Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

yahoo redirect problem


  • This topic is locked This topic is locked
26 replies to this topic

#1 kiki13

kiki13

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:15 PM

Posted 01 July 2009 - 12:51 AM

Hi,

I have the search engine redirect virus and I've tried everything to get rid of it. I tried Ad-aware, SpyBot, Malwarebytes, SUPERAntiSpyware, and i have Kaspersky AV but every time i scan. I find a rootkit or trojan. I would try to delete it but it just comes back again when i try to scan. Ive tried scanning in safe mode but it doesnt work. I tried using SDfix but it wont even finish running in safemode I dont know what else to do. Please help thanks!!!

Attached Files



BC AdBot (Login to Remove)

 


#2 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 04 July 2009 - 08:28 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#3 kiki13

kiki13
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  

Posted 04 July 2009 - 12:45 PM

Hi superbird,

Okay so far Ive scanned with Malwarebytes, KasperskyAV, SUPERAntiSpyware, Ad-Aware, in Safe mode and regular windows. I find this Trojan.tdss which always shows up again after i refresh and scan again. The problem is when I go search on Google or yahoo the result links always redirect me to other sites. I don't know how to fix this problem because it keeps coming back. I don't know how I got the Trojan because this is my family computer but im not sure if they downloaded anything or not.

and the dds scan took over 8 minutes to complete im not sure if that's a bad thing or not because it says it shouldn't take more then 3. I hope its not the Trojan.

Attached Files



#4 kiki13

kiki13
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:15 PM

Posted 04 July 2009 - 02:47 PM

I scanned with DDS again because the original was after I scanned with Malwarebytes' which removed the trojan. But its back again. I just wanted to make sure you see the right log.

Attached Files



#5 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,703 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:15 PM

Posted 07 July 2009 - 07:15 AM

Hi kiki13,

Welcome to BC HijackThis forum and sorry for the delay. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#6 kiki13

kiki13
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:12:15 AM

Posted 07 July 2009 - 08:57 PM

ComboFix 09-07-07.A2 - Jiun 07/07/2009 18:40.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1710 [GMT -7:00]
Running from: c:\documents and settings\Jiun\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\17324d.msp
c:\windows\system32\_006124_.tmp.dll
c:\windows\system32\_006125_.tmp.dll
c:\windows\system32\_006126_.tmp.dll
c:\windows\system32\_006127_.tmp.dll
c:\windows\system32\_006134_.tmp.dll
c:\windows\system32\_006135_.tmp.dll
c:\windows\system32\_006136_.tmp.dll
c:\windows\system32\_006137_.tmp.dll
c:\windows\system32\_006139_.tmp.dll
c:\windows\system32\_006140_.tmp.dll
c:\windows\system32\_006143_.tmp.dll
c:\windows\system32\_006144_.tmp.dll
c:\windows\system32\_006146_.tmp.dll
c:\windows\system32\_006147_.tmp.dll
c:\windows\system32\_006148_.tmp.dll
c:\windows\system32\_006150_.tmp.dll
c:\windows\system32\_006153_.tmp.dll
c:\windows\system32\_006154_.tmp.dll
c:\windows\system32\_006158_.tmp.dll
c:\windows\system32\_006159_.tmp.dll
c:\windows\system32\_006161_.tmp.dll
c:\windows\system32\_006164_.tmp.dll
c:\windows\system32\_006166_.tmp.dll
c:\windows\system32\_006167_.tmp.dll
c:\windows\system32\_006168_.tmp.dll
c:\windows\system32\_006169_.tmp.dll
c:\windows\system32\_006170_.tmp.dll
c:\windows\system32\_006173_.tmp.dll
c:\windows\system32\_006174_.tmp.dll
c:\windows\system32\_006175_.tmp.dll
c:\windows\system32\_006176_.tmp.dll
c:\windows\system32\_006177_.tmp.dll
c:\windows\system32\_006182_.tmp.dll
c:\windows\system32\_006184_.tmp.dll
c:\windows\system32\_006185_.tmp.dll
c:\windows\system32\drivers\SKYNETpqjnssfv.sys
c:\windows\system32\SKYNETgqwublpr.dat
c:\windows\system32\SKYNEThxlhjncp.dat
c:\windows\system32\SKYNETwxvrjbpj.dll
c:\windows\system32\SKYNETxtetliws.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETamybwulq


((((((((((((((((((((((((( Files Created from 2009-06-08 to 2009-07-08 )))))))))))))))))))))))))))))))
.

2009-07-07 02:13 . 2009-07-07 02:13 -------- d-----w- c:\program files\Apple Software Update
2009-07-07 02:13 . 2009-07-07 02:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-02 04:40 . 2009-07-02 21:04 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-02 04:39 . 2009-07-02 04:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-07-02 03:37 . 2009-07-02 03:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-01 02:51 . 2009-07-08 01:48 117760 ----a-w- c:\documents and settings\Jiun\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-01 02:46 . 2009-07-01 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-01 02:41 . 2009-07-01 02:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-01 02:41 . 2009-07-01 02:41 -------- d-----w- c:\documents and settings\Jiun\Application Data\SUPERAntiSpyware.com
2009-07-01 00:45 . 2009-07-02 00:45 -------- d-----w- C:\SDFix
2009-06-21 02:37 . 2009-06-30 02:45 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\threatwork.exe
2009-06-21 02:37 . 2009-07-07 02:38 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\savapibridge.dll
2009-06-21 02:37 . 2009-06-30 02:44 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavamessage.dll
2009-06-21 02:37 . 2009-06-30 02:44 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavalicense.dll
2009-06-21 02:37 . 2009-06-30 02:44 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\UpdateManager.dll
2009-06-21 02:37 . 2009-07-07 02:38 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Resources.dll
2009-06-21 02:37 . 2009-06-30 02:41 85352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\32\AAWDriverTool.exe
2009-06-21 02:37 . 2009-06-30 02:40 664424 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\CEAPI.dll
2009-06-21 02:37 . 2009-06-30 02:40 563064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareCommand.exe
2009-06-21 02:37 . 2009-06-30 02:39 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareAdmin.exe
2009-06-21 02:36 . 2009-07-07 02:37 2353480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-Aware.exe
2009-06-21 02:36 . 2009-06-30 02:38 629072 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWWSC.exe
2009-06-21 02:36 . 2009-06-30 22:20 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWTray.exe
2009-06-21 02:36 . 2009-06-30 22:20 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWService.exe
2009-06-10 13:29 . 2009-06-10 13:29 152576 ----a-w- c:\documents and settings\Jiun\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-08 01:48 . 2006-12-22 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-07-08 01:46 . 2008-10-04 00:56 671776 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-07-08 01:46 . 2008-10-04 00:56 3376 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-07-08 01:46 . 2008-10-04 00:56 2813472 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-07-08 01:46 . 2008-10-04 00:56 23060 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-02 16:52 . 2008-09-03 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-01 02:35 . 2007-11-19 04:55 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-30 22:20 . 2009-06-02 02:45 84832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\ShellExt.dll
2009-06-30 21:46 . 2008-09-06 01:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-30 21:46 . 2009-03-08 01:24 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-30 02:41 . 2009-06-02 02:42 246128 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\RPAPI.dll
2009-06-30 02:41 . 2009-06-02 02:42 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\PrivacyClean.dll
2009-06-27 08:49 . 2008-07-15 05:42 -------- d-----w- c:\documents and settings\Jiun\Application Data\Skype
2009-06-27 07:49 . 2008-07-15 05:47 -------- d-----w- c:\documents and settings\Jiun\Application Data\skypePM
2009-06-17 18:27 . 2008-09-06 01:14 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 18:27 . 2008-09-06 01:14 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-10 13:30 . 2006-12-29 09:56 -------- d-----w- c:\program files\Java
2009-06-06 15:00 . 2007-11-25 23:48 -------- d-----w- c:\documents and settings\Jiun\Application Data\U3
2009-06-04 02:07 . 2006-12-22 21:12 -------- d-----w- c:\program files\World of Warcraft
2009-06-02 02:45 . 2009-06-02 02:45 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lsdelete.exe
2009-06-02 02:45 . 2009-03-08 06:29 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-21 18:33 . 2008-12-06 19:10 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-20 12:42 . 2008-10-04 00:52 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-05-20 12:42 . 2008-10-04 00:52 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-05-19 08:36 . 2009-06-27 23:54 2884832 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\vwpt.exe
2009-05-19 08:36 . 2009-06-27 23:54 28 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\unregister.bat
2009-05-19 08:36 . 2009-06-27 23:54 25 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\register.bat
2009-05-19 08:36 . 2009-06-27 23:54 1484856 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\toolbar.exe
2009-05-19 08:36 . 2009-06-27 23:54 97072 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\bsetutil.exe
2009-05-19 08:36 . 2009-06-27 23:54 142040 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\alsetup.exe
2009-05-19 08:36 . 2009-06-27 23:54 30512 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\Uninstaller.exe
2009-05-19 08:36 . 2009-06-27 23:54 111920 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\AOLSearch.dll
2009-04-24 04:07 . 2009-04-24 04:07 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\32\lbd.sys
2009-04-19 00:48 . 2009-04-19 00:48 152576 ----a-w- c:\documents and settings\Jiun\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
.

------- Sigcheck -------

[-] 2005-03-02 18:09 577024 DE2DB164BBB35DB061AF0997E4499054 c:\windows\$hf_mig$\KB890859\SP2GDR\user32.dll
[-] 2005-03-02 18:19 577024 1800F293BCCC8EDE8A70E12B88D80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2007-03-08 15:48 578048 7AA4F6C00405DFC4B70ED4214E7D687B c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\$NtServicePackUninstall$\user32.dll
[7] 2004-08-04 07:56 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\$NtUninstallKB890859$\user32.dll
[-] 2002-08-29 12:00 560128 DD9269230C21EE8FB7FD3FCCC3B1CFCB c:\windows\$NtUninstallKB890859_0$\user32.dll
[-] 2005-03-02 18:09 577024 DE2DB164BBB35DB061AF0997E4499054 c:\windows\$NtUninstallKB925902$\user32.dll
[7] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\ServicePackFiles\i386\user32.dll
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\system32\user32.dll
[-] 2008-09-05 23:34 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\system32\dllcache\user32.dll

[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 07:56 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtUninstallKB938828$\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe

[-] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\$hf_mig$\KB896423\SP2GDR\spoolsv.exe
[-] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2004-08-04 07:56 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\$NtUninstallKB896423$\spoolsv.exe
[-] 2002-08-29 12:00 51200 9B4155BA58192D4073082B8FC5D42612 c:\windows\$NtUninstallKB896423_0$\spoolsv.exe
[7] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\system32\spoolsv.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"snpstd3"="c:\windows\vsnpstd3.exe" [2005-09-05 339968]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-02-10 206088]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-30 520024]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-19 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Background Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EPSON Background Monitor.lnk
backup=c:\windows\pss\EPSON Background Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Adobe Version Cue CS2"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9464-to-3.0.8.9506-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.0.9767-to-3.1.1.9806-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 6:29 PM 33808]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/7/2009 8:36 PM 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 12:02 PM 1213728]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/21/2008 6:57 PM 24652]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 6:06 PM 24592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 2:34 PM 1029456]
S3 XDva020;XDva020;\??\c:\windows\system32\XDva020.sys --> c:\windows\system32\XDva020.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-07-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 02:39]

2009-07-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-07-07 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 22:54]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-RocketDock - c:\program files\RocketDock\RocketDock.exe
HKCU-Run-Aim6 - (no file)
HKLM-Run-Cmaudio - cmicnfg.cpl


.
------- Supplementary Scan -------
.
uStart Page = hxxp://qwest.live.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://qwest.live.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download All by FlashGet - c:\progra~1\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\progra~1\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jiun\Application Data\Mozilla\Firefox\Profiles\lc6cces0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Jiun\Application Data\Mozilla\Firefox\Profiles\lc6cces0.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\browser\nppdf32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-07 18:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(828)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\TINTLGNT.IME

- - - - - - - > 'explorer.exe'(2956)
c:\windows\system32\TINTLGNT.IME
.
------------------------ Other Running Processes ------------------------
.
c:\program files\EPSON\ESM2\eEBSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\pctspk.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-08 18:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-08 01:53

Pre-Run: 38,857,687,040 bytes free
Post-Run: 39,256,920,064 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

319 --- E O F --- 2009-06-11 06:42

#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,703 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:15 PM

Posted 08 July 2009 - 05:10 AM

  • Optional:Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know in 2006 read this article:

    http://www.clickz.com/news/article.php/3561546

    I suggest you uninstall the following program via Add or Remove Programs if your are using it:

    Viewpoint Media Player.

    If you uninstalled it also remove the folder in bold: C:\Program Files\ViewpointViewpoint Media Player

  • Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    FCopy::
    c:\windows\ServicePackFiles\i386\user32.dll | c:\windows\system32\dllcache\user32.dll
    c:\windows\ServicePackFiles\i386\user32.dll | c:\windows\system32\user32.dll
    c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\explorer.exe
    c:\windows\ServicePackFiles\i386\spoolsv.exe | c:\windows\system32\spoolsv.exe
    DDS::
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    BHO: 1 (0x1) - No File

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall


  • Tell me if you still get redirected.


#8 kiki13

kiki13
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:12:15 AM

Posted 08 July 2009 - 09:07 PM

My computer doesnt even start windows now after I dragged the file into combofix. I think maybe it is the Microsoft Windows Recovery Console? because now when i start the computer it shows a page telling me to push F2 or F11 but when i do i dont know what to do there and if i dont push those keys then the computer would try to start windows which fails and goes back to the same page. I tried safe mode but it doesnt work either. Help?

#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,703 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:15 PM

Posted 09 July 2009 - 03:07 AM

Those system files we tried to replace were patched and we tried to replace them with a clean copy. We are going to recover the system.
Now I need some information to know our options:
  • Please tell me if you have a Windows installation disc in case we needed it.

  • Tell me if you have a flash drive or pendrive we eventually can use on this computer.

  • We want to try this before everything. Please start the computer and use F8 key and to get to the Windows Advanced Options Menu. There is an option "Last Known Good Configuration". Select the option and see if you can boot the computer.

  • If the step 3 didn't worked please tell me how far it goes when you start Windows. Like do you get to Windows logo, does it starts to load, do you get to log on screen page with your account name, do you get any STOP or Error message, etc.

  • Only if the step 3 did not worked please do the following:

    Start the Recovery Console by doing the following:
  • Reboot your computer and as Windows starts it will present you with your startup options: 1. Microsoft Windows Professional 2. Microsoft Recovery Console. Alternatively you can use F8 key to get to Advanced Options and select "Return to Operating System" Option.
  • With the arrows keys on your keyboard select the option listed as Microsoft Windows Recovery Console and press the enter key on your keyboard.
  • The Recovery Console will start and ask you which Windows installation you would like to log on to. If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press Enter.
  • It will then prompt you for the Administrator's password. If there is no password, simply press enter. Otherwise type in the password and then press enter.
  • If you entered the correct password you will now be presented with a C:\Windows> prompt and you can start using the Recovery Console.
  • Type the following and press Enter:

    dir c:\windows\system32\user32.dll

    Please note down the result and post it to your reply.
More information here: How to start the Recovery Console

Edited by farbar, 09 July 2009 - 08:24 AM.


#10 kiki13

kiki13
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:12:15 AM

Posted 09 July 2009 - 10:20 AM

I have the windows cd. But I'm not sure what you mean by flash drive.

I tried step 3. But it didnt work. I can only get to the windows logo page and when thats done it just starts all over again.

I tried step 5 and it said something about "the volume in drive c has no label" and something about the volume of the serial number but it still didnt load windows.

#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,703 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:15 PM

Posted 09 July 2009 - 10:51 AM

Thanks for the feedback.

I tried step 5 and it said something about "the volume in drive c has no label" and something about the volume of the serial number but it still didnt load windows.


This was not suppose to fix anything otherwise I have told you to boot.
So please do the step and :

Please note down the result and post it to your reply.



#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,703 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:15 AM

Posted 09 July 2009 - 10:54 AM

To add to the post: I mean note down what you get on the command window when you type the command. The command is suppose to evoke some information I need to proceed.

#13 kiki13

kiki13
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:12:15 AM

Posted 09 July 2009 - 11:25 AM

Okay it says

Volume in drive c has no label
Volume serial number is c3e0-35e3

04/13/08 05:12p -a----- 578520 user32.dll
1 files(s) 578560 bytes
40503820288 bytes free

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,703 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:15 PM

Posted 09 July 2009 - 11:39 AM

Please type:

copy c:\windows\$NtServicePackUninstall$\user32.dll c:\windows\system32

Press Enter.
You get notified that the file exists and if you want the file to be overwritten.
Type Y
Press Enter to confirm the file to be overwritten.
You get notified that the file is copied/overwritten.
Type Exit
Press Enter and let the Windows boot. Tell me if you could boot.

#15 kiki13

kiki13
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:12:15 AM

Posted 09 July 2009 - 12:16 PM

Yay windows loads now and im able to log in. Ive scanned the computer again with superantispyware and it says it found trojan.agent /GEN-PEC? That didnt show up before.

Ive used the search engines and i dont seem to be getting redirected anymore. do i turn system restore point back on?

Here is the combofix log:

ComboFix 09-07-08.04 - Jiun 07/08/2009 18:02.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1626 [GMT -7:00]
Running from: c:\documents and settings\Jiun\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jiun\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\user32.dll --> c:\windows\system32\dllcache\user32.dll
c:\windows\ServicePackFiles\i386\user32.dll --> c:\windows\system32\user32.dll
c:\windows\ServicePackFiles\i386\explorer.exe --> c:\windows\explorer.exe
c:\windows\ServicePackFiles\i386\spoolsv.exe --> c:\windows\system32\spoolsv.exe
.
((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 )))))))))))))))))))))))))))))))
.

2009-07-07 02:13 . 2009-07-07 02:13 -------- d-----w- c:\program files\Apple Software Update
2009-07-07 02:13 . 2009-07-07 02:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-02 04:40 . 2009-07-02 21:04 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-02 04:39 . 2009-07-02 04:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-07-02 03:37 . 2009-07-02 03:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-01 02:51 . 2009-07-09 00:58 117760 ----a-w- c:\documents and settings\Jiun\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-01 02:46 . 2009-07-01 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-01 02:41 . 2009-07-01 02:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-01 02:41 . 2009-07-01 02:41 -------- d-----w- c:\documents and settings\Jiun\Application Data\SUPERAntiSpyware.com
2009-07-01 00:45 . 2009-07-02 00:45 -------- d-----w- C:\SDFix
2009-06-21 02:37 . 2009-06-30 02:45 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\threatwork.exe
2009-06-21 02:37 . 2009-07-07 02:38 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\savapibridge.dll
2009-06-21 02:37 . 2009-06-30 02:44 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavamessage.dll
2009-06-21 02:37 . 2009-06-30 02:44 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavalicense.dll
2009-06-21 02:37 . 2009-06-30 02:44 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\UpdateManager.dll
2009-06-21 02:37 . 2009-07-07 02:38 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Resources.dll
2009-06-21 02:37 . 2009-06-30 02:41 85352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\32\AAWDriverTool.exe
2009-06-21 02:37 . 2009-06-30 02:40 664424 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\CEAPI.dll
2009-06-21 02:37 . 2009-06-30 02:40 563064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareCommand.exe
2009-06-21 02:37 . 2009-06-30 02:39 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareAdmin.exe
2009-06-21 02:36 . 2009-07-07 02:37 2353480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-Aware.exe
2009-06-21 02:36 . 2009-06-30 02:38 629072 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWWSC.exe
2009-06-21 02:36 . 2009-06-30 22:20 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWTray.exe
2009-06-21 02:36 . 2009-06-30 22:20 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWService.exe
2009-06-10 13:29 . 2009-06-10 13:29 152576 ----a-w- c:\documents and settings\Jiun\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-09 00:58 . 2006-12-22 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-07-09 00:56 . 2008-10-04 00:56 3432 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-07-09 00:56 . 2008-10-04 00:56 688160 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-07-09 00:56 . 2008-10-04 00:56 2813472 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-07-09 00:56 . 2008-10-04 00:56 23060 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-09 00:49 . 2007-01-27 00:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-02 16:52 . 2008-09-03 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-01 02:35 . 2007-11-19 04:55 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-30 22:20 . 2009-06-02 02:45 84832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\ShellExt.dll
2009-06-30 21:46 . 2008-09-06 01:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-30 21:46 . 2009-03-08 01:24 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-30 02:41 . 2009-06-02 02:42 246128 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\RPAPI.dll
2009-06-30 02:41 . 2009-06-02 02:42 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\PrivacyClean.dll
2009-06-27 08:49 . 2008-07-15 05:42 -------- d-----w- c:\documents and settings\Jiun\Application Data\Skype
2009-06-27 07:49 . 2008-07-15 05:47 -------- d-----w- c:\documents and settings\Jiun\Application Data\skypePM
2009-06-17 18:27 . 2008-09-06 01:14 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 18:27 . 2008-09-06 01:14 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-10 13:30 . 2006-12-29 09:56 -------- d-----w- c:\program files\Java
2009-06-06 15:00 . 2007-11-25 23:48 -------- d-----w- c:\documents and settings\Jiun\Application Data\U3
2009-06-04 02:07 . 2006-12-22 21:12 -------- d-----w- c:\program files\World of Warcraft
2009-06-02 02:45 . 2009-06-02 02:45 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lsdelete.exe
2009-06-02 02:45 . 2009-03-08 06:29 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-21 18:33 . 2008-12-06 19:10 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-20 12:42 . 2008-10-04 00:52 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-05-20 12:42 . 2008-10-04 00:52 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-05-19 08:36 . 2009-06-27 23:54 2884832 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\vwpt.exe
2009-05-19 08:36 . 2009-06-27 23:54 28 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\unregister.bat
2009-05-19 08:36 . 2009-06-27 23:54 25 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\register.bat
2009-05-19 08:36 . 2009-06-27 23:54 1484856 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\toolbar.exe
2009-05-19 08:36 . 2009-06-27 23:54 97072 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\bsetutil.exe
2009-05-19 08:36 . 2009-06-27 23:54 142040 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\alsetup.exe
2009-05-19 08:36 . 2009-06-27 23:54 30512 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\Uninstaller.exe
2009-05-19 08:36 . 2009-06-27 23:54 111920 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\AOLSearch.dll
2009-04-24 04:07 . 2009-04-24 04:07 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\32\lbd.sys
2009-04-19 00:48 . 2009-04-19 00:48 152576 ----a-w- c:\documents and settings\Jiun\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-08_01.48.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-09 00:58 . 2009-07-09 00:58 16384 c:\windows\Temp\Perflib_Perfdata_298.dat
+ 2005-06-10 23:55 . 2008-04-14 00:12 57856 c:\windows\system32\dllcache\spoolsv.exe
+ 2006-12-20 18:21 . 2009-07-09 00:45 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-12-20 18:21 . 2009-07-08 01:24 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-12-20 18:21 . 2009-07-09 00:45 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-12-20 18:21 . 2009-07-08 01:24 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2002-08-29 12:00 . 2008-04-14 00:12 1033728 c:\windows\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"snpstd3"="c:\windows\vsnpstd3.exe" [2005-09-05 339968]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-02-10 206088]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-30 520024]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-19 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Background Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EPSON Background Monitor.lnk
backup=c:\windows\pss\EPSON Background Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Adobe Version Cue CS2"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9464-to-3.0.8.9506-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.0.9767-to-3.1.1.9806-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 6:29 PM 33808]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/7/2009 8:36 PM 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 12:02 PM 1213728]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 6:06 PM 24592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 2:34 PM 1029456]
S3 XDva020;XDva020;\??\c:\windows\system32\XDva020.sys --> c:\windows\system32\XDva020.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-07-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 02:39]

2009-07-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-07-08 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 22:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://qwest.live.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://qwest.live.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download All by FlashGet - c:\progra~1\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\progra~1\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jiun\Application Data\Mozilla\Firefox\Profiles\lc6cces0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Jiun\Application Data\Mozilla\Firefox\Profiles\lc6cces0.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\browser\nppdf32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-08 18:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\TINTLGNT.IME

- - - - - - - > 'explorer.exe'(2560)
c:\windows\system32\TINTLGNT.IME
.
Completion time: 2009-07-09 18:10
ComboFix-quarantined-files.txt 2009-07-09 01:10
ComboFix2.txt 2009-07-08 01:53

Pre-Run: 39,645,609,984 bytes free
Post-Run: 39,614,443,520 bytes free

246 --- E O F --- 2009-06-11 06:42




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users