Infected With Packed.morphine.d


  • This topic is locked
13 replies to this topic

#1 Bourbon_Slurpie

Posted 18 December 2007 - 09:34 PM

Hey guys, how's it going? I'm new to the whole forum idea so yeah, go easy on me.

Fixing a friend's computer, AVG keeps popping up with Virus found, atmfdk.dll identified as Packed.Morphine.D. I've searched everywhere to try and get rid of this with little luck. I did follow the instructions given in http://www.bleepingcomputer.com/forums/t/121018/bhocvx/ regarding Killbox.exe and OTMoveIt.exe with no luck deleting the infected file.

I've tried using AVG to move it to the Vault, but it reappears whenever I restart the computer.

Here is the HiJackThis log.

I will be grateful for any help.

Cheers


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:10:20 PM, on 19/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qau10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: rightonads optimizer - {10F3E8BD-257A-4702-A2F5-DC02055B068C} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7C423C13-E9BB-4774-9E74-5A54975C107A} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O2 - BHO: (no name) - {E0E46F66-9F83-4C27-A507-EE5D17B306AD} - c:\windows\system32\atmfdk.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/au/games9.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/ve...n6/dlhelper.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FC82AF2-37EC-4924-AFAC-0B9521DE717D}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1F6C3A8-ADE1-4532-AB62-67207924FCF1}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{1FC82AF2-37EC-4924-AFAC-0B9521DE717D}: Domain = vic.bigpond.net.au
O20 - Winlogon Notify: hewyvpgb - C:\WINDOWS\SYSTEM32\atmfdk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - http://bombersfc.com.au/cp2/c2/webi/image/011511ao.eva

#2 htv8

Posted 26 December 2007 - 07:15 AM

Hello Bourbon_Slurpie, and welcome to BleepingComputer. I will be handling your log to help you get cleaned up.
Note that I have closed and moved the duplicate topic you posted today. Please stick to this topic from now on.

Please take note of the following:
1. I will start working on your malware issues; this may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. The process is not instant. Please continue to review my answers until I tell you your machine is clean.
4. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
5. Please reply to this thread. Do not start a new topic.

Please give me some time to look over your log and I will get back to you as soon as possible.

Thanks,

htv8
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

#3 Bourbon_Slurpie

Posted 26 December 2007 - 07:27 AM

Thanks mate, I look forward to working with you.

Looking around I can gather that Packed.Morphine.d is a difficult and annoying problem to get rid of.

Cheers bud, Merry Christmas.

#4 htv8

Posted 26 December 2007 - 07:39 AM

Hello again.
__________________________________________________

IMPORTANT
It is important that you use a software firewall, to prevent unauthorised traffic both out of and into your computer.
Your log doesn't show a firewall running. If you have disabled your firewall, please re-enable it.
If you do not have a firewall installed, please download and install one of these good (and free) products:
- ZoneAlarm
NOTE: When installing ZoneAlarm, please remove the checkmark from the checkbox labelled "Include ZoneAlarm Spy Blocker [...]". The toolbar is not recommended (see: Sunbelt Blog: Another security company succumbs to temptation).
- Comodo Free Firewall
- Outpost Firewall Free
- Sunbelt Personal Firewall (= Kerio) - learn more here

NOTE: Never install more than one firewall program on your system. Several together can cause problems and seriously decrease its reliability.

Please print out or copy this page to Notepad.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


Step #1
You have AVG Anti-Spyware 7.5 running on your machine and that is good. However, AVG Anti-Spyware's Resident Shield can interfere with the changes you will make on your system, so please follow these instructions to temporarily disable AVG Anti-Spyware's Resident Shield:
1. Launch AVG Anti-Spyware by double-clicking the program's icon on your Desktop or in the system tray.
2. The main Status menu will appear. Select the Change state option to inactivate AVG AS's Resident Shield and Automatic Updates.
3. Right-click on the AVG Anti-Spyware icon in the system tray and uncheck the option labelled "Start with Windows".
4. Go to Start > Run.
5. In the Open: field type services.msc and press the OK button.
6. When the WinXP Services utility starts up, click the Extended tab on the bottom and scroll down the list to find the AVG Anti-Spyware Guard service.
7. When you find the service, double-click on it.
8. In the Properties window > General tab that opens, click the Stop button.
9. From the drop-down menu next to Startup type:, click on Manual.
10. Now click the Apply button, followed by clicking the OK button.
11. Close the Services window.

Step #2
Your Java is out of date. Older versions have vulnerabilities that malware can use, and is using, to infect systems. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them.
Please follow these steps to remove older version Java components:
1. Close all programs--especially your web browser--so that you have nothing open and are at your Desktop.
2. Go to Start > Control Panel > Add/Remove Programs and check any item with Java Runtime Environment (JRE or J2SE) in the name.
3. Click the Remove or Change/Remove button next to these items to remove all Java versions.
4. Once all Java components are removed, reboot your computer.

Once rebooted, download and install the latest version of Java Runtime Environment (JRE) 6 Update 3 by following these steps:
1. Go to http://java.sun.com/javase/downloads/index.jsp.
2. Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 3 … The Java SE Runtime Environment (JRE) allows end-users to run Java applications.".
3. Click the Download button to the right.
4. Review the License Agreement and then select the radio button labelled "Accept License Agreement".
The page will refresh.
5. Click on the link to download the Windows Offline Installation and save the file to your Desktop.
6. From your Desktop, double-click the jre-6u3-windows-i586-p.exe file to install the newest version.

Step #3
You have a Vundo infection. Download VundoFix.exe to your Desktop to get rid of it.
Download VundoFix.exe

Once downloaded, follow these steps to run VundoFix:
1. Double-click VundoFix.exe to run it.
2. Click the Scan for Vundo button.
3. Once it is done scanning, click the Remove Vundo button.
4. Click the Yes button at the prompt asking you if you want to remove the files.
NOTE: Once you click Yes, your Desktop will go blank as it starts removing Vundo.
5. When completed, it will prompt that it will reboot your computer. Click OK.
6. Post the entire contents of C:\vundofix.txt in your next reply.

NOTE: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from the second step - "2. Click the Scan for Vundo button." - when VundoFix appears upon rebooting.

Step #4
We need to use HijackThis to create an uninstall list. Please provide me an uninstall list by performing these steps:
1. Open HijackThis.
2. Click once on the Config... button.
3. Go to the Misc Tools section by clicking on the Misc Tools button on top of the screen.
4. Click on the Open Uninstall Manager... button. You'll see a list of currently installed programs.
5. Click on the Save list... button and specify where you would like to save the uninstall list.
6. Click Save.
Notepad will open up with the contents of that file.
7. Copy and paste the contents of that Notepad file (uninstall_list.txt) as a reply to this topic.

Step #5
Scan with HijackThis again and post a new HijackThis log please.
__________________________________________________

So in your next reply, please post the entire contents of:
- C:\vundofix.txt
- the created uninstall list (uninstall_list.txt)
- a new HijackThis log
NOTE: Use several posts if necessary to include everything in the requested logs.

#5 Bourbon_Slurpie

Posted 26 December 2007 - 09:15 AM

Hey again, I followed your steps.

Vundo Fix found nothing.

Vundo Log
VundoFix V6.7.7

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 12:27:25 AM 27/12/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Uninstall log
32 Bit HP CIO Components Installer
Adobe Reader 6.0
Adobe Shockwave Player
Adssite Advanced Toolbar
Adssite Games Collection
Advanced WindowsCare 2.55 Personal
Apple Mobile Device Support
Apple Software Update
Avanquest update
AVG Anti-Spyware 7.5
AVG Free Edition
BigPond Broadband ADSL FAQ
Browser Optimizer Rightonadz
Compaq Connections
Dcads Games Collection
EasyCleaner
Excavation from Compaq (remove only)
Five Card Frenzy from Compaq (remove only)
FrostWire 4.13.3
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB929120)
HP Customer Participation Program 8.0
HP Deskjet All-In-One Software 8.0
HP Deskjet Preloaded Printer Drivers
HP Image Zone 3.5
HP Imaging Device Functions 8.0
HP Photo & Imaging 3.5 - HP Devices
HP Photosmart Essential
HP PSC & OfficeJet 3.0
HP Smart Web Printing 1.0
HP Software Update
HP Solution Center 8.0
HP Update
HPSSupply
InterVideo WinDVD Creator 2
InterVideo WinDVD Player
iPod for Windows 2006-06-28
iTunes
Java™ 6 Update 3
KBD
LimeWire 4.14.8
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard - WE 2004
Microsoft Golf 1998 Edition
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money
Microsoft Money System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Picture It! Photo Standard 9
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
Microsoft Works 2004 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
Motorola Phone Tools
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MUSICMATCH® Jukebox
NVIDIA Display Driver
NVIDIA Ethernet Driver
NVIDIA GART Driver
Orbital from Compaq (remove only)
Otto from Compaq (remove only)
Overball from Compaq (remove only)
PC-Doctor for Windows
Peter Jackson's King Kong - Demo KFC
Photosmart 140,240,7200,7600,7700,7900 Series
Python 2.2 combined Win32 extensions
Python 2.2.1
RecordNow!
Registry Mechanic 5.2
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
Shockwave
Slyder from Compaq (remove only)
Sonic Update Manager
Spybot - Search & Destroy 1.4
Super Motocross Kings
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
VIA Rhine-Family Fast Ethernet Adapter
WIDCOMM Bluetooth Software
WildTangent GameChannel (remove only)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
ZoneAlarm

Hijack log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:10:14 AM, on 27/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qau10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: rightonads optimizer - {10F3E8BD-257A-4702-A2F5-DC02055B068C} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7C423C13-E9BB-4774-9E74-5A54975C107A} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O2 - BHO: (no name) - {E0E46F66-9F83-4C27-A507-EE5D17B306AD} - c:\windows\system32\atmfdk.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/au/games9.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/ve...n6/dlhelper.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FC82AF2-37EC-4924-AFAC-0B9521DE717D}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1F6C3A8-ADE1-4532-AB62-67207924FCF1}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{1FC82AF2-37EC-4924-AFAC-0B9521DE717D}: Domain = vic.bigpond.net.au
O20 - Winlogon Notify: hewyvpgb - C:\WINDOWS\SYSTEM32\atmfdk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://bombersfc.com.au/cp2/c2/webi/image/011511ao.eva

--
End of file - 7556 bytes

Cheers

#6 htv8


Posted 26 December 2007 - 07:12 PM

Hello again.

Have you ever had any Symantec Corporation product installed?
__________________________________________________

Please print out or copy this page to Notepad. This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is NOT available. A print out of the instructions would be a good reference to make sure you don't get lost. You may also like to save these instructions in Word/Notepad to the Desktop where they can be easily found for the same reasons as above.
Also make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


You most likely got infected through file sharing. I see some P2P/File Sharing (related) programs installed on your computer: FrostWire 4.13.3 and LimeWire 4.14.8. Aside from the obvious legal issues, file sharing is one of the primary ways through which people become infected with malware. Anytime you are running any type of P2P application, you are more prone to infection.
I suggest removing these programs. If you agree, go to Start > Control Panel > Add/Remove Programs and uninstall the following programs (if they are listed):
FrostWire 4.13.3
LimeWire 4.14.8
If you do not want to uninstall (some of) these programs, please at least refrain from using any peer-to-peer programs for the remainder of my fix.

Step #1
Go to Start > Control Panel > Add/Remove Programs and uninstall the following programs (if they are listed):
Adssite Advanced Toolbar
Adssite Games Collection
Browser Optimizer Rightonadz
Dcads Games Collection
WildTangent GameChannel (remove only)


The above Add/Remove Programs entries correspond to programs that are either malware, install malware, or are bundled with malware.

Step #2
Please download ComboFix from any of the links below and save it to your Desktop.
(1) Download ComboFix.exe
(2) Download ComboFix.exe
(3) Download ComboFix.exe
WARNING: You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could render your system/pc inoperable.

NOTE: In the event you already have ComboFix, this is a new version that I need you to download. It is important that ComboFix is saved directly to your Desktop.

When the file has finished downloading:
1. Close any open browsers/windows.
2. Disconnect from the Internet.
3. VERY IMPORTANT: Temporarily disable your antivirus, script blocking and any anti-malware real-time protection before performing a scan. (They can interfere with the running of ComboFix or remove some of its embedded files which may cause "unpredictable results".)
Click on this link to see a list of programs that should be disabled. NOTE: The list is not all inclusive. If yours is not listed and you do not know how to disable it, please ask.
4. Double-click ComboFix.exe to launch the application and follow the on-screen prompts.
NOTE: Do not mouseclick ComboFix's window whilst it's running. That may cause your system to hang!
5. When finished, ComboFix shall produce a log for you; post the entire contents of C:\ComboFix.txt in your next reply.

Step #3
Scan with HijackThis again and post a new HijackThis log.
__________________________________________________

So in your next reply, please post the entire contents of:
- C:\ComboFix.txt
- a new HijackThis log
NOTE: Use several posts if necessary to include everything in the requested logs.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#7 Bourbon_Slurpie


Posted 26 December 2007 - 07:52 PM

G'day

The system is not mine, I am fixing it for a friend. But looking further I would make a safe bet that anything from the Symantec Corporation was installed.

Combofix log
ComboFix 07-12-21.4 - Owner 2007-12-27 11:36:26.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.436 [GMT 11:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\atmfdk.dll
C:\WINDOWS\system32\drivers\cmrjjsum.dat
C:\WINDOWS\system32\drivers\sfsync02.sys
C:\WINDOWS\system32\fo-remove.exe
C:\WINDOWS\Tasks.\At1.job
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_BFMOETXS
-------\LEGACY_SFSYNC02
-------\LEGACY_YDGBKDZH
-------\bfmoetxs
-------\sfsync02
-------\ydgbkdzh


((((((((((((((((((((((((( Files Created from 2007-11-27 to 2007-12-27 )))))))))))))))))))))))))))))))
.

2007-12-27 00:27 . 2007-12-27 00:27 <DIR> d-------- C:\VundoFix Backups
2007-12-27 00:23 . 2007-12-27 11:42 147,488 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-27 00:23 . 2007-12-27 11:41 2,780 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-27 00:19 . 2007-12-27 00:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-27 00:19 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-12-27 00:19 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-12-27 00:19 . 2007-12-27 00:21 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-12-27 00:17 . 2007-12-27 11:27 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-12-27 00:17 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-27 00:16 . 2007-12-27 00:16 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-19 13:11 . 2007-12-27 11:31 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\U3
2007-12-18 00:29 . 2007-12-18 00:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-12-17 23:43 . 2004-02-14 14:47 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-17 23:43 . 2004-02-14 14:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-17 23:43 . 2004-02-14 14:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-12-17 23:43 . 2004-02-14 14:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2007-12-17 23:21 . 2007-12-17 23:21 <DIR> d-------- C:\Program Files\IObit
2007-12-16 17:22 . 2007-12-17 12:23 <DIR> d-------- C:\Program Files\New Folder
2007-12-15 12:14 . 2007-12-15 12:14 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2007-12-15 12:14 . 2007-12-15 12:14 741,632 --a------ C:\WINDOWS\system32\slorarmg.dat
2007-12-15 12:14 . 2007-12-15 12:14 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2007-12-15 12:14 . 2007-12-15 12:14 42,240 --a------ C:\WINDOWS\system32\dpbbxotd.dat
2007-12-15 12:14 . 2007-12-15 12:14 36,096 --a------ C:\WINDOWS\system32\klobezip.dat
2007-12-15 12:14 . 2007-12-15 12:14 35,072 --a------ C:\WINDOWS\system32\eqbtnkvc.dat
2007-12-14 12:04 . 2007-12-14 12:04 119,552 --a------ C:\WINDOWS\system32\wetdkyvk.dat
2007-12-09 20:17 . 2007-12-09 20:17 <DIR> d-------- C:\Program Files\ReflexiveArcade
2007-12-03 22:30 . 2007-12-03 22:30 244 --ah----- C:\sqmnoopt04.sqm
2007-12-03 22:30 . 2007-12-03 22:30 232 --ah----- C:\sqmdata04.sqm
2007-11-27 18:48 . 2007-12-17 23:32 <DIR> d-------- C:\Program Files\Dcads Advanced Toolbar
2007-11-27 18:48 . 2007-11-27 22:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Dcads Advanced Toolbar
2007-11-27 18:45 . 2007-12-27 11:32 <DIR> d-------- C:\Program Files\Adssite Advanced Toolbar
2007-11-27 18:45 . 2007-11-27 18:45 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Adssite Advanced Toolbar
2007-11-27 16:56 . 2007-11-27 16:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-27 00:33 --------- d-----w C:\Program Files\WildTangent
2007-12-26 13:17 --------- d-----w C:\Program Files\Java
2007-12-26 12:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2007-12-17 12:44 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2007-12-17 12:41 --------- d-----w C:\Program Files\Google
2007-12-16 22:20 --------- d-----w C:\Program Files\FrostWire
2007-12-14 01:37 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2007-12-06 08:26 --------- d-----w C:\Program Files\LimeWire
2007-12-03 23:54 --------- d-----w C:\Documents and Settings\Owner\Application Data\FrostWire
2007-11-25 07:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-10 11:04 --------- d-----w C:\Program Files\Avanquest update
2007-11-07 07:15 --------- d-----w C:\Program Files\iTunes
2007-11-07 07:14 --------- d-----w C:\Program Files\iPod
2007-11-07 07:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-07 07:07 --------- d-----w C:\Program Files\Common Files\Apple
2007-11-01 05:29 28,256 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys
2007-10-21 12:49 12,290,511 ------w C:\AVG7QT.DAT
2007-10-21 08:55 384 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb6334.dat
2007-10-20 23:35 18,432 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb41.dat
2007-10-20 23:11 537 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb8467.dat
2007-10-16 21:56 139,264 ----a-w C:\WINDOWS\mirar_distro_876260.exe
2007-06-24 09:19 24,192 -c--a-w C:\Documents and Settings\Owner\usbsermptxp.sys
2007-06-24 09:19 22,768 -c--a-w C:\Documents and Settings\Owner\usbsermpt.sys
2004-07-26 10:36 1,298 -c--a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2004-06-09 06:04 910,552 -c--a-w C:\Program Files\NPSWF32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 18:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-10-23 16:55]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 18:56 C:\WINDOWS\system32\rundll32.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-23 16:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-12-11 23:44:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-26 13:12:39 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2007-12-15 09:27:53 C:\WINDOWS\Tasks\WebReg Deskjet F2100 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-27 11:43:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-27 11:45:38 - machine was rebooted
.
2007-12-12 05:05:22 --- E O F ---

Hijackthis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:37 AM, on 27/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/au/games9.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/ve...n6/dlhelper.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FC82AF2-37EC-4924-AFAC-0B9521DE717D}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1F6C3A8-ADE1-4532-AB62-67207924FCF1}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{1FC82AF2-37EC-4924-AFAC-0B9521DE717D}: Domain = vic.bigpond.net.au
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://bombersfc.com.au/cp2/c2/webi/image/011511ao.eva

--
End of file - 6886 bytes


Cheers
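The two HijackThis logs posted in this thread can be compared mechanically to confirm what the ComboFix run changed. The following is an added example, not part of the original posts: the function names and the choice of which section codes count as autostart entries are this example's own, and the sample lines are excerpts from the before and after logs above.

```python
import re
from typing import NamedTuple, Optional


class Entry(NamedTuple):
    code: str             # HijackThis section code, e.g. "O20"
    body: str             # everything after "<code> - "
    path: Optional[str]   # trailing drive-letter path, if the entry has one


LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*$")

# Section codes treated here as "loads code at boot or logon" (example's choice):
# O4 = Run keys, O20 = Winlogon Notify / AppInit_DLLs, O23 = services.
AUTOSTART_CODES = {"O4", "O20", "O23"}

# Excerpt of the log posted before the ComboFix run.
BEFORE = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FC82AF2-37EC-4924-AFAC-0B9521DE717D}: Domain = vic.bigpond.net.au
O20 - Winlogon Notify: hewyvpgb - C:\WINDOWS\SYSTEM32\atmfdk.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://bombersfc.com.au/cp2/c2/webi/image/011511ao.eva
"""

# Excerpt of the log posted after the ComboFix run.
AFTER = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FC82AF2-37EC-4924-AFAC-0B9521DE717D}: Domain = vic.bigpond.net.au
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://bombersfc.com.au/cp2/c2/webi/image/011511ao.eva
"""


def parse_log(text):
    """Return the registry/file entries of a HijackThis log, skipping the
    header, the running-process list, blank lines and the footer."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        p = PATH_RE.search(body)
        entries.append(Entry(m.group("code"), body, p.group(0) if p else None))
    return entries


def _key(entry):
    # Windows paths and registry names are case-insensitive, and HijackThis
    # output mixes "System32" and "system32", so compare case-folded.
    return (entry.code, entry.body.casefold())


def diff_logs(before, after):
    """Return (removed, added): entries only in the first log, only in the second."""
    b = {_key(e): e for e in parse_log(before)}
    a = {_key(e): e for e in parse_log(after)}
    removed = [e for k, e in b.items() if k not in a]
    added = [e for k, e in a.items() if k not in b]
    return removed, added


def autostart_changes(before, after):
    """Same as diff_logs, restricted to the autostart section codes."""
    removed, added = diff_logs(before, after)
    keep = lambda items: [e for e in items if e.code in AUTOSTART_CODES]
    return keep(removed), keep(added)


if __name__ == "__main__":
    gone, new = autostart_changes(BEFORE, AFTER)
    for e in gone:
        print("removed:", e.code, e.body)
    for e in new:
        print("added:  ", e.code, e.body)
```

An entry that shows up under "added" after a cleanup pass is the case to look at first, since it means something re-registered itself between the two scans.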

#8 htv8


Posted 27 December 2007 - 08:19 PM

Hello again.

[...] But looking further I would make a safe bet that anything from the Symantec Corporation was installed. [...]

The posted uninstall list shows that not all Norton/Symantec products are completely removed from the computer. Therefore, please follow these steps in order to completely get rid of Norton/Symantec:
1. Go to Start > Control Panel > Add/Remove Programs and uninstall the following entries (if they are present):
....LiveReg (Symantec Corporation)
....LiveUpdate 2.6 (Symantec Corporation)

2. Download and run the Norton Removal Tool after uninstallation in order to completely remove all Norton products from your computer. Download Norton Removal Tool (SymNRT.exe)
__________________________________________________

Please print out or copy this page to Notepad.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


Step #1
Download Flash_Disinfector.exe to your Desktop.
Download Flash_Disinfector.exe

If you have any flash drives that were used previously, insert them as well, since this is a flash drive infection and the above tool will disinfect them too.
Then double-click the Flash_Disinfector.exe file to run the tool.
NOTE: Your desktop and icons will disappear afterwards. This is normal.
When the tool has finished, reboot your computer.

Step #2
Copy the entire contents inside the CODE box below into Notepad - don't use any other text editor than Notepad or the script will fail.

File::
C:\Documents and Settings\Owner\Application Data\internaldb6334.dat
C:\Documents and Settings\Owner\Application Data\internaldb41.dat
C:\Documents and Settings\Owner\Application Data\internaldb8467.dat
C:\WINDOWS\mirar_distro_876260.exe

Folder::
C:\VundoFix Backups
C:\Program Files\Dcads Advanced Toolbar
C:\Documents and Settings\Owner\Application Data\Dcads Advanced Toolbar
C:\Program Files\Adssite Advanced Toolbar
C:\Documents and Settings\Owner\Application Data\Adssite Advanced Toolbar
C:\Program Files\WildTangent

FileLook::
C:\WINDOWS\system32\dpbbxotd.dat
C:\WINDOWS\system32\wetdkyvk.dat
C:\Program Files\NPSWF32.dll

DirLook::
C:\Program Files\New Folder

Click File > Save and save as CFScript.txt to the Desktop.

WARNING: The above code was created specifically for this user. If you are not this user, do NOT follow these directions.

Once the file is created:
1. Close any open browsers/windows.
2. Disconnect from the Internet (physically unplug/pull out CAT5 cable if you hafta).
3. VERY IMPORTANT: Temporarily disable your antivirus, script blocking and any anti-malware real-time protection before performing a scan.
4. Drag CFScript.txt on top of ComboFix.exe as shown in the screenshot below. This will start ComboFix again.
….Posted Image
5. After reboot--in case it asks to reboot--post the entire contents of ComboFix.txt in your next reply.

NOTE: Do not mouseclick ComboFix's window whilst it's running. That may cause your system to hang!

Step #3
Scan with HijackThis again and post a new HijackThis log please.
_________________________

So in your next reply, please post the entire contents of:
- ComboFix.txt
- a new HijackThis log
NOTE: Use several posts if necessary to include everything in the requested logs.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#9 Bourbon_Slurpie


Posted 28 December 2007 - 01:16 AM

How's it going mate?

What sort of flash drive infection was it?

The file from the link you gave me for Norton Removal Tool is outdated and wouldn't work, so I followed the prompts and got the newer version.

All went smoothly.

Combofix Log
ComboFix 07-12-21.4 - Owner 2007-12-28 17:02:02.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.450 [GMT 11:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\Owner\Application Data\internaldb41.dat
C:\Documents and Settings\Owner\Application Data\internaldb6334.dat
C:\Documents and Settings\Owner\Application Data\internaldb8467.dat
C:\WINDOWS\mirar_distro_876260.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\Adssite Advanced Toolbar
C:\Documents and Settings\Owner\Application Data\Adssite Advanced Toolbar\advertbuttons.xml
C:\Documents and Settings\Owner\Application Data\Adssite Advanced Toolbar\selected.xml
C:\Documents and Settings\Owner\Application Data\Dcads Advanced Toolbar
C:\Documents and Settings\Owner\Application Data\Dcads Advanced Toolbar\advertbuttons.xml
C:\Documents and Settings\Owner\Application Data\Dcads Advanced Toolbar\selected.xml
C:\Documents and Settings\Owner\Application Data\internaldb41.dat
C:\Documents and Settings\Owner\Application Data\internaldb6334.dat
C:\Documents and Settings\Owner\Application Data\internaldb8467.dat
C:\Program Files\Adssite Advanced Toolbar
C:\Program Files\Dcads Advanced Toolbar
C:\Program Files\WildTangent
C:\Program Files\WildTangent\Apps\CDA\CDAEngine0400.dll
C:\Program Files\WildTangent\Apps\CDA\CDAEngine0501.dll
C:\Program Files\WildTangent\Apps\CDA\CDALogger0402.dll
C:\Program Files\WildTangent\Apps\CDA\CDAUninstall.exe
C:\Program Files\WildTangent\Apps\CDA\ControlPanel\CDA\about.html
C:\Program Files\WildTangent\Apps\CDA\ControlPanel\CDA\cache.html
C:\Program Files\WildTangent\Apps\CDA\ControlPanel\CDA\updates.html
C:\Program Files\WildTangent\Apps\CDA\ControlPanel\DMMP\index.html
C:\Program Files\WildTangent\Apps\CDA\ControlPanel\DRM\index.html
C:\Program Files\WildTangent\Apps\CDA\ControlPanel\index.html
C:\Program Files\WildTangent\Apps\CDA\ControlPanel\nav.html
C:\Program Files\WildTangent\Apps\CDA\ControlPanel\Webd\index.html
C:\Program Files\WildTangent\Apps\CDA\ControlPanel\wt.gif
C:\Program Files\WildTangent\Apps\CDA\GameData\gamedata.dat
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\WildTangent\Apps\CDA\OtherLicenses.txt
C:\Program Files\WildTangent\Apps\CDA\wt.ico
C:\Program Files\WildTangent\Apps\CDA\wtControlPanel.dll
C:\Program Files\WildTangent\Apps\CDA\wtControlPanel.exe
C:\Program Files\WildTangent\Apps\DRM0301.dll
C:\Program Files\WildTangent\Apps\DRM0301Java.jar
C:\Program Files\WildTangent\Apps\DRM0302.dll
C:\Program Files\WildTangent\Apps\DRM0302Java.jar
C:\Program Files\WildTangent\Apps\GameChannel\Games\05E21449-3BA3-42BF-BBDA-95205F4EA40A\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\26DC0ED6-93A7-43C1-8DC5-EC16079580F9\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\26DC0ED6-93A7-43C1-8DC5-EC16079580F9\settings.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\29FF6D07-4A15-41F1-9D5E-E0F3A58012C6\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\2FDCC229-354D-4279-ABEF-CE17E355BFFA\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\75528D5F-DD82-402E-BA7C-045B7DC6A712\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\75528D5F-DD82-402E-BA7C-045B7DC6A712\hs_err_pid572.log
C:\Program Files\WildTangent\Apps\GameChannel\Games\8A225900-C06D-41DD-B66C-43840D472758\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\8BA6F58B-7A91-461F-95F8-E34F8BD8AA4E\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\8BA6F58B-7A91-461F-95F8-E34F8BD8AA4E\settings.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\C679AA5F-C2C8-4EA8-9CD1-504A39AEC264\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\C679AA5F-C2C8-4EA8-9CD1-504A39AEC264\settings.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\F07504C6-20C5-4BFE-83A0-523FB2455E72\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\FA7F5211-C629-4711-BD82-7DFFB08CB518\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{4bdc3f86-5f2f-4527-89e8-dbaaeb417821}\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{4bdc3f86-5f2f-4527-89e8-dbaaeb417821}\images\dl_off.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{4bdc3f86-5f2f-4527-89e8-dbaaeb417821}\images\dl_on.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{4bdc3f86-5f2f-4527-89e8-dbaaeb417821}\images\main_hp.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{4bdc3f86-5f2f-4527-89e8-dbaaeb417821}\images\main_wg.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{4bdc3f86-5f2f-4527-89e8-dbaaeb417821}\images\spacer.gif
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{4bdc3f86-5f2f-4527-89e8-dbaaeb417821}\index.html
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{54a00abf-8162-4e46-a444-f86a8c4ae1bd}\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{54a00abf-8162-4e46-a444-f86a8c4ae1bd}\images\blackhawkstriker2.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{54a00abf-8162-4e46-a444-f86a8c4ae1bd}\images\dl_off.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{54a00abf-8162-4e46-a444-f86a8c4ae1bd}\images\dl_on.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{54a00abf-8162-4e46-a444-f86a8c4ae1bd}\images\download-over.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{54a00abf-8162-4e46-a444-f86a8c4ae1bd}\images\playnow-over.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{54a00abf-8162-4e46-a444-f86a8c4ae1bd}\images\playnow.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{54a00abf-8162-4e46-a444-f86a8c4ae1bd}\images\screen_2.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{54a00abf-8162-4e46-a444-f86a8c4ae1bd}\images\screen_3.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{54a00abf-8162-4e46-a444-f86a8c4ae1bd}\images\spacer.gif
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{54a00abf-8162-4e46-a444-f86a8c4ae1bd}\index.html
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{5f1ce890-6d3e-4056-85ee-350f66e2c81d}\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{6bd840fc-b707-43f0-a301-0b51c4f31ca5}\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{6bd840fc-b707-43f0-a301-0b51c4f31ca5}\images\dl_off.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{6bd840fc-b707-43f0-a301-0b51c4f31ca5}\images\dl_on.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{6bd840fc-b707-43f0-a301-0b51c4f31ca5}\images\download-over.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{6bd840fc-b707-43f0-a301-0b51c4f31ca5}\images\playnow-over.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{6bd840fc-b707-43f0-a301-0b51c4f31ca5}\images\playnow.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{6bd840fc-b707-43f0-a301-0b51c4f31ca5}\images\screen_2.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{6bd840fc-b707-43f0-a301-0b51c4f31ca5}\images\screen_3.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{6bd840fc-b707-43f0-a301-0b51c4f31ca5}\images\spacer.gif
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{6bd840fc-b707-43f0-a301-0b51c4f31ca5}\images\supergranny.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{6bd840fc-b707-43f0-a301-0b51c4f31ca5}\index.html
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\crystalmaze_01.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\crystalmaze_02.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\crystalmaze_04.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\crystalmaze_05.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\crystalmaze_07.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\crystalmaze_08.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\crystalmaze_09.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\crystalmaze_11.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\crystalmaze_13.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\crystalmaze_14.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\crystalmaze_15.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\dl_off_1.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\dl_off_10.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\dl_off_11.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\dl_off_2.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\dl_off_3.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\dl_off_4.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\dl_off_5.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\dl_off_6.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\dl_off_7.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\dl_off_8.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\dl_off_9.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\dl_on_1.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\dl_on_10.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\dl_on_11.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\dl_on_2.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\dl_on_3.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\dl_on_4.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\dl_on_5.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\dl_on_6.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\dl_on_7.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\dl_on_8.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\dl_on_9.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\download-over.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\download.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\download_tag.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\main_1.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\main_2.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\main_3.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\play-over.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\play.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\play_tag.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\spacer.gif
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\text_1.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\text_2.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\images\text_3.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{730f546c-f024-4565-8348-d3f464aea5b1}\index.html
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{7C09ABCE-DBE3-453c-B05E-90C06075354F}\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{910fa28d-4ecc-41c9-8d7e-d9cbe5047736}\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{9BAC992E-77E6-4ad3-8C8A-2C2EB76C6702}\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{b9d886b5-9c0b-430b-8322-32dc1fa72cf0}\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{b9d886b5-9c0b-430b-8322-32dc1fa72cf0}\images\dl_off.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{b9d886b5-9c0b-430b-8322-32dc1fa72cf0}\images\dl_on.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{b9d886b5-9c0b-430b-8322-32dc1fa72cf0}\images\download-over.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{b9d886b5-9c0b-430b-8322-32dc1fa72cf0}\images\playnow-over.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{b9d886b5-9c0b-430b-8322-32dc1fa72cf0}\images\playnow.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{b9d886b5-9c0b-430b-8322-32dc1fa72cf0}\images\screen_2.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{b9d886b5-9c0b-430b-8322-32dc1fa72cf0}\images\screen_3.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{b9d886b5-9c0b-430b-8322-32dc1fa72cf0}\images\screen_4.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{b9d886b5-9c0b-430b-8322-32dc1fa72cf0}\images\shrek2.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{b9d886b5-9c0b-430b-8322-32dc1fa72cf0}\index.html
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\dl_off_1.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\dl_off_10.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\dl_off_11.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\dl_off_2.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\dl_off_3.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\dl_off_4.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\dl_off_5.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\dl_off_6.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\dl_off_7.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\dl_off_8.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\dl_off_9.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\dl_on_1.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\dl_on_10.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\dl_on_11.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\dl_on_2.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\dl_on_3.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\dl_on_4.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\dl_on_5.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\dl_on_6.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\dl_on_7.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\dl_on_8.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\dl_on_9.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\download-over.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\download.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\note.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\playnow-over.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\playnow.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\spacer.gif
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\tradewinds_01.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\tradewinds_02.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\tradewinds_03-over.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\tradewinds_04.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\tradewinds_05-over.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\tradewinds_06.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\tradewinds_07.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\tradewinds_08.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\tradewinds_09-over.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\tradewinds_10.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\tradewinds_11.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\tradewinds_12.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\tradewinds_14.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\tradewinds_15.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\tradewinds_16.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\upgrade-over.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\images\upgrade.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\index.html
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{c6cbde54-b0f2-4800-86b0-8700e8bee14b}\version.js
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{dcb341e3-a640-4d00-bf03-58a6774a544e}\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{dcb341e3-a640-4d00-bf03-58a6774a544e}\images\blackhawkstriker2.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{dcb341e3-a640-4d00-bf03-58a6774a544e}\images\dl_off.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{dcb341e3-a640-4d00-bf03-58a6774a544e}\images\dl_on.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{dcb341e3-a640-4d00-bf03-58a6774a544e}\images\download-over.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{dcb341e3-a640-4d00-bf03-58a6774a544e}\images\playnow-over.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{dcb341e3-a640-4d00-bf03-58a6774a544e}\images\playnow.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{dcb341e3-a640-4d00-bf03-58a6774a544e}\images\screen_2.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{dcb341e3-a640-4d00-bf03-58a6774a544e}\images\screen_3.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{dcb341e3-a640-4d00-bf03-58a6774a544e}\images\screen_4.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{dcb341e3-a640-4d00-bf03-58a6774a544e}\images\spacer.gif
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{dcb341e3-a640-4d00-bf03-58a6774a544e}\index.html
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{f388931a-fa43-4a56-baa1-8a6cd1d17a77}\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{f388931a-fa43-4a56-baa1-8a6cd1d17a77}\images\background.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{f388931a-fa43-4a56-baa1-8a6cd1d17a77}\index.html
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\gamelinks.exe
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\games.html
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\htmlapp.htm
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\icon.ico
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_01.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_02.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_03.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_04.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_05.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_06.gif
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_07.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_08.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_09.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_10.gif
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_11.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_12.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_13.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_14.gif
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_15.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_16.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_17.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_18.gif
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_19.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_20.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_21.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_22.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_23.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_24.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_25.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_26.gif
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_27.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_28.gif
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_29.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_30.gif
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_31.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_32.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_33.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_34.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_35.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_36.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_over_08.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_over_12.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_over_16.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_over_25.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_over_27.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\games_over_29.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\images\spacer.gif
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\rungame.exe
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\tutorial.html
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\welcome_06.jpg
C:\Program Files\WildTangent\Apps\GameChannel\Notifications\hpwelcome\wtproducts.js
C:\Program Files\WildTangent\Apps\rDRM0301.dll
C:\Program Files\WildTangent\Apps\rDRM0302.dll
C:\Program Files\WildTangent\Apps\wtKernel0100.dll
C:\Program Files\WildTangent\Components\SystemConfig0100.dll
C:\Program Files\WildTangent\Components\wtAppConfig0200.dll
C:\Program Files\WildTangent\Components\wtAppConfig0501.dll
C:\Program Files\WildTangent\Components\wtCache0200.dll
C:\Program Files\WildTangent\Components\wtCache0300.dll
C:\Program Files\WildTangent\Components\wtCookie0200.dll
C:\Program Files\WildTangent\Components\wtCookie0501.dll
C:\Program Files\WildTangent\Components\wtDownloader0200.dll
C:\Program Files\WildTangent\Components\wtDownloader0301b.dll
C:\Program Files\WildTangent\Components\wtGameData0200.dll
C:\Program Files\WildTangent\Components\wtGameData0501.dll
C:\Program Files\WildTangent\Components\wtGUI0200.dll
C:\Program Files\WildTangent\Components\wtGUI0501.dll
C:\Program Files\WildTangent\Components\wtIO0200.dll
C:\Program Files\WildTangent\Components\wtIO0300.dll
C:\Program Files\WildTangent\Components\wtKernel0200.dll
C:\Program Files\WildTangent\Components\wtKernel0300.dll
C:\Program Files\WildTangent\Components\wtLua0200.dll
C:\Program Files\WildTangent\Components\wtLua0300.dll
C:\Program Files\WildTangent\Components\wtNetworking0200.dll
C:\Program Files\WildTangent\Components\wtPropertyBag0200.dll
C:\Program Files\WildTangent\Components\wtPropertyBag0300.dll
C:\Program Files\WildTangent\Components\wtScript0200.dll
C:\Program Files\WildTangent\Components\wtScript0300.dll
C:\Program Files\WildTangent\Components\wtSerialization0200.dll
C:\Program Files\WildTangent\Components\wtSerialization0300.dll
C:\Program Files\WildTangent\Components\wtStreamProcessing0200.dll
C:\Program Files\WildTangent\Components\wtStreamProcessing0300.dll
C:\Program Files\WildTangent\Components\wtStreamProcessing0301.dll
C:\Program Files\WildTangent\Components\wtSystem0200.dll
C:\Program Files\WildTangent\Components\wtSystem0300.dll
C:\Program Files\WildTangent\Components\wtSystemConfig0200.dll
C:\Program Files\WildTangent\Components\wtSystemConfig0300.dll
C:\Program Files\WildTangent\Components\wtUserSupport0200.dll
C:\Program Files\WildTangent\Components\wtUserSupport0501.dll
C:\Program Files\WildTangent\Components\wtXml0200.dll
C:\Program Files\WildTangent\Components\wtXml0300.dll
C:\Program Files\WildTangent\LFS\AppConfig\CDA.wtcfg
C:\Program Files\WildTangent\LFS\Cache\00000001.Cache
C:\Program Files\WildTangent\LFS\Cache\Cache.dat
C:\Program Files\WildTangent\LFS\CDAData\Checkin\download.html
C:\Program Files\WildTangent\LFS\CDAData\Checkin\downloadTrayIconData.cdas
C:\Program Files\WildTangent\LFS\CDAData\Checkin\icon.ico
C:\Program Files\WildTangent\LFS\CDAData\Checkin\install.html
C:\Program Files\WildTangent\LFS\CDAData\Checkin\install_complete.html
C:\Program Files\WildTangent\LFS\CDAData\Checkin\install_nofiles.html
C:\Program Files\WildTangent\LFS\CDAData\Checkin\install_progress.html
C:\Program Files\WildTangent\LFS\CDAData\Checkin\installTrayIconData.cdas
C:\Program Files\WildTangent\LFS\CDAData\Checkin\inuse.html
C:\Program Files\WildTangent\LFS\CDAData\Checkin\inuseitems.html
C:\Program Files\WildTangent\LFS\CDAData\Checkin\items.html
C:\Program Files\WildTangent\LFS\CDAData\Checkin\style.css
C:\Program Files\WildTangent\LFS\CDAData\Checkin\wt.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\CDAOnlyScreen\style.css
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\CDAOnlyScreen\uninstall_prompt.html
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\CDAWithDependantsScreen\items.html
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\CDAWithDependantsScreen\style.css
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\CDAWithDependantsScreen\uninstall_promptdependant.html
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\ErrorScreen\style.css
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\ErrorScreen\uninstall_error.html
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\FinishedScreen\style.css
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\FinishedScreen\uninstall_complete.html
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\FinishedScreen\uninstallpackage_complete.html
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\bc.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\bl.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\br.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\btm.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\cancel-over.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\cancel.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\finish-over.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\finish.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\header.jpg
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\le.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\mb.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\next-disabled.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\next-over.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\next.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\re.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\retry-over.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\retry.gif
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\InUseScreen\inuse.html
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\InUseScreen\items.html
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\InUseScreen\style.css
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\ProgressScreen\style.css
C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\ProgressScreen\uninstall_progress.html
C:\Program Files\WildTangent\LFS\Download\00000000.cache
C:\Program Files\WildTangent\LFS\Download\cache.dat
C:\Program Files\WildTangent\LFS\Scripts\Common\AUML01.cdas
C:\Program Files\WildTangent\LFS\Scripts\Common\CL01.cdas
C:\Program Files\WildTangent\LFS\Scripts\Common\CL01_Files.cdas
C:\Program Files\WildTangent\LFS\Scripts\Common\CL01_Install.cdas
C:\Program Files\WildTangent\LFS\Scripts\Common\CL01_InstallConditions.cdas
C:\Program Files\WildTangent\LFS\Scripts\Common\CL01_LFSInit.cdas
C:\Program Files\WildTangent\LFS\Scripts\Common\CL01_Registry.cdas
C:\Program Files\WildTangent\LFS\Scripts\Common\CL01_Scheduler.cdas
C:\Program Files\WildTangent\LFS\Scripts\Common\CL01_String.cdas
C:\Program Files\WildTangent\LFS\Scripts\Common\CL01_User.cdas
C:\Program Files\WildTangent\LFS\Scripts\Common\DpidLibrary_01.cdas
C:\Program Files\WildTangent\LFS\Scripts\Common\GameDataImmediate.cdas
C:\Program Files\WildTangent\LFS\Scripts\Common\MasterUpdateLibrary_01.cdas
C:\Program Files\WildTangent\LFS\Scripts\Common\UI_HTML.cdas
C:\Program Files\WildTangent\LFS\Scripts\Common\UI_Stub.cdas
C:\Program Files\WildTangent\LFS\Scripts\Common\UrlUpdateList.cdas
C:\Program Files\WildTangent\LFS\Scripts\Downloaded\MasterUpdate.cdas
C:\Program Files\WildTangent\LFS\Scripts\Downloaded\UrlUpdateList.cdas
C:\Program Files\WildTangent\LFS\Scripts\GameData.log
C:\Program Files\WildTangent\LFS\Scripts\Install\CPL_fileList.cdas
C:\Program Files\WildTangent\LFS\Scripts\Install\CPL_uninstall.cdas
C:\Program Files\WildTangent\LFS\Scripts\Install\DMMP_fileList.cdas
C:\Program Files\WildTangent\LFS\Scripts\Install\DMMP_install.cdas
C:\Program Files\WildTangent\LFS\Scripts\Install\DMMP_Uninstall.cdas
C:\Program Files\WildTangent\LFS\Scripts\Install\DRM0302_fileList.cdas
C:\Program Files\WildTangent\LFS\Scripts\Install\DRM0302_install.cdas
C:\Program Files\WildTangent\LFS\Scripts\Install\DRM0302_Uninstall.cdas
C:\Program Files\WildTangent\LFS\Scripts\Install\UI_checkin.cdas
C:\Program Files\WildTangent\LFS\Scripts\Install\Webd331_filelist.cdas
C:\Program Files\WildTangent\LFS\Scripts\Install\Webd331_Uninstall.cdas
C:\Program Files\WildTangent\LFS\Scripts\Install\Webd4_1_1_fileList.cdas
C:\Program Files\WildTangent\LFS\Scripts\Install\Webd4_1_1_install.cdas
C:\Program Files\WildTangent\LFS\Scripts\Install\Webd4_1_1_Uninstall.cdas
C:\Program Files\WildTangent\LFS\Scripts\SystemConfiguration.log
C:\Program Files\WildTangent\LFS\Scripts\Uninstall\DMMP.cdanfo
C:\Program Files\WildTangent\LFS\Scripts\Uninstall\DRM0302.cdanfo
C:\Program Files\WildTangent\LFS\Scripts\Uninstall\Uninstaller.cdas
C:\Program Files\WildTangent\LFS\Scripts\Uninstall\Webd331.cdanfo
C:\Program Files\WildTangent\LFS\Scripts\Uninstall\Webd4_1_1.cdanfo
C:\Program Files\WildTangent\LFS\System\LFSRegistry\Cache.lfs
C:\Program Files\WildTangent\LFS\System\LFSRegistry\Download.lfs
C:\Program Files\WildTangent\LFS\System\LFSRegistry\Games.lfs
C:\Program Files\WildTangent\LFS\System\LFSRegistry\Legacy.lfs
C:\Program Files\WildTangent\LFS\System\LFSRegistry\Notifications.lfs
C:\Program Files\WildTangent\LFS\System\LFSRegistry\System.lfs
C:\Program Files\WildTangent\LFS\System\LFSRegistry\Temp.lfs
C:\Program Files\WildTangent\LFS\System\wt.sto
C:\Program Files\WildTangent\LFS\TaskStore\BGDownloaderLibrary_01.cdas
C:\Program Files\WildTangent\LFS\TaskStore\BGDownloaderListAll.cdaes
C:\Program Files\WildTangent\LFS\TaskStore\BGDownloaderListAll.cdaet
C:\Program Files\WildTangent\LFS\TaskStore\BGDownloaderReload.cdaes
C:\Program Files\WildTangent\LFS\TaskStore\BGDownloaderReload.cdaet
C:\Program Files\WildTangent\LFS\TaskStore\BGDownloaderStop.cdaes
C:\Program Files\WildTangent\LFS\TaskStore\BGDownloaderStop.cdaet
C:\Program Files\WildTangent\LFS\TaskStore\BGDownloaderTriggered.cdaes
C:\Program Files\WildTangent\LFS\TaskStore\BGDownloaderTriggered.cdaet
C:\Program Files\WildTangent\LFS\TaskStore\CreateAppConfig.cdaed
C:\Program Files\WildTangent\LFS\TaskStore\CreateAppConfig.cdaes
C:\Program Files\WildTangent\LFS\TaskStore\CreateAppConfig.cdaet
C:\Program Files\WildTangent\LFS\TaskStore\GameData.cdaed
C:\Program Files\WildTangent\LFS\TaskStore\GameData.cdaes
C:\Program Files\WildTangent\LFS\TaskStore\GameData.cdaet
C:\Program Files\WildTangent\LFS\TaskStore\GameDataNormalTriggered.cdaed
C:\Program Files\WildTangent\LFS\TaskStore\GameDataNormalTriggered.cdaes
C:\Program Files\WildTangent\LFS\TaskStore\GameDataNormalTriggered.cdaet
C:\Program Files\WildTangent\LFS\TaskStore\GameDataTriggered.cdaes
C:\Program Files\WildTangent\LFS\TaskStore\GameDataTriggered.cdaet
C:\Program Files\WildTangent\LFS\TaskStore\ManualUpdate.cdaes
C:\Program Files\WildTangent\LFS\TaskStore\ManualUpdate.cdaet
C:\Program Files\WildTangent\LFS\TaskStore\PersistentUpdateLibrary01.cdas
C:\Program Files\WildTangent\LFS\TaskStore\ShutdownTest.cdaed
C:\Program Files\WildTangent\LFS\TaskStore\ShutdownTest.cdaes
C:\Program Files\WildTangent\LFS\TaskStore\ShutdownTest.cdaet
C:\Program Files\WildTangent\LFS\TaskStore\SystemConfiguration.cdas
C:\Program Files\WildTangent\LFS\TaskStore\UpdateApplicationLibrary01.cdas
C:\Program Files\WildTangent\LFS\TaskStore\updatecda.cdaed
C:\Program Files\WildTangent\LFS\TaskStore\updatecda.cdaes
C:\Program Files\WildTangent\LFS\TaskStore\updatecda.cdaet
C:\Program Files\WildTangent\LFS\TaskStore\verify.cdaed
C:\Program Files\WildTangent\LFS\TaskStore\verify.cdaes
C:\Program Files\WildTangent\LFS\TaskStore\verify.cdaet
C:\Program Files\WildTangent\LFS\TaskStore\WeeklyCDA.cdaed
C:\Program Files\WildTangent\LFS\TaskStore\WeeklyCDA.cdaes
C:\Program Files\WildTangent\LFS\TaskStore\WeeklyCDA.cdaet
C:\VundoFix Backups
C:\WINDOWS\mirar_distro_876260.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
.

2007-12-27 00:23 . 2007-12-28 17:07 180,256 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-27 00:23 . 2007-12-28 16:55 2,972 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-27 00:19 . 2007-12-27 00:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-27 00:19 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-12-27 00:19 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-12-27 00:19 . 2007-12-27 00:21 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-12-27 00:17 . 2007-12-28 16:57 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-12-27 00:17 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-27 00:16 . 2007-12-27 00:16 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-19 13:11 . 2007-12-27 11:31 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\U3
2007-12-18 00:29 . 2007-12-18 00:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-12-17 23:43 . 2004-02-14 14:47 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-17 23:43 . 2004-02-14 14:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-17 23:43 . 2004-02-14 14:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-12-17 23:43 . 2004-02-14 14:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2007-12-17 23:21 . 2007-12-17 23:21 <DIR> d-------- C:\Program Files\IObit
2007-12-16 17:22 . 2007-12-17 12:23 <DIR> d-------- C:\Program Files\New Folder
2007-12-15 12:14 . 2007-12-15 12:14 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2007-12-15 12:14 . 2007-12-15 12:14 741,632 --a------ C:\WINDOWS\system32\slorarmg.dat
2007-12-15 12:14 . 2007-12-15 12:14 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2007-12-15 12:14 . 2007-12-15 12:14 42,240 --a------ C:\WINDOWS\system32\dpbbxotd.dat
2007-12-15 12:14 . 2007-12-15 12:14 36,096 --a------ C:\WINDOWS\system32\klobezip.dat
2007-12-15 12:14 . 2007-12-15 12:14 35,072 --a------ C:\WINDOWS\system32\eqbtnkvc.dat
2007-12-14 12:04 . 2007-12-14 12:04 119,552 --a------ C:\WINDOWS\system32\wetdkyvk.dat
2007-12-09 20:17 . 2007-12-09 20:17 <DIR> d-------- C:\Program Files\ReflexiveArcade
2007-12-03 22:30 . 2007-12-03 22:30 244 --ah----- C:\sqmnoopt04.sqm
2007-12-03 22:30 . 2007-12-03 22:30 232 --ah----- C:\sqmdata04.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-28 05:54 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-26 13:17 --------- d-----w C:\Program Files\Java
2007-12-26 12:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2007-12-17 12:44 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2007-12-17 12:41 --------- d-----w C:\Program Files\Google
2007-12-16 22:20 --------- d-----w C:\Program Files\FrostWire
2007-12-14 01:37 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2007-12-06 08:26 --------- d-----w C:\Program Files\LimeWire
2007-12-03 23:54 --------- d-----w C:\Documents and Settings\Owner\Application Data\FrostWire
2007-11-27 05:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
2007-11-25 07:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-10 11:04 --------- d-----w C:\Program Files\Avanquest update
2007-11-07 07:15 --------- d-----w C:\Program Files\iTunes
2007-11-07 07:14 --------- d-----w C:\Program Files\iPod
2007-11-07 07:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-07 07:07 --------- d-----w C:\Program Files\Common Files\Apple
2007-11-01 05:29 28,256 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys
2007-10-21 12:49 12,290,511 ------w C:\AVG7QT.DAT
2007-06-24 09:19 24,192 -c--a-w C:\Documents and Settings\Owner\usbsermptxp.sys
2007-06-24 09:19 22,768 -c--a-w C:\Documents and Settings\Owner\usbsermpt.sys
2004-07-26 10:36 1,298 -c--a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2004-06-09 06:04 910,552 -c--a-w C:\Program Files\NPSWF32.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- C:\Program Files\NPSWF32.dll ----

Company: Macromedia, Inc.
File Description: Shockwave Flash 7.0 r19
File Version: 7,0,19,0
Product Name: Shockwave Flash
Copyright: Copyright c 1996-2003 Macromedia, Inc.
Original file name: npswf32.dll

- Not a PE file.

- Not a PE file.

---- Directory of C:\Program Files\New Folder ----

2007-09-15 19:58 273527 --a------ C:\Program Files\New Folder\goldminer.swf


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 18:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-10-23 16:55]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 18:56 C:\WINDOWS\system32\rundll32.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-23 16:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

S3 usbsermptxp;Motorola USB Modem Driver for MPT XP;C:\WINDOWS\system32\DRIVERS\usbsermptxp.sys [2007-06-24 20:19]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7ebc976-add7-11dc-b3cf-000ea694e190}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-12-11 23:44:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-15 09:27:53 C:\WINDOWS\Tasks\WebReg Deskjet F2100 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 17:07:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-28 17:08:37
C:\ComboFix2.txt ... 2007-12-27 11:45
.
2007-12-12 05:05:22 --- E O F ---



HJT Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:09:25 PM, on 28/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/au/games9.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/ve...n6/dlhelper.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FC82AF2-37EC-4924-AFAC-0B9521DE717D}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1F6C3A8-ADE1-4532-AB62-67207924FCF1}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{1FC82AF2-37EC-4924-AFAC-0B9521DE717D}: Domain = vic.bigpond.net.au
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://bombersfc.com.au/cp2/c2/webi/image/011511ao.eva

--
End of file - 6852 bytes

I look forward to hearing from you again :thumbsup:

cheers

#10 htv8

Posted 28 December 2007 - 07:58 AM

How's it going mate? [...]

We are making progress. Good job so far! :thumbsup:
Is the computer running better already? Do you experience changes in behaviour?

[...] What sort of flash drive infection was it? [...]

Not easy to say; the tool I let you run targets them.

Question: Have you uninstalled the WildTangent GameChannel (remove only) entry via Add/Remove Programs as instructed in one of my previous posts?
__________________________________________________

Please print out or copy this page to Notepad.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


Step #1
Please go to http://virusscan.jotti.org/ and follow these steps to upload a file and scan it with Jotti's malware scan:
1. Click the Browse... button at the top of the page.
2. Navigate to this file if it is present: C:\WINDOWS\system32\wetdkyvk.dat
3. Click Open.
4. Now click the Submit button (positioned next to the Browse... button) to upload the file.
5. Please be patient as the file will be scanned.
6. Once scanned, copy and paste the results in your next reply.

NOTE: In case Jotti is busy, try VirusTotal.com.

Step #2
Download Deckard's System Scanner (DSS) to your Desktop. NOTE: You must be logged onto an account with administrator privileges.
Download Deckard's System Scanner (dss.exe)

To run the program:
1. Close all programs/windows so that you have nothing open and are at your Desktop.
2. Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
3. Copy (Ctrl + A then Ctrl + C) and paste (Ctrl + V) the contents of main.txt and extra.txt in your next reply. If you have any problems with the logs, both can be found in C:\Deckard\System Scanner.
NOTE: Some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

Step #3
Scan with HijackThis again and post a new HijackThis log please.
__________________________________________________

So in your next reply, please post the entire contents of:
- the Jotti's malware scan/VirusTotal.com scan results
- the DSS reports main.txt + extra.txt
- a new HijackThis log
NOTE: Use several posts if necessary to include everything in the requested logs.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.
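
Step #1 in the post above sends C:\WINDOWS\system32\wetdkyvk.dat for a second-opinion scan. As an added example (not part of the original thread, and not the helper's stated method), this Python script parses ComboFix "Files Created" lines like those posted earlier and lists files with the same shape, together with anything created in the same minute. The heuristic (eight lowercase letters, .dat, directly in system32, created and modified in the same minute) and the names `triage`, `is_candidate` and `SAMPLE` are assumptions; a hit is a candidate for scanning, not a verdict.

```python
import re
from collections import defaultdict
from ntpath import basename, dirname, splitext

# Excerpt of the "Files Created" lines from the ComboFix log posted in this thread.
SAMPLE = r"""
2007-12-27 00:19 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-12-27 00:19 . 2007-12-27 00:21 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-12-17 23:21 . 2007-12-17 23:21 <DIR> d-------- C:\Program Files\IObit
2007-12-15 12:14 . 2007-12-15 12:14 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2007-12-15 12:14 . 2007-12-15 12:14 741,632 --a------ C:\WINDOWS\system32\slorarmg.dat
2007-12-15 12:14 . 2007-12-15 12:14 42,240 --a------ C:\WINDOWS\system32\dpbbxotd.dat
2007-12-14 12:04 . 2007-12-14 12:04 119,552 --a------ C:\WINDOWS\system32\wetdkyvk.dat
"""

# created . modified  size-or-<DIR>  9-char attribute string  full path
LINE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S{9}) (?P<path>[A-Za-z]:\\.+)$"
)
RANDOM_STEM = re.compile(r"^[a-z]{8}$")  # assumed "random-looking" name shape


def parse(log):
    """Yield one dict per well-formed listing line; skip banners and blanks."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groupdict()


def is_candidate(entry):
    """Assumed heuristic: xxxxxxxx.dat directly in system32, never modified since creation."""
    if entry["size"] == "<DIR>":
        return False
    stem, ext = splitext(basename(entry["path"]))
    return (dirname(entry["path"]).lower().endswith(r"\system32")
            and ext.lower() == ".dat"
            and RANDOM_STEM.match(stem) is not None
            and entry["created"] == entry["modified"])


def triage(log):
    """Map each candidate path to the other files created in the same minute."""
    entries = list(parse(log))
    by_minute = defaultdict(list)
    for e in entries:
        if e["size"] != "<DIR>":
            by_minute[e["created"]].append(e["path"])
    return {e["path"]: [p for p in by_minute[e["created"]] if p != e["path"]]
            for e in entries if is_candidate(e)}


if __name__ == "__main__":
    for path, siblings in triage(SAMPLE).items():
        print(path)
        for s in siblings:
            print("    created same minute:", s)
```
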


#11 Bourbon_Slurpie

Posted 30 December 2007 - 04:07 AM

Mate, thanks for your help.

After all that work, clients wanted an upgrade. Gotta' love em.

You're a star, I have one question. Your profile says you're only 18 years old, what are you studying?

#12 htv8

Posted 30 December 2007 - 06:43 AM

Mate, thanks for your help.

You're welcome. :thumbsup:

After all that work, clients wanted an upgrade. Gotta' love em.

An upgrade to what? To Vista? Anyway, in order to keep your computer safe and secure on the Internet in the future, it is not a bad idea to click on this tutorial and follow each step listed here: Simple and easy ways to keep your computer safe and secure on the Internet.

Your profile says you're only 18 years old, what are you studying?

The work I do here at BleepingComputer is what I do in my spare time, simply because I like doing it. In "real life" however--lol--, I am currently doing a sort of biochemistrial study at university (which takes up a lot of time though).

Glad I was able to help and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Do not forget to tell your friends about us.

Edited by htv8, 30 December 2007 - 06:44 AM.


#13 Bourbon_Slurpie

Posted 30 December 2007 - 07:44 AM

Oh nice.

Yeah, they want Vista. Mehh

I'm studying IT Security, minoring in software development hehe.

thanks bud

#14 htv8

Posted 30 December 2007 - 08:44 AM

As the problem here seems to be resolved, this topic is now closed.
To get it reopened, PM a staff member with the address of this thread. This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.

Glad we could help. :thumbsup: