Pop Up Problem


  • This topic is locked
15 replies to this topic

#1 kklynn1955

Posted 31 January 2008 - 08:01 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:59:20 PM, on 1/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\aaksrv.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\WINDOWS\system32\wscntfy.exe
H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
H:\Documents and Settings\kklynn\Local Settings\Temporary Internet Files\Content.IE5\CKHLPJSG\stinger[1].exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [MSConfig] H:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NeroFilterCheck] H:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AVP] "H:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avp.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5248] command /c del "H:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4084] cmd /c del "H:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\Run: [iolo Task Agent] H:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "H:\Program Files\iolo\System Mechanic 5\PopupStopper.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB6263] command /c del "H:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3907] cmd /c del "H:\WINDOWS\system32\drivers\core.cache.dsk"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - H:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\scieplugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: system32\aakah.dll,H:\PROGRA~1\DEFEND~1\DEFEND~1.0\adialhk.dll
O23 - Service: aaksrv - Spydex, Inc. - H:\WINDOWS\system32\aaksrv.exe
O23 - Service: Defender Pro Internet Security (AVP) - Defender Pro - H:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe
O23 - Service: Diskeeper - Diskeeper Corporation - H:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: NBService - Nero AG - H:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - H:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - H:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5162 bytes


#2 teacup61

  • Malware Response Team

Posted 31 January 2008 - 10:15 PM

Hello kklynn1955,

Welcome to Bleeping Computer :thumbsup:

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#3 kklynn1955


Posted 02 February 2008 - 03:47 PM

here is what you asked for..............thank you ever so much for your help!!!


ComboFix 08-02.03.1 - kklynn 2008-02-02 14:17:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.222 [GMT -6:00]
Running from: H:\Documents and Settings\kklynn\Local Settings\Temporary Internet Files\Content.IE5\SMJ516I6\ComboFix[1].exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

H:\Documents and Settings\kklynn\Application Data\inst.exe
H:\WINDOWS\system32\bszip.dll
H:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

2008-01-31 20:14 . 2007-07-02 15:02 3,073,320 --a------ H:\WINDOWS\system32\AdvrCntr2D6E0B790.dll
2008-01-31 20:12 . 2007-07-02 15:02 996,648 --a------ H:\WINDOWS\system32\ShellManager10E2D762.dll
2008-01-31 20:12 . 2007-07-02 14:19 638,976 --a------ H:\WINDOWS\system32\NEROINSTAEC43759.DB
2008-01-31 19:52 . 2008-01-31 19:53 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-01-31 19:51 . 2008-01-31 19:51 <DIR> d-------- H:\WINDOWS\cache
2008-01-31 18:46 . 2008-01-31 18:46 101 --a------ H:\WINDOWS\wininit.ini
2008-01-31 18:23 . 2008-01-31 18:23 <DIR> d-------- H:\Program Files\Spybot - Search & Destroy
2008-01-31 18:23 . 2008-01-31 18:47 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-31 14:33 . 2008-01-31 14:33 <DIR> d-------- H:\Program Files\Trend Micro
2008-01-31 13:56 . 2008-01-31 13:56 <DIR> d-------- H:\WINDOWS\AntiSpy
2008-01-31 13:56 . 2008-01-31 13:56 <DIR> d-------- H:\Program Files\DefenderPro
2008-01-30 08:32 . 2008-01-30 08:32 <DIR> d-------- H:\Program Files\MSXML 4.0
2008-01-30 08:32 . 2004-08-04 06:00 221,184 --a------ H:\WINDOWS\system32\wmpns.dll
2008-01-29 22:14 . 2008-01-29 22:14 <DIR> d-------- H:\Documents and Settings\kklynn\Application Data\Big Fish Games
2008-01-29 22:10 . 2008-01-29 22:10 <DIR> d-------- H:\Documents and Settings\kklynn\Application Data\PlayFirst
2008-01-29 22:10 . 2008-01-29 22:10 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\PlayFirst
2008-01-29 22:03 . 2008-01-29 22:03 <DIR> d-------- H:\Documents and Settings\kklynn\Application Data\Gaijin Ent
2008-01-13 21:16 . 2008-01-31 15:19 69 --a------ H:\WINDOWS\NeroDigital.ini
2008-01-13 21:14 . 2008-01-13 21:14 <DIR> d-------- H:\Documents and Settings\kklynn\Application Data\Media Player Classic
2008-01-12 23:11 . 2008-01-12 23:11 <DIR> d-------- H:\Program Files\Defender Pro
2008-01-12 23:11 . 2008-02-02 14:34 2,951,456 --ahs---- H:\WINDOWS\system32\drivers\fidbox.dat
2008-01-12 23:11 . 2008-02-02 14:34 305,184 --ahs---- H:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-12 23:11 . 2008-01-31 10:50 91,700 --a------ H:\WINDOWS\system32\drivers\klin.dat
2008-01-12 23:11 . 2008-01-12 23:24 85,860 --a------ H:\WINDOWS\system32\drivers\klick.dat
2008-01-12 23:11 . 2008-02-02 14:33 40,580 --ahs---- H:\WINDOWS\system32\drivers\fidbox.idx
2008-01-12 23:11 . 2008-02-02 14:33 29,660 --ahs---- H:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-12 23:06 . 2008-01-12 23:06 <DIR> d-------- H:\WINDOWS\Sun
2008-01-12 22:56 . 2008-01-12 22:56 <DIR> d-------- H:\Program Files\Common Files\Scanner
2008-01-12 22:49 . 2008-01-25 18:02 <DIR> d-------- H:\Program Files\Google
2008-01-12 22:48 . 2008-01-12 22:48 <DIR> d-------- H:\Program Files\Java
2008-01-12 22:48 . 2007-09-24 23:31 69,632 --a------ H:\WINDOWS\system32\javacpl.cpl
2008-01-12 22:47 . 2008-01-12 22:47 <DIR> d-------- H:\Program Files\Common Files\Java
2008-01-12 20:23 . 2008-01-12 20:23 <DIR> d-------- H:\Program Files\Universal
2008-01-12 19:55 . 2008-01-12 19:55 <DIR> d-------- H:\Documents and Settings\kklynn\Application Data\Yahoo!
2008-01-12 19:40 . 2008-01-12 19:41 <DIR> d--h----- H:\WINDOWS\msdownld.tmp
2008-01-12 19:40 . 2008-01-31 19:52 <DIR> d-------- H:\Program Files\Yahoo!
2008-01-12 15:23 . 2008-01-12 15:23 <DIR> d-------- H:\Documents and Settings\kklynn\Application Data\Defender Pro
2008-01-12 15:20 . 2008-01-31 13:56 137 --a------ H:\WINDOWS\tsiwinfile.dat
2008-01-12 15:12 . 2008-01-12 15:12 3,120 --a------ H:\WINDOWS\system32\DRWSJLAD.ocx
2008-01-12 15:12 . 2008-01-12 15:12 3,120 --a------ H:\WINDOWS\LJRGKDD9.ocx
2008-01-12 15:11 . 2008-02-02 12:21 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Defender Pro
2008-01-12 12:57 . 2008-01-12 12:57 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Avg7
2008-01-12 12:20 . 2008-01-12 12:20 167,545 --a------ H:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-12 12:20 . 2008-01-12 12:20 86,144 --a------ H:\WINDOWS\system32\drivers\pschedd.sys
2008-01-12 00:49 . 2008-01-12 00:49 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\vsosdk
2008-01-11 23:25 . 2008-01-11 23:25 <DIR> d-------- H:\Documents and Settings\kklynn\Application Data\vlc
2008-01-10 23:32 . 2008-01-10 23:32 <DIR> d-------- H:\Program Files\DVD Shrink
2008-01-10 23:32 . 2008-01-10 23:32 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-10 23:31 . 2008-01-10 23:31 <DIR> d-------- H:\Program Files\DVD Decrypter
2008-01-10 23:30 . 2008-01-10 23:30 <DIR> d-------- H:\WINDOWS\system32\custom matrices
2008-01-10 23:28 . 2008-01-12 19:29 <DIR> d--h----- H:\Program Files\InstallShield Installation Information
2008-01-10 23:28 . 2008-01-10 23:29 <DIR> d-------- H:\Program Files\GoldEsel
2008-01-10 23:28 . 2008-01-10 23:29 <DIR> d-------- H:\Program Files\Ahead
2008-01-10 23:26 . 2008-01-10 23:26 <DIR> d-------- H:\Program Files\K-Lite Codec Pack
2008-01-10 23:26 . 2008-01-10 23:26 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-10 23:26 . 2002-07-08 00:14 1,294,336 --a------ H:\WINDOWS\system32\vorbis.acm
2008-01-10 23:26 . 2004-01-27 13:53 1,024,000 --a------ H:\WINDOWS\system32\3ivx.dll
2008-01-10 23:26 . 2004-01-27 13:53 286,720 --a------ H:\WINDOWS\system32\3ivxVfWCodec.dll
2008-01-10 23:26 . 2005-12-08 13:56 65,536 --a------ H:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 23:26 . 2005-12-08 13:56 49,152 --a------ H:\WINDOWS\system32\QuickTime.qts
2008-01-10 23:24 . 2007-02-02 02:47 45,056 --a------ H:\WINDOWS\system32\WNASPI32.DLL
2008-01-10 23:24 . 2007-02-02 02:47 25,244 --a------ H:\WINDOWS\system32\drivers\ASPI32.SYS
2008-01-10 23:24 . 2007-02-02 02:47 5,600 --a------ H:\WINDOWS\system\WINASPI.DLL
2008-01-10 23:24 . 2007-02-02 02:47 4,672 --a------ H:\WINDOWS\system\WOWPOST.EXE
2008-01-10 23:21 . 2008-01-12 00:58 <DIR> d-------- H:\Documents and Settings\kklynn\Application Data\Ahead
2008-01-10 23:20 . 2008-01-10 23:20 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Ahead
2008-01-10 23:19 . 2008-01-10 23:19 <DIR> d-------- H:\Program Files\Nero
2008-01-10 23:19 . 2008-01-31 21:11 <DIR> d-------- H:\Program Files\Common Files\Ahead
2008-01-10 23:19 . 2008-01-10 23:19 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Nero
2008-01-10 23:12 . 2008-01-10 23:57 <DIR> d-------- H:\Program Files\DAEMON Tools
2008-01-10 23:07 . 2008-01-10 23:07 <DIR> d-------- H:\WINDOWS\system32\QuickTime
2008-01-10 23:07 . 2008-01-10 23:54 <DIR> d-------- H:\WINDOWS\system32\C2MP
2008-01-10 23:07 . 2008-01-10 23:07 685,816 --a------ H:\WINDOWS\system32\drivers\sptd.sys
2008-01-10 23:05 . 2008-01-10 23:05 <DIR> d-------- H:\Program Files\MSECache
2008-01-10 23:04 . 2008-01-10 23:04 <DIR> d-------- H:\Program Files\Combined Community Codec Pack
2008-01-10 23:01 . 2008-01-10 23:01 <DIR> d-------- H:\Program Files\VSO
2008-01-10 23:01 . 2008-02-01 22:09 <DIR> d-------- H:\Documents and Settings\kklynn\Application Data\Vso
2008-01-10 23:01 . 2006-09-29 11:24 217,127 --a------ H:\WINDOWS\system32\drv43260.dll
2008-01-10 23:01 . 2006-09-29 11:25 208,935 --a------ H:\WINDOWS\system32\drv33260.dll
2008-01-10 23:01 . 2006-09-29 11:26 176,165 --a------ H:\WINDOWS\system32\drv23260.dll
2008-01-10 23:01 . 2008-01-10 23:01 47,360 --a------ H:\WINDOWS\system32\drivers\pcouffin.sys
2008-01-10 23:01 . 2008-01-10 23:01 47,360 --a------ H:\Documents and Settings\kklynn\Application Data\pcouffin.sys
2008-01-10 22:31 . 2008-01-10 22:31 <DIR> d-------- H:\Program Files\ffdshow
2008-01-10 22:31 . 2008-01-10 22:31 <DIR> d-------- H:\Program Files\AviSynth 2.5
2008-01-10 22:31 . 2008-01-10 22:31 43,668 --a------ H:\WINDOWS\system32\xvid-uninstall.exe
2008-01-10 22:30 . 2008-01-10 22:30 <DIR> d-------- H:\Program Files\Gabest
2008-01-10 22:30 . 2008-01-10 22:31 <DIR> d-------- H:\Program Files\AutoGK
2008-01-10 22:26 . 2008-01-10 22:26 <DIR> d-------- H:\Program Files\Windows Media Connect 2
2008-01-10 22:24 . 2008-01-10 22:24 <DIR> d-------- H:\WINDOWS\system32\LogFiles
2008-01-10 22:24 . 2008-01-10 22:25 <DIR> d-------- H:\WINDOWS\system32\drivers\UMDF
2008-01-10 22:23 . 2008-01-10 22:23 <DIR> d-------- H:\Program Files\WinAVIVideoConverter
2008-01-10 22:22 . 2008-01-10 22:22 <DIR> d-------- H:\Program Files\VideoLAN
2008-01-10 22:11 . 2008-01-10 22:11 249,856 --a------ H:\WINDOWS\system32\aaksrv.exe
2008-01-10 22:11 . 2008-01-10 22:11 81,920 --a------ H:\WINDOWS\system32\aakah.dll
2008-01-10 22:11 . 2008-01-10 22:11 33,152 --a------ H:\WINDOWS\system32\aakah.sys
2008-01-10 22:11 . 2008-01-10 22:11 20,768 --a------ H:\WINDOWS\system32\aakbdrv.sys
2008-01-10 22:11 . 2008-01-10 22:11 4,400 --a------ H:\WINDOWS\system32\lqoe89kr.lwp
2008-01-10 22:06 . 2008-01-10 22:06 <DIR> d--hs---- H:\Documents and Settings\kklynn\UserData
2008-01-10 21:58 . 2008-01-10 22:15 <DIR> d-------- H:\Documents and Settings\kklynn\Application Data\Lavasoft
2008-01-10 21:39 . 2008-01-10 21:39 <DIR> d-------- H:\Documents and Settings\kklynn\Application Data\IsolatedStorage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 02:40 --------- d-----w H:\Documents and Settings\kklynn\Application Data\.BitTornado
2008-01-11 00:48 --------- d-----w H:\Program Files\Diskeeper Corporation
2008-01-11 00:48 --------- d-----w H:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
2008-01-11 00:28 --------- d-----w H:\Program Files\microsoft frontpage
2007-11-07 09:26 721,920 ----a-w H:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ----a-w H:\WINDOWS\system32\dllcache\lsasrv.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iolo Task Agent"="H:\Program Files\iolo\Common\Task Agent\Task_Agent.exe" [2001-10-25 14:20 41984]
"ctfmon.exe"="H:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"System Mechanic Popup Stopper"="H:\Program Files\iolo\System Mechanic 5\PopupStopper.exe" [2004-09-08 08:21 491008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="H:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 06:00 158208]
"NeroFilterCheck"="H:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"AVP"="H:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avp.exe" [2007-08-07 15:00 941120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=system32\aakah.dll,H:\PROGRA~1\DEFEND~1\DEFEND~1.0\adialhk.dll

[HKLM\~\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=H:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=H:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=H:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=H:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=H:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=H:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAK]
H:\Program Files\Advanced Anti Keylogger\aak.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-aware]
H:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-06-27 19:03 152872 H:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-08-16 05:24 167368 H:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 08:38 241664 H:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2003-08-04 17:28 49152 H:\Program Files\HP\HP Software Update\HPWuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 9.0]
H:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
H:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

R1 pschedd;pschedd;H:\WINDOWS\system32\drivers\pschedd.sys [2008-01-12 12:20]
R2 aakah;aakah;H:\WINDOWS\system32\aakah.sys [2008-01-10 22:11]
R2 aakbdrv;aakbdrv;H:\WINDOWS\system32\aakbdrv.sys [2008-01-10 22:11]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-01 23:37:00 H:\WINDOWS\Tasks\AntiSpy.job"
- H:\Program Files\DefenderPro\TSAntiSpy.exe
"2008-01-11 02:23:32 H:\WINDOWS\Tasks\WebReg 20080110202331.job"
- H:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe\/TaskName 20080110202331 /N
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 14:34:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
H:\WINDOWS\system32\aaksrv.exe
H:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
H:\Program Files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Completion time: 2008-02-02 14:37:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-02 20:37:12
.
2008-01-30 14:50:04 --- E O F ---



and the HijackThis file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:42:47 PM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\aaksrv.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avp.exe
H:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\iolo\System Mechanic 5\PopupStopper.exe
H:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe
H:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe
H:\WINDOWS\system32\wuauclt.exe
H:\WINDOWS\system32\notepad.exe
H:\Program Files\internet explorer\iexplore.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [MSConfig] H:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NeroFilterCheck] H:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AVP] "H:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avp.exe"
O4 - HKCU\..\Run: [iolo Task Agent] H:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "H:\Program Files\iolo\System Mechanic 5\PopupStopper.exe"
O8 - Extra context menu item: Add to Anti-Banner - H:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - H:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\scieplugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: system32\aakah.dll,H:\PROGRA~1\DEFEND~1\DEFEND~1.0\adialhk.dll
O23 - Service: aaksrv - Spydex, Inc. - H:\WINDOWS\system32\aaksrv.exe
O23 - Service: Defender Pro Internet Security (AVP) - Defender Pro - H:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe
O23 - Service: Diskeeper - Diskeeper Corporation - H:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: NBService - Nero AG - H:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - H:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - H:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5096 bytes

#4 teacup61

  • Malware Response Team

Posted 04 February 2008 - 01:01 PM

Hello,

Hope you had a great weekend, and you're welcome. :thumbsup:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
H:\WINDOWS\system32\drivers\core.cache.dsk
H:\WINDOWS\system32\drivers\pschedd.sys

Driver::
pschedd


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

How is it running now please?

Thanks,
tea

#5 kklynn1955


Posted 04 February 2008 - 11:29 PM


so far so good.. no pop ups!!!! yah!!!! thank you so much!!! below are the file copies you asked for ...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:13, on 2008-02-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\aaksrv.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\iolo\System Mechanic 5\PopupStopper.exe
H:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\WINDOWS\system32\wuauclt.exe
H:\WINDOWS\system32\wuauclt.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [MSConfig] H:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NeroFilterCheck] H:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AVP] "H:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [combofix] H:\WINDOWS\system32\kmd.exe /c H:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [iolo Task Agent] H:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "H:\Program Files\iolo\System Mechanic 5\PopupStopper.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - H:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\scieplugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: system32\aakah.dll,H:\PROGRA~1\DEFEND~1\DEFEND~1.0\adialhk.dll
O23 - Service: aaksrv - Spydex, Inc. - H:\WINDOWS\system32\aaksrv.exe
O23 - Service: Defender Pro Internet Security (AVP) - Defender Pro - H:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe
O23 - Service: Diskeeper - Diskeeper Corporation - H:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: NBService - Nero AG - H:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - H:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - H:\WINDOWS\system32\HPZipm12.exe

--
End of file - 4774 bytes





The above came from ComboFix...I will try again for the combo for the combo fix file

#6 kklynn1955

kklynn1955
  • Topic Starter

  • Members
  • 12 posts
  • Local time:02:33 PM

Posted 04 February 2008 - 11:47 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:39, on 2008-02-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\aaksrv.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\iolo\System Mechanic 5\PopupStopper.exe
H:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\WINDOWS\system32\wuauclt.exe
H:\WINDOWS\system32\wuauclt.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [MSConfig] H:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NeroFilterCheck] H:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AVP] "H:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [combofix] H:\WINDOWS\system32\kmd.exe /c H:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [iolo Task Agent] H:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "H:\Program Files\iolo\System Mechanic 5\PopupStopper.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - H:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\scieplugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: system32\aakah.dll,H:\PROGRA~1\DEFEND~1\DEFEND~1.0\adialhk.dll
O23 - Service: aaksrv - Spydex, Inc. - H:\WINDOWS\system32\aaksrv.exe
O23 - Service: Defender Pro Internet Security (AVP) - Defender Pro - H:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe
O23 - Service: Diskeeper - Diskeeper Corporation - H:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: NBService - Nero AG - H:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - H:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - H:\WINDOWS\system32\HPZipm12.exe

--
End of file - 4774 bytes

#7 kklynn1955

kklynn1955
  • Topic Starter

  • Members
  • 12 posts
  • Local time:02:33 PM

Posted 04 February 2008 - 11:55 PM

The first time ComboFix ran it put the file in a zip file and when I opened it I got the first odd looking one when I copied to Notepad! So tried to run again and this time no Notepad or zip file??? Can you tell the difference in my HijackThis log??? No popups but it does take longer to open from restart....looks good !!!! And by the way my weekend was nice thank you!! I do hope yours was also!! Very grateful!!!!!!!!!! kklynn

#8 kklynn1955

kklynn1955
  • Topic Starter

  • Members
  • 12 posts
  • Local time:02:33 PM

Posted 05 February 2008 - 12:05 AM

How can I get another combo file???
This was in my ComboFix file and the zip file was named ;catch me;


file zipped: H:\WINDOWS\system32\drivers\core.cache.dsk -> catchme.zip -> core.cache.dsk ( 167545 bytes )
error: H:\WINDOWS\system32\drivers\core.cache.dsk is not a PE file
PE file "H:\WINDOWS\system32\drivers\core.cache.dsk" killed successfully
file zipped: H:\WINDOWS\system32\drivers\pschedd.sys -> catchme.zip -> pschedd.sys ( 86144 bytes )
file "H:\WINDOWS\system32\drivers\pschedd.sys" replaced successfully
file zipped: H:\WINDOWS\system32\drivers\core.cache.dsk -> catchme.zip -> core.cache.dsk ( 167545 bytes )
error: H:\WINDOWS\system32\drivers\core.cache.dsk is not a PE file
PE file "H:\WINDOWS\system32\drivers\core.cache.dsk" killed successfully

Also when doing a restart it states can not find home file???
Is everything OK????

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:33 PM

Posted 08 February 2008 - 08:23 PM

Hello,

Sorry for my delayed reply. :blink:

Please delete ComboFix altogether, as well as its accompanying folder, C:\Qoobox. Then download another fresh one and run it. Be patient and let it run, and it should produce a log for you that will pop up when it's all the way done. Please copy and paste that log here in your reply. :thumbsup:

How is it running please?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#10 kklynn1955

kklynn1955
  • Topic Starter

  • Members
  • 12 posts
  • Local time:02:33 PM

Posted 10 February 2008 - 09:48 AM

Here is the log ....thank you ever so much!!! It seems to be working...



ComboFix 08-02.05.3 - kklynn 2008-02-10 8:22:08.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.169 [GMT -6:00]
Running from: H:\Documents and Settings\kklynn\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-10 to 2008-02-10 )))))))))))))))))))))))))))))))
.

2008-02-06 14:55 . 2008-02-08 08:02 <DIR> d-------- H:\Program Files\Mahjongg Artifacts Chapter 2
2008-02-05 06:15 . 2008-02-05 06:15 <DIR> d-------- H:\Program Files\ReflexiveArcade
2008-02-05 06:15 . 2008-02-10 08:02 <DIR> d-------- H:\Program Files\Mystery Case Files Madame Fate
2008-02-05 03:51 . 2008-02-05 03:51 <DIR> d-------- H:\Documents and Settings\kklynn\Application Data\uTorrent
2008-02-05 03:50 . 2008-02-05 03:50 <DIR> d-------- H:\Program Files\uTorrent
2008-02-05 03:50 . 2008-02-10 08:20 <DIR> d-------- H:\Program Files\PeerGuardian2
2008-01-31 20:14 . 2007-07-02 15:02 3,073,320 --a------ H:\WINDOWS\system32\AdvrCntr2D6E0B790.dll
2008-01-31 20:12 . 2007-07-02 15:02 996,648 --a------ H:\WINDOWS\system32\ShellManager10E2D762.dll
2008-01-31 20:12 . 2007-07-02 14:19 638,976 --a------ H:\WINDOWS\system32\NEROINSTAEC43759.DB
2008-01-31 19:52 . 2008-01-31 19:53 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-01-31 19:51 . 2008-01-31 19:51 <DIR> d-------- H:\WINDOWS\cache
2008-01-31 18:46 . 2008-01-31 18:46 101 --a------ H:\WINDOWS\wininit.ini
2008-01-31 18:23 . 2008-01-31 18:23 <DIR> d-------- H:\Program Files\Spybot - Search & Destroy
2008-01-31 18:23 . 2008-01-31 18:47 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-31 14:33 . 2008-01-31 14:33 <DIR> d-------- H:\Program Files\Trend Micro
2008-01-31 13:56 . 2008-01-31 13:56 <DIR> d-------- H:\WINDOWS\AntiSpy
2008-01-31 13:56 . 2008-01-31 13:56 <DIR> d-------- H:\Program Files\DefenderPro
2008-01-30 08:32 . 2008-01-30 08:32 <DIR> d-------- H:\Program Files\MSXML 4.0
2008-01-30 08:32 . 2004-08-04 06:00 221,184 --a------ H:\WINDOWS\system32\wmpns.dll
2008-01-29 22:14 . 2008-01-29 22:14 <DIR> d-------- H:\Documents and Settings\kklynn\Application Data\Big Fish Games
2008-01-29 22:10 . 2008-01-29 22:10 <DIR> d-------- H:\Documents and Settings\kklynn\Application Data\PlayFirst
2008-01-29 22:10 . 2008-01-29 22:10 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\PlayFirst
2008-01-29 22:03 . 2008-01-29 22:03 <DIR> d-------- H:\Documents and Settings\kklynn\Application Data\Gaijin Ent
2008-01-13 21:16 . 2008-02-09 07:02 69 --a------ H:\WINDOWS\NeroDigital.ini
2008-01-13 21:14 . 2008-01-13 21:14 <DIR> d-------- H:\Documents and Settings\kklynn\Application Data\Media Player Classic
2008-01-12 23:11 . 2008-01-12 23:11 <DIR> d-------- H:\Program Files\Defender Pro
2008-01-12 23:11 . 2008-02-10 08:34 3,636,000 --ahs---- H:\WINDOWS\system32\drivers\fidbox.dat
2008-01-12 23:11 . 2008-02-10 08:33 349,216 --ahs---- H:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-12 23:11 . 2008-01-31 10:50 91,700 --a------ H:\WINDOWS\system32\drivers\klin.dat
2008-01-12 23:11 . 2008-01-12 23:24 85,860 --a------ H:\WINDOWS\system32\drivers\klick.dat
2008-01-12 23:11 . 2008-02-08 15:58 47,372 --ahs---- H:\WINDOWS\system32\drivers\fidbox.idx
2008-01-12 23:11 . 2008-02-08 15:58 32,924 --ahs---- H:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-12 23:06 . 2008-01-12 23:06 <DIR> d-------- H:\WINDOWS\Sun
2008-01-12 22:56 . 2008-01-12 22:56 <DIR> d-------- H:\Program Files\Common Files\Scanner
2008-01-12 22:49 . 2008-01-25 18:02 <DIR> d-------- H:\Program Files\Google
2008-01-12 22:48 . 2008-01-12 22:48 <DIR> d-------- H:\Program Files\Java
2008-01-12 22:48 . 2007-09-24 23:31 69,632 --a------ H:\WINDOWS\system32\javacpl.cpl
2008-01-12 22:47 . 2008-01-12 22:47 <DIR> d-------- H:\Program Files\Common Files\Java
2008-01-12 20:23 . 2008-01-12 20:23 <DIR> d-------- H:\Program Files\Universal
2008-01-12 19:55 . 2008-01-12 19:55 <DIR> d-------- H:\Documents and Settings\kklynn\Application Data\Yahoo!
2008-01-12 19:40 . 2008-01-12 19:41 <DIR> d--h----- H:\WINDOWS\msdownld.tmp
2008-01-12 19:40 . 2008-01-31 19:52 <DIR> d-------- H:\Program Files\Yahoo!
2008-01-12 15:23 . 2008-01-12 15:23 <DIR> d-------- H:\Documents and Settings\kklynn\Application Data\Defender Pro
2008-01-12 15:20 . 2008-01-31 13:56 137 --a------ H:\WINDOWS\tsiwinfile.dat
2008-01-12 15:12 . 2008-01-12 15:12 3,120 --a------ H:\WINDOWS\system32\DRWSJLAD.ocx
2008-01-12 15:12 . 2008-01-12 15:12 3,120 --a------ H:\WINDOWS\LJRGKDD9.ocx
2008-01-12 15:11 . 2008-02-08 16:00 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Defender Pro
2008-01-12 12:57 . 2008-01-12 12:57 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Avg7
2008-01-12 00:49 . 2008-01-12 00:49 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\vsosdk
2008-01-11 23:25 . 2008-01-11 23:25 <DIR> d-------- H:\Documents and Settings\kklynn\Application Data\vlc
2008-01-10 23:32 . 2008-01-10 23:32 <DIR> d-------- H:\Program Files\DVD Shrink
2008-01-10 23:32 . 2008-01-10 23:32 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-10 23:31 . 2008-01-10 23:31 <DIR> d-------- H:\Program Files\DVD Decrypter
2008-01-10 23:30 . 2008-01-10 23:30 <DIR> d-------- H:\WINDOWS\system32\custom matrices
2008-01-10 23:28 . 2008-01-12 19:29 <DIR> d--h----- H:\Program Files\InstallShield Installation Information
2008-01-10 23:28 . 2008-01-10 23:29 <DIR> d-------- H:\Program Files\GoldEsel
2008-01-10 23:28 . 2008-01-10 23:29 <DIR> d-------- H:\Program Files\Ahead
2008-01-10 23:26 . 2008-01-10 23:26 <DIR> d-------- H:\Program Files\K-Lite Codec Pack
2008-01-10 23:26 . 2008-01-10 23:26 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-10 23:26 . 2002-07-08 00:14 1,294,336 --a------ H:\WINDOWS\system32\vorbis.acm
2008-01-10 23:26 . 2004-01-27 13:53 1,024,000 --a------ H:\WINDOWS\system32\3ivx.dll
2008-01-10 23:26 . 2004-01-27 13:53 286,720 --a------ H:\WINDOWS\system32\3ivxVfWCodec.dll
2008-01-10 23:26 . 2005-12-08 13:56 65,536 --a------ H:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 23:26 . 2005-12-08 13:56 49,152 --a------ H:\WINDOWS\system32\QuickTime.qts
2008-01-10 23:24 . 2007-02-02 02:47 45,056 --a------ H:\WINDOWS\system32\WNASPI32.DLL
2008-01-10 23:24 . 2007-02-02 02:47 25,244 --a------ H:\WINDOWS\system32\drivers\ASPI32.SYS
2008-01-10 23:24 . 2007-02-02 02:47 5,600 --a------ H:\WINDOWS\system\WINASPI.DLL
2008-01-10 23:24 . 2007-02-02 02:47 4,672 --a------ H:\WINDOWS\system\WOWPOST.EXE
2008-01-10 23:21 . 2008-01-12 00:58 <DIR> d-------- H:\Documents and Settings\kklynn\Application Data\Ahead
2008-01-10 23:20 . 2008-01-10 23:20 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Ahead
2008-01-10 23:19 . 2008-01-10 23:19 <DIR> d-------- H:\Program Files\Nero
2008-01-10 23:19 . 2008-01-31 21:11 <DIR> d-------- H:\Program Files\Common Files\Ahead
2008-01-10 23:19 . 2008-01-10 23:19 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Nero
2008-01-10 23:12 . 2008-01-10 23:57 <DIR> d-------- H:\Program Files\DAEMON Tools
2008-01-10 23:07 . 2008-01-10 23:07 <DIR> d-------- H:\WINDOWS\system32\QuickTime
2008-01-10 23:07 . 2008-01-10 23:54 <DIR> d-------- H:\WINDOWS\system32\C2MP
2008-01-10 23:07 . 2008-01-10 23:07 685,816 --a------ H:\WINDOWS\system32\drivers\sptd.sys
2008-01-10 23:05 . 2008-01-10 23:05 <DIR> d-------- H:\Program Files\MSECache
2008-01-10 23:04 . 2008-01-10 23:04 <DIR> d-------- H:\Program Files\Combined Community Codec Pack
2008-01-10 23:01 . 2008-01-10 23:01 <DIR> d-------- H:\Program Files\VSO
2008-01-10 23:01 . 2008-02-06 19:17 <DIR> d-------- H:\Documents and Settings\kklynn\Application Data\Vso
2008-01-10 23:01 . 2006-09-29 11:24 217,127 --a------ H:\WINDOWS\system32\drv43260.dll
2008-01-10 23:01 . 2006-09-29 11:25 208,935 --a------ H:\WINDOWS\system32\drv33260.dll
2008-01-10 23:01 . 2006-09-29 11:26 176,165 --a------ H:\WINDOWS\system32\drv23260.dll
2008-01-10 23:01 . 2008-01-10 23:01 47,360 --a------ H:\WINDOWS\system32\drivers\pcouffin.sys
2008-01-10 23:01 . 2008-01-10 23:01 47,360 --a------ H:\Documents and Settings\kklynn\Application Data\pcouffin.sys
2008-01-10 22:31 . 2008-01-10 22:31 <DIR> d-------- H:\Program Files\ffdshow
2008-01-10 22:31 . 2008-01-10 22:31 <DIR> d-------- H:\Program Files\AviSynth 2.5
2008-01-10 22:31 . 2008-01-10 22:31 43,668 --a------ H:\WINDOWS\system32\xvid-uninstall.exe
2008-01-10 22:30 . 2008-01-10 22:30 <DIR> d-------- H:\Program Files\Gabest
2008-01-10 22:30 . 2008-01-10 22:31 <DIR> d-------- H:\Program Files\AutoGK
2008-01-10 22:26 . 2008-01-10 22:26 <DIR> d-------- H:\Program Files\Windows Media Connect 2
2008-01-10 22:24 . 2008-01-10 22:24 <DIR> d-------- H:\WINDOWS\system32\LogFiles
2008-01-10 22:24 . 2008-01-10 22:25 <DIR> d-------- H:\WINDOWS\system32\drivers\UMDF
2008-01-10 22:23 . 2008-01-10 22:23 <DIR> d-------- H:\Program Files\WinAVIVideoConverter
2008-01-10 22:22 . 2008-01-10 22:22 <DIR> d-------- H:\Program Files\VideoLAN
2008-01-10 22:11 . 2008-01-10 22:11 249,856 --a------ H:\WINDOWS\system32\aaksrv.exe
2008-01-10 22:11 . 2008-01-10 22:11 81,920 --a------ H:\WINDOWS\system32\aakah.dll
2008-01-10 22:11 . 2008-01-10 22:11 33,152 --a------ H:\WINDOWS\system32\aakah.sys
2008-01-10 22:11 . 2008-01-10 22:11 20,768 --a------ H:\WINDOWS\system32\aakbdrv.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 02:40 --------- d-----w H:\Documents and Settings\kklynn\Application Data\.BitTornado
2008-01-11 00:48 --------- d-----w H:\Program Files\Diskeeper Corporation
2008-01-11 00:48 --------- d-----w H:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
2008-01-11 00:28 --------- d-----w H:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iolo Task Agent"="H:\Program Files\iolo\Common\Task Agent\Task_Agent.exe" [2001-10-25 14:20 41984]
"ctfmon.exe"="H:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="H:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 06:00 158208]
"NeroFilterCheck"="H:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"AVP"="H:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avp.exe" [2007-08-07 15:00 941120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"System Mechanic Cache Cleanup"="H:\Program Files\iolo\System Mechanic 5\SysMech5.exe" [2004-09-08 11:10 2863616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=system32\aakah.dll,H:\PROGRA~1\DEFEND~1\DEFEND~1.0\adialhk.dll

[HKLM\~\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=H:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=H:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=H:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=H:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=H:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=H:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAK]
H:\Program Files\Advanced Anti Keylogger\aak.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-aware]
H:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-06-27 19:03 152872 H:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-08-16 05:24 167368 H:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 08:38 241664 H:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2003-08-04 17:28 49152 H:\Program Files\HP\HP Software Update\HPWuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 9.0]
H:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
H:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Mechanic Popup Stopper]
--a------ 2004-09-08 08:21 491008 H:\Program Files\iolo\System Mechanic 5\PopupStopper.exe

R2 aakah;aakah;H:\WINDOWS\system32\aakah.sys [2008-01-10 22:11]
R2 aakbdrv;aakbdrv;H:\WINDOWS\system32\aakbdrv.sys [2008-01-10 22:11]

*Newly Created Service* - PGFILTER
.
Contents of the 'Scheduled Tasks' folder
"2008-02-09 23:37:00 H:\WINDOWS\Tasks\AntiSpy.job"
- H:\Program Files\DefenderPro\TSAntiSpy.exe
"2008-01-11 02:23:32 H:\WINDOWS\Tasks\WebReg 20080110202331.job"
- H:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe\/TaskName 20080110202331 /N
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-10 08:34:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-10 8:36:01
.
2008-01-30 14:50:04 --- E O F ---

#11 kklynn1955


Posted 10 February 2008 - 09:50 AM

:thumbsup: here is the log ....thank you ever so much!!! it seems to be working...




#12 teacup61


Posted 11 February 2008 - 03:17 PM

Hello,

You're welcome. :thumbsup: Still running all right?

Please post a fresh HijackThis log in your reply.

Thanks,
tea

#13 kklynn1955


Posted 11 February 2008 - 10:11 PM

here is hijackthis file:
computer running great!!! thank you so much....i am so grateful !!!!!!!!!!!! kk :blink:




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:09 PM, on 2/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\aaksrv.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\wuauclt.exe
H:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avp.exe
H:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe
H:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avp.exe
H:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe
H:\WINDOWS\system32\wscntfy.exe
H:\WINDOWS\explorer.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [MSConfig] H:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NeroFilterCheck] H:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AVP] "H:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avp.exe"
O4 - HKLM\..\RunOnce: [System Mechanic Cache Cleanup] H:\Program Files\iolo\System Mechanic 5\SysMech5.exe /COMPLETECACHE
O4 - HKCU\..\Run: [iolo Task Agent] H:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - H:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\scieplugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: system32\aakah.dll,H:\PROGRA~1\DEFEND~1\DEFEND~1.0\adialhk.dll
O23 - Service: aaksrv - Spydex, Inc. - H:\WINDOWS\system32\aaksrv.exe
O23 - Service: Defender Pro Internet Security (AVP) - Defender Pro - H:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe
O23 - Service: Diskeeper - Diskeeper Corporation - H:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: NBService - Nero AG - H:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - H:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - H:\WINDOWS\system32\HPZipm12.exe

--
End of file - 4892 bytes



And just in case, a new ComboFix log:



ComboFix 08-02.05.3 - kklynn 2008-02-11 20:47:49.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.267 [GMT -6:00]
Running from: H:\Documents and Settings\kklynn\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-12 to 2008-02-12 )))))))))))))))))))))))))))))))
.

2008-02-06 14:55 . 2008-02-08 08:02 <DIR> d-------- H:\Program Files\Mahjongg Artifacts Chapter 2
2008-02-05 06:15 . 2008-02-05 06:15 <DIR> d-------- H:\Program Files\ReflexiveArcade
2008-02-05 06:15 . 2008-02-10 08:02 <DIR> d-------- H:\Program Files\Mystery Case Files Madame Fate
2008-02-05 03:51 . 2008-02-05 03:51 <DIR> d-------- H:\Documents and Settings\kklynn\Application Data\uTorrent
2008-02-05 03:50 . 2008-02-05 03:50 <DIR> d-------- H:\Program Files\uTorrent
2008-02-05 03:50 . 2008-02-11 20:46 <DIR> d-------- H:\Program Files\PeerGuardian2
2008-02-04 22:04 . 2004-08-04 06:00 388,608 --a------ H:\kmd.exe
2008-01-31 20:14 . 2007-07-02 15:02 3,073,320 --a------ H:\WINDOWS\system32\AdvrCntr2D6E0B790.dll
2008-01-31 20:12 . 2007-07-02 15:02 996,648 --a------ H:\WINDOWS\system32\ShellManager10E2D762.dll
2008-01-31 20:12 . 2007-07-02 14:19 638,976 --a------ H:\WINDOWS\system32\NEROINSTAEC43759.DB
2008-01-31 19:52 . 2008-01-31 19:53 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-01-31 19:51 . 2008-01-31 19:51 <DIR> d-------- H:\WINDOWS\cache
2008-01-31 18:46 . 2008-01-31 18:46 101 --a------ H:\WINDOWS\wininit.ini
2008-01-31 18:23 . 2008-01-31 18:23 <DIR> d-------- H:\Program Files\Spybot - Search & Destroy
2008-01-31 18:23 . 2008-01-31 18:47 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-31 14:33 . 2008-01-31 14:33 <DIR> d-------- H:\Program Files\Trend Micro
2008-01-31 13:56 . 2008-01-31 13:56 <DIR> d-------- H:\WINDOWS\AntiSpy
2008-01-31 13:56 . 2008-01-31 13:56 <DIR> d-------- H:\Program Files\DefenderPro
2008-01-30 08:32 . 2008-01-30 08:32 <DIR> d-------- H:\Program Files\MSXML 4.0
2008-01-30 08:32 . 2004-08-04 06:00 221,184 --a------ H:\WINDOWS\system32\wmpns.dll
2008-01-29 22:14 . 2008-01-29 22:14 <DIR> d-------- H:\Documents and Settings\kklynn\Application Data\Big Fish Games
2008-01-29 22:10 . 2008-01-29 22:10 <DIR> d-------- H:\Documents and Settings\kklynn\Application Data\PlayFirst
2008-01-29 22:10 . 2008-01-29 22:10 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\PlayFirst
2008-01-29 22:03 . 2008-01-29 22:03 <DIR> d-------- H:\Documents and Settings\kklynn\Application Data\Gaijin Ent
2008-01-13 21:16 . 2008-02-09 07:02 69 --a------ H:\WINDOWS\NeroDigital.ini
2008-01-13 21:14 . 2008-01-13 21:14 <DIR> d-------- H:\Documents and Settings\kklynn\Application Data\Media Player Classic
2008-01-12 23:11 . 2008-01-12 23:11 <DIR> d-------- H:\Program Files\Defender Pro
2008-01-12 23:11 . 2008-02-11 20:49 3,838,496 --ahs---- H:\WINDOWS\system32\drivers\fidbox.dat
2008-01-12 23:11 . 2008-02-11 20:49 357,664 --ahs---- H:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-12 23:11 . 2008-01-31 10:50 91,700 --a------ H:\WINDOWS\system32\drivers\klin.dat
2008-01-12 23:11 . 2008-01-12 23:24 85,860 --a------ H:\WINDOWS\system32\drivers\klick.dat
2008-01-12 23:11 . 2008-02-10 08:41 50,612 --ahs---- H:\WINDOWS\system32\drivers\fidbox.idx
2008-01-12 23:11 . 2008-02-10 08:41 33,884 --ahs---- H:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-12 23:06 . 2008-01-12 23:06 <DIR> d-------- H:\WINDOWS\Sun
2008-01-12 22:56 . 2008-01-12 22:56 <DIR> d-------- H:\Program Files\Common Files\Scanner
2008-01-12 22:49 . 2008-01-25 18:02 <DIR> d-------- H:\Program Files\Google
2008-01-12 22:48 . 2008-01-12 22:48 <DIR> d-------- H:\Program Files\Java
2008-01-12 22:48 . 2007-09-24 23:31 69,632 --a------ H:\WINDOWS\system32\javacpl.cpl
2008-01-12 22:47 . 2008-01-12 22:47 <DIR> d-------- H:\Program Files\Common Files\Java
2008-01-12 20:23 . 2008-01-12 20:23 <DIR> d-------- H:\Program Files\Universal
2008-01-12 19:55 . 2008-01-12 19:55 <DIR> d-------- H:\Documents and Settings\kklynn\Application Data\Yahoo!
2008-01-12 19:40 . 2008-01-12 19:41 <DIR> d--h----- H:\WINDOWS\msdownld.tmp
2008-01-12 19:40 . 2008-01-31 19:52 <DIR> d-------- H:\Program Files\Yahoo!
2008-01-12 15:23 . 2008-01-12 15:23 <DIR> d-------- H:\Documents and Settings\kklynn\Application Data\Defender Pro
2008-01-12 15:20 . 2008-01-31 13:56 137 --a------ H:\WINDOWS\tsiwinfile.dat
2008-01-12 15:12 . 2008-01-12 15:12 3,120 --a------ H:\WINDOWS\system32\DRWSJLAD.ocx
2008-01-12 15:12 . 2008-01-12 15:12 3,120 --a------ H:\WINDOWS\LJRGKDD9.ocx
2008-01-12 15:11 . 2008-02-10 08:42 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Defender Pro
2008-01-12 12:57 . 2008-01-12 12:57 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Avg7
2008-01-12 00:49 . 2008-01-12 00:49 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\vsosdk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 01:17 --------- d-----w H:\Documents and Settings\kklynn\Application Data\Vso
2008-02-01 03:11 --------- d-----w H:\Program Files\Common Files\Ahead
2008-01-20 00:11 --------- d-----w H:\Program Files\Symantec
2008-01-13 01:29 --------- d--h--w H:\Program Files\InstallShield Installation Information
2008-01-12 18:57 --------- d-----w H:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-12 06:58 --------- d-----w H:\Documents and Settings\kklynn\Application Data\Ahead
2008-01-12 05:25 --------- d-----w H:\Documents and Settings\kklynn\Application Data\vlc
2008-01-11 06:03 --------- d-----w H:\Program Files\Common Files\InstallShield
2008-01-11 05:57 --------- d-----w H:\Program Files\DAEMON Tools
2008-01-11 05:32 --------- d-----w H:\Program Files\DVD Shrink
2008-01-11 05:32 --------- d-----w H:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-11 05:31 --------- d-----w H:\Program Files\DVD Decrypter
2008-01-11 05:29 --------- d-----w H:\Program Files\GoldEsel
2008-01-11 05:29 --------- d-----w H:\Program Files\Ahead
2008-01-11 05:26 --------- d-----w H:\Program Files\K-Lite Codec Pack
2008-01-11 05:26 --------- d-----w H:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-11 05:20 --------- d-----w H:\Documents and Settings\All Users\Application Data\Ahead
2008-01-11 05:19 --------- d-----w H:\Program Files\Nero
2008-01-11 05:19 --------- d-----w H:\Documents and Settings\All Users\Application Data\Nero
2008-01-11 05:07 685,816 ----a-w H:\WINDOWS\system32\drivers\sptd.sys
2008-01-11 05:05 --------- d-----w H:\Program Files\MSECache
2008-01-11 05:04 --------- d-----w H:\Program Files\Combined Community Codec Pack
2008-01-11 05:01 47,360 ----a-w H:\WINDOWS\system32\drivers\pcouffin.sys
2008-01-11 05:01 47,360 ----a-w H:\Documents and Settings\kklynn\Application Data\pcouffin.sys
2008-01-11 05:01 --------- d-----w H:\Program Files\VSO
2008-01-11 04:31 43,668 ----a-w H:\WINDOWS\system32\xvid-uninstall.exe
2008-01-11 04:31 --------- d-----w H:\Program Files\ffdshow
2008-01-11 04:31 --------- d-----w H:\Program Files\AviSynth 2.5
2008-01-11 04:31 --------- d-----w H:\Program Files\AutoGK
2008-01-11 04:30 --------- d-----w H:\Program Files\Gabest
2008-01-11 04:26 --------- d-----w H:\Program Files\Windows Media Connect 2
2008-01-11 04:23 --------- d-----w H:\Program Files\WinAVIVideoConverter
2008-01-11 04:22 --------- d-----w H:\Program Files\VideoLAN
2008-01-11 04:15 --------- d-----w H:\Documents and Settings\kklynn\Application Data\Lavasoft
2008-01-11 04:11 81,920 ----a-w H:\WINDOWS\system32\aakah.dll
2008-01-11 04:11 33,152 ----a-w H:\WINDOWS\system32\aakah.sys
2008-01-11 04:11 249,856 ----a-w H:\WINDOWS\system32\aaksrv.exe
2008-01-11 04:11 20,768 ----a-w H:\WINDOWS\system32\aakbdrv.sys
2008-01-11 03:39 --------- d-----w H:\Documents and Settings\kklynn\Application Data\IsolatedStorage
2008-01-11 03:39 --------- d-----w H:\Documents and Settings\All Users\Application Data\Symantec
2008-01-11 02:40 --------- d-----w H:\Documents and Settings\kklynn\Application Data\.BitTornado
2008-01-11 02:38 --------- d-----w H:\Program Files\BitTornado
2008-01-11 02:27 --------- d-----w H:\Program Files\iolo
2008-01-11 02:20 --------- d-----w H:\Program Files\HP
2008-01-11 02:20 --------- d-----w H:\Program Files\Common Files\Hewlett-Packard
2008-01-11 02:16 --------- d-----w H:\Program Files\Common Files\HP
2008-01-11 01:38 --------- d-----w H:\Program Files\Common Files\Adobe
2008-01-11 00:48 --------- d-----w H:\Program Files\Diskeeper Corporation
2008-01-11 00:48 --------- d-----w H:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
2008-01-11 00:28 --------- d-----w H:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iolo Task Agent"="H:\Program Files\iolo\Common\Task Agent\Task_Agent.exe" [2001-10-25 14:20 41984]
"ctfmon.exe"="H:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="H:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 06:00 158208]
"NeroFilterCheck"="H:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"AVP"="H:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avp.exe" [2007-08-07 15:00 941120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"System Mechanic Cache Cleanup"="H:\Program Files\iolo\System Mechanic 5\SysMech5.exe" [2004-09-08 11:10 2863616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=system32\aakah.dll,H:\PROGRA~1\DEFEND~1\DEFEND~1.0\adialhk.dll

[HKLM\~\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=H:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=H:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=H:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=H:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=H:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=H:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAK]
H:\Program Files\Advanced Anti Keylogger\aak.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-aware]
H:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-06-27 19:03 152872 H:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-08-16 05:24 167368 H:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 08:38 241664 H:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2003-08-04 17:28 49152 H:\Program Files\HP\HP Software Update\HPWuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 9.0]
H:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
H:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Mechanic Popup Stopper]
--a------ 2004-09-08 08:21 491008 H:\Program Files\iolo\System Mechanic 5\PopupStopper.exe

R2 aakah;aakah;H:\WINDOWS\system32\aakah.sys [2008-01-10 22:11]
R2 aakbdrv;aakbdrv;H:\WINDOWS\system32\aakbdrv.sys [2008-01-10 22:11]

*Newly Created Service* - PGFILTER
.
Contents of the 'Scheduled Tasks' folder
"2008-02-11 23:37:00 H:\WINDOWS\Tasks\AntiSpy.job"
- H:\Program Files\DefenderPro\TSAntiSpy.exe
"2008-02-11 03:07:09 H:\WINDOWS\Tasks\WebReg 20080210210707.job"
- H:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe\/TaskName 20080210210707 /N
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 20:49:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-11 20:50:17
ComboFix2.txt 2008-02-10 14:36:02
.
2008-01-30 14:50:04 --- E O F ---


thank you again and again!!! :thumbsup:

#14 teacup61


  • Malware Response Team

Posted 11 February 2008 - 11:48 PM

Hello,

And you're welcome just as much. :thumbsup: I have to advise you to stay away from those P2P/Torrents as much as possible. They are a large reason people get infected. It's not the programs themselves, but the things that are downloaded from them!

Please delete ComboFix and its accompanying folder, C:\Qoobox

If there are no further problems:

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

You should definitely maintain a firewall. Some good free firewalls are Kerio or Outpost. I use Comodo on my own system and really like it. http://comodo.com
A tutorial on understanding and using firewalls may be found here.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Take care!
tea

#15 kklynn1955

  • Topic Starter


Posted 12 February 2008 - 12:05 AM

THANKS, WILL FOLLOW THRU WITH ALL YOUR ADVICE...THANKS AGAIN FOR SUCH A QUICK AND WONDERFUL RESPONSE...IT IS VERY WELCOME!!! KK



