
Outerinfo


  • This topic is locked
23 replies to this topic

#1 sharpie

sharpie

  • Members
  • 702 posts
  • OFFLINE
  •  
  • Location:Nor-Cal
  • Local time:12:11 PM

Posted 23 January 2008 - 02:51 PM

http://www.bleepingcomputer.com/forums/ind...mp;#entry720225

thank you

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:17 AM, on 1/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM .EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkll.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvvow.dll,startup
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM .EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O16 - DPF: {858B4F85-E945-4F0C-AF65-059E0AD9EEC0} (IntraLaunch.MainControl) - file://D:\Interface\IntraLaunch.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6593 bytes



#2 sharpie


Posted 24 January 2008 - 06:34 PM

now my computer is starting to freeze and when i boot up i get a message that says
potential errors found in system
registry errors were found
NT Kernel error 1256
K Mode exception not handled.

this message didn't pop up yesterday and i haven't done anything different

someone please help

#3 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:07:11 PM

Posted 28 January 2008 - 12:07 PM

Hi Sharpie!

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible. I'm in Hijackthis school and Teachers will check my posts.
Sorry that it took us so long to get back to you, but as you can see we're stumped with the amount of logs.

Before we can start, please post a fresh hijackthis log back here.

#4 sharpie


Posted 28 January 2008 - 04:25 PM

i hope this hijackthis will be ok. i am having internet problems with my "infected" computer. right now i am using a different computer on the other side of the house that is using the same "hook ups" for the internet and it is working fine. hopefully if i mess with it for a while it will start to work again, but it wasn't doing this a while ago. i am able to post a hjt log, but what i had to do was paste the log on to microsoft word and then save it on my flash drive. then i had to plug my flash drive in to this computer, open word then paste it in here. :thumbsup:

thank you so much for your help-


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:14:09 PM, on 1/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\a-squared Anti-Malware\a2guard .exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\a-squared Anti-Malware\a2wizard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkll.exe
O2 - BHO: (no name) - {559FEE06-74B3-4EBF-8C62-D9986CBC88CF} - C:\WINDOWS\system32\jkkll.dll
O2 - BHO: (no name) - {89A1E40D-0254-4F99-B9AE-B60A2D8754A9} - C:\WINDOWS\system32\xxyxwut.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\zovnfxtj.dll
O2 - BHO: {a84a6bff-3134-d1f9-af44-af3f13e3e88e} - {e88e3e31-f3fa-44fa-9f1d-4313ffb6a48a} - C:\WINDOWS\system32\fehmtoty.dll (file missing)
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\Helper\Helper9.dll (file missing)
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvvow.dll,startup
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O16 - DPF: {858B4F85-E945-4F0C-AF65-059E0AD9EEC0} (IntraLaunch.MainControl) - file://D:\Interface\IntraLaunch.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winzdn32 - winzdn32.dll (file missing)
O20 - Winlogon Notify: xxyxwut - C:\WINDOWS\SYSTEM32\xxyxwut.dll
O20 - Winlogon Notify: zovnfxtj - C:\WINDOWS\SYSTEM32\zovnfxtj.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\ntxabrdv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7125 bytes

#5 Baabiouz


Posted 30 January 2008 - 09:04 AM

Hi Sharpie!

Step #1
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download SDFix by AndyManchesta and save it to your desktop.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe



Step #2
Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.



Step #3
Please post a Fresh HijackThis log, Sdfix log and Combofix log back here :thumbsup:

#6 sharpie


Posted 30 January 2008 - 08:42 PM

combo fix-

T.Fox - 08-01-30 13:36:40.18 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\T.Fox\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-12-30 to 2008-01-30 ))))))))))))))))))))))))))))))))))


2008-01-30 12:33 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-27 16:13 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-01-26 19:00 502,368 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-01-26 19:00 274,432 --a------ C:\WINDOWS\system32\imon.dll
2008-01-26 19:00 <DIR> d-------- C:\Program Files\ESET
2008-01-25 11:52 87,104 --a------ C:\WINDOWS\system32\cqcslgmf.dll
2008-01-25 11:47 74,304 --a------ C:\WINDOWS\system32\ntxabrdv.exe
2008-01-24 14:49 87,616 --a------ C:\WINDOWS\system32\ygynulqe.dll
2008-01-24 14:49 74,304 --a------ C:\WINDOWS\system32\dvnoyblg.exe
2008-01-23 23:48 76,352 --a------ C:\WINDOWS\system32\rvkhnsrn.dll
2008-01-23 23:45 163,904 --a------ C:\WINDOWS\system32\zovnfxtj.dll
2008-01-23 23:45 163,904 --a------ C:\WINDOWS\system32\slcnhnno.dll
2008-01-22 23:44 8,790 --ahs---- C:\WINDOWS\system32\llkkj.ini2
2008-01-22 23:44 338,432 --a------ C:\WINDOWS\system32\jkkll.exe
2008-01-22 23:44 334,848 --a------ C:\WINDOWS\system32\jkkll.dll
2008-01-22 22:10 26,624 --a------ C:\WINDOWS\lsass .exe
2008-01-22 22:05 <DIR> d-------- C:\Program Files\Wide Angle Software
2008-01-22 21:32 6,822 --ahs---- C:\WINDOWS\system32\dfhkj.ini2
2008-01-22 21:27 39,424 --a------ C:\WINDOWS\system32\xxyxwut.dll
2008-01-22 21:27 38,912 --a------ C:\WINDOWS\system32\khfgecb.dll
2008-01-22 21:27 15,360 --a------ C:\WINDOWS\system32\drvvowr.dll
2008-01-22 21:27 103,936 --a------ C:\WINDOWS\system32\drvvow.dll
2008-01-22 21:27 <DIR> d-------- C:\Program Files\Outerinfo
2008-01-21 22:33 <DIR> d-------- C:\WINDOWS\Minidump
2008-01-03 13:23 <DIR> d-------- C:\fixwareout


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2008-01-29 07:40 -------- d-------- C:\Program Files\LimeWire
2008-01-26 19:52 334848 --a------ C:\WINDOWS\system32\jkkll.Vdll
2008-01-26 18:52 -------- d-------- C:\Program Files\Mozilla Firefox
2008-01-25 14:34 -------- d-------- C:\Program Files\ewido anti-malware
2008-01-24 14:47 -------- d-------- C:\Program Files\QuickTime
2008-01-24 14:47 -------- d-------- C:\Program Files\Microsoft ActiveSync
2008-01-22 23:33 -------- d-------- C:\Program Files\Winamp
2008-01-22 23:32 -------- d-------- C:\Program Files\iTunes
2008-01-22 22:00 -------- d-------- C:\Program Files\Eraser
2007-12-27 14:13 -------- d-------- C:\Program Files\SUPERAntiSpyware
2007-12-12 03:01 -------- d-------- C:\Program Files\Internet Explorer
2007-11-13 03:31 60416 --a------ C:\WINDOWS\system32\tzchange.exe
2007-11-07 01:26 721920 --a------ C:\WINDOWS\system32\lsasrv.dll
2007-10-21 18:29 61678 --a------ C:\Documents and Settings\T.Fox\Application Data\PFP110JPR.{PB
2007-10-21 18:29 12358 --a------ C:\Documents and Settings\T.Fox\Application Data\PFP110JCM.{PB


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"a-squared"="\"C:\\Program Files\\a-squared Anti-Malware\\a2guard.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\optionalcomponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\optionalcomponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\optionalcomponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\optionalcomponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
"{89A1E40D-0254-4F99-B9AE-B60A2D8754A9}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzdn32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyxwut
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\zovnfxtj

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 08-01-30 13:45:41.59
C:\ComboFix.txt ... 08-01-30 13:45
C:\ComboFix2.txt ... 08-01-24 16:42
C:\ComboFix3.txt ... 08-01-10 17:18


sdfix log-


SDFix: Version 1.133

Run by T.Fox on Wed 01/30/2008 at 12:37 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\T.Fox\Desktop\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\Program Files\lsass.exe - Deleted



Folder C:\Program Files\Helper - Removed


Removing Temp Files...

ADS Check:




Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 13:03:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:*:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:*:Enabled:ActiveSync Application"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\p2pnetworks\\p2pnetworks.exe"="C:\\Program Files\\p2pnetworks\\p2pnetworks.exe:*:Enabled:P2PNetworks"
"C:\\Documents and Settings\\T.Fox\\Desktop\\SUPERSCAN 0.4.0\\SuperScan4.exe"="C:\\Documents and Settings\\T.Fox\\Desktop\\SUPERSCAN 0.4.0\\SuperScan4.exe:*:Enabled:SuperScan 4 Beta 1"
"C:\\Documents and Settings\\T.Fox\\Desktop\\kazaa.exe"="C:\\Documents and Settings\\T.Fox\\Desktop\\kazaa.exe:*:Enabled:Kazaa"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Disabled:Kodak Software Updater"
"C:\\Program Files\\Yahoo! Games\\Alien Shooter\\AlienShooter.exe"="C:\\Program Files\\Yahoo! Games\\Alien Shooter\\AlienShooter.exe:*:Enabled:AlienShooter Application"
"C:\\Documents and Settings\\T.Fox\\Desktop\\AdventNet_SecureCentral_ScanFi_Windows\\AdventNet\\ScanFi\\jre\\bin\\java.exe"="C:\\Documents and Settings\\T.Fox\\Desktop\\AdventNet_SecureCentral_ScanFi_Windows\\AdventNet\\ScanFi\\jre\\bin\\java.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\Documents and Settings\\T.Fox\\Desktop\\AdventNet_SecureCentral_ScanFi_Windows\\AdventNet\\ScanFi\\mysql\\bin\\mysqld-nt.exe"="C:\\Documents and Settings\\T.Fox\\Desktop\\AdventNet_SecureCentral_ScanFi_Windows\\AdventNet\\ScanFi\\mysql\\bin\\mysqld-nt.exe:*:Enabled:mysqld-nt"
"C:\\Program Files\\MSGTAG\\MSGTAG.exe"="C:\\Program Files\\MSGTAG\\MSGTAG.exe:*:Enabled:MSGTAG"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Disabled:LEXPPS.EXE"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\dvnoyblg.exe"="C:\\WINDOWS\\system32\\dvn"
"C:\\WINDOWS\\system32\\ntxabrdv.exe"="C:\\WINDOWS\\system32\\ntx"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"

Remaining Files:
---------------

File Backups: - C:\DOCUME~1\T.Fox\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes:

Thu 17 May 2007 56 ..SHR --- "C:\WINDOWS\system32\87A6E61C42.sys"
Thu 17 May 2007 2,516 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Mon 21 Nov 2005 435,896 A.SH. --- "C:\WINDOWS\system32\kjjlm.tmp"
Wed 21 Dec 2005 399,559 A.SH. --- "C:\WINDOWS\system32\kjjlm.bak2"
Mon 19 Dec 2005 395,002 A.SH. --- "C:\WINDOWS\system32\kjjlm.bak1"
Wed 30 Jan 2008 22,236 A.SH. --- "C:\WINDOWS\system32\zovnfxtj.dllbox"
Mon 6 Feb 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 22 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT31.tmp"
Sat 7 Apr 2007 21,504 ...H. --- "C:\Documents and Settings\T.Fox\Application Data\Microsoft\Word\~WRL0003.tmp"
Sun 7 Aug 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Sun 7 Aug 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Sun 7 Aug 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Fri 23 Sep 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"

Finished!


and

hkt log-



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:29:25 PM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {89A1E40D-0254-4F99-B9AE-B60A2D8754A9} - C:\WINDOWS\system32\xxyxwut.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\zovnfxtj.dll
O2 - BHO: (no name) - {B7193C3C-FBF3-41DA-81D5-E3A34EEFCEFE} - C:\WINDOWS\system32\jkkll.dll
O2 - BHO: {a84a6bff-3134-d1f9-af44-af3f13e3e88e} - {e88e3e31-f3fa-44fa-9f1d-4313ffb6a48a} - C:\WINDOWS\system32\fehmtoty.dll (file missing)
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O16 - DPF: {858B4F85-E945-4F0C-AF65-059E0AD9EEC0} (IntraLaunch.MainControl) - file://D:\Interface\IntraLaunch.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winzdn32 - winzdn32.dll (file missing)
O20 - Winlogon Notify: xxyxwut - C:\WINDOWS\SYSTEM32\xxyxwut.dll
O20 - Winlogon Notify: zovnfxtj - C:\WINDOWS\SYSTEM32\zovnfxtj.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\ntxabrdv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6712 byte


Thanks. It is still acting weird. What else can I do?

#7 sharpie

sharpie
  • Topic Starter

  • Members
  • 702 posts
  • Location:Nor-Cal
  • Local time:12:11 PM

Posted 31 January 2008 - 11:18 PM

I hope you guys didn't forget about me? I will not have internet access Friday >>> Tuesday, so please don't close this topic; I still need help.

-Thank you

Edited by sharpie, 31 January 2008 - 11:19 PM.


#8 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland
  • Local time:07:11 PM

Posted 05 February 2008 - 02:24 AM

Hi!

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible.
Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.


Step #1
Please open HiJackThis and choose Do a system scan only. Check the boxes next to ONLY the entries listed below:

O2 - BHO: (no name) - {89A1E40D-0254-4F99-B9AE-B60A2D8754A9} - C:\WINDOWS\system32\xxyxwut.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\zovnfxtj.dll
O2 - BHO: (no name) - {B7193C3C-FBF3-41DA-81D5-E3A34EEFCEFE} - C:\WINDOWS\system32\jkkll.dll
O2 - BHO: {a84a6bff-3134-d1f9-af44-af3f13e3e88e} - {e88e3e31-f3fa-44fa-9f1d-4313ffb6a48a} - C:\WINDOWS\system32\fehmtoty.dll (file missing)
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: winzdn32 - winzdn32.dll (file missing)
O20 - Winlogon Notify: xxyxwut - C:\WINDOWS\SYSTEM32\xxyxwut.dll
O20 - Winlogon Notify: zovnfxtj - C:\WINDOWS\SYSTEM32\zovnfxtj.dll


Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

Step #2
Please click on Start > Control Panel > Add/Remove Programs and uninstall the following programs (if present):

Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
Zolero
Tizzletalk
MediaTickets
Cowabanga


Please note any other programs that you don't recognize in that list in your next response.

Step #3
Please click your Start button then Click on Run and type in the following without the quotes: "notepad" Then copy (Ctrl C) and paste (Ctrl V) the following text in the codebox,
File::
C:\WINDOWS\system32\cqcslgmf.dll
C:\WINDOWS\system32\ntxabrdv.exe
C:\WINDOWS\system32\ygynulqe.dll
C:\WINDOWS\system32\dvnoyblg.exe
C:\WINDOWS\system32\rvkhnsrn.dll
C:\WINDOWS\system32\zovnfxtj.dll
C:\WINDOWS\system32\slcnhnno.dll
C:\WINDOWS\system32\llkkj.ini2
C:\WINDOWS\system32\jkkll.exe
C:\WINDOWS\system32\jkkll.dll
C:\WINDOWS\system32\dfhkj.ini2
C:\WINDOWS\system32\xxyxwut.dll
C:\WINDOWS\system32\khfgecb.dll
C:\WINDOWS\system32\drvvowr.dll
C:\WINDOWS\system32\drvvow.dll
C:\WINDOWS\system32\jkkll.Vdll
C:\WINDOWS\system32\kjjlm.tmp
C:\WINDOWS\system32\kjjlm.bak2
C:\WINDOWS\system32\kjjlm.bak1
C:\WINDOWS\system32\zovnfxtj.dllbox

Folder::
C:\Program Files\Outerinfo

Driver::
DomainService
MSControlService

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\dvnoyblg.exe"=-
"C:\\WINDOWS\\system32\\ntxabrdv.exe"=-

RenV::
C:\WINDOWS\lsass .exe


Save this as CFScript.txt

Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Step #4
Please do the following...

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
This program is for XP and Windows 2000 only!

Do not run it yet.


Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
AVG Anti-Spyware
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update AVG antispyware.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
Once in Safe Mode:

Double-click ATF Cleaner.exe to open it.

Under Main select the following:
  • Windows Temp
  • Current User Temp
  • All Users Temp
  • Temporary Internet Files
  • Prefetch
  • Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Click Exit on the Main menu to close the program.

Still in Safe Mode

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Do not automatically generate reports and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Posted Image
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot back into Normal Mode, and post a new HJT log, along with the AVG Anti-Spyware log.

Step #5
Please post a fresh HijackThis log, Combofix log and AVG Anti-Spyware results back here :thumbsup:

Edited by Baabiouz, 05 February 2008 - 02:24 AM.
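The entries picked out in Step #1 and the two services listed under Driver:: in Step #3 share a few visible traits in the HijackThis log. The following is an added example, not part of the original post and not the helper's or HijackThis's own logic: a small triage script over lines copied from the log above. The four heuristics it applies are assumptions chosen for illustration, and a hit is a prompt for review, not a verdict.

```python
from collections import defaultdict

# Subset of lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {89A1E40D-0254-4F99-B9AE-B60A2D8754A9} - C:\WINDOWS\system32\xxyxwut.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\zovnfxtj.dll
O2 - BHO: (no name) - {B7193C3C-FBF3-41DA-81D5-E3A34EEFCEFE} - C:\WINDOWS\system32\jkkll.dll
O2 - BHO: {a84a6bff-3134-d1f9-af44-af3f13e3e88e} - {e88e3e31-f3fa-44fa-9f1d-4313ffb6a48a} - C:\WINDOWS\system32\fehmtoty.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winzdn32 - winzdn32.dll (file missing)
O20 - Winlogon Notify: xxyxwut - C:\WINDOWS\SYSTEM32\xxyxwut.dll
O20 - Winlogon Notify: zovnfxtj - C:\WINDOWS\SYSTEM32\zovnfxtj.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\ntxabrdv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
"""

# Line prefix -> (entry kind, number of " - " separators after the prefix).
PREFIXES = {
    "O2 - BHO: ": ("BHO", 2),                          # name - {CLSID} - path
    "O20 - Winlogon Notify: ": ("Winlogon Notify", 1),  # name - path
    "O23 - Service: ": ("Service", 2),                  # display name - owner - path
}
MISSING = " (file missing)"


def parse_line(line):
    """Split one O2/O20/O23 line into its fields; return None for other lines."""
    for prefix, (kind, splits) in PREFIXES.items():
        if not line.startswith(prefix):
            continue
        # Split from the right so a " - " inside the display name is harmless.
        fields = line[len(prefix):].rsplit(" - ", splits)
        if len(fields) != splits + 1:
            return None
        path = fields[-1]
        missing = path.endswith(MISSING)
        if missing:
            path = path[: -len(MISSING)]
        return {
            "kind": kind,
            "name": fields[0],
            "middle": fields[1] if splits == 2 else "",  # CLSID or service owner
            "path": path,
            "missing": missing,
        }
    return None


def triage(log_text):
    """Return {(kind, name, path): [reasons]} for entries worth a closer look."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]

    # Which kinds of autostart point load each module (paths compared
    # case-insensitively, as the log mixes system32 and SYSTEM32).
    loaders = defaultdict(set)
    for e in entries:
        if not e["missing"]:
            loaders[e["path"].lower()].add(e["kind"])

    findings = {}
    for e in entries:
        reasons = []
        if e["missing"]:
            reasons.append("registered target no longer exists on disk")
        if e["kind"] == "BHO" and e["name"] == "(no name)":
            reasons.append("browser helper object registered without a name")
        if e["kind"] == "Service" and e["middle"] == "Unknown owner":
            reasons.append("service binary carries no vendor information")
        if len(loaders.get(e["path"].lower(), ())) > 1:
            reasons.append("same module is loaded from more than one autostart point")
        if reasons:
            findings[(e["kind"], e["name"], e["path"])] = reasons
    return findings


if __name__ == "__main__":
    for (kind, name, path), reasons in triage(SAMPLE_LOG).items():
        print(f"{kind}: {name} -> {path}")
        for reason in reasons:
            print(f"    - {reason}")
```

On these lines the script flags the O2 and O20 entries from Step #1 plus the DomainService and MSControlService entries, and leaves the SUPERAntiSpyware, a-squared, AVG and Lexmark entries alone; the O17 NameServer lines from Step #1 are outside what it parses.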

#9 sharpie

sharpie
  • Topic Starter

  • Members
  • 702 posts
  • Location:Nor-Cal
  • Local time:12:11 PM

Posted 08 February 2008 - 09:00 PM

sorry it took so long, but here is the new combo fix log.

T.Fox - 08-02-08 17:47:03.34 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\"
Command switches used :: "C:\Documents and Settings\T.Fox\Desktop\SDFIX.EXE-1B21BC24.pf"

((((((((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 ))))))))))))))))))))))))))))))))))


2008-01-31 22:16 8,576 --a------ C:\WINDOWS\system32\drivers\cnnwtmvlrqki.sys
2008-01-31 22:11 8,576 --a------ C:\WINDOWS\system32\drivers\RkPavProc.sys
2008-01-31 21:30 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-30 12:33 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-27 16:13 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-01-26 19:00 502,368 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-01-26 19:00 274,432 --a------ C:\WINDOWS\system32\imon.dll
2008-01-26 19:00 <DIR> d-------- C:\Program Files\ESET
2008-01-25 11:52 87,104 --a------ C:\WINDOWS\system32\cqcslgmf.dll
2008-01-25 11:47 74,304 --a------ C:\WINDOWS\system32\ntxabrdv.exe
2008-01-24 14:49 87,616 --a------ C:\WINDOWS\system32\ygynulqe.dll
2008-01-24 14:49 74,304 --a------ C:\WINDOWS\system32\dvnoyblg.exe
2008-01-23 23:48 76,352 --a------ C:\WINDOWS\system32\rvkhnsrn.dll
2008-01-23 23:45 163,904 --a------ C:\WINDOWS\system32\zovnfxtj.dll
2008-01-23 23:45 163,904 --a------ C:\WINDOWS\system32\slcnhnno.dll
2008-01-22 23:44 338,432 --a------ C:\WINDOWS\system32\jkkll.exe
2008-01-22 23:44 334,848 --a------ C:\WINDOWS\system32\jkkll.dll
2008-01-22 23:44 284,779 --ahs---- C:\WINDOWS\system32\llkkj.ini2
2008-01-22 22:10 26,624 --a------ C:\WINDOWS\lsass .exe
2008-01-22 22:05 <DIR> d-------- C:\Program Files\Wide Angle Software
2008-01-22 21:32 6,822 --ahs---- C:\WINDOWS\system32\dfhkj.ini2
2008-01-22 21:27 39,424 --a------ C:\WINDOWS\system32\xxyxwut.dll
2008-01-22 21:27 38,912 --a------ C:\WINDOWS\system32\khfgecb.dll
2008-01-22 21:27 15,360 --a------ C:\WINDOWS\system32\drvvowr.dll
2008-01-22 21:27 103,936 --a------ C:\WINDOWS\system32\drvvow.dll
2008-01-22 21:27 <DIR> d-------- C:\Program Files\Outerinfo
2008-01-21 22:33 <DIR> d-------- C:\WINDOWS\Minidump


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2008-01-31 22:44 -------- d-------- C:\Program Files\Mozilla Firefox
2008-01-31 22:35 -------- d-------- C:\Program Files\ewido anti-malware
2008-01-31 22:29 -------- d-------- C:\Program Files\Internet Explorer
2008-01-29 07:40 -------- d-------- C:\Program Files\LimeWire
2008-01-26 19:52 334848 --a------ C:\WINDOWS\system32\jkkll.Vdll
2008-01-24 14:47 -------- d-------- C:\Program Files\QuickTime
2008-01-24 14:47 -------- d-------- C:\Program Files\Microsoft ActiveSync
2008-01-22 23:33 -------- d-------- C:\Program Files\Winamp
2008-01-22 23:32 -------- d-------- C:\Program Files\iTunes
2008-01-22 22:00 -------- d-------- C:\Program Files\Eraser
2007-12-27 14:13 -------- d-------- C:\Program Files\SUPERAntiSpyware
2007-11-13 03:31 60416 --a------ C:\WINDOWS\system32\tzchange.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"a-squared"="\"C:\\Program Files\\a-squared Anti-Malware\\a2guard.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\optionalcomponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\optionalcomponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\optionalcomponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\optionalcomponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
"{89A1E40D-0254-4F99-B9AE-B60A2D8754A9}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzdn32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyxwut
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\zovnfxtj

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 08-02-08 17:57:33.95
C:\ComboFix.txt ... 08-02-08 17:57
C:\ComboFix2.txt ... 08-01-30 13:45
C:\ComboFix3.txt ... 08-01-24 16:42

#10 sharpie

sharpie
  • Topic Starter

  • Members
  • 702 posts
  • Location:Nor-Cal
  • Local time:12:11 PM

Posted 08 February 2008 - 09:19 PM

Thank you for your help, but I am having a few problems. When I try to click on some things like Control Panel, My Computer etc., they won't open. I double-clicked many times and waited a long time after each time, but they still won't open. I have tried restarting the computer and they still won't open. Also, I downloaded the new AVG and it is not opening because there was an error. I had the older version of AVG on my computer and that too won't open because of an error (this has been happening for a long time with my old AVG; that is why I stopped using it).

Thank you

#11 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:07:11 PM

Posted 09 February 2008 - 07:40 AM

Hi Sharpie!

The Combofix script didn't work. Please do Step #3 again, and at Step #4 use this Kaspersky Online scanner:

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

#12 sharpie

sharpie
  • Topic Starter

  • Members
  • 702 posts
  • OFFLINE
  •  
  • Location:Nor-Cal
  • Local time:12:11 PM

Posted 09 February 2008 - 03:48 PM

ok i did it again and i hope this works

T.Fox - 08-02-09 12:29:01.17 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Program Files\Common Files\System\MAPI\1033\nt"
Command switches used :: "C:\Documents and Settings\T.Fox\Desktop\CFScript.txt"

((((((((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 ))))))))))))))))))))))))))))))))))


2008-02-08 18:10 <DIR> d-------- C:\Documents and Settings\T.Fox\Application Data\Grisoft
2008-02-08 18:09 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-31 22:16 8,576 --a------ C:\WINDOWS\system32\drivers\cnnwtmvlrqki.sys
2008-01-31 22:11 8,576 --a------ C:\WINDOWS\system32\drivers\RkPavProc.sys
2008-01-31 21:30 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-30 12:33 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-27 16:13 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-01-26 19:00 502,368 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-01-26 19:00 274,432 --a------ C:\WINDOWS\system32\imon.dll
2008-01-26 19:00 <DIR> d-------- C:\Program Files\ESET
2008-01-25 11:52 87,104 --a------ C:\WINDOWS\system32\cqcslgmf.dll
2008-01-25 11:47 74,304 --a------ C:\WINDOWS\system32\ntxabrdv.exe
2008-01-24 14:49 87,616 --a------ C:\WINDOWS\system32\ygynulqe.dll
2008-01-24 14:49 74,304 --a------ C:\WINDOWS\system32\dvnoyblg.exe
2008-01-23 23:48 76,352 --a------ C:\WINDOWS\system32\rvkhnsrn.dll
2008-01-23 23:45 163,904 --a------ C:\WINDOWS\system32\zovnfxtj.dll
2008-01-23 23:45 163,904 --a------ C:\WINDOWS\system32\slcnhnno.dll
2008-01-22 23:44 338,432 --a------ C:\WINDOWS\system32\jkkll.exe
2008-01-22 23:44 334,848 --a------ C:\WINDOWS\system32\jkkll.dll
2008-01-22 23:44 287,454 --ahs---- C:\WINDOWS\system32\llkkj.ini2
2008-01-22 22:10 26,624 --a------ C:\WINDOWS\lsass .exe
2008-01-22 22:05 <DIR> d-------- C:\Program Files\Wide Angle Software
2008-01-22 21:32 6,822 --ahs---- C:\WINDOWS\system32\dfhkj.ini2
2008-01-22 21:27 39,424 --a------ C:\WINDOWS\system32\xxyxwut.dll
2008-01-22 21:27 38,912 --a------ C:\WINDOWS\system32\khfgecb.dll
2008-01-22 21:27 15,360 --a------ C:\WINDOWS\system32\drvvowr.dll
2008-01-22 21:27 103,936 --a------ C:\WINDOWS\system32\drvvow.dll
2008-01-22 21:27 <DIR> d-------- C:\Program Files\Outerinfo
2008-01-21 22:33 <DIR> d-------- C:\WINDOWS\Minidump


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2008-02-08 18:09 -------- d-------- C:\Program Files\Grisoft
2008-01-31 22:44 -------- d-------- C:\Program Files\Mozilla Firefox
2008-01-31 22:35 -------- d-------- C:\Program Files\ewido anti-malware
2008-01-31 22:29 -------- d-------- C:\Program Files\Internet Explorer
2008-01-29 07:40 -------- d-------- C:\Program Files\LimeWire
2008-01-26 19:59 -------- d-------- C:\Documents and Settings\T.Fox\Application Data\wsInspector
2008-01-26 19:52 334848 --a------ C:\WINDOWS\system32\jkkll.Vdll
2008-01-25 14:31 -------- d-------- C:\Documents and Settings\T.Fox\Application Data\AVG7
2008-01-24 14:47 -------- d-------- C:\Program Files\QuickTime
2008-01-24 14:47 -------- d-------- C:\Program Files\Microsoft ActiveSync
2008-01-22 23:33 -------- d-------- C:\Program Files\Winamp
2008-01-22 23:32 -------- d-------- C:\Program Files\iTunes
2008-01-22 22:00 -------- d-------- C:\Program Files\Eraser
2007-12-27 14:13 -------- d-------- C:\Program Files\SUPERAntiSpyware
2007-11-13 03:31 60416 --a------ C:\WINDOWS\system32\tzchange.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"a-squared"="\"C:\\Program Files\\a-squared Anti-Malware\\a2guard.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\optionalcomponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\optionalcomponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\optionalcomponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\optionalcomponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
"{89A1E40D-0254-4F99-B9AE-B60A2D8754A9}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzdn32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyxwut
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\zovnfxtj

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 08-02-09 12:40:25.51
C:\ComboFix.txt ... 08-02-09 12:40
C:\ComboFix2.txt ... 08-02-08 17:57
C:\ComboFix3.txt ... 08-01-30 13:45

#13 sharpie

Posted 09 February 2008 - 09:51 PM

KASPERSKY ONLINE SCANNER REPORT
Saturday, February 09, 2008 6:41:21 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/02/2008
Kaspersky Anti-Virus database records: 555870


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\
G:\

Scan Statistics
Total number of scanned objects 98170
Number of viruses found 32
Number of infected objects 75
Number of suspicious objects 0
Duration of the scan process 04:59:21

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch.zip/MWSBAR.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.p skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch1.zip/MWSSRCAS.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ai skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch1.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch19.zip/bar/1.bin/F3CJPEG.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.d skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch19.zip/bar/1.bin/F3DTACTL.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.z skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch19.zip/bar/1.bin/F3HISTSW.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch19.zip/bar/1.bin/F3HTMLMU.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch19.zip/bar/1.bin/F3HTTPCT.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch19.zip/bar/1.bin/F3POPSWT.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch19.zip/bar/1.bin/F3PSSAVR.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch19.zip/bar/1.bin/F3REPROX.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.v skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch19.zip/bar/1.bin/F3RESTUB.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch19.zip/bar/1.bin/F3SCHMON.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch19.zip/bar/1.bin/F3SCRCTR.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch19.zip/bar/1.bin/F3WPHOOK.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch19.zip/bar/1.bin/M3HTML.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.f skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch19.zip/bar/1.bin/M3IDLE.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch19.zip/bar/1.bin/M3OUTLCN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch19.zip/bar/1.bin/M3PLUGIN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.t skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch19.zip/bar/1.bin/M3SKIN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch19.zip/bar/1.bin/mwsoemon.ex$ Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch19.zip/bar/1.bin/MWSOEPLG.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch19.zip/bar/1.bin/MWSOESTB.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch19.zip/bar/1.bin/NPMYWEBS.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch19.zip ZIP: infected - 21 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch53.zip/bar/1.bin/MWSOEMON.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch53.zip/bar/1.bin/MWSOESTB.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch53.zip/bar/3.bin/F3DTACTL.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.al skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch53.zip/bar/3.bin/F3HISTSW.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch53.zip/bar/3.bin/F3HTMLMU.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch53.zip/bar/3.bin/F3POPSWT.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch53.zip/bar/3.bin/F3SCHMON.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch53.zip/bar/3.bin/F3SCRCTR.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch53.zip/bar/3.bin/F3SHLLVW.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch53.zip/bar/3.bin/F3WPHOOK.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch53.zip/bar/3.bin/M3HTML.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.f skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch53.zip/bar/3.bin/M3OUTLCN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch53.zip/bar/3.bin/M3PLUGIN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch53.zip/bar/3.bin/MWSBAR.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch53.zip/bar/3.bin/MWSOEMON.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch53.zip/bar/3.bin/MWSOEPLG.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.q skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch53.zip/bar/3.bin/MWSOESTB.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch53.zip/SrchAstt/3.bin/MWSSRCAS.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch53.zip ZIP: infected - 18 skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\T.Fox\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\T.Fox\Desktop\Logons\80720.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.OneStep.c skipped

C:\Documents and Settings\T.Fox\Desktop\Logons\80720.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.Relevant.a skipped

C:\Documents and Settings\T.Fox\Desktop\Logons\80720.exe/WISE0020.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped

C:\Documents and Settings\T.Fox\Desktop\Logons\80720.exe WiseSFX: infected - 3 skipped

C:\Documents and Settings\T.Fox\Desktop\Logons\80720.exe WiseSFXDropper: infected - 3 skipped

C:\Documents and Settings\T.Fox\Desktop\Logons\anarchey.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.OneStep.c skipped

C:\Documents and Settings\T.Fox\Desktop\Logons\anarchey.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.Relevant.a skipped

C:\Documents and Settings\T.Fox\Desktop\Logons\anarchey.exe/WISE0020.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped

C:\Documents and Settings\T.Fox\Desktop\Logons\anarchey.exe WiseSFX: infected - 3 skipped

C:\Documents and Settings\T.Fox\Desktop\Logons\anarchey.exe WiseSFXDropper: infected - 3 skipped

C:\Documents and Settings\T.Fox\Desktop\SDFix\backups\backups.zip/backups/lsass.exe Infected: Trojan-Downloader.Win32.Alphabet.cc skipped

C:\Documents and Settings\T.Fox\Desktop\SDFix\backups\backups.zip ZIP: infected - 1 skipped

C:\Documents and Settings\T.Fox\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\T.Fox\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\T.Fox\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\T.Fox\Local Settings\Temp\Perflib_Perfdata_a2c.dat Object is locked skipped

C:\Documents and Settings\T.Fox\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped


C:\Documents and Settings\T.Fox\My Documents\pos36C3.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36C4.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36C5.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36C6.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36C7.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36C8.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36C9.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36CA.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36CB.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36CC.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36CD.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36CE.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36CF.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36D0.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36D1.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36D2.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36D3.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36D4.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36D5.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36D6.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36D7.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36D8.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36D9.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36DA.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36DB.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36DC.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36DD.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36DE.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36DF.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36E0.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36E1.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36E2.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36E3.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36E4.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36E5.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36E6.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36E7.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36E8.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36E9.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36EA.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36EB.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36EC.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36ED.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36EE.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36EF.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36F0.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36F1.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36F2.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36F3.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36F4.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36F5.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36F6.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36F7.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36F8.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36F9.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36FA.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36FB.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36FC.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36FD.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36FE.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos36FF.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3700.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3701.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3702.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3703.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3704.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3705.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3706.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3707.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3708.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3709.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos370A.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos370B.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos370C.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos370D.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos370E.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos370F.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3710.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3711.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3712.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3713.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3714.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3715.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3716.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3717.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3718.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3719.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos371A.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos371B.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos371C.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos371D.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos371E.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos371F.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3720.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3721.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3722.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3723.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3724.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3725.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3726.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3727.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3728.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3729.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos372A.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos372B.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos372C.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos372D.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos372E.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos372F.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3730.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3731.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3732.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3733.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3734.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3735.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3736.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3737.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3738.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3739.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos373A.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos373B.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos373C.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos373D.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos373E.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos373F.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3740.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3741.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3742.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3743.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3744.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3745.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3746.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3747.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3748.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3749.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos374A.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos374B.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos374C.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos374D.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos374E.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos374F.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3750.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3751.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3752.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3753.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3754.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3755.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3756.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3757.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3758.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3759.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos375A.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos375B.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos375C.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos375D.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos375E.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos375F.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3760.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3761.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3762.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3763.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3764.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3765.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3766.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3767.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3768.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3769.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos376A.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos376B.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos376C.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos376D.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos376E.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos376F.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3770.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3771.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3772.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3773.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3774.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3775.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3776.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3777.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3778.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3779.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos377A.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos377B.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos377C.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos377D.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos377E.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos377F.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3780.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3781.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3782.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3783.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3784.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3785.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3786.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3787.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3788.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3789.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos378A.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos378B.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos378C.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos378D.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos378E.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos378F.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3790.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3791.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3792.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3793.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3794.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3795.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3796.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3797.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3798.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos3799.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos379A.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos379B.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos379C.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos379D.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos379E.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos379F.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37A0.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37A1.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37A2.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37A3.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37A4.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37A5.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37A6.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37A7.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37A8.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37A9.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37AA.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37AB.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37AC.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37AD.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37AE.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37AF.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37B0.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37B1.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37B2.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37B3.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37B4.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37B5.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37B6.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37B7.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37B8.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37B9.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37BA.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37BB.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37BC.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37BD.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37BE.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37BF.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37C0.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37C1.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37C2.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37C3.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37C4.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37C5.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37C6.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37C7.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37C8.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37C9.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37CA.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37CB.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37CC.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37CD.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37CE.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37CF.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37D0.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37D1.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37D2.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37D3.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37D4.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37D5.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37D6.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37D7.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37D8.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37D9.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37DA.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37DB.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37DC.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37DD.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37DE.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37DF.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37E0.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37E1.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37E2.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37E3.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37E4.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37E5.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37E6.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37E7.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37E8.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37E9.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37EA.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37EB.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37EC.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37ED.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37EE.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37EF.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37F0.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37F1.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37F2.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37F3.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37F4.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37F5.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37F6.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37F7.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\My Documents\pos37F8.tmp Object is locked skipped

C:\Documents and Settings\T.Fox\ntuser.dat Object is locked skipped

C:\Documents and Settings\T.Fox\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\T.Fox\Shared\by the time i get to arizona.wm Infected: Trojan-Downloader.WMA.Wimad.m skipped

C:\Documents and Settings\T.Fox\Shared\concerto for 2 violins.wm Infected: Trojan-Downloader.WMA.Wimad.m skipped


C:\pos349F.tmp Object is locked skipped

C:\pos34A0.tmp Object is locked skipped

C:\pos34A1.tmp Object is locked skipped

C:\pos34A2.tmp Object is locked skipped

C:\pos34A3.tmp Object is locked skipped

C:\pos34A4.tmp Object is locked skipped

C:\pos34A5.tmp Object is locked skipped

C:\pos34A6.tmp Object is locked skipped

C:\pos34A7.tmp Object is locked skipped

C:\pos34A8.tmp Object is locked skipped

C:\pos34A9.tmp Object is locked skipped

C:\pos34AA.tmp Object is locked skipped

C:\pos34AB.tmp Object is locked skipped

C:\pos34AC.tmp Object is locked skipped

C:\pos34AD.tmp Object is locked skipped

C:\pos34AE.tmp Object is locked skipped

C:\pos34AF.tmp Object is locked skipped

C:\pos34B0.tmp Object is locked skipped

C:\pos34B1.tmp Object is locked skipped

C:\pos34B2.tmp Object is locked skipped

C:\pos34B3.tmp Object is locked skipped

C:\pos34B4.tmp Object is locked skipped

C:\pos34B5.tmp Object is locked skipped

C:\pos34B6.tmp Object is locked skipped

C:\pos34B7.tmp Object is locked skipped

C:\pos34B8.tmp Object is locked skipped

C:\pos34B9.tmp Object is locked skipped

C:\pos34BA.tmp Object is locked skipped

C:\pos34BB.tmp Object is locked skipped

C:\pos34BC.tmp Object is locked skipped

C:\pos34BD.tmp Object is locked skipped

C:\pos34BE.tmp Object is locked skipped

C:\pos34BF.tmp Object is locked skipped

C:\pos34C0.tmp Object is locked skipped

C:\pos34C1.tmp Object is locked skipped

C:\pos34C2.tmp Object is locked skipped

C:\pos34C3.tmp Object is locked skipped

C:\pos34C4.tmp Object is locked skipped

C:\pos34C5.tmp Object is locked skipped

C:\pos34C6.tmp Object is locked skipped

C:\pos34C7.tmp Object is locked skipped

C:\pos34C8.tmp Object is locked skipped

C:\pos34C9.tmp Object is locked skipped

C:\pos34CA.tmp Object is locked skipped

C:\pos34CB.tmp Object is locked skipped

C:\pos34CC.tmp Object is locked skipped

C:\pos34CD.tmp Object is locked skipped

C:\pos34CE.tmp Object is locked skipped

C:\pos34CF.tmp Object is locked skipped

C:\pos34D0.tmp Object is locked skipped

C:\pos34D1.tmp Object is locked skipped

C:\pos34D2.tmp Object is locked skipped

C:\pos34D3.tmp Object is locked skipped

C:\pos34D4.tmp Object is locked skipped

C:\pos34D5.tmp Object is locked skipped

C:\pos34D6.tmp Object is locked skipped

C:\pos34D7.tmp Object is locked skipped

C:\pos34D8.tmp Object is locked skipped

C:\pos34D9.tmp Object is locked skipped

C:\pos34DA.tmp Object is locked skipped

C:\pos34DB.tmp Object is locked skipped

C:\pos34DC.tmp Object is locked skipped

C:\pos34DD.tmp Object is locked skipped

C:\pos34DE.tmp Object is locked skipped

C:\pos34DF.tmp Object is locked skipped

C:\pos34E0.tmp Object is locked skipped

C:\pos34E1.tmp Object is locked skipped

C:\pos34E2.tmp Object is locked skipped

C:\pos34E3.tmp Object is locked skipped

C:\pos34E4.tmp Object is locked skipped

C:\pos34E5.tmp Object is locked skipped

C:\pos34E6.tmp Object is locked skipped

C:\pos34E7.tmp Object is locked skipped

C:\pos34E8.tmp Object is locked skipped

C:\pos34E9.tmp Object is locked skipped

C:\pos34EA.tmp Object is locked skipped

C:\pos34EB.tmp Object is locked skipped

C:\pos34EC.tmp Object is locked skipped

C:\pos34ED.tmp Object is locked skipped

C:\pos34EE.tmp Object is locked skipped

C:\pos34EF.tmp Object is locked skipped

C:\pos34F0.tmp Object is locked skipped

C:\pos34F1.tmp Object is locked skipped

C:\pos34F2.tmp Object is locked skipped

C:\pos34F3.tmp Object is locked skipped

C:\pos34F4.tmp Object is locked skipped

C:\pos34F5.tmp Object is locked skipped

C:\pos34F6.tmp Object is locked skipped

C:\pos34F7.tmp Object is locked skipped

C:\pos34F8.tmp Object is locked skipped

C:\pos34F9.tmp Object is locked skipped

C:\pos34FA.tmp Object is locked skipped

C:\pos34FB.tmp Object is locked skipped

C:\pos34FC.tmp Object is locked skipped

C:\pos34FD.tmp Object is locked skipped

C:\pos34FE.tmp Object is locked skipped

C:\pos34FF.tmp Object is locked skipped

C:\pos3500.tmp Object is locked skipped

C:\pos3501.tmp Object is locked skipped

C:\pos3502.tmp Object is locked skipped

C:\pos3503.tmp Object is locked skipped

C:\pos3504.tmp Object is locked skipped

C:\pos3505.tmp Object is locked skipped

C:\pos3506.tmp Object is locked skipped

C:\pos3507.tmp Object is locked skipped

C:\pos3508.tmp Object is locked skipped

C:\pos3509.tmp Object is locked skipped

C:\pos350A.tmp Object is locked skipped

C:\pos350B.tmp Object is locked skipped

C:\pos350C.tmp Object is locked skipped

C:\pos350D.tmp Object is locked skipped

C:\pos350E.tmp Object is locked skipped

C:\pos350F.tmp Object is locked skipped

C:\pos3510.tmp Object is locked skipped

C:\pos3511.tmp Object is locked skipped

C:\pos3512.tmp Object is locked skipped

C:\pos3513.tmp Object is locked skipped

C:\pos3514.tmp Object is locked skipped

C:\pos3515.tmp Object is locked skipped

C:\pos3516.tmp Object is locked skipped

C:\pos3517.tmp Object is locked skipped

C:\pos3518.tmp Object is locked skipped

C:\pos3519.tmp Object is locked skipped

C:\pos351A.tmp Object is locked skipped

C:\pos351B.tmp Object is locked skipped

C:\pos351C.tmp Object is locked skipped

C:\pos351D.tmp Object is locked skipped

C:\pos351E.tmp Object is locked skipped

C:\pos351F.tmp Object is locked skipped

C:\pos3520.tmp Object is locked skipped

C:\pos3521.tmp Object is locked skipped

C:\pos3522.tmp Object is locked skipped

C:\pos3523.tmp Object is locked skipped

C:\pos3524.tmp Object is locked skipped

C:\pos3525.tmp Object is locked skipped

C:\pos3526.tmp Object is locked skipped

C:\pos3527.tmp Object is locked skipped

C:\pos3528.tmp Object is locked skipped

C:\pos3529.tmp Object is locked skipped

C:\pos352A.tmp Object is locked skipped

C:\pos352B.tmp Object is locked skipped

C:\pos352C.tmp Object is locked skipped

C:\pos352D.tmp Object is locked skipped

C:\pos352E.tmp Object is locked skipped

C:\pos352F.tmp Object is locked skipped

C:\pos3530.tmp Object is locked skipped

C:\pos3531.tmp Object is locked skipped

C:\pos3532.tmp Object is locked skipped

C:\pos3533.tmp Object is locked skipped

C:\pos3534.tmp Object is locked skipped

C:\pos3535.tmp Object is locked skipped

C:\pos3536.tmp Object is locked skipped

C:\pos3537.tmp Object is locked skipped

C:\pos3538.tmp Object is locked skipped

C:\pos3539.tmp Object is locked skipped

C:\pos353A.tmp Object is locked skipped

C:\pos353B.tmp Object is locked skipped

C:\pos353C.tmp Object is locked skipped

C:\pos353D.tmp Object is locked skipped

C:\pos353E.tmp Object is locked skipped

C:\pos353F.tmp Object is locked skipped

C:\pos3540.tmp Object is locked skipped

C:\pos3541.tmp Object is locked skipped

C:\pos3542.tmp Object is locked skipped

C:\pos3543.tmp Object is locked skipped

C:\pos3544.tmp Object is locked skipped

C:\pos3545.tmp Object is locked skipped

C:\pos3546.tmp Object is locked skipped

C:\pos3547.tmp Object is locked skipped

C:\pos3548.tmp Object is locked skipped

C:\pos3549.tmp Object is locked skipped

C:\pos354A.tmp Object is locked skipped

C:\pos354B.tmp Object is locked skipped

C:\pos354C.tmp Object is locked skipped

C:\pos354D.tmp Object is locked skipped

C:\pos354E.tmp Object is locked skipped

C:\pos354F.tmp Object is locked skipped

C:\pos3550.tmp Object is locked skipped

C:\pos3551.tmp Object is locked skipped

C:\pos3552.tmp Object is locked skipped

C:\pos3553.tmp Object is locked skipped

C:\pos3554.tmp Object is locked skipped

C:\pos3555.tmp Object is locked skipped

C:\pos3556.tmp Object is locked skipped

C:\pos3557.tmp Object is locked skipped

C:\pos3558.tmp Object is locked skipped

C:\pos3559.tmp Object is locked skipped

C:\pos355A.tmp Object is locked skipped

C:\pos355B.tmp Object is locked skipped

C:\pos355C.tmp Object is locked skipped

C:\pos355D.tmp Object is locked skipped

C:\pos355E.tmp Object is locked skipped

C:\pos355F.tmp Object is locked skipped

C:\pos3560.tmp Object is locked skipped

C:\pos3561.tmp Object is locked skipped

C:\pos3562.tmp Object is locked skipped

C:\pos3563.tmp Object is locked skipped

C:\pos3564.tmp Object is locked skipped

C:\pos3565.tmp Object is locked skipped

C:\pos3566.tmp Object is locked skipped

C:\pos3567.tmp Object is locked skipped

C:\pos3568.tmp Object is locked skipped

C:\pos3569.tmp Object is locked skipped

C:\pos356A.tmp Object is locked skipped

C:\pos356B.tmp Object is locked skipped

C:\pos356C.tmp Object is locked skipped

C:\pos356D.tmp Object is locked skipped

C:\pos356E.tmp Object is locked skipped

C:\pos356F.tmp Object is locked skipped

C:\pos3570.tmp Object is locked skipped

C:\pos3571.tmp Object is locked skipped

C:\pos3572.tmp Object is locked skipped

C:\pos3573.tmp Object is locked skipped

C:\pos3574.tmp Object is locked skipped

C:\pos3575.tmp Object is locked skipped

C:\pos3576.tmp Object is locked skipped

C:\pos3577.tmp Object is locked skipped

C:\pos3578.tmp Object is locked skipped

C:\pos3579.tmp Object is locked skipped

C:\pos357A.tmp Object is locked skipped

C:\pos357B.tmp Object is locked skipped

C:\pos357C.tmp Object is locked skipped

C:\pos357D.tmp Object is locked skipped

C:\pos357E.tmp Object is locked skipped

C:\pos357F.tmp Object is locked skipped

C:\pos3580.tmp Object is locked skipped

C:\pos3581.tmp Object is locked skipped

C:\pos3582.tmp Object is locked skipped

C:\pos3583.tmp Object is locked skipped

C:\pos3584.tmp Object is locked skipped

C:\pos3585.tmp Object is locked skipped

C:\pos3586.tmp Object is locked skipped

C:\pos3587.tmp Object is locked skipped

C:\pos3588.tmp Object is locked skipped

C:\pos3589.tmp Object is locked skipped

C:\pos358A.tmp Object is locked skipped

C:\pos358B.tmp Object is locked skipped

C:\pos358C.tmp Object is locked skipped

C:\pos358D.tmp Object is locked skipped

C:\pos358E.tmp Object is locked skipped

C:\pos358F.tmp Object is locked skipped

C:\pos3590.tmp Object is locked skipped

C:\pos3591.tmp Object is locked skipped

C:\pos3592.tmp Object is locked skipped

C:\pos3593.tmp Object is locked skipped

C:\pos3594.tmp Object is locked skipped

C:\pos3595.tmp Object is locked skipped

C:\pos3596.tmp Object is locked skipped

C:\pos3597.tmp Object is locked skipped

C:\pos3598.tmp Object is locked skipped

C:\pos3599.tmp Object is locked skipped

C:\pos359A.tmp Object is locked skipped

C:\pos359B.tmp Object is locked skipped

C:\pos359C.tmp Object is locked skipped

C:\pos359D.tmp Object is locked skipped

C:\pos359E.tmp Object is locked skipped

C:\pos359F.tmp Object is locked skipped

C:\pos35A0.tmp Object is locked skipped

C:\pos35A1.tmp Object is locked skipped

C:\pos35A2.tmp Object is locked skipped

C:\pos35A3.tmp Object is locked skipped

C:\pos35A4.tmp Object is locked skipped

C:\pos35A5.tmp Object is locked skipped

C:\pos35A6.tmp Object is locked skipped

C:\pos35A7.tmp Object is locked skipped

C:\pos35A8.tmp Object is locked skipped

C:\pos35A9.tmp Object is locked skipped

C:\pos35AA.tmp Object is locked skipped

C:\pos35AB.tmp Object is locked skipped

C:\pos35AC.tmp Object is locked skipped

C:\pos35AD.tmp Object is locked skipped

C:\pos35AE.tmp Object is locked skipped

C:\pos35AF.tmp Object is locked skipped

C:\pos35B0.tmp Object is locked skipped

C:\pos35B1.tmp Object is locked skipped

C:\pos35B2.tmp Object is locked skipped

C:\pos35B3.tmp Object is locked skipped

C:\pos35B4.tmp Object is locked skipped

C:\pos35B5.tmp Object is locked skipped

C:\pos35B6.tmp Object is locked skipped

C:\pos35B7.tmp Object is locked skipped

C:\pos35B8.tmp Object is locked skipped

C:\pos35B9.tmp Object is locked skipped

C:\pos35BA.tmp Object is locked skipped

C:\pos35BB.tmp Object is locked skipped

C:\pos35BC.tmp Object is locked skipped

C:\pos35BD.tmp Object is locked skipped

C:\pos35BE.tmp Object is locked skipped

C:\pos35BF.tmp Object is locked skipped

C:\pos35C0.tmp Object is locked skipped

C:\pos35C1.tmp Object is locked skipped

C:\pos35C2.tmp Object is locked skipped

C:\pos35C3.tmp Object is locked skipped

C:\pos35C4.tmp Object is locked skipped

C:\pos35C5.tmp Object is locked skipped

C:\pos35C6.tmp Object is locked skipped

C:\pos35C7.tmp Object is locked skipped

C:\pos35C8.tmp Object is locked skipped

C:\pos35C9.tmp Object is locked skipped

C:\pos35CA.tmp Object is locked skipped

C:\pos35CB.tmp Object is locked skipped

C:\pos35CC.tmp Object is locked skipped

C:\pos35CD.tmp Object is locked skipped

C:\pos35CE.tmp Object is locked skipped

C:\pos35CF.tmp Object is locked skipped

C:\pos35D0.tmp Object is locked skipped

C:\pos35D1.tmp Object is locked skipped

C:\pos35D2.tmp Object is locked skipped

C:\pos35D3.tmp Object is locked skipped

C:\pos35D4.tmp Object is locked skipped

C:\pos35D5.tmp Object is locked skipped

C:\pos35D6.tmp Object is locked skipped

C:\pos35D7.tmp Object is locked skipped

C:\pos35D8.tmp Object is locked skipped

C:\pos35D9.tmp Object is locked skipped

C:\pos35DA.tmp Object is locked skipped

C:\pos35DB.tmp Object is locked skipped

C:\pos35DC.tmp Object is locked skipped

C:\pos35DD.tmp Object is locked skipped

C:\pos35DE.tmp Object is locked skipped

C:\pos35DF.tmp Object is locked skipped

C:\pos35E0.tmp Object is locked skipped

C:\pos35E1.tmp Object is locked skipped

C:\pos35E2.tmp Object is locked skipped

C:\pos35E3.tmp Object is locked skipped

C:\pos35E4.tmp Object is locked skipped

C:\pos35E5.tmp Object is locked skipped

C:\pos35E6.tmp Object is locked skipped

C:\pos35E7.tmp Object is locked skipped

C:\pos35E8.tmp Object is locked skipped

C:\pos35E9.tmp Object is locked skipped

C:\pos35EA.tmp Object is locked skipped

C:\pos35EB.tmp Object is locked skipped

C:\pos35EC.tmp Object is locked skipped

C:\pos35ED.tmp Object is locked skipped

C:\pos35EE.tmp Object is locked skipped

C:\pos35EF.tmp Object is locked skipped

C:\pos35F0.tmp Object is locked skipped

C:\pos35F1.tmp Object is locked skipped

C:\pos35F2.tmp Object is locked skipped

C:\pos35F3.tmp Object is locked skipped

C:\pos35F4.tmp Object is locked skipped

C:\pos35F5.tmp Object is locked skipped

C:\pos35F6.tmp Object is locked skipped

C:\pos35F7.tmp Object is locked skipped

C:\pos35F8.tmp Object is locked skipped

C:\pos35F9.tmp Object is locked skipped

C:\pos35FA.tmp Object is locked skipped

C:\pos35FB.tmp Object is locked skipped

C:\pos35FC.tmp Object is locked skipped

C:\pos35FD.tmp Object is locked skipped

C:\pos35FE.tmp Object is locked skipped

C:\pos35FF.tmp Object is locked skipped

C:\pos3600.tmp Object is locked skipped

C:\pos3601.tmp Object is locked skipped

C:\pos3602.tmp Object is locked skipped

C:\pos3603.tmp Object is locked skipped

C:\Program Files\a-squared Anti-Malware\a2guard.exe Object is locked skipped

C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped

C:\Program Files\ESET\infected\HHE2MSCA.NQF Infected: Virus.Win32.Trats.d skipped

C:\Program Files\ESET\infected\NKA1WNBA.NQF Infected: Trojan.Win32.Zapchast.dt skipped

C:\Program Files\ESET\logs\virlog.dat Object is locked skipped

C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped

C:\Program Files\Microsoft ActiveSync\WCESCOMM .EXE Object is locked skipped

C:\Program Files\Microsoft ActiveSync\WCESCOMM .EXE Object is locked skipped

C:\Program Files\Outerinfo\FF\components\FF.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped

C:\Program Files\Outerinfo\OiUninstaller.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.gn skipped

C:\Program Files\Outerinfo\OiUninstaller.exe NSIS: infected - 1 skipped

C:\Program Files\QuickTime\qttask .exe Object is locked skipped

C:\Program Files\QuickTime\qttask .exe Object is locked skipped

C:\Program Files\QuickTime\qttask.exe Object is locked skipped

C:\Program Files\Trend Micro\HijackThis\backups\backup-20080208-172810-493.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dux skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP727\A0999336.exe Infected: Trojan-Downloader.Win32.Alphabet.cc skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP728\A1003324.dll Infected: Trojan.Win32.Dialer.yz skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP730\A1014375.exe Infected: Worm.Win32.RJump.a skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP731\A1017371.exe Infected: Trojan-Downloader.Win32.Alphabet.cc skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP731\A1017379.exe Infected: Trojan-Downloader.Win32.Alphabet.cc skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP731\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\lsass .exe Infected: Trojan-Downloader.Win32.Alphabet.cc skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\cqcslgmf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\WINDOWS\system32\drvvow.dll Infected: Trojan.Win32.Dialer.yz skipped

C:\WINDOWS\system32\dvnoyblg.exe Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\jkkll.dll Object is locked skipped

C:\WINDOWS\system32\jkkll.exe Object is locked skipped

C:\WINDOWS\system32\jkkll.Vdll Object is locked skipped

C:\WINDOWS\system32\khfgecb.dll Object is locked skipped

C:\WINDOWS\system32\ntxabrdv.exe Object is locked skipped

C:\WINDOWS\system32\rvkhnsrn.dll Object is locked skipped

C:\WINDOWS\system32\slcnhnno.dll Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\system32\xxyxwut.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dux skipped

C:\WINDOWS\system32\ygynulqe.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\WINDOWS\system32\zovnfxtj.dll Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#14 Baabiouz

Posted 11 February 2008 - 11:57 PM

Hi!

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Step #1
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Step #2
Please click your Start button, then click on Run and type in the following without the quotes: "notepad". Then copy (Ctrl C) and paste (Ctrl V) the following text in the codebox:
File::
C:\WINDOWS\system32\cqcslgmf.dll
C:\WINDOWS\system32\ntxabrdv.exe
C:\WINDOWS\system32\ygynulqe.dll
C:\WINDOWS\system32\dvnoyblg.exe
C:\WINDOWS\system32\rvkhnsrn.dll
C:\WINDOWS\system32\zovnfxtj.dll
C:\WINDOWS\system32\slcnhnno.dll
C:\WINDOWS\system32\jkkll.exe
C:\WINDOWS\system32\jkkll.dll
C:\WINDOWS\system32\llkkj.ini2
C:\WINDOWS\system32\dfhkj.ini2
C:\WINDOWS\system32\xxyxwut.dll
C:\WINDOWS\system32\khfgecb.dll
C:\WINDOWS\system32\drvvowr.dll
C:\WINDOWS\system32\drvvow.dll
C:\WINDOWS\system32\jkkll.Vdll
C:\Documents and Settings\T.Fox\Shared\by the time i get to arizona.wm
C:\Documents and Settings\T.Fox\Shared\concerto for 2 violins.wm
C:\Documents and Settings\T.Fox\Desktop\Logons\80720.exe
C:\Documents and Settings\T.Fox\Desktop\Logons\anarchey.exe
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch19.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch53.zip

RenV::
C:\WINDOWS\lsass .exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM .EXE
C:\Program Files\QuickTime\qttask .exe

Folder::
C:\Program Files\Outerinfo


Save this as CFScript.txt

Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Step #3
Please click Start --> Run, and type in:
CMD.exe /C Del /Q C:\pos*.tmp
Click OK

Step #4
(in normal mode)
Please post a fresh HijackThis log and Combofix log back here :thumbsup:

Edited by Baabiouz, 11 February 2008 - 11:58 PM.

#15 sharpie

Posted 12 February 2008 - 07:07 PM

T.Fox - 08-02-12 18:40:25.04 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\T.Fox"
Command switches used :: "C:\Documents and Settings\T.Fox\Desktop\CFScript.txt"

((((((((((((((((((((((((((((((( Files Created from 2008-01-12 to 2008-02-12 ))))))))))))))))))))))))))))))))))


2008-02-09 12:52 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-09 12:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-08 18:10 <DIR> d-------- C:\Documents and Settings\T.Fox\Application Data\Grisoft
2008-02-08 18:09 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-31 22:16 8,576 --a------ C:\WINDOWS\system32\drivers\cnnwtmvlrqki.sys
2008-01-31 22:11 8,576 --a------ C:\WINDOWS\system32\drivers\RkPavProc.sys
2008-01-31 21:30 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-30 12:33 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-27 16:13 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-01-26 19:00 502,368 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-01-26 19:00 274,432 --a------ C:\WINDOWS\system32\imon.dll
2008-01-26 19:00 <DIR> d-------- C:\Program Files\ESET
2008-01-25 11:52 87,104 --a------ C:\WINDOWS\system32\cqcslgmf.dll
2008-01-25 11:47 74,304 --a------ C:\WINDOWS\system32\ntxabrdv.exe
2008-01-24 14:49 87,616 --a------ C:\WINDOWS\system32\ygynulqe.dll
2008-01-24 14:49 74,304 --a------ C:\WINDOWS\system32\dvnoyblg.exe
2008-01-23 23:48 76,352 --a------ C:\WINDOWS\system32\rvkhnsrn.dll
2008-01-23 23:45 163,904 --a------ C:\WINDOWS\system32\zovnfxtj.dll
2008-01-23 23:45 163,904 --a------ C:\WINDOWS\system32\slcnhnno.dll
2008-01-22 23:44 338,432 --a------ C:\WINDOWS\system32\jkkll.exe
2008-01-22 23:44 334,848 --a------ C:\WINDOWS\system32\jkkll.dll
2008-01-22 23:44 296,595 --ahs---- C:\WINDOWS\system32\llkkj.ini2
2008-01-22 22:10 26,624 --a------ C:\WINDOWS\lsass .exe
2008-01-22 22:05 <DIR> d-------- C:\Program Files\Wide Angle Software
2008-01-22 21:32 6,822 --ahs---- C:\WINDOWS\system32\dfhkj.ini2
2008-01-22 21:27 39,424 --a------ C:\WINDOWS\system32\xxyxwut.dll
2008-01-22 21:27 38,912 --a------ C:\WINDOWS\system32\khfgecb.dll
2008-01-22 21:27 15,360 --a------ C:\WINDOWS\system32\drvvowr.dll
2008-01-22 21:27 103,936 --a------ C:\WINDOWS\system32\drvvow.dll
2008-01-22 21:27 <DIR> d-------- C:\Program Files\Outerinfo
2008-01-21 22:33 <DIR> d-------- C:\WINDOWS\Minidump


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2008-02-12 18:28 -------- d-------- C:\Program Files\Mozilla Firefox
2008-02-08 18:09 -------- d-------- C:\Program Files\Grisoft
2008-01-31 22:35 -------- d-------- C:\Program Files\ewido anti-malware
2008-01-31 22:29 -------- d-------- C:\Program Files\Internet Explorer
2008-01-29 07:40 -------- d-------- C:\Program Files\LimeWire
2008-01-26 19:59 -------- d-------- C:\Documents and Settings\T.Fox\Application Data\wsInspector
2008-01-26 19:52 334848 --a------ C:\WINDOWS\system32\jkkll.Vdll
2008-01-25 14:31 -------- d-------- C:\Documents and Settings\T.Fox\Application Data\AVG7
2008-01-24 14:47 -------- d-------- C:\Program Files\QuickTime
2008-01-24 14:47 -------- d-------- C:\Program Files\Microsoft ActiveSync
2008-01-22 23:33 -------- d-------- C:\Program Files\Winamp
2008-01-22 23:32 -------- d-------- C:\Program Files\iTunes
2008-01-22 22:00 -------- d-------- C:\Program Files\Eraser
2007-12-27 14:13 -------- d-------- C:\Program Files\SUPERAntiSpyware
2007-11-13 03:31 60416 --a------ C:\WINDOWS\system32\tzchange.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"a-squared"="\"C:\\Program Files\\a-squared Anti-Malware\\a2guard.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\optionalcomponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\optionalcomponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\optionalcomponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\optionalcomponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c2,01,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
"{89A1E40D-0254-4F99-B9AE-B60A2D8754A9}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzdn32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyxwut
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\zovnfxtj

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 08-02-12 18:45:05.67
C:\ComboFix.txt ... 08-02-12 18:45
C:\ComboFix2.txt ... 08-02-09 12:40
C:\ComboFix3.txt ... 08-02-08 17:57




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:07:47 PM, on 2/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {89A1E40D-0254-4F99-B9AE-B60A2D8754A9} - C:\WINDOWS\system32\xxyxwut.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\zovnfxtj.dll
O2 - BHO: (no name) - {B1B3C778-9F9D-4A5A-B258-2E221939B325} - C:\WINDOWS\system32\jkkll.dll
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O16 - DPF: {858B4F85-E945-4F0C-AF65-059E0AD9EEC0} (IntraLaunch.MainControl) - file://D:\Interface\IntraLaunch.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winzdn32 - winzdn32.dll (file missing)
O20 - Winlogon Notify: xxyxwut - C:\WINDOWS\SYSTEM32\xxyxwut.dll
O20 - Winlogon Notify: zovnfxtj - C:\WINDOWS\SYSTEM32\zovnfxtj.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\ntxabrdv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6779 bytes


OK. What else would you like me to do?

-thanks

Edited by sharpie, 12 February 2008 - 10:09 PM.




