
Infected with SKYNET trojan


  • This topic is locked
12 replies to this topic

#1 joosay

  • Members
  • 47 posts
  • OFFLINE
  • Local time:02:51 AM

Posted 25 June 2009 - 03:14 PM

I have a trojan that is affecting all search engine results. When searching using Google or Bing any hyperlink is redirected to an ad page, usually ToSeekA.com. IE also seems to be underperforming. Pasted DDS below. I also included an mbam-log. Malwarebytes detected the trojan and removed it through 2 searches, but then the problem reappeared.

Thanks for the help,
Josh



DDS (Ver_09-05-14.01) - FAT32x86
Run by Owner at 16:04:29.90 on Thu 06/25/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.750.285 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\System32\WLTRAY.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/finance?hl=en&tab=we
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13917&gct=&gc=1&q=%s
uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [PMX Daemon] ICO.EXE
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.propertypanorama.com/tourmanager/ImageUploader5.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1244658543299
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - hxxp://www.cooliris.com/shared/plinstll.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-20 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-20 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-20 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-6-20 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-20 298776]
RUnknown dqzmc;dqzmc; [x]
S3 flash;flash;c:\windows\system32\drivers\flash.sys [2009-6-10 7040]

=============== Created Last 30 ================

2009-06-25 14:26 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-06-25 14:25 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-25 14:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-25 14:25 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-25 14:25 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-20 17:01 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-06-20 15:39 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-20 15:39 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-06-20 15:39 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-20 15:39 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-06-20 15:39 <DIR> --d----- c:\program files\AVG
2009-06-20 15:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-06-19 15:45 <DIR> --d----- c:\docume~1\owner\applic~1\GetRightToGo
2009-06-19 15:36 <DIR> --d----- c:\docume~1\owner\applic~1\WinFF
2009-06-19 15:04 <DIR> --d----- c:\program files\ConvertHelper
2009-06-19 14:52 <DIR> --d----- c:\documents and settings\owner\dwhelper
2009-06-18 20:25 <DIR> --d----- c:\program files\MagicISO
2009-06-18 11:54 <DIR> --d----- c:\windows\pss
2009-06-18 11:19 33,846 a------- c:\windows\system32\SpoonUninstall-dBpoweramp m4a Codec.bmp
2009-06-18 11:19 3,625 a------- c:\windows\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
2009-06-18 11:14 <DIR> --d----- c:\docume~1\owner\applic~1\AccurateRip
2009-06-18 11:14 1,073,528 a------- c:\windows\system32\SpoonUninstall.exe
2009-06-18 11:14 33,846 a------- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.bmp
2009-06-18 11:14 14,373 a------- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2009-06-18 11:14 <DIR> --d----- c:\program files\Illustrate
2009-06-18 11:07 6,736 a------- c:\windows\coolcust.ini
2009-06-18 11:05 140,288 a------- c:\windows\system32\ra3214_4.dll
2009-06-18 11:05 90,624 a------- c:\windows\system32\pnc32301.dll
2009-06-18 11:05 85,504 a------- c:\windows\system32\encdnet.dll
2009-06-18 11:05 79,650 a------- c:\windows\cep1unin.exe
2009-06-18 11:05 72,704 a------- c:\windows\system32\ra3228_8.dll
2009-06-18 11:05 61,440 a------- c:\windows\system32\decdnet.dll
2009-06-18 11:05 13,824 a------- c:\windows\system32\ra32dnet.dll
2009-06-18 11:05 7,849 a------- c:\windows\cool.ini
2009-06-18 11:05 <DIR> --d----- C:\coolpro
2009-06-18 11:04 <DIR> --d----- C:\amovie
2009-06-17 12:45 <DIR> --d----- c:\program files\The Ur-Quan Masters
2009-06-17 12:45 <DIR> --d----- c:\docume~1\owner\applic~1\uqm
2009-06-16 15:03 5,174 a------- c:\windows\system32\nppt9x.vxd
2009-06-16 15:03 4,682 a------- c:\windows\system32\npptNT2.sys
2009-06-16 15:03 <DIR> --d----- c:\program files\common files\INCA Shared
2009-06-16 14:58 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-06-16 14:58 12,160 a------- c:\windows\system32\dllcache\mouhid.sys
2009-06-16 14:58 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2009-06-16 14:58 10,368 a------- c:\windows\system32\dllcache\hidusb.sys
2009-06-16 14:16 <DIR> --d----- C:\GamesCampus
2009-06-15 01:14 <DIR> --d----- c:\windows\system32\scripting
2009-06-15 01:14 <DIR> --d----- c:\windows\l2schemas
2009-06-15 01:13 <DIR> --d----- c:\windows\system32\en
2009-06-15 01:11 <DIR> --d----- c:\windows\network diagnostic
2009-06-14 16:48 <DIR> --d----- c:\docume~1\owner\applic~1\Redemption
2009-06-14 16:07 <DIR> --dsh--- c:\documents and settings\owner\IECompatCache
2009-06-14 16:06 <DIR> --dsh--- c:\documents and settings\owner\PrivacIE
2009-06-14 16:06 <DIR> --dsh--- c:\documents and settings\owner\IETldCache
2009-06-14 15:43 1,985,024 -------- c:\windows\system32\dllcache\iertutil.dll
2009-06-14 15:43 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-14 15:43 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-06-14 15:43 11,064,832 -------- c:\windows\system32\dllcache\ieframe.dll
2009-06-14 15:43 <DIR> --d----- c:\windows\ie8updates
2009-06-14 15:43 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-06-14 15:42 <DIR> --d-h--- c:\windows\ie8
2009-06-14 14:48 286,720 -------- c:\windows\system32\dllcache\blackbox.dll
2009-06-14 14:47 572,557 -------- c:\windows\system32\dllcache\rtuner.wmv
2009-06-14 14:26 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-06-14 14:26 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-14 14:26 <DIR> --d----- c:\program files\iPod
2009-06-14 14:25 <DIR> --d----- c:\program files\iTunes
2009-06-14 14:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-14 14:25 <DIR> --d----- c:\program files\Bonjour
2009-06-14 14:18 272,128 -------- c:\windows\system32\dllcache\bthport.sys
2009-06-14 14:14 203,136 -------- c:\windows\system32\dllcache\rmcast.sys
2009-06-14 14:14 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2009-06-14 14:14 333,952 -------- c:\windows\system32\dllcache\srv.sys
2009-06-14 14:14 331,776 -------- c:\windows\system32\dllcache\msadce.dll
2009-06-14 14:13 691,712 -------- c:\windows\system32\dllcache\inetcomm.dll
2009-06-14 14:11 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2009-06-14 14:11 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2009-06-14 14:10 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-06-14 14:10 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-06-14 14:10 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-06-14 14:07 <DIR> --d----- c:\windows\system32\wbem\AutoRecover
2009-06-14 13:45 <DIR> --d----- c:\windows\ServicePackFiles
2009-06-14 13:41 19,528 a------- c:\windows\002302_.tmp
2009-06-14 13:39 <DIR> --d----- c:\windows\EHome
2009-06-14 10:56 <DIR> --d----- c:\program files\Full Tilt Poker
2009-06-12 09:03 1,082,368 a------- c:\windows\system32\esent.dll
2009-06-12 08:57 <DIR> --d----- c:\docume~1\owner\applic~1\Research In Motion
2009-06-10 20:29 <DIR> --d----- c:\program files\uTorrent
2009-06-10 20:29 <DIR> --d----- c:\docume~1\owner\applic~1\uTorrent
2009-06-10 20:17 <DIR> --d----- c:\program files\VideoLAN
2009-06-10 17:33 <DIR> --d----- c:\windows\system32\Adobe
2009-06-10 16:31 26,496 a----r-- c:\windows\system32\drivers\RimSerial.sys
2009-06-10 16:30 <DIR> --d----- c:\program files\common files\Research In Motion
2009-06-10 16:30 <DIR> --d----- c:\program files\Research In Motion
2009-06-10 16:29 <DIR> --d----- c:\program files\MSXML 6.0
2009-06-10 15:39 <DIR> --dsh--- C:\FOUND.001
2009-06-10 15:36 1,428,992 a------- c:\windows\system32\msvidctl.dll
2009-06-10 15:34 14,604 a------- c:\windows\system32\drivers\pfc.sys
2009-06-10 15:34 344,064 a----r-- c:\windows\system32\msvcr70.dll
2009-06-10 14:58 <DIR> --d----- c:\program files\common files\Adobe Systems Shared
2009-06-10 14:43 137 a------- c:\windows\REDEMUNINS.INI
2009-06-10 14:37 <DIR> --d----- c:\docume~1\owner\applic~1\Intel
2009-06-10 14:37 21,425 a------- c:\windows\system32\drivers\AegisP.sys
2009-06-10 14:36 2,732,032 a------- c:\windows\system32\Netw2r32.dll
2009-06-10 14:36 2,209,408 a------- c:\windows\system32\drivers\w29n51.sys
2009-06-10 14:36 557,056 a------- c:\windows\system32\Netw2c32.dll
2009-06-10 14:33 <DIR> --d----- c:\windows\system32\PreInstall
2009-06-10 14:33 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-06-10 14:33 <DIR> --d-h--- c:\windows\$hf_mig$
2009-06-10 14:32 <DIR> --d----- c:\windows\system32\bits
2009-06-10 14:31 354,304 a------- c:\windows\system32\winhttp.dll
2009-06-10 14:31 18,944 a------- c:\windows\system32\qmgrprxy.dll
2009-06-10 14:31 8,192 -------- c:\windows\system32\bitsprx2.dll
2009-06-10 14:31 7,168 -------- c:\windows\system32\bitsprx3.dll
2009-06-10 14:30 213,528 a------- c:\windows\system32\wuaucpl.cpl
2009-06-10 14:30 31,768 a------- c:\windows\system32\wucltui.dll.mui
2009-06-10 14:30 23,576 a------- c:\windows\system32\wuaucpl.cpl.mui
2009-06-10 14:30 18,456 a------- c:\windows\system32\wuaueng.dll.mui
2009-06-10 14:30 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-06-10 14:07 <DIR> --dsh--- c:\documents and settings\owner\UserData
2009-06-10 13:32 7,040 a------- c:\windows\system32\drivers\flash.sys
2009-06-10 13:22 <DIR> --d----- C:\WUTemp
2009-06-10 13:22 191,488 a------- c:\windows\system32\iuengine.dll
2009-06-10 13:16 <DIR> --d----- c:\program files\Broadcom
2009-06-10 12:09 499,712 a------- c:\windows\system32\MSVCP71.DLL
2009-06-10 12:09 89,088 a------- c:\windows\system32\ATL71.DLL
2009-06-10 12:09 33,664 a------- c:\windows\system32\drivers\BCMWLNPF.SYS
2009-06-10 12:09 86,016 a------- c:\windows\system32\preflib.dll
2009-06-10 12:09 69,632 a------- c:\windows\system32\bcmwlpkt.dll
2009-06-10 12:09 44,032 a------- c:\windows\system32\wltrynt.dll
2009-06-10 12:09 1,392,640 a------- c:\windows\system32\WLTRAY.EXE
2009-06-10 12:09 2,129,920 a------- c:\windows\system32\WLBCGCBPRO731.DLL
2009-06-10 12:09 757,760 a------- c:\windows\system32\bcm1xsup.dll
2009-06-10 12:06 30,976 a------- c:\windows\system32\drivers\gv3.sys
2009-06-10 12:06 69,723 a------- c:\windows\system32\SynTPFcs.dll
2009-06-10 12:06 191,872 a------- c:\windows\system32\drivers\SynTP.sys
2009-06-10 12:06 114,688 a------- c:\windows\system32\SynCtrl.dll
2009-06-10 12:06 94,299 a------- c:\windows\system32\SynTPAPI.dll
2009-06-10 12:06 82,014 a------- c:\windows\system32\SynCOM.dll
2009-06-10 12:06 81,920 a------- c:\windows\system32\SynTPCo2.dll
2009-06-10 12:06 <DIR> --d----- c:\program files\Synaptics
2009-06-10 12:05 74,240 a------- c:\windows\system32\usbui.dll
2009-06-10 12:05 24,960 a------- c:\windows\system32\drivers\pciidex.sys
2009-06-10 12:05 96,512 a------- c:\windows\system32\drivers\atapi.sys
2009-06-10 12:05 3,328 a------- c:\windows\system32\drivers\pciide.sys
2009-06-10 12:05 3,328 a------- c:\windows\system32\dllcache\pciide.sys
2009-06-10 12:05 37,248 a------- c:\windows\system32\drivers\isapnp.sys
2009-06-10 12:05 68,224 a------- c:\windows\system32\drivers\pci.sys
2009-06-10 12:04 98,360 a------- c:\windows\dla.exe
2009-06-10 12:04 88,352 a------- c:\windows\system32\drivers\drvmcdb.sys
2009-06-10 12:04 61,500 a------- c:\windows\system32\tfswapi.dll
2009-06-10 12:04 40,544 a------- c:\windows\system32\drivers\drvnddm.sys
2009-06-10 12:04 23,545 a------- c:\windows\system32\drivers\ssrtln.sys
2009-06-10 12:04 5,627 a------- c:\windows\system32\drivers\sscdbhk5.sys
2009-06-10 12:04 184 a------- c:\windows\wininit.ini
2009-06-10 12:04 <DIR> --d----- c:\windows\system32\dla
2009-06-10 12:04 <DIR> --d----- c:\program files\Sonic
2009-06-10 12:03 135,168 a------- c:\windows\system32\igfxres.dll
2009-06-10 11:58 1,033,728 a------- c:\windows\system32\drivers\HSF_DPV.SYS
2009-06-10 11:58 86,016 a------- c:\windows\system32\mdmxsdk.dll
2009-06-10 11:58 13,059 a------- c:\windows\system32\drivers\mdmxsdk.sys
2009-06-10 11:58 705,408 a------- c:\windows\system32\drivers\HSF_CNXT.sys
2009-06-10 11:58 208,384 a------- c:\windows\system32\drivers\HSFHWICH.sys
2009-06-10 11:58 129,405 a------- c:\windows\system32\drivers\del1028.cty
2009-06-10 11:58 42,858 a------- c:\windows\system32\hsfci014.dll
2009-06-10 11:57 6,272 a------- c:\windows\system32\drivers\splitter.sys
2009-06-10 11:57 83,072 a------- c:\windows\system32\drivers\wdmaud.sys
2009-06-10 11:56 52,864 a------- c:\windows\system32\drivers\DMusic.sys
2009-06-10 11:56 56,576 a------- c:\windows\system32\drivers\swmidi.sys
2009-06-10 11:56 142,592 a------- c:\windows\system32\drivers\aec.sys
2009-06-10 11:56 172,416 a------- c:\windows\system32\drivers\kmixer.sys
2009-06-10 11:56 2,944 a------- c:\windows\system32\drivers\drmkaud.sys
2009-06-10 11:56 60,800 a------- c:\windows\system32\drivers\sysaudio.sys
2009-06-10 11:56 146,048 a------- c:\windows\system32\drivers\portcls.sys
2009-06-10 11:56 60,160 a------- c:\windows\system32\drivers\drmk.sys
2009-06-10 11:56 23,552 a------- c:\windows\system32\wdmaud.drv
2009-06-10 11:56 264,440 a------- c:\windows\system32\drivers\stac97.sys
2009-06-10 11:56 102,481 a------- c:\windows\system32\stac97.cpl
2009-06-10 11:56 <DIR> --d----- c:\program files\SigmaTel
2009-06-10 11:53 <DIR> --d----- c:\program files\Modem Helper
2009-06-10 11:52 <DIR> --d----- c:\windows\Downloaded Installations
2009-06-08 09:29 1,063,936 a------- c:\windows\system32\drivers\HSF_DP.sys
2009-06-08 09:29 400,553 a------- c:\windows\system32\drivers\del5422.cty
2009-06-08 09:29 27,765 a------- c:\windows\system32\HSFCI006.dll
2009-06-08 09:21 <DIR> --d----- c:\program files\CONEXANT
2009-06-08 09:19 17,153 a------- c:\windows\system32\drivers\omci.sys
2009-06-08 09:13 770,048 a------- c:\windows\system32\BCMLogon.dll
2009-06-08 09:11 <DIR> --d----- c:\program files\Digital Line Detect
2009-06-08 08:50 3,395,584 a------- c:\windows\system32\BCMWLCPL.CPL
2009-06-08 08:50 1,253,376 a------- c:\windows\system32\BCMWLTRY.EXE
2009-06-08 08:50 20,480 a------- c:\windows\system32\WLTRYSVC.EXE
2009-06-08 08:50 909,312 -------- c:\windows\system32\AegisE5.dll
2009-06-08 08:50 253,952 a------- c:\windows\system32\bcmwlu00.exe
2009-06-08 08:50 312,960 -------- c:\windows\system32\drivers\BCMWL5.SYS
2009-06-08 08:50 57,344 -------- c:\windows\system32\BCMWLD2K.EXE
2009-06-08 08:32 <DIR> --dsh--- C:\FOUND.000
2009-06-07 23:37 <DIR> --dsh--- C:\Recycled
2009-06-07 22:44 40,960 a------- c:\windows\system32\ct32.dll
2009-06-07 22:44 34,329 -------- c:\windows\O2Remove.EXE
2009-06-07 22:44 91,395 a------- c:\windows\system32\drivers\ozscr.sys
2009-06-07 22:44 7,686 a------- c:\windows\system32\drivers\ozscrxp.cat
2009-06-07 22:44 2,271 a------- c:\windows\system32\drivers\ozscrxp.inf
2009-06-07 22:41 <DIR> --d----- c:\windows\system32\URTTemp
2009-06-07 22:40 24,576 a------- c:\windows\system32\cpl_moh.cpl
2009-06-07 22:40 <DIR> --d----- c:\program files\Dell Modem-On-Hold
2009-06-07 22:38 53,248 a------- c:\windows\system32\DellSys.dll
2009-06-07 22:38 <DIR> --d----- c:\program files\Dell
2009-06-07 22:00 <DIR> --d----- C:\drvrtmp
2009-06-07 21:59 <DIR> --d----- c:\windows\Drivers
2009-06-07 21:12 5 a------- c:\windows\system32\drivers\DELL_INS_700M.MRK
2009-06-07 21:12 5 a------- c:\windows\system32\drivers\1028_DELL_INS_700M.MRK
2009-06-07 21:11 <DIR> --d----- c:\program files\Dell Computer Corporation
2009-06-07 21:11 666 a------- c:\windows\speed.reg
2009-06-07 21:10 52,480 a------- c:\windows\system32\drivers\i8042prt.sys
2009-06-07 21:10 23,040 a------- c:\windows\system32\drivers\mouclass.sys
2009-06-07 21:10 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-06-07 21:10 <DIR> --d----- c:\program files\Apoint
2009-06-07 21:10 87,805 a------- c:\windows\system32\Vxdif.dll
2009-06-07 21:10 94,600 a------- c:\windows\system32\drivers\Apfiltr.sys
2009-06-07 21:09 983,040 a------- c:\windows\system32\W20MLRES.DLL
2009-06-07 21:09 966,656 a------- c:\windows\system32\W70MLRES.DLL
2009-06-07 21:05 991,232 a------- c:\windows\system32\W22MLRES.DLL
2009-06-07 21:02 446,464 a----r-- c:\windows\system32\hhactivex.dll
2009-06-07 21:02 1,064,456 a------- c:\windows\system32\MSCOMCTL.OCX
2009-06-07 21:02 176,128 a------- c:\windows\system32\RcdScan.dll
2009-06-07 21:02 645,616 a------- c:\windows\system32\MSCOMCT2.OCX
2009-06-07 21:02 414,944 a------- c:\windows\system32\COMCT332.OCX
2009-06-07 21:02 328,480 a------- c:\windows\system32\ssa3d30.ocx
2009-06-07 21:02 171,967 a------- c:\windows\system32\Odbcjet.hlp
2009-06-07 21:02 7,348 a------- c:\windows\system32\Odbcjet.cnt
2009-06-07 21:02 89,360 a------- c:\windows\system32\VB5DB.DLL
2009-06-07 20:52 <DIR> --ds---- c:\windows\system32\Microsoft
2009-06-07 20:52 37,376 a------- c:\windows\system32\ReportReader.dll
2009-06-07 20:52 87,040 a------- c:\windows\system32\WebFlowIDPersist.dll
2009-06-07 20:52 40,448 a------- c:\windows\system32\BJAXSecurityManager.dll
2009-06-07 20:52 1,073,152 a------- c:\windows\system32\ActiveUtils.dll
2009-06-07 20:52 327,680 a------- c:\windows\system32\snmpaxctrl.dll
2009-06-07 20:52 <DIR> --d----- c:\program files\common files\Motive
2009-06-07 20:52 86,016 a------- c:\windows\system32\BJInstaller.dll
2009-06-07 20:52 73,728 a------- c:\windows\system32\BinaryAggregator1.dll
2009-06-07 20:52 5,773,592 a------- C:\BellSouthIW.re~
2009-06-07 20:51 6,345 a----r-- c:\windows\system32\DevMngr.vxd
2009-06-07 20:49 <DIR> --dsh--- c:\windows\Installer
2009-06-07 20:49 <DIR> --d----- c:\documents and settings\Owner
2009-06-07 20:48 8,192 a------- c:\windows\REGLOCS.OLD
2009-06-07 20:14 156,672 a------- c:\windows\system32\dllcache\winzm.ime
2009-06-07 20:14 156,672 a------- c:\windows\system32\dllcache\winsp.ime
2009-06-07 20:14 156,672 a------- c:\windows\system32\dllcache\winpy.ime
2009-06-07 20:14 72,704 a------- c:\windows\system32\dllcache\wingb.ime
2009-06-07 20:14 65,536 a------- c:\windows\system32\dllcache\winime.ime
2009-06-07 20:14 79,360 a------- c:\windows\system32\dllcache\winar30.ime
2009-06-07 20:14 31,232 a------- c:\windows\system32\dllcache\weitekp9.sys
2009-06-07 20:14 41,600 a------- c:\windows\system32\dllcache\weitekp9.dll
2009-06-07 20:14 86,073 a------- c:\windows\system32\dllcache\voicesub.dll
2009-06-07 20:14 48,256 a------- c:\windows\system32\dllcache\w32.dll
2009-06-07 20:12 205,824 a------- c:\windows\system32\dllcache\EXCH_seo.dll
2009-06-07 20:11 92,416 a------- c:\windows\system32\dllcache\mga.sys
2009-06-07 20:10 18,944 a------- c:\windows\system32\dllcache\cprofile.exe
2009-06-07 20:04 24,576 a------- c:\windows\system32\xpsp1hfm.exe
2009-06-07 20:01 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-06-07 20:01 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
2009-06-07 20:01 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-06-07 20:01 <DIR> --ds---- c:\windows\Downloaded Program Files
2009-06-07 20:01 <DIR> --d--r-- c:\windows\Offline Web Pages
2009-06-07 20:01 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-06-07 20:01 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-06-07 20:01 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-06-07 20:01 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-06-07 20:01 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-06-07 20:01 749 a---hr-- c:\windows\system32\cdplayer.exe.manifest
2009-06-07 20:01 4,399,505 a------- c:\windows\system32\dllcache\nls302en.lex
2009-06-07 20:01 <DIR> --d----- c:\windows\system32\DirectX
2009-06-07 20:00 <DIR> --d----- c:\program files\common files\MSSoap
2009-06-07 19:58 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-06-07 19:58 <DIR> --d----- c:\program files\Online Services
2009-06-07 19:58 <DIR> --d----- c:\program files\Messenger
2009-06-07 19:58 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-06-07 19:57 <DIR> --d----- c:\program files\Windows NT
2009-06-07 19:51 <DIR> --d----- c:\program files\common files\ODBC
2009-06-07 19:51 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-06-07 19:51 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-06-15 01:16 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-06-07 20:00 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 01:15 5,936,128 -------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 01:15 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 17:22 1,207,808 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 17:22 385,536 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 17:22 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 07:21 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 08:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 10:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2006-06-23 09:13 245,760 a--sh--- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 16:06:11.11 ===============


Malwarebytes' Anti-Malware 1.38
Database version: 2335
Windows 5.1.2600 Service Pack 3

6/25/2009 3:26:08 PM
mbam-log-2009-06-25 (15-26-07).txt

Scan type: Quick Scan
Objects scanned: 96954
Time elapsed: 21 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\Temp\SKYNETlbrxeeusta.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETnvxsdepyyq.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETqqorglhpes.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETaphxvnnqwm.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETwmjbkxkosj.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNEToibiqjxtuw.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNEThwcippyfvr.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETljbbcqobcv.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
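The two logs above carry the signals a responder would triage by hand: a service entry in the DDS "SERVICES / DRIVERS" section with no image path, and a run of Malwarebytes detections whose file names share a fixed prefix followed by random letters. The script below is an added example, not part of the thread or of either tool: it parses short excerpts of both logs (embedded inline, copied from the lines posted above) and reports the orphaned service and the detection pattern. The DDS line format, the meaning of a trailing `[x]` (file not found on disk) and of an "Unknown" start type, and the random-name heuristic are assumptions made for this example, not taken from DDS or MBAM documentation.

```python
import ntpath
import re
from collections import Counter

# Constructed sample input: trimmed copies of the DDS and Malwarebytes lines
# posted in the thread, embedded so the example runs offline.
DDS_SERVICES = r"""
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-20 327688]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-20 298776]
RUnknown dqzmc;dqzmc; [x]
S3 flash;flash;c:\windows\system32\drivers\flash.sys [2009-6-10 7040]
"""

MBAM_FILES = r"""
c:\WINDOWS\Temp\SKYNETlbrxeeusta.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETnvxsdepyyq.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETqqorglhpes.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
"""

# DDS service line: "<start> <name>;<display name>;<image path> [<date> <size>]"
# (format inferred from the posted log; an assumption of this example).
SERVICE_RE = re.compile(
    r"^(?P<start>\S+)\s+(?P<name>[^;]*);(?P<display>[^;]*);"
    r"(?P<path>[^\[]*?)\s*(?P<marker>\[[^\]]*\])?$"
)

# MBAM "Files Infected" line: "<path> (<detection>) -> <action>".
MBAM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^)]+)\) -> (?P<action>.+)$")

# Upper-case prefix + run of random lower-case letters + .tmp (constructed
# heuristic that matches the names in the thread).
RANDOM_TMP_RE = re.compile(r"^(?P<prefix>[A-Z]{3,})[a-z]{8,12}\.tmp$")


def parse_dds_services(text):
    """Parse the SERVICES / DRIVERS section of a DDS log into dicts."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["path"] = d["path"].strip()
            entries.append(d)
    return entries


def suspicious_services(text):
    """Return services that look orphaned or hidden, with the reasons.

    Assumptions: a trailing "[x]" means DDS could not find the service's file
    on disk, and a start type DDS cannot classify is reported as "Unknown".
    """
    findings = []
    for svc in parse_dds_services(text):
        reasons = []
        if not svc["path"]:
            reasons.append("no image path")
        if svc["marker"] == "[x]":
            reasons.append("file not found on disk")
        if "unknown" in svc["start"].lower():
            reasons.append("start type not classified")
        if reasons:
            findings.append({"name": svc["name"], "reasons": reasons})
    return findings


def summarize_mbam(text):
    """Group MBAM 'Files Infected' lines by detection name.

    For each detection report the hit count, the directory the files shared
    and the fixed prefix of their randomised names, which is what a responder
    watches for when the infection reappears after a scan.
    """
    per_detection = {}
    for line in text.splitlines():
        m = MBAM_RE.match(line.strip())
        if not m:
            continue
        directory, fname = ntpath.split(m.group("path"))
        rec = per_detection.setdefault(
            m.group("detection"), {"count": 0, "dirs": Counter(), "prefixes": Counter()}
        )
        rec["count"] += 1
        rec["dirs"][directory.lower()] += 1
        pm = RANDOM_TMP_RE.match(fname)
        if pm:
            rec["prefixes"][pm.group("prefix")] += 1
    return {
        det: {
            "count": rec["count"],
            "directory": rec["dirs"].most_common(1)[0][0],
            "prefix": rec["prefixes"].most_common(1)[0][0] if rec["prefixes"] else None,
        }
        for det, rec in per_detection.items()
    }


if __name__ == "__main__":
    for f in suspicious_services(DDS_SERVICES):
        print("suspicious service:", f["name"], "-", "; ".join(f["reasons"]))
    for det, s in summarize_mbam(MBAM_FILES).items():
        print(f"{det}: {s['count']} file(s) in {s['directory']}, prefix {s['prefix']}")
```

Run as-is it reports the `dqzmc` service (no image path, file not found, start type not classified) and three Trojan.TDSS files in c:\windows\temp sharing the SKYNET prefix. The point of grouping by prefix rather than by full name is that the random suffix changes on every drop, so a re-scan that only compares exact paths would miss the return of the same family that joosay describes.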



#2 SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:51 AM

Posted 27 June 2009 - 09:14 PM

Hello joosay,

You have a nasty rootkit on this computer, so this will take some work to remove it.


Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

*********************


We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your AVG Antivirus before running ComboFix, as it will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield (I'll let you know when), just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.



Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 joosay

joosay
  • Topic Starter

  • Members
  • 47 posts

Posted 29 June 2009 - 08:48 PM

Thanks for your help.
I followed the steps of your post.
Here are the requested logs.

Results of screen317's Security Check version 0.98.4
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Enabled!
AVGFree8.5
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Malwarebytes' Anti-Malware
Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

AVG avgwdsvc.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
AVG avgemc.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````

GREAT! (Very random)

Scan took 11 seconds.
`````````End of Log```````````


#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 29 June 2009 - 08:49 PM

Hi,

Please don't attach Combofix.txt. It is hard enough to read as it is. :thumbup2:
You can find it at C:\ComboFix.txt
Post it in your thread.

Edited by SifuMike, 29 June 2009 - 09:08 PM.


#5 joosay

joosay
  • Topic Starter

  • Members
  • 47 posts

Posted 29 June 2009 - 09:11 PM

ComboFix 09-06-29.02 - Owner 06/29/2009 20:13.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.750.453 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\SKYNETwflxdupw.sys
c:\windows\system32\SKYNETaquhsnax.dat
c:\windows\system32\SKYNETbdqoorir.dll
c:\windows\system32\SKYNETubdulmtt.dll
c:\windows\system32\SKYNETvkbaklrq.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETmovnscij


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))
.

2009-06-25 18:26 . 2009-06-25 18:26 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-06-25 18:25 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-25 18:25 . 2009-06-25 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-25 18:25 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-25 18:25 . 2009-06-25 18:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-24 19:32 . 2009-06-24 19:32 127872 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\uninstall.exe
2009-06-24 19:32 . 2009-06-24 19:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Move Networks
2009-06-20 21:01 . 2009-06-20 21:01 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-20 20:15 . 2009-06-20 20:15 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-20 19:39 . 2009-06-20 19:39 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-20 19:39 . 2009-06-20 19:39 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-20 19:39 . 2009-06-20 19:39 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-20 19:39 . 2009-06-20 19:39 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-20 19:39 . 2009-06-20 19:39 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-20 19:39 . 2009-06-20 19:39 -------- d-----w- c:\program files\AVG
2009-06-20 19:39 . 2009-06-20 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-19 19:45 . 2009-06-19 19:45 -------- d-----w- c:\documents and settings\Owner\Application Data\GetRightToGo
2009-06-19 19:36 . 2009-06-19 19:36 -------- d-----w- c:\documents and settings\Owner\Application Data\WinFF
2009-06-19 19:04 . 2009-06-19 19:04 -------- d-----w- c:\program files\ConvertHelper
2009-06-19 18:52 . 2009-06-19 18:52 -------- d-----w- c:\documents and settings\Owner\dwhelper
2009-06-19 00:25 . 2009-06-19 00:25 -------- d-----w- c:\program files\MagicISO
2009-06-18 16:48 . 2009-06-18 16:48 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Help
2009-06-18 15:19 . 2009-06-18 15:19 3625 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
2009-06-18 15:14 . 2009-06-18 15:14 -------- d-----w- c:\documents and settings\Owner\Application Data\AccurateRip
2009-06-18 15:14 . 2009-06-18 15:19 1073528 ----a-w- c:\windows\system32\SpoonUninstall.exe
2009-06-18 15:14 . 2009-06-18 15:14 14373 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2009-06-18 15:14 . 2009-06-18 15:14 -------- d-----w- c:\program files\Illustrate
2009-06-18 15:05 . 2009-06-18 15:05 -------- d-----w- C:\coolpro
2009-06-18 15:05 . 1997-07-18 05:00 90624 ----a-w- c:\windows\system32\pnc32301.dll
2009-06-18 15:05 . 1997-07-18 05:00 85504 ----a-w- c:\windows\system32\encdnet.dll
2009-06-18 15:05 . 1997-07-18 05:00 72704 ----a-w- c:\windows\system32\ra3228_8.dll
2009-06-18 15:05 . 1997-07-18 05:00 61440 ----a-w- c:\windows\system32\decdnet.dll
2009-06-18 15:05 . 1997-07-18 05:00 140288 ----a-w- c:\windows\system32\ra3214_4.dll
2009-06-18 15:05 . 1997-07-18 05:00 13824 ----a-w- c:\windows\system32\ra32dnet.dll
2009-06-18 15:05 . 1997-07-17 20:11 79650 ----a-w- c:\windows\cep1unin.exe
2009-06-18 15:04 . 2009-06-18 15:04 -------- d-----w- C:\amovie
2009-06-18 14:43 . 2009-06-18 14:43 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Cooliris
2009-06-17 16:45 . 2009-06-17 16:45 -------- d-----w- c:\program files\The Ur-Quan Masters
2009-06-17 16:45 . 2009-06-17 16:45 -------- d-----w- c:\documents and settings\Owner\Application Data\uqm
2009-06-16 19:03 . 2005-01-04 00:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2009-06-16 19:03 . 2009-06-16 19:03 -------- d-----w- c:\program files\Common Files\INCA Shared
2009-06-16 18:58 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-06-16 18:58 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2009-06-16 18:58 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-06-16 18:58 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\dllcache\hidusb.sys
2009-06-16 18:16 . 2009-06-16 18:16 -------- d-----w- C:\GamesCampus
2009-06-16 06:35 . 2009-06-16 06:35 97144 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-06-16 06:35 . 2009-06-24 19:32 4183416 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071503000010.dll
2009-06-15 05:14 . 2009-06-15 05:14 -------- d-----w- c:\windows\system32\scripting
2009-06-15 05:14 . 2009-06-15 05:14 -------- d-----w- c:\windows\l2schemas
2009-06-15 05:13 . 2009-06-15 05:14 -------- d-----w- c:\windows\system32\en
2009-06-14 21:49 . 2009-06-14 21:49 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-14 20:48 . 2009-06-14 20:48 -------- d-----w- c:\documents and settings\Owner\Application Data\Redemption
2009-06-14 20:07 . 2009-06-14 20:07 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2009-06-14 20:06 . 2009-06-14 20:06 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2009-06-14 20:06 . 2009-06-14 20:06 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2009-06-14 19:43 . 2009-04-30 21:22 1985024 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-06-14 19:43 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-14 19:43 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-14 19:43 . 2009-04-30 21:22 11064832 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-06-14 19:43 . 2009-06-14 19:43 -------- d-----w- c:\windows\ie8updates
2009-06-14 19:43 . 2009-05-12 05:11 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-06-14 19:42 . 2009-06-14 19:42 -------- d--h--w- c:\windows\ie8
2009-06-14 18:48 . 2008-04-14 00:12 150528 ------w- c:\windows\system32\qagent.dll
2009-06-14 18:47 . 2003-07-16 20:39 403 ------w- c:\windows\system32\dllcache\npdrmv2.zip
2009-06-14 18:47 . 2003-07-16 20:39 22060 ------w- c:\windows\system32\dllcache\npds.zip
2009-06-14 18:26 . 2009-06-14 18:26 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2009-06-14 18:26 . 2009-03-19 20:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-14 18:26 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-06-14 18:26 . 2009-06-14 18:26 -------- d-----w- c:\program files\iPod
2009-06-14 18:25 . 2009-06-14 18:25 -------- d-----w- c:\program files\iTunes
2009-06-14 18:25 . 2009-06-14 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-14 18:25 . 2009-06-14 18:25 -------- d-----w- c:\program files\Bonjour
2009-06-14 18:25 . 2009-06-14 18:25 -------- d-----w- c:\program files\QuickTime
2009-06-14 18:25 . 2009-06-14 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-14 18:25 . 2009-06-14 18:25 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Apple
2009-06-14 18:24 . 2009-06-14 18:25 -------- d-----w- c:\program files\Apple Software Update
2009-06-14 18:24 . 2009-06-14 18:24 -------- d-----w- c:\program files\Common Files\Apple
2009-06-14 18:24 . 2009-06-14 18:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-14 18:18 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2009-06-14 18:17 . 2009-03-06 14:22 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2009-06-14 18:17 . 2009-02-09 12:10 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
2009-06-14 18:17 . 2009-02-09 12:10 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-06-14 18:17 . 2009-02-09 12:10 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2009-06-14 18:17 . 2009-02-06 11:11 110592 ------w- c:\windows\system32\dllcache\services.exe
2009-06-14 18:17 . 2009-02-06 10:10 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2009-06-14 18:17 . 2009-02-09 12:10 729088 ------w- c:\windows\system32\dllcache\lsasrv.dll
2009-06-14 18:17 . 2009-02-09 12:10 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2009-06-14 18:17 . 2009-02-09 12:10 617472 ------w- c:\windows\system32\dllcache\advapi32.dll
2009-06-14 18:17 . 2009-02-06 11:06 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-06-14 18:17 . 2009-02-06 11:08 2189056 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-06-14 18:17 . 2009-02-06 10:32 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-06-14 18:14 . 2008-05-08 14:02 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2009-06-14 18:14 . 2008-10-24 11:21 455296 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-06-14 18:14 . 2008-12-11 10:57 333952 ------w- c:\windows\system32\dllcache\srv.sys
2009-06-14 18:14 . 2008-05-01 14:33 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2009-06-14 18:13 . 2008-04-11 19:04 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll
2009-06-14 18:11 . 2008-10-03 10:02 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2009-06-14 18:11 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2009-06-14 18:10 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-06-14 18:10 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-06-14 18:07 . 2009-06-14 18:07 -------- d-----w- c:\windows\system32\wbem\AutoRecover
2009-06-14 17:45 . 2009-06-14 17:45 -------- d-----w- c:\windows\ServicePackFiles
2009-06-14 17:39 . 2009-06-14 17:39 -------- d-----w- c:\windows\EHome
2009-06-14 15:44 . 2009-06-14 15:44 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Apple Computer
2009-06-14 14:57 . 2009-06-14 14:57 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\FullTiltPoker
2009-06-14 14:56 . 2009-06-14 14:56 -------- d-----w- c:\program files\Full Tilt Poker
2009-06-13 20:28 . 2009-06-13 20:28 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2009-06-12 13:03 . 2008-04-14 00:11 1082368 ----a-w- c:\windows\system32\esent.dll
2009-06-12 12:57 . 2009-06-12 12:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Research In Motion
2009-06-11 01:25 . 2009-06-11 01:25 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2009-06-11 00:29 . 2009-06-11 00:29 -------- d-----w- c:\program files\uTorrent
2009-06-11 00:29 . 2009-06-11 00:29 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-06-11 00:17 . 2009-06-11 00:17 -------- d-----w- c:\program files\VideoLAN
2009-06-10 21:46 . 2009-06-10 21:46 1915520 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-06-10 21:35 . 2009-06-10 21:35 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Google
2009-06-10 21:33 . 2009-06-10 21:33 -------- d-----w- c:\program files\Google
2009-06-10 21:33 . 2009-06-10 21:33 -------- d-----w- c:\windows\system32\Adobe
2009-06-10 20:31 . 2007-01-18 14:24 26496 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2009-06-10 20:30 . 2009-06-10 20:30 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-06-10 20:30 . 2009-06-10 20:30 -------- d-----w- c:\program files\Research In Motion
2009-06-10 20:29 . 2009-06-10 20:29 -------- d-----w- c:\program files\MSXML 6.0
2009-06-10 19:39 . 2009-06-10 19:39 -------- d-sh--w- C:\FOUND.001
2009-06-10 19:36 . 2008-04-14 00:12 50688 ----a-w- c:\windows\system32\wstdecod.dll
2009-06-10 19:34 . 2003-08-11 14:07 14604 ----a-w- c:\windows\system32\drivers\pfc.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-26 20:00 . 2009-06-07 23:46 90112 ----a-w- c:\windows\DUMP5a67.tmp
2009-06-15 05:16 . 2009-06-08 00:02 77423 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-06-10 18:37 . 2006-06-21 00:38 -------- d-----w- c:\documents and settings\strange\Application Data\Intel
2009-06-10 16:08 . 2009-06-10 16:08 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-06-10 16:07 . 2009-06-08 01:12 5 ----a-w- c:\windows\system32\drivers\DELL_INS_700M.MRK
2009-06-10 16:07 . 2009-06-08 01:12 5 ----a-w- c:\windows\system32\drivers\1028_DELL_INS_700M.MRK
2009-06-08 00:52 . 2009-06-08 00:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-06-08 00:52 . 2009-06-08 00:52 -------- d-----w- c:\program files\Common Files\Motive
2009-06-08 00:10 . 2009-06-08 00:10 -------- d-----w- c:\program files\microsoft frontpage
2009-06-08 00:00 . 2009-06-08 00:00 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-06-05 17:57 . 2009-06-05 17:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-05-29 20:31 . 2006-06-21 01:55 933888 ----a-w- c:\documents and settings\strange\Application Data\Mozilla\Firefox\Profiles\dhjslwf7.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2009-05-29 20:31 . 2006-06-21 01:55 65536 ----a-w- c:\documents and settings\strange\Application Data\Mozilla\Firefox\Profiles\dhjslwf7.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
2009-05-29 20:31 . 2006-06-21 01:55 4616192 ----a-w- c:\documents and settings\strange\Application Data\Mozilla\Firefox\Profiles\dhjslwf7.default\extensions\piclens@cooliris.com\libs\cooliris19.dll
2009-05-29 20:31 . 2006-06-21 01:55 344064 ----a-w- c:\documents and settings\strange\Application Data\Mozilla\Firefox\Profiles\dhjslwf7.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2009-05-29 20:31 . 2006-06-21 01:55 103424 ----a-w- c:\documents and settings\strange\Application Data\Mozilla\Firefox\Profiles\dhjslwf7.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2009-05-13 05:15 . 2006-06-23 15:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2003-07-17 00:32 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2003-07-17 00:51 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-03-06 02:16 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-10 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-02-02 155648]
"igfxtray"="c:\windows\System32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\System32\igfxpers.exe" [2005-07-19 114688]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Broadcom Wireless Manager UI"="c:\windows\System32\WLTRAY.exe" [2006-11-01 1392640]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-20 1948440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"PMX Daemon"="ICO.EXE" - c:\windows\system32\ico.exe [2006-06-09 47104]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2006-6-18 576000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-20 19:39 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/20/2009 3:39 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/20/2009 3:39 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/20/2009 3:39 PM 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/20/2009 3:39 PM 298776]
S3 flash;flash;c:\windows\system32\drivers\flash.sys [6/10/2009 1:32 PM 7040]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/finance?hl=en&tab=we
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13917&gct=&gc=1&q=%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - hxxp://www.cooliris.com/shared/plinstll.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\d3btq1ob.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/finance?hl=en&tab=we
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\d3btq1ob.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-29 20:16
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\7 6635520 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\- 3686400 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\H 4538368 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\a 3489792 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\5 6963200 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\J 4997120 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\n 3162112 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\6 3489792 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\T 3293184 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\- 3358720 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\5 5718016 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\L 2965504 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\5 3686400 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\2 3489792 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\k 3686400 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\- 2899968 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\9 6504448 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\5 3751936 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\1 6635520 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\l 6438912 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\9 3162112 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\, 3620864 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\{ 3424256 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\c 3358720 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\9 3227648 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\9 6766592 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\7 4472832 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\1 7487488 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\h 3358720 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\y 4276224 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\V 3293184 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\- 4538368 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\9 3358720 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\a 2113536 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\2 3620864 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\5 4800512 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\[ 5390336 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\7 4800512 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\/ 6701056 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\6 868352 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\r 3817472 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\5 5259264 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\2 3686400 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\7 3227648 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\F 3031040 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\r 3162112 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\ 5390336 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\o 3751936 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\1 2965504 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\1 3424256 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\a 4276224 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\q 7094272 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\w 5390336 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\R 3227648 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\9 4997120 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\7 4341760 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\- 2965504 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\F 3227648 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\h 3620864 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\R 2113536 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\1 4800512 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\L 3817472 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\- 3751936 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\1 5455872 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\T 2113536 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\1 3424256 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\C 3817472 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\9 5062656 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\S 6635520 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\J 4997120 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\k 6111232 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\7 5259264 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\H 4800512 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\/ 4472832 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\6 6766592 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\7 6635520 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\- 3751936 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\H 4538368 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\a 3489792 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\n 3162112 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\6 3227648 bytes

scan completed successfully
hidden files: 242

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-839522115-1343024091-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-06-30 20:18
ComboFix-quarantined-files.txt 2009-06-30 00:18

Pre-Run: 4,843,356,160 bytes free
Post-Run: 6,166,216,704 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

505 --- E O F --- 2009-06-15 13:39

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:51 AM

Posted 29 June 2009 - 09:42 PM

Hi joosay,

You need to disable your AVG Antivirus before running ComboFix, as it will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield (I'll let you know when), just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.




Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

Registry:: 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.txt being dragged onto ComboFix.exe]


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

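As an added worked example (editor's code, not part of this thread and not ComboFix's own code), the following Python parses the `Registry::` block of a CFScript like the one posted above and shows what it would change against a snapshot of current registry values. Assumptions, all mine: any line of the form `Name::` starts a directive and only the `Registry::` block is read; values use .reg syntax (`"name"=dword:xxxxxxxx`, `"name"="string"`, `"name"=-` to delete); the `~` shorthand ComboFix uses in that key path is compared literally rather than expanded; and the "current" snapshot, with the firewall switched off, is constructed for the demo and not taken from any log in this thread.

```python
"""Parse the Registry:: section of a ComboFix CFScript and diff it against
a registry snapshot.

Added example, not ComboFix's code.  The CFScript text is the one posted in
the thread; CURRENT_STATE is a constructed snapshot (firewall off) so the
diff has something to report.
"""
import re
from typing import Dict, List, Tuple, Union

RegValue = Union[int, str, None]          # dword -> int, string -> str, None -> delete
RegState = Dict[Tuple[str, str], RegValue]  # (key, value name) -> data

# Key path exactly as ComboFix abbreviates it in the posted script.
FIREWALL_KEY = r"HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"

# The script from the thread, verbatim.
CFSCRIPT = "Registry::\n" + "[" + FIREWALL_KEY + "]\n" + '"EnableFirewall"=dword:00000001\n'

# Constructed snapshot (assumption for the demo): the firewall switch is 0.
CURRENT_STATE: RegState = {(FIREWALL_KEY.lower(), "enablefirewall"): 0}

_DIRECTIVE_RE = re.compile(r"^[A-Za-z]+::$")           # Registry::, File::, ... (assumed)
_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
_DWORD_RE = re.compile(r"^dword:(?P<hex>[0-9a-fA-F]{8})$")


def _decode(data: str) -> RegValue:
    """Decode the right-hand side of a .reg-style value line."""
    data = data.strip()
    if data == "-":
        return None                        # '-' means: delete this value
    m = _DWORD_RE.match(data)
    if m:
        return int(m.group("hex"), 16)     # 00000001 -> 1
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    raise ValueError(f"unsupported value syntax: {data!r}")


def parse_cfscript_registry(text: str) -> RegState:
    """Return {(key, name): value} for every value line under Registry::.

    Keys and value names are lower-cased because the Windows registry is
    case-insensitive; comparing raw strings would report spurious changes.
    """
    desired: RegState = {}
    in_registry = False
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if _DIRECTIVE_RE.match(line):
            in_registry = line.lower() == "registry::"
            key = None
            continue
        if not in_registry:
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        m = _VALUE_RE.match(line)
        if m:
            if key is None:
                raise ValueError(f"value line before any [key]: {line!r}")
            desired[(key, m.group("name").lower())] = _decode(m.group("data"))
            continue
        raise ValueError(f"unrecognised Registry:: line: {line!r}")
    return desired


def plan_changes(desired: RegState, current: RegState) -> List[Tuple[str, str, RegValue, RegValue]]:
    """List (key, name, current, desired) for each entry the script would alter."""
    return [(k, n, current.get((k, n)), new)
            for (k, n), new in desired.items() if current.get((k, n)) != new]


def firewall_enabled(state: RegState) -> bool:
    """True when the standard-profile firewall switch is set to 1."""
    return state.get((FIREWALL_KEY.lower(), "enablefirewall")) == 1


if __name__ == "__main__":
    desired = parse_cfscript_registry(CFSCRIPT)
    print("firewall enabled before:", firewall_enabled(CURRENT_STATE))
    for key, name, old, new in plan_changes(desired, CURRENT_STATE):
        print(f"{key}\\{name}: {old!r} -> {new!r}")
    print("firewall enabled after:", firewall_enabled({**CURRENT_STATE, **desired}))
```

To take a real snapshot instead of the constructed one, the XP-era check is `reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v EnableFirewall`, run before and after ComboFix; a value of `0x1` is the state the script above asks for.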
#7 joosay

joosay
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  • Local time:02:51 AM

Posted 29 June 2009 - 09:55 PM

ComboFix 09-06-29.02 - Owner 06/29/2009 22:49.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.750.414 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))
.

2009-06-25 18:26 . 2009-06-25 18:26 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-06-25 18:25 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-25 18:25 . 2009-06-25 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-25 18:25 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-25 18:25 . 2009-06-25 18:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-24 19:32 . 2009-06-24 19:32 127872 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\uninstall.exe
2009-06-24 19:32 . 2009-06-24 19:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Move Networks
2009-06-20 21:01 . 2009-06-20 21:01 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-20 20:15 . 2009-06-20 20:15 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-20 19:39 . 2009-06-20 19:39 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-20 19:39 . 2009-06-20 19:39 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-20 19:39 . 2009-06-20 19:39 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-20 19:39 . 2009-06-20 19:39 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-20 19:39 . 2009-06-20 19:39 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-20 19:39 . 2009-06-20 19:39 -------- d-----w- c:\program files\AVG
2009-06-20 19:39 . 2009-06-20 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-19 19:45 . 2009-06-19 19:45 -------- d-----w- c:\documents and settings\Owner\Application Data\GetRightToGo
2009-06-19 19:36 . 2009-06-19 19:36 -------- d-----w- c:\documents and settings\Owner\Application Data\WinFF
2009-06-19 19:04 . 2009-06-19 19:04 -------- d-----w- c:\program files\ConvertHelper
2009-06-19 18:52 . 2009-06-19 18:52 -------- d-----w- c:\documents and settings\Owner\dwhelper
2009-06-19 00:25 . 2009-06-19 00:25 -------- d-----w- c:\program files\MagicISO
2009-06-18 16:48 . 2009-06-18 16:48 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Help
2009-06-18 15:19 . 2009-06-18 15:19 3625 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
2009-06-18 15:14 . 2009-06-18 15:14 -------- d-----w- c:\documents and settings\Owner\Application Data\AccurateRip
2009-06-18 15:14 . 2009-06-18 15:19 1073528 ----a-w- c:\windows\system32\SpoonUninstall.exe
2009-06-18 15:14 . 2009-06-18 15:14 14373 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2009-06-18 15:14 . 2009-06-18 15:14 -------- d-----w- c:\program files\Illustrate
2009-06-18 15:05 . 2009-06-18 15:05 -------- d-----w- C:\coolpro
2009-06-18 15:05 . 1997-07-18 05:00 90624 ----a-w- c:\windows\system32\pnc32301.dll
2009-06-18 15:05 . 1997-07-18 05:00 85504 ----a-w- c:\windows\system32\encdnet.dll
2009-06-18 15:05 . 1997-07-18 05:00 72704 ----a-w- c:\windows\system32\ra3228_8.dll
2009-06-18 15:05 . 1997-07-18 05:00 61440 ----a-w- c:\windows\system32\decdnet.dll
2009-06-18 15:05 . 1997-07-18 05:00 140288 ----a-w- c:\windows\system32\ra3214_4.dll
2009-06-18 15:05 . 1997-07-18 05:00 13824 ----a-w- c:\windows\system32\ra32dnet.dll
2009-06-18 15:05 . 1997-07-17 20:11 79650 ----a-w- c:\windows\cep1unin.exe
2009-06-18 15:04 . 2009-06-18 15:04 -------- d-----w- C:\amovie
2009-06-18 14:43 . 2009-06-18 14:43 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Cooliris
2009-06-17 16:45 . 2009-06-17 16:45 -------- d-----w- c:\program files\The Ur-Quan Masters
2009-06-17 16:45 . 2009-06-17 16:45 -------- d-----w- c:\documents and settings\Owner\Application Data\uqm
2009-06-16 19:03 . 2005-01-04 00:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2009-06-16 19:03 . 2009-06-16 19:03 -------- d-----w- c:\program files\Common Files\INCA Shared
2009-06-16 18:58 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-06-16 18:58 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2009-06-16 18:58 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-06-16 18:58 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\dllcache\hidusb.sys
2009-06-16 18:16 . 2009-06-16 18:16 -------- d-----w- C:\GamesCampus
2009-06-16 06:35 . 2009-06-16 06:35 97144 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-06-16 06:35 . 2009-06-24 19:32 4183416 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071503000010.dll
2009-06-15 05:14 . 2009-06-15 05:14 -------- d-----w- c:\windows\system32\scripting
2009-06-15 05:14 . 2009-06-15 05:14 -------- d-----w- c:\windows\l2schemas
2009-06-15 05:13 . 2009-06-15 05:14 -------- d-----w- c:\windows\system32\en
2009-06-14 21:49 . 2009-06-14 21:49 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-14 20:48 . 2009-06-14 20:48 -------- d-----w- c:\documents and settings\Owner\Application Data\Redemption
2009-06-14 20:07 . 2009-06-14 20:07 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2009-06-14 20:06 . 2009-06-14 20:06 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2009-06-14 20:06 . 2009-06-14 20:06 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2009-06-14 19:43 . 2009-04-30 21:22 1985024 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-06-14 19:43 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-14 19:43 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-14 19:43 . 2009-04-30 21:22 11064832 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-06-14 19:43 . 2009-06-14 19:43 -------- d-----w- c:\windows\ie8updates
2009-06-14 19:43 . 2009-05-12 05:11 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-06-14 19:42 . 2009-06-14 19:42 -------- d--h--w- c:\windows\ie8
2009-06-14 18:48 . 2008-04-14 00:12 150528 ------w- c:\windows\system32\qagent.dll
2009-06-14 18:47 . 2003-07-16 20:39 403 ------w- c:\windows\system32\dllcache\npdrmv2.zip
2009-06-14 18:47 . 2003-07-16 20:39 22060 ------w- c:\windows\system32\dllcache\npds.zip
2009-06-14 18:26 . 2009-06-14 18:26 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2009-06-14 18:26 . 2009-03-19 20:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-14 18:26 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-06-14 18:26 . 2009-06-14 18:26 -------- d-----w- c:\program files\iPod
2009-06-14 18:25 . 2009-06-14 18:25 -------- d-----w- c:\program files\iTunes
2009-06-14 18:25 . 2009-06-14 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-14 18:25 . 2009-06-14 18:25 -------- d-----w- c:\program files\Bonjour
2009-06-14 18:25 . 2009-06-14 18:25 -------- d-----w- c:\program files\QuickTime
2009-06-14 18:25 . 2009-06-14 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-14 18:25 . 2009-06-14 18:25 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Apple
2009-06-14 18:24 . 2009-06-14 18:25 -------- d-----w- c:\program files\Apple Software Update
2009-06-14 18:24 . 2009-06-14 18:24 -------- d-----w- c:\program files\Common Files\Apple
2009-06-14 18:24 . 2009-06-14 18:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-14 18:18 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2009-06-14 18:17 . 2009-03-06 14:22 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2009-06-14 18:17 . 2009-02-09 12:10 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
2009-06-14 18:17 . 2009-02-09 12:10 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-06-14 18:17 . 2009-02-09 12:10 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2009-06-14 18:17 . 2009-02-06 11:11 110592 ------w- c:\windows\system32\dllcache\services.exe
2009-06-14 18:17 . 2009-02-06 10:10 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2009-06-14 18:17 . 2009-02-09 12:10 729088 ------w- c:\windows\system32\dllcache\lsasrv.dll
2009-06-14 18:17 . 2009-02-09 12:10 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2009-06-14 18:17 . 2009-02-09 12:10 617472 ------w- c:\windows\system32\dllcache\advapi32.dll
2009-06-14 18:17 . 2009-02-06 11:06 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-06-14 18:17 . 2009-02-06 11:08 2189056 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-06-14 18:17 . 2009-02-06 10:32 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-06-14 18:14 . 2008-05-08 14:02 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2009-06-14 18:14 . 2008-10-24 11:21 455296 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-06-14 18:14 . 2008-12-11 10:57 333952 ------w- c:\windows\system32\dllcache\srv.sys
2009-06-14 18:14 . 2008-05-01 14:33 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2009-06-14 18:13 . 2008-04-11 19:04 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll
2009-06-14 18:11 . 2008-10-03 10:02 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2009-06-14 18:11 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2009-06-14 18:10 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-06-14 18:10 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-06-14 18:07 . 2009-06-14 18:07 -------- d-----w- c:\windows\system32\wbem\AutoRecover
2009-06-14 17:45 . 2009-06-14 17:45 -------- d-----w- c:\windows\ServicePackFiles
2009-06-14 17:39 . 2009-06-14 17:39 -------- d-----w- c:\windows\EHome
2009-06-14 15:44 . 2009-06-14 15:44 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Apple Computer
2009-06-14 14:57 . 2009-06-14 14:57 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\FullTiltPoker
2009-06-14 14:56 . 2009-06-14 14:56 -------- d-----w- c:\program files\Full Tilt Poker
2009-06-13 20:28 . 2009-06-13 20:28 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2009-06-12 13:03 . 2008-04-14 00:11 1082368 ----a-w- c:\windows\system32\esent.dll
2009-06-12 12:57 . 2009-06-12 12:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Research In Motion
2009-06-11 01:25 . 2009-06-11 01:25 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2009-06-11 00:29 . 2009-06-11 00:29 -------- d-----w- c:\program files\uTorrent
2009-06-11 00:29 . 2009-06-11 00:29 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-06-11 00:17 . 2009-06-11 00:17 -------- d-----w- c:\program files\VideoLAN
2009-06-10 21:46 . 2009-06-10 21:46 1915520 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-06-10 21:35 . 2009-06-10 21:35 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Google
2009-06-10 21:33 . 2009-06-10 21:33 -------- d-----w- c:\program files\Google
2009-06-10 21:33 . 2009-06-10 21:33 -------- d-----w- c:\windows\system32\Adobe
2009-06-10 20:31 . 2007-01-18 14:24 26496 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2009-06-10 20:30 . 2009-06-10 20:30 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-06-10 20:30 . 2009-06-10 20:30 -------- d-----w- c:\program files\Research In Motion
2009-06-10 20:29 . 2009-06-10 20:29 -------- d-----w- c:\program files\MSXML 6.0
2009-06-10 19:39 . 2009-06-10 19:39 -------- d-sh--w- C:\FOUND.001
2009-06-10 19:36 . 2008-04-14 00:12 50688 ----a-w- c:\windows\system32\wstdecod.dll
2009-06-10 19:34 . 2003-08-11 14:07 14604 ----a-w- c:\windows\system32\drivers\pfc.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-26 20:00 . 2009-06-07 23:46 90112 ----a-w- c:\windows\DUMP5a67.tmp
2009-06-15 05:16 . 2009-06-08 00:02 77423 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-06-10 18:37 . 2006-06-21 00:38 -------- d-----w- c:\documents and settings\strange\Application Data\Intel
2009-06-10 16:08 . 2009-06-10 16:08 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-06-10 16:07 . 2009-06-08 01:12 5 ----a-w- c:\windows\system32\drivers\DELL_INS_700M.MRK
2009-06-10 16:07 . 2009-06-08 01:12 5 ----a-w- c:\windows\system32\drivers\1028_DELL_INS_700M.MRK
2009-06-08 00:52 . 2009-06-08 00:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-06-08 00:52 . 2009-06-08 00:52 -------- d-----w- c:\program files\Common Files\Motive
2009-06-08 00:10 . 2009-06-08 00:10 -------- d-----w- c:\program files\microsoft frontpage
2009-06-08 00:00 . 2009-06-08 00:00 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-06-05 17:57 . 2009-06-05 17:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-05-29 20:31 . 2006-06-21 01:55 933888 ----a-w- c:\documents and settings\strange\Application Data\Mozilla\Firefox\Profiles\dhjslwf7.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2009-05-29 20:31 . 2006-06-21 01:55 65536 ----a-w- c:\documents and settings\strange\Application Data\Mozilla\Firefox\Profiles\dhjslwf7.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
2009-05-29 20:31 . 2006-06-21 01:55 4616192 ----a-w- c:\documents and settings\strange\Application Data\Mozilla\Firefox\Profiles\dhjslwf7.default\extensions\piclens@cooliris.com\libs\cooliris19.dll
2009-05-29 20:31 . 2006-06-21 01:55 344064 ----a-w- c:\documents and settings\strange\Application Data\Mozilla\Firefox\Profiles\dhjslwf7.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2009-05-29 20:31 . 2006-06-21 01:55 103424 ----a-w- c:\documents and settings\strange\Application Data\Mozilla\Firefox\Profiles\dhjslwf7.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2009-05-13 05:15 . 2006-06-23 15:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2003-07-17 00:32 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2003-07-17 00:51 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-03-06 02:16 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-10 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-02-02 155648]
"igfxtray"="c:\windows\System32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\System32\igfxpers.exe" [2005-07-19 114688]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Broadcom Wireless Manager UI"="c:\windows\System32\WLTRAY.exe" [2006-11-01 1392640]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-20 1948440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"PMX Daemon"="ICO.EXE" - c:\windows\system32\ico.exe [2006-06-09 47104]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2006-6-18 576000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-20 19:39 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/20/2009 3:39 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/20/2009 3:39 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/20/2009 3:39 PM 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/20/2009 3:39 PM 298776]
S3 flash;flash;c:\windows\system32\drivers\flash.sys [6/10/2009 1:32 PM 7040]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/finance?hl=en&tab=we
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13917&gct=&gc=1&q=%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - hxxp://www.cooliris.com/shared/plinstll.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\d3btq1ob.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/finance?hl=en&tab=we
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\d3btq1ob.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-29 22:51
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\- 3686400 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\H 4538368 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\a 3489792 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\x 3686400 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\6 4997120 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\n 3162112 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\6 3424256 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\T 3293184 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\- 3358720 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\5 5521408 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\k 7225344 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\L 2965504 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\2 3489792 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\w 3620864 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\h 3686400 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\- 2899968 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\6 3162112 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\9 6504448 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\5 3751936 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\1 3096576 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\h 6373376 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\n 4669440 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\9 3751936 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\, 3620864 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\{ 3424256 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\c 3358720 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\9 3227648 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\/ 5521408 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\a 5652480 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\9 3358720 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\7 4472832 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\1 7487488 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\h 3358720 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\y 4276224 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\V 3293184 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\5 3817472 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\- 4538368 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\x 7421952 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\6 5980160 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\a 2113536 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\2 3555328 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\f 4800512 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\a 671744 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\[ 5390336 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\6 4800512 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\U 7028736 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\r 3817472 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\5 5259264 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\2 3686400 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\7 3227648 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\F 3031040 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\a 5259264 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\k 6373376 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\ 5390336 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\o 3751936 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\1 2965504 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\1 3424256 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\a 4734976 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\1 5390336 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\R 3227648 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\9 4997120 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\7 4341760 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\- 2965504 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\F 3227648 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\y 4603904 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\H 4538368 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\R 2113536 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\1 4800512 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\L 3817472 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\- 3751936 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\1 5455872 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\y 7815168 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\Q 2113536 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\1 3424256 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\C 3817472 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\9 5062656 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\S 4734976 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\5 7487488 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\r 6111232 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\7 5259264 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\H 4800512 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\N 4472832 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\l 6766592 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\- 3686400 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\H 4538368 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\a 3489792 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\y 7094272 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\6 4997120 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\n 3162112 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\6 3489792 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\T 3293184 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\- 3358720 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\5 3555328 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\o 3031040 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\L 2965504 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\5 3686400 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\2 3489792 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\L 7290880 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\- 2899968 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\9 6504448 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\5 3751936 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\1 3227648 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\y 4866048 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\6 4669440 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\9 3162112 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\, 3620864 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\{ 3424256 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\c 3358720 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\9 3227648 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\/ 4472832 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\k 5652480 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\7 4472832 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\1 3293184 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\7 4276224 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\V 3293184 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\- 4538368 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\k 3686400 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\a 2113536 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\2 3620864 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\T 4341760 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\j 671744 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\[ 5390336 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\7 4800512 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\u 7028736 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\r 3817472 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\5 5259264 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\2 3686400 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\7 3227648 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\F 3031040 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\ 5390336 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\o 3751936 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\1 2965504 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\1 3424256 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\a 5259264 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\K 7880704 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\w 5390336 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\R 3227648 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\9 4997120 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\7 4341760 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\- 2965504 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\F 3227648 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\q 3555328 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\U 4538368 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\R 2113536 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\1 4800512 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\L 3817472 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\- 3751936 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\1 5455872 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\l 6701056 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\1 3424256 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\C 3817472 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\9 5062656 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\S 3096576 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\n 3555328 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\6 6111232 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\7 5259264 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\H 4800512 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\n 6766592 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\7 6635520 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\- 3686400 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\H 4538368 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\a 3489792 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\5 6963200 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\J 4997120 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\n 3162112 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\6 3489792 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\T 3293184 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\- 3358720 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\5 5718016 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\L 2965504 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\5 3686400 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\2 3489792 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\k 3686400 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\- 2899968 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\9 6504448 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\5 3751936 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\1 6635520 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\l 6438912 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\9 3162112 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\, 3620864 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\{ 3424256 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\c 3358720 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\9 3227648 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\9 6766592 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\7 4472832 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\1 7487488 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\h 3358720 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\y 4276224 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\V 3293184 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\- 4538368 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\9 3358720 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\a 2113536 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\2 3620864 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\5 4800512 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\[ 5390336 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\7 4800512 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\/ 6701056 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\6 868352 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\r 3817472 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\5 5259264 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\2 3686400 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\7 3227648 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\F 3031040 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\r 3162112 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\ 5390336 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\o 3751936 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\1 2965504 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\1 3424256 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\a 4276224 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\q 7094272 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\w 5390336 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\R 3227648 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\9 4997120 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\7 4341760 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\- 2965504 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\F 3227648 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\h 3620864 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\R 2113536 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\1 4800512 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\L 3817472 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\- 3751936 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\1 5455872 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\T 2113536 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\1 3424256 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\C 3817472 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\9 5062656 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\S 6635520 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\J 4997120 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\k 6111232 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\7 5259264 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\H 4800512 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\/ 4472832 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\6 6766592 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\7 6635520 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\- 3751936 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\H 4538368 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\a 3489792 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\n 3162112 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WER5d01.dir00\6 3227648 bytes

scan completed successfully
hidden files: 242

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-839522115-1343024091-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4016)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-06-30 22:52
ComboFix-quarantined-files.txt 2009-06-30 02:52
ComboFix2.txt 2009-06-30 00:18

Pre-Run: 6,132,989,952 bytes free
Post-Run: 6,146,621,440 bytes free

494 --- E O F --- 2009-06-15 13:39

#8 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:51 AM

Posted 29 June 2009 - 10:00 PM

Hi,

Now we scan for lingering malware.

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires that the Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations", then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while, so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while; be patient and let it finish.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type, change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 joosay

  • Topic Starter
  • Members
  • 47 posts
  • OFFLINE
  • Local time:02:51 AM

Posted 30 June 2009 - 12:33 AM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, June 30, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, June 30, 2009 03:38:35
Records in database: 2403678
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 73579
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:38:10


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETubdulmtt.dll.vir Infected: Trojan.Win32.Small.bzc 1

The selected area was scanned.

#10 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:51 AM

Posted 30 June 2009 - 09:26 AM

Hi joosay,

Looks good. It found a quarantined file. We will be getting rid of that shortly.

How is the computer running?
We still have to do some program clean up.

#11 joosay

  • Topic Starter
  • Members
  • 47 posts
  • OFFLINE
  • Local time:02:51 AM

Posted 30 June 2009 - 04:26 PM

The computer is running better. IE starts right up and I can use search engines again which is great. What free products would you suggest to keep such plagues at bay?

#12 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:51 AM

Posted 30 June 2009 - 04:50 PM

Hi joosay,

Delete Security Check from your desktop.

Uninstall ComboFix: go to Start > Run and type in ComboFix /u
Make sure there's a space between ComboFix and /u.
Then hit Enter.

This will uninstall ComboFix, delete any of its related folders and files (Qoobox, VundoFix Backups, Avenger, _OTM3), reset your clock settings, hide file extensions, hide the system/hidden files, and reset System Restore again.

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

You should definitely maintain a firewall. Some good free firewalls are Online Armor Free, Comodo Firewall Pro + Antivirus, Sunbelt Kerio, ZoneAlarm, or Outpost.
A tutorial on understanding and using firewalls may be found here.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

IE/Spyad
It places over 5000 malicious websites and domains in your IE's restricted zone.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
Please make sure to run your antivirus software regularly, and to keep it up-to-date.


If you want to improve speed/system performance after malware removal, take a look here.

#13 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:51 AM

Posted 06 July 2009 - 09:47 PM

Since your problem appears to be resolved, this thread will now be closed.
