Being haunted by Baidu Bar


  • This topic is locked
31 replies to this topic

#1 yangwendi

yangwendi

  • Members
  • 20 posts
  • OFFLINE
  • Local time:06:00 PM

Posted 10 July 2009 - 03:49 PM

No matter what anti spyware or anti virus software I try to use to remove Baidu Bar it comes back with a vengeance and a bunch of trojan friends. Help!


DDS (Ver_09-06-26.01) - NTFSx86
Run by Alice at 16:44:40.67 on 07/10/2009 Fri
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.511.205 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090709-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Ringz Studio\Storm Codec\stormliv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINPENJR\Win32\pphidpad.exe
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Alice\Desktop\dds.scr
C:\WINDOWS\system32\conime.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msn.com
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = localhost;*.local
mSearchAssistant = hxxp://bar.baidu.com/sobar/defaultsearch.html
mCustomizeSearch = hxxp://bar.baidu.com/sobar/defaultsearch.html
BHO: ThunderAtOnce Class: {01443aec-0fd1-40fd-9c87-e93d1494c233} - c:\program files\thunder network\thunder\comdlls\TDAtOnce_Now.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {77fef28e-eb96-44ff-b511-3185dea48697} - BandIE Class
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: 百度工具栏: {b580cf65-e151-49c3-b73f-70b13fca8e86} -
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [RecordNow!]
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\BackWeb-8876480.exe
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [CamMonitor] c:\program files\hp\digital imaging\unload\hpqcmon.exe
mRun: [Share-to-Web Namespace Daemon] c:\program files\hp\hp share-to-web\hpgs2wnd.exe
mRun: [HPHUPD05]
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd.exe"
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [PPHIDPAD] c:\winpenjr\win32\pphidpad.exe
mRun: [TkBellExe]
mRun: [BigDogPath] c:\windows\VM_STI.EXE VIMICRO USB PC Camera 301x
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [QuickTime Task] "c:\program files\ringz studio\storm codec\QTTask.exe" -atboottime
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quicken\bagent.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: 使用迅雷下载 - c:\program files\thunder network\thunder\program\geturl.htm
IE: 使用迅雷下载全部链接 - c:\program files\thunder network\thunder\program\getallurl.htm
IE: {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - c:\program files\thunder network\thunder\Thunder.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://active.macromedia.com/flash2/cabs/swflash.cab
Handler: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -
Handler: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alice\applic~1\mozilla\firefox\profiles\3efes560.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 BdGuard;BdGuard;c:\windows\system32\drivers\BDGuard.SYS [2008-10-26 28672]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-3-17 114768]
R1 ppmoucls;ppmoucls;c:\windows\system32\drivers\PPMOUCLS.SYS [2005-1-16 20704]
R1 pptchpad;PenPower Touchpad;c:\windows\system32\drivers\PPTCHPD5.SYS [2005-1-16 17216]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-3-17 718880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-17 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-3-17 138680]
R2 ccosm;Contrl Center of Storm Media;c:\program files\ringz studio\storm codec\stormliv.exe [2008-3-11 473184]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-3-17 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-3-17 352920]
R3 EMCR;EMCR;c:\windows\system32\drivers\EMCR7SK.sys [2003-8-15 68480]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
S2 mrtRate;mrtRate; [x]
S2 Stormser;Stormser;c:\progra~1\ringzs~1\stormc~1\stormser.exe --> c:\progra~1\ringzs~1\stormc~1\Stormser.exe [?]
S3 PhilCam8116_XP;Logitech QuickCam Pro 3000(PID_08B1);c:\windows\system32\drivers\CamDrL20.sys [2005-8-21 245760]

=============== Created Last 30 ================


==================== Find3M ====================

2009-07-09 23:09 7,332 a------- c:\windows\system32\cid_store.dat
2009-05-25 22:23 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\dllcache\wininet.dll
2009-04-29 00:56 233,472 -------- c:\windows\system32\dllcache\webcheck.dll
2009-04-29 00:56 1,159,680 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-29 00:56 671,232 a------- c:\windows\system32\dllcache\mstime.dll
2009-04-29 00:56 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-29 00:56 105,984 -------- c:\windows\system32\dllcache\url.dll
2009-04-29 00:56 102,912 -------- c:\windows\system32\dllcache\occache.dll
2009-04-29 00:56 3,596,288 a------- c:\windows\system32\dllcache\mshtml.dll
2009-04-29 00:56 477,696 a------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-29 00:56 193,024 a------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 05:05 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 05:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-25 01:27 636,088 -------- c:\windows\system32\dllcache\iexplore.exe
2009-04-25 01:26 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 08:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 10:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-01-07 22:19 35,008,838 a------- c:\docume~1\alluse~1\applic~1\Storm3.exe
2009-02-07 16:55 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009020720090208\index.dat

============= FINISH: 16:46:01.76 ===============


#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:00 AM

Posted 18 July 2009 - 06:43 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 yangwendi

yangwendi
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:06:00 PM

Posted 18 July 2009 - 08:00 PM

DDS :


DDS (Ver_09-06-26.01) - NTFSx86
Run by Alice at 20:56:58.56 on 07/18/2009 Sat
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.511.238 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090718-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINPENJR\Win32\pphidpad.exe
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
svchost.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Ringz Studio\Storm Codec\stormliv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Alice\Desktop\dds.scr
C:\WINDOWS\system32\conime.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msn.com
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = localhost;*.local
mSearchAssistant = hxxp://bar.baidu.com/sobar/defaultsearch.html
mCustomizeSearch = hxxp://bar.baidu.com/sobar/defaultsearch.html
BHO: ThunderAtOnce Class: {01443aec-0fd1-40fd-9c87-e93d1494c233} - c:\program files\thunder network\thunder\comdlls\TDAtOnce_Now.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {77fef28e-eb96-44ff-b511-3185dea48697} - BandIE Class
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: 百度工具栏: {b580cf65-e151-49c3-b73f-70b13fca8e86} -
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [RecordNow!]
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\BackWeb-8876480.exe
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [CamMonitor] c:\program files\hp\digital imaging\unload\hpqcmon.exe
mRun: [Share-to-Web Namespace Daemon] c:\program files\hp\hp share-to-web\hpgs2wnd.exe
mRun: [HPHUPD05]
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd.exe"
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [PPHIDPAD] c:\winpenjr\win32\pphidpad.exe
mRun: [TkBellExe]
mRun: [BigDogPath] c:\windows\VM_STI.EXE VIMICRO USB PC Camera 301x
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [QuickTime Task] "c:\program files\ringz studio\storm codec\QTTask.exe" -atboottime
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quicken\bagent.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: 使用迅雷下载 - c:\program files\thunder network\thunder\program\geturl.htm
IE: 使用迅雷下载全部链接 - c:\program files\thunder network\thunder\program\getallurl.htm
IE: {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - c:\program files\thunder network\thunder\Thunder.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://active.macromedia.com/flash2/cabs/swflash.cab
Handler: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -
Handler: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alice\applic~1\mozilla\firefox\profiles\3efes560.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 BdGuard;BdGuard;c:\windows\system32\drivers\BDGuard.SYS [2008-10-26 28672]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-3-17 114768]
R1 ppmoucls;ppmoucls;c:\windows\system32\drivers\PPMOUCLS.SYS [2005-1-16 20704]
R1 pptchpad;PenPower Touchpad;c:\windows\system32\drivers\PPTCHPD5.SYS [2005-1-16 17216]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-3-17 718880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-17 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-3-17 138680]
R2 ccosm;Contrl Center of Storm Media;c:\program files\ringz studio\storm codec\stormliv.exe [2008-3-11 473184]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-3-17 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-3-17 352920]
R3 EMCR;EMCR;c:\windows\system32\drivers\EMCR7SK.sys [2003-8-15 68480]
S2 mrtRate;mrtRate; [x]
S2 Stormser;Stormser;c:\progra~1\ringzs~1\stormc~1\stormser.exe --> c:\progra~1\ringzs~1\stormc~1\Stormser.exe [?]
S3 PhilCam8116_XP;Logitech QuickCam Pro 3000(PID_08B1);c:\windows\system32\drivers\CamDrL20.sys [2005-8-21 245760]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]

=============== Created Last 30 ================


==================== Find3M ====================

2009-07-15 21:38 8,051 a------- c:\windows\system32\cid_store.dat
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 15:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-25 22:23 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\dllcache\wininet.dll
2009-04-29 00:56 233,472 -------- c:\windows\system32\dllcache\webcheck.dll
2009-04-29 00:56 1,159,680 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-29 00:56 671,232 a------- c:\windows\system32\dllcache\mstime.dll
2009-04-29 00:56 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-29 00:56 105,984 -------- c:\windows\system32\dllcache\url.dll
2009-04-29 00:56 102,912 -------- c:\windows\system32\dllcache\occache.dll
2009-04-29 00:56 3,596,288 a------- c:\windows\system32\dllcache\mshtml.dll
2009-04-29 00:56 477,696 a------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-29 00:56 193,024 a------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 05:05 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 05:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-25 01:27 636,088 -------- c:\windows\system32\dllcache\iexplore.exe
2009-04-25 01:26 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-01-07 22:19 35,008,838 a------- c:\docume~1\alluse~1\applic~1\Storm3.exe
2009-02-07 16:55 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009020720090208\index.dat

============= FINISH: 20:58:18.00 ===============


#4 sempai

sempai

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 20 July 2009 - 05:16 PM

Hello yangwendi, my name is Sempai and welcome to Bleeping Computer.

*We apologize for the delay. The forum has been busy.

*I want you to understand that I'm still a trainee here. I will be working with my Coach who will approve all my instructions before posting them to you, so there's a possibility to have some delays in my responses. But the good part is, there are two people reviewing your problem instead of one.

*It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning process of your machine.

*You must reply within 5 days otherwise this topic will be closed.



No matter what anti spyware or anti virus software I try to use to remove Baidu Bar it comes back with a vengeance and a bunch of trojan friends. Help!

This is because of the program thunder network that you have installed. This is the culprit of all your problems. I strongly suggest that you remove and stop using this program or you will keep getting reinfected again and again. Please read HERE.

Computer Virus

Many files bundled with the programme are found to be viruses by leading antivirus programmes such as Norton Antivirus.

Adware

Xunlei has Ads in it but no evidence shows it has adware. Xunlei may bundle 3rd party software such as Google Toolbar and Baidu Toolbar. Users are informed of the bundling and can choose not to install.



1. Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case Xunlei/thunder network).

These programmes allow files to be shared between users, as the name suggests. In today's world cyber crime has reached an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they are thus suggested to be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."


2. One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#5 yangwendi

yangwendi
  • Topic Starter

  • Members
  • 20 posts

Posted 20 July 2009 - 05:56 PM

I had suspected that was the main cause but what I was hoping for is that isn't there a way to protect the computer even while keeping that software? Because it is my mother's computer so getting rid of it is a last choice option.

So would there be a way to protect the computer from future infections of the same type while keeping xunlei or whatever its called? If there isn't then I guess we will have to uninstall it.

#6 sempai

sempai

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 22 July 2009 - 05:34 PM

Hi,

The possibility of getting reinfected is very high; as a matter of fact you got infected the first time you installed that program (because you mistakenly installed its 3rd party software), so I don't recommend keeping that program. But if you really insist, the best thing for you to do is to uninstall it and then reinstall it, but this time make sure not to install its bundled 3rd party software like Baidu Toolbar etc.

I already stated the risk factor of using this kind of program. The decision of keeping or removing it is all yours.

Please let me know if you want me to proceed with the cleaning process.

~Semp :thumbup2:



#7 yangwendi

yangwendi
  • Topic Starter

  • Members
  • 20 posts

Posted 24 July 2009 - 09:54 AM

We'll go with the uninstall.

Edited by yangwendi, 24 July 2009 - 10:10 AM.


#8 sempai

sempai

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 24 July 2009 - 05:03 PM

Hi yangwendi,

Let's begin with the cleaning process.

1. Go to start > control panel > add remove programs and uninstall thunder network and then go to c: > program files and delete thunder network folder.


2. We need to download and run ComboFix (by sUBs)

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2

  • Temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note**:

*If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.


Warning!

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper. *** If you are not the topic starter DO NOT run this tool as it could cause irreversible damage to your computer.


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


~Semp



#9 yangwendi

yangwendi
  • Topic Starter

  • Members
  • 20 posts

Posted 25 July 2009 - 03:18 PM

Here's the log, but it got stalled the first time running while trying to delete a folder from the recycler and I had to reboot it.

ComboFix 09-07-24.01 - Alice 07/25/2009 15:42.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.234 [GMT -4:00]
Running from: c:\documents and settings\Alice\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090724-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\baidu
c:\program files\baidu\bar\bdgdins.dll
c:\windows\system32\BDGuard.DAT
c:\windows\system32\BDGuardS.DAT
c:\windows\system32\drivers\bdguard.sys
.
---- Previous Run -------
.
c:\docume~1\Alice\LOCALS~1\Temp\IadHide4.dll
c:\documents and settings\Alice\Application Data\BITS
c:\documents and settings\Alice\Application Data\BITS\BITS.ini
c:\documents and settings\Alice\Application Data\BITS\DHTTable.dat
c:\documents and settings\Alice\Application Data\BITS\UPnP.ini
c:\documents and settings\Alice\Local Settings\Application Data\Baidu
c:\documents and settings\Alice\Local Settings\Temp\IadHide4.dll
c:\program files\FlashGet Network
c:\program files\FlashGet Network\Flashget\Profiles\config.dat
c:\program files\FlashGet Network\Flashget\Profiles\tasks.dat
c:\program files\StormII
c:\recycler\S-1-5-21-1452837178-3163268665-3262375872-500
c:\recycler\S-1-5-21-725345543-1390067357-839522115-500
c:\windows\Installer\337557.msp
c:\windows\Installer\33756a.msp
c:\windows\Installer\3375c3.msp
c:\windows\Installer\359b33.msi
c:\windows\Installer\ba0d5.msi
c:\windows\sosuo.col
c:\windows\system32\drivers\OCA_LOG.TXT
c:\windows\system32\iexp_log.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BDGUARD
-------\Service_BdGuard
-------\Legacy_BDGUARD
-------\Service_BdGuard


((((((((((((((((((((((((( Files Created from 2009-06-25 to 2009-07-25 )))))))))))))))))))))))))))))))
.

2009-07-25 18:31 . 2009-07-25 18:31 -------- d-sh--w- c:\documents and settings\Alice\PrivacIE
2009-07-25 18:22 . 2009-07-25 18:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-07-25 18:21 . 2009-07-25 18:21 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-25 18:21 . 2009-07-25 18:21 -------- d-sh--w- c:\documents and settings\Alice\IETldCache
2009-07-25 18:16 . 2009-07-01 07:08 101376 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-07-25 18:16 . 2009-07-25 18:16 -------- d-----w- c:\windows\ie8updates
2009-07-25 18:14 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-07-25 18:14 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-25 18:09 . 2009-07-25 18:14 -------- dc-h--w- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-19 23:01 . 2008-10-12 18:28 7376 ----a-w- c:\windows\system32\cid_store.dat
2009-07-19 22:59 . 2008-10-12 18:28 101 ----a-w- c:\windows\system32\xlhcc.dat
2009-07-10 20:11 . 2009-03-17 21:28 -------- d-----w- c:\program files\a-squared Free
2009-07-10 16:56 . 2009-03-17 23:07 117760 ----a-w- c:\documents and settings\Alice\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-28 18:16 . 2007-06-02 17:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Storm
2009-06-16 14:36 . 2003-03-31 02:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2003-03-31 02:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-09 00:56 . 2008-10-12 18:34 -------- d-sh--w- c:\documents and settings\All Users\Application Data\thunder_vod_cache
2009-06-03 19:09 . 2003-05-30 16:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-26 02:23 . 2009-05-26 02:23 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-26 02:13 . 2009-05-26 02:13 152576 ----a-w- c:\documents and settings\Alice\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-13 05:15 . 2004-12-07 21:37 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2003-03-31 02:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-07-10 21:21 . 2009-07-10 21:21 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2008-09-23 21:39 . 2008-10-12 18:24 36864 ----a-w- c:\program files\mozilla firefox\components\NsThunderLoader.dll
2008-09-23 21:39 . 2008-10-12 18:24 53248 ----a-w- c:\program files\mozilla firefox\components\ThunderComponent.dll
.

------- Sigcheck -------

[-] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-06-20 10:45 360320 01D5EAAFF224415A7FF513E4C882BE30 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2004-08-04 06:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB893066$\tcpip.sys
[-] 2005-05-25 19:04 359808 88763A98A4C26C409741B4AA162720C9 c:\windows\$NtUninstallKB913446$\tcpip.sys
[-] 2006-01-13 02:28 359808 583E063FDC888CA30D05C2724B0D7EF4 c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2006-04-20 11:51 359808 B4E29943B4B04BD5E7381546848E6669 c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2007-10-30 17:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 361600 4AFB3B0919649F95C1964AA1FAD27D73 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2004-06-01 196608]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2005-08-21 20480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-18 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-03-12 3067904]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-26 148888]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2003-11-18 241664]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-15 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-15 618496]
"CamMonitor"="c:\program files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 90112]
"Share-to-Web Namespace Daemon"="c:\program files\HP\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-23 483328]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-03-18 204862]
"PPHIDPAD"="c:\winpenjr\Win32\pphidpad.exe" [2003-08-22 53248]
"BigDogPath"="c:\windows\VM_STI.EXE" [2003-01-21 40960]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-05-21 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-06-01 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2004-06-01 217088]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2003-03-31 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2003-03-31 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
"QuickTime Task"="c:\program files\Ringz Studio\Storm Codec\QTTask.exe" [2008-01-10 385024]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-7-7 233472]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-8-21 450560]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-7-30 57344]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 15:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ringz Studio\\Storm Codec\\Storm.exe"=
"c:\\Program Files\\Ringz Studio\\Storm Codec\\stormliv.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [3/17/2009 10:17 PM 114768]
R1 ppmoucls;ppmoucls;c:\windows\system32\drivers\PPMOUCLS.SYS [1/16/2005 3:54 PM 20704]
R1 pptchpad;PenPower Touchpad;c:\windows\system32\drivers\PPTCHPD5.SYS [1/16/2005 3:54 PM 17216]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2009 11:43 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/17/2009 10:17 PM 20560]
R2 ccosm;Contrl Center of Storm Media;c:\program files\Ringz Studio\Storm Codec\stormliv.exe [3/11/2008 2:33 AM 473184]
R3 EMCR;EMCR;c:\windows\system32\drivers\EMCR7SK.sys [8/15/2003 11:10 AM 68480]
S2 mrtRate;mrtRate; [x]
S2 Stormser;Stormser;c:\progra~1\RINGZS~1\STORMC~1\Stormser.exe --> c:\progra~1\RINGZS~1\STORMC~1\Stormser.exe [?]
S3 PhilCam8116_XP;Logitech QuickCam Pro 3000(PID_08B1);c:\windows\system32\drivers\CamDrL20.sys [8/21/2005 1:56 PM 245760]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2004-09-13 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2004-02-12 20:39]
.
- - - - ORPHANS REMOVED - - - -

BHO-{77FEF28E-EB96-44FF-B511-3185DEA48697} - (no file)
HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
HKCU-Run-RecordNow! - (no file)
HKLM-Run-HPHUPD05 - (no file)
HKLM-Run-TkBellExe - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = localhost;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436}
Handler: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -
Handler: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -
FF - ProfilePath - c:\documents and settings\Alice\Application Data\Mozilla\Firefox\Profiles\3efes560.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-25 15:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????6?7?2?0??????? ?|?B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\BaiduBar.Baidu\CLSID]
@DACL=(02 0000)
@="{B580CF65-E151-49C3-B73F-70B13FCA8E86}"

[HKEY_LOCAL_MACHINE\software\Classes\BaiduBar.Baidu\CurVer]
@DACL=(02 0000)
@="BaiduBar.Baidu.1"

[HKEY_LOCAL_MACHINE\software\Classes\BaiduBar.Baidu.1\CLSID]
@DACL=(02 0000)
@="{B580CF65-E151-49C3-B73F-70B13FCA8E86}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\InprocServer32]
@DACL=(02 0000)
@="c:\\PROGRA~1\\baidu\\bar\\baidubar.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\ProgID]
@DACL=(02 0000)
@="BaiduBarEx.BandIE.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\Programmable]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\TypeLib]
@DACL=(02 0000)
@="{6AFC2761-1253-427C-9A56-385B4609BE1D}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\VersionIndependentProgID]
@DACL=(02 0000)
@="BaiduBarEx.BandIE"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{889D2FEB-5411-4565-8998-1DD2C5261283}\Control]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{889D2FEB-5411-4565-8998-1DD2C5261283}\InprocServer32]
@DACL=(02 0000)
@="c:\\Program Files\\Thunder Network\\Thunder\\ComDlls\\xunleiBHO_Now.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{889D2FEB-5411-4565-8998-1DD2C5261283}\ProgID]
@DACL=(02 0000)
@="XunLeiBHO.ThunderIEHelper.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{889D2FEB-5411-4565-8998-1DD2C5261283}\Programmable]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{889D2FEB-5411-4565-8998-1DD2C5261283}\TypeLib]
@DACL=(02 0000)
@="{87CA3845-37FE-414C-81CF-E08A7D0F6779}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{889D2FEB-5411-4565-8998-1DD2C5261283}\Version]
@DACL=(02 0000)
@="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{889D2FEB-5411-4565-8998-1DD2C5261283}\VersionIndependentProgID]
@DACL=(02 0000)
@="XunLeiBHO.ThunderIEHelper"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\InprocServer32]
@DACL=(02 0000)
@="c:\\PROGRA~1\\baidu\\bar\\baidubar.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\ProgID]
@DACL=(02 0000)
@="BaiduBar.Baidu.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\Programmable]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\TypeLib]
@DACL=(02 0000)
@="{6AFC2761-1253-427C-9A56-385B4609BE1D}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\VersionIndependentProgID]
@DACL=(02 0000)
@="BaiduBar.Baidu"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3860)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\a-squared Free\a2service.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\HP\HP Share-to-Web\hpgs2wnf.exe
c:\program files\Logitech\Video\FxSvr2.exe
.
**************************************************************************
.
Completion time: 2009-07-25 16:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-25 20:05

Pre-Run: 27,094,507,520 bytes free
Post-Run: 28,746,297,344 bytes free

298 --- E O F --- 2009-07-25 18:17
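The Sigcheck block in the ComboFix log above lists several copies of tcpip.sys, and the live copy under system32\drivers carries a different MD5 from the dllcache copy that has the same size and timestamp. As an added example (not ComboFix's code and not anything posted in the thread; the function names are mine), this script parses Sigcheck lines and flags live system files whose hash disagrees with a Windows backup copy of identical size and timestamp; the sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Sample Sigcheck lines copied from the ComboFix log above (tcpip.sys only).
SIGCHECK_SAMPLE = r"""
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 361600 4AFB3B0919649F95C1964AA1FAD27D73 c:\windows\system32\drivers\tcpip.sys
"""

# One Sigcheck line looks like: [flag] date time size md5 path
LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+"
    r"(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+"
    r"(?P<path>.+?)\s*$"
)

# Directories in which Windows keeps its own backup copies of system files
# (assumed list; matched case-insensitively as substrings of the path).
BACKUP_DIRS = (
    "\\dllcache\\",
    "\\servicepackfiles\\",
    "\\$hf_mig$\\",
    "\\$ntuninstall",
    "\\$ntservicepackuninstall$\\",
)


def parse_sigcheck(text):
    """Parse Sigcheck lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["path"] = e["path"].lower()
        e["name"] = e["path"].rsplit("\\", 1)[-1]
        e["is_backup"] = any(d in e["path"] for d in BACKUP_DIRS)
        entries.append(e)
    return entries


def find_modified_system_files(entries):
    """Flag live files whose MD5 differs from a backup copy of identical size and timestamp.

    Two copies with the same size and timestamp should be byte-identical; a
    differing hash means one of them was altered, and the live copy is the one
    to verify against a known-good file.
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)

    findings = []
    for name, copies in by_name.items():
        live = [c for c in copies if not c["is_backup"]]
        backups = [c for c in copies if c["is_backup"]]
        for l in live:
            for b in backups:
                same_identity = (b["size"], b["stamp"]) == (l["size"], l["stamp"])
                if same_identity and b["md5"] != l["md5"]:
                    findings.append({
                        "name": name,
                        "live_path": l["path"],
                        "live_md5": l["md5"],
                        "backup_path": b["path"],
                        "backup_md5": b["md5"],
                        "flag": l["flag"],
                    })
    return findings


if __name__ == "__main__":
    for f in find_modified_system_files(parse_sigcheck(SIGCHECK_SAMPLE)):
        print(f"{f['name']}: live {f['live_path']} md5 {f['live_md5']} "
              f"differs from {f['backup_path']} md5 {f['backup_md5']} (flag [{f['flag']}])")
```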

#10 sempai

sempai

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 26 July 2009 - 09:43 AM

Hello yangwendi,

1. We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found HERE.)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

DDS::
BHO: ThunderAtOnce Class: {01443aec-0fd1-40fd-9c87-e93d1494c233} - c:\program files\thunder network\thunder\comdlls\TDAtOnce_Now.dll
IE: ハケモテムクタラマツヤリ - c:\program files\thunder network\thunder\program\geturl.htm
IE: ハケモテムクタラマツヤリネォイソチエスモ - c:\program files\thunder network\thunder\program\getallurl.htm
BHO: {77fef28e-eb96-44ff-b511-3185dea48697} - BandIE Class
TB: ールカネケ、セ゚タク: {b580cf65-e151-49c3-b73f-70b13fca8e86} -
mSearchAssistant = hxxp://bar.baidu.com/sobar/defaultsearch.html
mCustomizeSearch = hxxp://bar.baidu.com/sobar/defaultsearch.html
Handler: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -
Handler: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -

File::
c:\windows\system32\cid_store.dat
c:\program files\mozilla firefox\components\NsThunderLoader.dll
c:\program files\mozilla firefox\components\ThunderComponent.dll

Folder::
c:\documents and settings\All Users\Application Data\thunder_vod_cache
c:\program files\baidu
c:\Program Files\Thunder Network

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\BaiduBar.Baidu]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{889D2FEB-5411-4565-8998-1DD2C5261283}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}]

Driver::
mrtRate


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


2. Create a new DDS log. Post it together with the Combofix and Jotti logs.


~Semp :thumbup2:


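Every entry in a CFScript like the one above should be traceable to something ComboFix actually reported, since the script deletes what it names. As an added example (not ComboFix's tooling and not anything from the thread; the function names are mine), this script parses the CFScript sections and checks each File::, Folder::, RegLockDel:: and Driver:: entry against an excerpt of the log posted earlier; the extra Folder entry is constructed to show what an unmatched line looks like.

```python
import re

# The CFScript from the post above, plus one constructed Folder entry that the
# log never mentions (to show how an unmatched entry is reported).
CFSCRIPT_SAMPLE = r"""
File::
c:\windows\system32\cid_store.dat
c:\program files\mozilla firefox\components\NsThunderLoader.dll

Folder::
c:\program files\baidu
c:\program files\constructed-example-folder

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\BaiduBar.Baidu]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}]

Driver::
mrtRate
"""

# Lines excerpted from the ComboFix log posted earlier (constructed excerpt).
COMBOFIX_LOG_SAMPLE = r"""
c:\program files\baidu
2009-07-19 23:01 . 2008-10-12 18:28 7376 ----a-w- c:\windows\system32\cid_store.dat
2008-09-23 21:39 . 2008-10-12 18:24 36864 ----a-w- c:\program files\mozilla firefox\components\NsThunderLoader.dll
S2 mrtRate;mrtRate; [x]
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\BaiduBar.Baidu\CLSID]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\InprocServer32]
"""

SECTION_RE = re.compile(r"^(\w+)::\s*$")                 # "File::", "RegLockDel::", ...
SERVICE_RE = re.compile(r"^[RS]\d+\s+([^;]+);", re.I)    # "S2 mrtRate;mrtRate; [x]"


def parse_cfscript(text):
    """Split a CFScript into {section: [entries]}; a 'Name::' line starts a section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def cross_check(script, log_text):
    """Return {section: [entries the log never mentions]} so nothing is deleted on a guess."""
    log_lower = log_text.lower()
    log_lines = [l.strip().lower() for l in log_text.splitlines()]

    # Registry keys listed under the LOCKED REGISTRY KEYS header, brackets stripped.
    locked_keys, in_locked = [], False
    for l in log_lines:
        if "locked registry keys" in l:
            in_locked = True
        elif in_locked and l.startswith("[hkey_"):
            locked_keys.append(l.strip("[]"))

    # Service names from "R1 name;..." / "S2 name;..." lines.
    services = set()
    for l in log_lines:
        m = SERVICE_RE.match(l)
        if m:
            services.add(m.group(1))

    missing = {}
    for section, entries in script.items():
        for entry in entries:
            e = entry.lower()
            if section in ("File", "Folder"):
                seen = e in log_lower
            elif section == "RegLockDel":
                key = e.strip("[]")
                # RegLockDel names a parent key; the log lists its locked subkeys.
                seen = any(k == key or k.startswith(key + "\\") for k in locked_keys)
            elif section == "Driver":
                seen = e in services
            else:
                seen = True  # DDS:: lines are copied from the DDS log and are not checked here
            if not seen:
                missing.setdefault(section, []).append(entry)
    return missing


if __name__ == "__main__":
    for section, entries in cross_check(parse_cfscript(CFSCRIPT_SAMPLE), COMBOFIX_LOG_SAMPLE).items():
        for entry in entries:
            print(f"{section}:: entry not found in log: {entry}")
```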

#11 yangwendi

yangwendi
  • Topic Starter

  • Members
  • 20 posts

Posted 26 July 2009 - 11:54 AM

Combofix log, I will post DDS log in second post to make it easier to read:

ComboFix 09-07-25.06 - Alice 07/26/2009 12:26.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.241 [GMT -4:00]
Running from: c:\documents and settings\Alice\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Alice\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090725-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\program files\mozilla firefox\components\NsThunderLoader.dll"
"c:\program files\mozilla firefox\components\ThunderComponent.dll"
"c:\windows\system32\cid_store.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Alice\LOCALS~1\Temp\IadHide4.dll
c:\documents and settings\Alice\Local Settings\temp\IadHide4.dll
c:\documents and settings\All Users\Application Data\thunder_vod_cache
c:\documents and settings\All Users\Application Data\thunder_vod_cache\9426A353EBFD229FA70527B9D62D5C615FAC2785\730.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\9426A353EBFD229FA70527B9D62D5C615FAC2785\8389338.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\9426A353EBFD229FA70527B9D62D5C615FAC2785\vod.cfg
c:\documents and settings\All Users\Application Data\thunder_vod_cache\CB90078796B6878DD7656689117945E646C53F72\0.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\CB90078796B6878DD7656689117945E646C53F72\2102910.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\CB90078796B6878DD7656689117945E646C53F72\4200062.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\CB90078796B6878DD7656689117945E646C53F72\5758.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\CB90078796B6878DD7656689117945E646C53F72\6297214.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\CB90078796B6878DD7656689117945E646C53F72\8394366.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\CB90078796B6878DD7656689117945E646C53F72\vod.cfg
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\0.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\10486490.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\12583642.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\14680794.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\16777946.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\18875098.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\20972250.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\2097882.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\23069402.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\25166554.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\27263706.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\29360858.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\31458010.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\33555162.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\35652314.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\37749466.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\39846618.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\41943770.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\4195034.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\44040922.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\46138074.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\48235226.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\50332378.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\52429530.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\54526682.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\56623834.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\58720986.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\60818138.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\62915290.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\6292186.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\65012442.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\67109594.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\69206746.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\71303898.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\730.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\73401050.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\75498202.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\77595354.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\79692506.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\81789658.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\8389338.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D2D651A1BE5DE032290B5E62F8DC436B87BC55EA\vod.cfg
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D6F261CC7C992B0F3AF660A1E7ED5BB5C8261762\0.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D6F261CC7C992B0F3AF660A1E7ED5BB5C8261762\10486490.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D6F261CC7C992B0F3AF660A1E7ED5BB5C8261762\12583642.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D6F261CC7C992B0F3AF660A1E7ED5BB5C8261762\14680794.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D6F261CC7C992B0F3AF660A1E7ED5BB5C8261762\16777946.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D6F261CC7C992B0F3AF660A1E7ED5BB5C8261762\18875098.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D6F261CC7C992B0F3AF660A1E7ED5BB5C8261762\20972250.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D6F261CC7C992B0F3AF660A1E7ED5BB5C8261762\2097882.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D6F261CC7C992B0F3AF660A1E7ED5BB5C8261762\23069402.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D6F261CC7C992B0F3AF660A1E7ED5BB5C8261762\25166554.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D6F261CC7C992B0F3AF660A1E7ED5BB5C8261762\27263706.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D6F261CC7C992B0F3AF660A1E7ED5BB5C8261762\29360858.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D6F261CC7C992B0F3AF660A1E7ED5BB5C8261762\31458010.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D6F261CC7C992B0F3AF660A1E7ED5BB5C8261762\4195034.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D6F261CC7C992B0F3AF660A1E7ED5BB5C8261762\6292186.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D6F261CC7C992B0F3AF660A1E7ED5BB5C8261762\730.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D6F261CC7C992B0F3AF660A1E7ED5BB5C8261762\8389338.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\D6F261CC7C992B0F3AF660A1E7ED5BB5C8261762\vod.cfg
c:\documents and settings\All Users\Application Data\thunder_vod_cache\DD40A5EAD13C859A053BB4F0A2224D1BC930A4D2\0.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\DD40A5EAD13C859A053BB4F0A2224D1BC930A4D2\10486490.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\DD40A5EAD13C859A053BB4F0A2224D1BC930A4D2\12583642.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\DD40A5EAD13C859A053BB4F0A2224D1BC930A4D2\14680794.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\DD40A5EAD13C859A053BB4F0A2224D1BC930A4D2\16777946.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\DD40A5EAD13C859A053BB4F0A2224D1BC930A4D2\18875098.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\DD40A5EAD13C859A053BB4F0A2224D1BC930A4D2\20972250.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\DD40A5EAD13C859A053BB4F0A2224D1BC930A4D2\2097882.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\DD40A5EAD13C859A053BB4F0A2224D1BC930A4D2\23069402.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\DD40A5EAD13C859A053BB4F0A2224D1BC930A4D2\25166554.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\DD40A5EAD13C859A053BB4F0A2224D1BC930A4D2\27263706.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\DD40A5EAD13C859A053BB4F0A2224D1BC930A4D2\29360858.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\DD40A5EAD13C859A053BB4F0A2224D1BC930A4D2\31458010.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\DD40A5EAD13C859A053BB4F0A2224D1BC930A4D2\33555162.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\DD40A5EAD13C859A053BB4F0A2224D1BC930A4D2\35652314.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\DD40A5EAD13C859A053BB4F0A2224D1BC930A4D2\37749466.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\DD40A5EAD13C859A053BB4F0A2224D1BC930A4D2\39846618.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\DD40A5EAD13C859A053BB4F0A2224D1BC930A4D2\41943770.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\DD40A5EAD13C859A053BB4F0A2224D1BC930A4D2\4195034.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\DD40A5EAD13C859A053BB4F0A2224D1BC930A4D2\44040922.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\DD40A5EAD13C859A053BB4F0A2224D1BC930A4D2\46138074.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\DD40A5EAD13C859A053BB4F0A2224D1BC930A4D2\48235226.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\DD40A5EAD13C859A053BB4F0A2224D1BC930A4D2\50332378.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\DD40A5EAD13C859A053BB4F0A2224D1BC930A4D2\50627994.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\DD40A5EAD13C859A053BB4F0A2224D1BC930A4D2\6292186.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\DD40A5EAD13C859A053BB4F0A2224D1BC930A4D2\730.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\DD40A5EAD13C859A053BB4F0A2224D1BC930A4D2\8389338.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\DD40A5EAD13C859A053BB4F0A2224D1BC930A4D2\vod.cfg
c:\documents and settings\All Users\Application Data\thunder_vod_cache\ED2AAAA1FDC036B307D36982A22E505A09AA21E9\0.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\ED2AAAA1FDC036B307D36982A22E505A09AA21E9\2102910.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\ED2AAAA1FDC036B307D36982A22E505A09AA21E9\4200062.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\ED2AAAA1FDC036B307D36982A22E505A09AA21E9\5758.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\ED2AAAA1FDC036B307D36982A22E505A09AA21E9\6297214.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\ED2AAAA1FDC036B307D36982A22E505A09AA21E9\vod.cfg
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F1858B8D0FCE8498E9F7C017232B95930CE8B419\0.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F1858B8D0FCE8498E9F7C017232B95930CE8B419\10486751.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F1858B8D0FCE8498E9F7C017232B95930CE8B419\12583903.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F1858B8D0FCE8498E9F7C017232B95930CE8B419\14681055.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F1858B8D0FCE8498E9F7C017232B95930CE8B419\16778207.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F1858B8D0FCE8498E9F7C017232B95930CE8B419\18875359.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F1858B8D0FCE8498E9F7C017232B95930CE8B419\20972511.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F1858B8D0FCE8498E9F7C017232B95930CE8B419\2098143.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F1858B8D0FCE8498E9F7C017232B95930CE8B419\23069663.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F1858B8D0FCE8498E9F7C017232B95930CE8B419\25166815.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F1858B8D0FCE8498E9F7C017232B95930CE8B419\27263967.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F1858B8D0FCE8498E9F7C017232B95930CE8B419\29361119.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F1858B8D0FCE8498E9F7C017232B95930CE8B419\31458271.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F1858B8D0FCE8498E9F7C017232B95930CE8B419\33555423.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F1858B8D0FCE8498E9F7C017232B95930CE8B419\35652575.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F1858B8D0FCE8498E9F7C017232B95930CE8B419\37749727.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F1858B8D0FCE8498E9F7C017232B95930CE8B419\39846879.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F1858B8D0FCE8498E9F7C017232B95930CE8B419\41944031.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F1858B8D0FCE8498E9F7C017232B95930CE8B419\4195295.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F1858B8D0FCE8498E9F7C017232B95930CE8B419\44041183.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F1858B8D0FCE8498E9F7C017232B95930CE8B419\46138335.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F1858B8D0FCE8498E9F7C017232B95930CE8B419\48235487.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F1858B8D0FCE8498E9F7C017232B95930CE8B419\50332639.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F1858B8D0FCE8498E9F7C017232B95930CE8B419\52429791.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F1858B8D0FCE8498E9F7C017232B95930CE8B419\54526943.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F1858B8D0FCE8498E9F7C017232B95930CE8B419\56624095.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F1858B8D0FCE8498E9F7C017232B95930CE8B419\58721247.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F1858B8D0FCE8498E9F7C017232B95930CE8B419\6292447.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F1858B8D0FCE8498E9F7C017232B95930CE8B419\8389599.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F1858B8D0FCE8498E9F7C017232B95930CE8B419\991.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F1858B8D0FCE8498E9F7C017232B95930CE8B419\vod.cfg
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F20CA0DEB8C86EDE43C2E82ABD6FB378FB95AF9A\0.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F20CA0DEB8C86EDE43C2E82ABD6FB378FB95AF9A\10486490.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F20CA0DEB8C86EDE43C2E82ABD6FB378FB95AF9A\12583642.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F20CA0DEB8C86EDE43C2E82ABD6FB378FB95AF9A\14680794.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F20CA0DEB8C86EDE43C2E82ABD6FB378FB95AF9A\16777946.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F20CA0DEB8C86EDE43C2E82ABD6FB378FB95AF9A\18875098.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F20CA0DEB8C86EDE43C2E82ABD6FB378FB95AF9A\20972250.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F20CA0DEB8C86EDE43C2E82ABD6FB378FB95AF9A\2097882.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F20CA0DEB8C86EDE43C2E82ABD6FB378FB95AF9A\23069402.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F20CA0DEB8C86EDE43C2E82ABD6FB378FB95AF9A\25166554.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F20CA0DEB8C86EDE43C2E82ABD6FB378FB95AF9A\27263706.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F20CA0DEB8C86EDE43C2E82ABD6FB378FB95AF9A\29360858.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F20CA0DEB8C86EDE43C2E82ABD6FB378FB95AF9A\31458010.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F20CA0DEB8C86EDE43C2E82ABD6FB378FB95AF9A\33555162.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F20CA0DEB8C86EDE43C2E82ABD6FB378FB95AF9A\35652314.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F20CA0DEB8C86EDE43C2E82ABD6FB378FB95AF9A\37749466.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F20CA0DEB8C86EDE43C2E82ABD6FB378FB95AF9A\39846618.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F20CA0DEB8C86EDE43C2E82ABD6FB378FB95AF9A\4195034.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F20CA0DEB8C86EDE43C2E82ABD6FB378FB95AF9A\6292186.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F20CA0DEB8C86EDE43C2E82ABD6FB378FB95AF9A\730.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F20CA0DEB8C86EDE43C2E82ABD6FB378FB95AF9A\8389338.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F20CA0DEB8C86EDE43C2E82ABD6FB378FB95AF9A\vod.cfg
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F4E91706E59C21AA6BE4E26D264052A4CCCA0755\0.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F4E91706E59C21AA6BE4E26D264052A4CCCA0755\10491518.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F4E91706E59C21AA6BE4E26D264052A4CCCA0755\12588670.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F4E91706E59C21AA6BE4E26D264052A4CCCA0755\2102910.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F4E91706E59C21AA6BE4E26D264052A4CCCA0755\4200062.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F4E91706E59C21AA6BE4E26D264052A4CCCA0755\5758.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F4E91706E59C21AA6BE4E26D264052A4CCCA0755\6297214.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F4E91706E59C21AA6BE4E26D264052A4CCCA0755\8394366.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F4E91706E59C21AA6BE4E26D264052A4CCCA0755\vod.cfg
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F8B5A7A7FE073D99DC545AF11375E00693AA760C\0.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F8B5A7A7FE073D99DC545AF11375E00693AA760C\10486751.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F8B5A7A7FE073D99DC545AF11375E00693AA760C\12583903.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F8B5A7A7FE073D99DC545AF11375E00693AA760C\14681055.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F8B5A7A7FE073D99DC545AF11375E00693AA760C\16778207.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F8B5A7A7FE073D99DC545AF11375E00693AA760C\18875359.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F8B5A7A7FE073D99DC545AF11375E00693AA760C\20972511.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F8B5A7A7FE073D99DC545AF11375E00693AA760C\2098143.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F8B5A7A7FE073D99DC545AF11375E00693AA760C\23069663.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F8B5A7A7FE073D99DC545AF11375E00693AA760C\25166815.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F8B5A7A7FE073D99DC545AF11375E00693AA760C\27263967.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F8B5A7A7FE073D99DC545AF11375E00693AA760C\29361119.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F8B5A7A7FE073D99DC545AF11375E00693AA760C\31458271.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F8B5A7A7FE073D99DC545AF11375E00693AA760C\33555423.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F8B5A7A7FE073D99DC545AF11375E00693AA760C\35652575.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F8B5A7A7FE073D99DC545AF11375E00693AA760C\37749727.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F8B5A7A7FE073D99DC545AF11375E00693AA760C\39846879.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F8B5A7A7FE073D99DC545AF11375E00693AA760C\41944031.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F8B5A7A7FE073D99DC545AF11375E00693AA760C\4195295.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F8B5A7A7FE073D99DC545AF11375E00693AA760C\44041183.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F8B5A7A7FE073D99DC545AF11375E00693AA760C\46138335.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F8B5A7A7FE073D99DC545AF11375E00693AA760C\48235487.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F8B5A7A7FE073D99DC545AF11375E00693AA760C\50332639.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F8B5A7A7FE073D99DC545AF11375E00693AA760C\52429791.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F8B5A7A7FE073D99DC545AF11375E00693AA760C\54526943.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F8B5A7A7FE073D99DC545AF11375E00693AA760C\56624095.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F8B5A7A7FE073D99DC545AF11375E00693AA760C\6292447.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F8B5A7A7FE073D99DC545AF11375E00693AA760C\8389599.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F8B5A7A7FE073D99DC545AF11375E00693AA760C\991.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\F8B5A7A7FE073D99DC545AF11375E00693AA760C\vod.cfg
c:\documents and settings\All Users\Application Data\thunder_vod_cache\FE542287BA1B41239F36A4738F72B9C98E1D87F9\0.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\FE542287BA1B41239F36A4738F72B9C98E1D87F9\10486751.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\FE542287BA1B41239F36A4738F72B9C98E1D87F9\12583903.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\FE542287BA1B41239F36A4738F72B9C98E1D87F9\14681055.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\FE542287BA1B41239F36A4738F72B9C98E1D87F9\16778207.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\FE542287BA1B41239F36A4738F72B9C98E1D87F9\18875359.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\FE542287BA1B41239F36A4738F72B9C98E1D87F9\20972511.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\FE542287BA1B41239F36A4738F72B9C98E1D87F9\2098143.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\FE542287BA1B41239F36A4738F72B9C98E1D87F9\23069663.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\FE542287BA1B41239F36A4738F72B9C98E1D87F9\25166815.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\FE542287BA1B41239F36A4738F72B9C98E1D87F9\27263967.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\FE542287BA1B41239F36A4738F72B9C98E1D87F9\29361119.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\FE542287BA1B41239F36A4738F72B9C98E1D87F9\31458271.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\FE542287BA1B41239F36A4738F72B9C98E1D87F9\33555423.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\FE542287BA1B41239F36A4738F72B9C98E1D87F9\35652575.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\FE542287BA1B41239F36A4738F72B9C98E1D87F9\37749727.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\FE542287BA1B41239F36A4738F72B9C98E1D87F9\4195295.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\FE542287BA1B41239F36A4738F72B9C98E1D87F9\6292447.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\FE542287BA1B41239F36A4738F72B9C98E1D87F9\8389599.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\FE542287BA1B41239F36A4738F72B9C98E1D87F9\991.dat
c:\documents and settings\All Users\Application Data\thunder_vod_cache\FE542287BA1B41239F36A4738F72B9C98E1D87F9\vod.cfg
c:\program files\mozilla firefox\components\NsThunderLoader.dll
c:\program files\mozilla firefox\components\ThunderComponent.dll
c:\program files\Thunder Network
c:\program files\Thunder Network\Thunder\Components\Security\config.ini
c:\program files\Thunder Network\Thunder\Components\Security\SafeHistory.xml
c:\program files\Thunder Network\Thunder\Profiles\history6.dat
c:\program files\Thunder Network\Thunder\Profiles\history6.dat.rescue
c:\program files\Thunder Network\Thunder\Profiles\Personal.ini
c:\program files\Thunder Network\Thunder\Profiles\Torrents\0819a0f8ab148d5760d993663d9d3c224ee4829f.bt.cfg
c:\program files\Thunder Network\Thunder\Profiles\Torrents\0819a0f8ab148d5760d993663d9d3c224ee4829f.bt.dat
c:\program files\Thunder Network\Thunder\Profiles\Torrents\118c22a165df76a869d16c8cdcb9901110825d85.bt.cfg
c:\program files\Thunder Network\Thunder\Profiles\Torrents\118c22a165df76a869d16c8cdcb9901110825d85.bt.dat
c:\program files\Thunder Network\Thunder\Profiles\Torrents\20f2a34fedb1870ba7917b4a3e3718309ee58c12.bt.cfg
c:\program files\Thunder Network\Thunder\Profiles\Torrents\20f2a34fedb1870ba7917b4a3e3718309ee58c12.bt.dat
c:\program files\Thunder Network\Thunder\Profiles\Torrents\39e899f15dd43434bc8fc7485967528f5e8de77b.bt.cfg
c:\program files\Thunder Network\Thunder\Profiles\Torrents\39e899f15dd43434bc8fc7485967528f5e8de77b.bt.dat
c:\program files\Thunder Network\Thunder\Profiles\Torrents\440bd7a6083cc27a0f354ba31cc24359d6a91f3b.bt.cfg
c:\program files\Thunder Network\Thunder\Profiles\Torrents\440bd7a6083cc27a0f354ba31cc24359d6a91f3b.bt.dat
c:\program files\Thunder Network\Thunder\Profiles\Torrents\468363c06d2b65912021e9dad92343cb927c79e5.bt.cfg
c:\program files\Thunder Network\Thunder\Profiles\Torrents\468363c06d2b65912021e9dad92343cb927c79e5.bt.dat
c:\program files\Thunder Network\Thunder\Profiles\Torrents\52e5818d8e039618b726fb28bafacdacde39f396.bt.cfg
c:\program files\Thunder Network\Thunder\Profiles\Torrents\52e5818d8e039618b726fb28bafacdacde39f396.bt.dat
c:\program files\Thunder Network\Thunder\Profiles\Torrents\5397dfc80fe9bc00c9916c16549054c3376f510e.bt.cfg
c:\program files\Thunder Network\Thunder\Profiles\Torrents\5397dfc80fe9bc00c9916c16549054c3376f510e.bt.dat
c:\program files\Thunder Network\Thunder\Profiles\Torrents\540ed93ac0f019705ddba2be7d93c888baed014a.bt.cfg
c:\program files\Thunder Network\Thunder\Profiles\Torrents\540ed93ac0f019705ddba2be7d93c888baed014a.bt.dat
c:\program files\Thunder Network\Thunder\Profiles\Torrents\542d3597e492cd8195c14a94d1ffba85f874b0de.bt.cfg
c:\program files\Thunder Network\Thunder\Profiles\Torrents\542d3597e492cd8195c14a94d1ffba85f874b0de.bt.dat
c:\program files\Thunder Network\Thunder\Profiles\Torrents\70648c68870100c36ebef52eee69e70ad249a6df.bt.cfg
c:\program files\Thunder Network\Thunder\Profiles\Torrents\70648c68870100c36ebef52eee69e70ad249a6df.bt.dat
c:\program files\Thunder Network\Thunder\Profiles\Torrents\7b7857ddfc63989a2f265d3b4bb7fae1d86a0bf1.bt.cfg
c:\program files\Thunder Network\Thunder\Profiles\Torrents\7b7857ddfc63989a2f265d3b4bb7fae1d86a0bf1.bt.dat
c:\program files\Thunder Network\Thunder\Profiles\Torrents\84408de8179fa5e0cf203ca4138b9612321c9208.bt.cfg
c:\program files\Thunder Network\Thunder\Profiles\Torrents\84408de8179fa5e0cf203ca4138b9612321c9208.bt.dat
c:\program files\Thunder Network\Thunder\Profiles\Torrents\9150ea110638fd25651ef2ffab24f5c6bca8c7d8.bt.cfg
c:\program files\Thunder Network\Thunder\Profiles\Torrents\9150ea110638fd25651ef2ffab24f5c6bca8c7d8.bt.dat
c:\program files\Thunder Network\Thunder\Profiles\Torrents\9995760e5dcb7d661610849ed2865d32a004364b.bt.cfg
c:\program files\Thunder Network\Thunder\Profiles\Torrents\9995760e5dcb7d661610849ed2865d32a004364b.bt.dat
c:\program files\Thunder Network\Thunder\Profiles\Torrents\9c7f8677e941a16e09246bf350db01fccb08b145.bt.cfg
c:\program files\Thunder Network\Thunder\Profiles\Torrents\9c7f8677e941a16e09246bf350db01fccb08b145.bt.dat
c:\program files\Thunder Network\Thunder\Profiles\Torrents\a1debdcad8bb974575ba00b982e3346fbf87b92b.bt.cfg
c:\program files\Thunder Network\Thunder\Profiles\Torrents\a1debdcad8bb974575ba00b982e3346fbf87b92b.bt.dat
c:\program files\Thunder Network\Thunder\Profiles\Torrents\a637cbac28c1f87c5c915e0d39f011dc046c5063.bt.cfg
c:\program files\Thunder Network\Thunder\Profiles\Torrents\a637cbac28c1f87c5c915e0d39f011dc046c5063.bt.dat
c:\program files\Thunder Network\Thunder\Profiles\Torrents\c379136bdbf22f033b2063dc0c74d058ee514c5a.bt.cfg
c:\program files\Thunder Network\Thunder\Profiles\Torrents\c379136bdbf22f033b2063dc0c74d058ee514c5a.bt.dat
c:\program files\Thunder Network\Thunder\Profiles\Torrents\cc522f66b15001c03af9b979facbfca81d813510.bt.cfg
c:\program files\Thunder Network\Thunder\Profiles\Torrents\cc522f66b15001c03af9b979facbfca81d813510.bt.dat
c:\program files\Thunder Network\Thunder\Profiles\Torrents\d1168df79715898eedd7fbb9c820bbae17e71b16.bt.cfg
c:\program files\Thunder Network\Thunder\Profiles\Torrents\d1168df79715898eedd7fbb9c820bbae17e71b16.bt.dat
c:\program files\Thunder Network\Thunder\Profiles\Torrents\d40279e1a608d684537a24c7e3103e29e698c1bc.bt.cfg
c:\program files\Thunder Network\Thunder\Profiles\Torrents\d40279e1a608d684537a24c7e3103e29e698c1bc.bt.dat
c:\program files\Thunder Network\Thunder\Profiles\Torrents\d883377be946752ae1f16bdf18f0e43aea0ab8d1.bt.cfg
c:\program files\Thunder Network\Thunder\Profiles\Torrents\d883377be946752ae1f16bdf18f0e43aea0ab8d1.bt.dat
c:\program files\Thunder Network\Thunder\Profiles\Torrents\e0c91b3c699a422e7caeb3230c1215383aa616e1.bt.cfg
c:\program files\Thunder Network\Thunder\Profiles\Torrents\e0c91b3c699a422e7caeb3230c1215383aa616e1.bt.dat
c:\program files\Thunder Network\Thunder\Profiles\Torrents\e6faf28afa4d69774c96e1c678c303c93391a998.bt.cfg
c:\program files\Thunder Network\Thunder\Profiles\Torrents\e6faf28afa4d69774c96e1c678c303c93391a998.bt.dat
c:\program files\Thunder Network\Thunder\Profiles\Torrents\eb49445f4ca247becdc16927aef842575a2abdda.bt.cfg
c:\program files\Thunder Network\Thunder\Profiles\Torrents\eb49445f4ca247becdc16927aef842575a2abdda.bt.dat
c:\program files\Thunder Network\Thunder\Profiles\Torrents\f5c514c46eb9885da2f3d5418c22019ca4885370.bt.cfg
c:\program files\Thunder Network\Thunder\Profiles\Torrents\f5c514c46eb9885da2f3d5418c22019ca4885370.bt.dat
c:\program files\Thunder Network\Thunder\Profiles\Torrents\f6314e0ed3267ba507ca4ed21b956307bb0613fb.bt.cfg
c:\program files\Thunder Network\Thunder\Profiles\Torrents\f6314e0ed3267ba507ca4ed21b956307bb0613fb.bt.dat
c:\program files\Thunder Network\Thunder\Profiles\Torrents\f6db3cfaf5072022b692bfd43b705859fbb76f82.bt.cfg
c:\program files\Thunder Network\Thunder\Profiles\Torrents\f6db3cfaf5072022b692bfd43b705859fbb76f82.bt.dat
c:\program files\Thunder Network\Thunder\Profiles\Torrents\ff6e2b8e5d0b9e12ec618c2c6573ab42943cabf8.bt.cfg
c:\program files\Thunder Network\Thunder\Profiles\Torrents\ff6e2b8e5d0b9e12ec618c2c6573ab42943cabf8.bt.dat
c:\program files\Thunder Network\Thunder\Profiles\UserConfig.ini
c:\program files\Thunder Network\Thunder\TDTmp\12250749611(1).torrent
c:\program files\Thunder Network\Thunder\TDTmp\12250749611(2).torrent
c:\program files\Thunder Network\Thunder\TDTmp\12250749611.torrent
c:\program files\Thunder Network\Thunder\TDTmp\12283663571(1).torrent
c:\program files\Thunder Network\Thunder\TDTmp\12283663571.torrent
c:\program files\Thunder Network\Thunder\TDTmp\12313021061.torrent
c:\program files\Thunder Network\Thunder\TDTmp\12433046871.torrent
c:\windows\system32\cid_store.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MRTRATE
-------\Service_mrtRate


((((((((((((((((((((((((( Files Created from 2009-06-26 to 2009-07-26 )))))))))))))))))))))))))))))))
.

2009-07-25 18:31 . 2009-07-25 18:31 -------- d-sh--w- c:\documents and settings\Alice\PrivacIE
2009-07-25 18:22 . 2009-07-25 18:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-07-25 18:21 . 2009-07-25 18:21 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-25 18:21 . 2009-07-25 18:21 -------- d-sh--w- c:\documents and settings\Alice\IETldCache
2009-07-25 18:16 . 2009-07-01 07:08 101376 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-07-25 18:16 . 2009-07-25 18:16 -------- d-----w- c:\windows\ie8updates
2009-07-25 18:14 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-07-25 18:14 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-25 18:09 . 2009-07-25 18:14 -------- dc-h--w- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-19 22:59 . 2008-10-12 18:28 101 ----a-w- c:\windows\system32\xlhcc.dat
2009-07-10 20:11 . 2009-03-17 21:28 -------- d-----w- c:\program files\a-squared Free
2009-07-10 16:56 . 2009-03-17 23:07 117760 ----a-w- c:\documents and settings\Alice\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-28 18:16 . 2007-06-02 17:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Storm
2009-06-16 14:36 . 2003-03-31 02:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2003-03-31 02:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2003-05-30 16:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-26 02:23 . 2009-05-26 02:23 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-26 02:13 . 2009-05-26 02:13 152576 ----a-w- c:\documents and settings\Alice\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-13 05:15 . 2004-12-07 21:37 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2003-03-31 02:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-07-10 21:21 . 2009-07-10 21:21 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

------- Sigcheck -------

[-] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-06-20 10:45 360320 01D5EAAFF224415A7FF513E4C882BE30 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2004-08-04 06:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB893066$\tcpip.sys
[-] 2005-05-25 19:04 359808 88763A98A4C26C409741B4AA162720C9 c:\windows\$NtUninstallKB913446$\tcpip.sys
[-] 2006-01-13 02:28 359808 583E063FDC888CA30D05C2724B0D7EF4 c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2006-04-20 11:51 359808 B4E29943B4B04BD5E7381546848E6669 c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2007-10-30 17:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 361600 4AFB3B0919649F95C1964AA1FAD27D73 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-07-25_19.56.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-26 16:11 . 2009-07-26 16:11 16384 c:\windows\Temp\Perflib_Perfdata_6bc.dat
+ 2009-07-26 16:40 . 2009-07-26 16:40 16384 c:\windows\Temp\Perflib_Perfdata_6a4.dat
+ 2009-07-26 16:40 . 2009-07-26 16:40 16384 c:\windows\Temp\Perflib_Perfdata_63c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2004-06-01 196608]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2005-08-21 20480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-18 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-03-12 3067904]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-26 148888]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2003-11-18 241664]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-15 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-15 618496]
"CamMonitor"="c:\program files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 90112]
"Share-to-Web Namespace Daemon"="c:\program files\HP\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-23 483328]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-03-18 204862]
"PPHIDPAD"="c:\winpenjr\Win32\pphidpad.exe" [2003-08-22 53248]
"BigDogPath"="c:\windows\VM_STI.EXE" [2003-01-21 40960]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-05-21 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-06-01 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2004-06-01 217088]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2003-03-31 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2003-03-31 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
"QuickTime Task"="c:\program files\Ringz Studio\Storm Codec\QTTask.exe" [2008-01-10 385024]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-7-7 233472]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-8-21 450560]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-7-30 57344]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 15:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ringz Studio\\Storm Codec\\Storm.exe"=
"c:\\Program Files\\Ringz Studio\\Storm Codec\\stormliv.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [3/17/2009 10:17 PM 114768]
R1 ppmoucls;ppmoucls;c:\windows\system32\drivers\PPMOUCLS.SYS [1/16/2005 3:54 PM 20704]
R1 pptchpad;PenPower Touchpad;c:\windows\system32\drivers\PPTCHPD5.SYS [1/16/2005 3:54 PM 17216]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2009 11:43 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/17/2009 10:17 PM 20560]
R2 ccosm;Contrl Center of Storm Media;c:\program files\Ringz Studio\Storm Codec\stormliv.exe [3/11/2008 2:33 AM 473184]
R3 EMCR;EMCR;c:\windows\system32\drivers\EMCR7SK.sys [8/15/2003 11:10 AM 68480]
S2 Stormser;Stormser;c:\progra~1\RINGZS~1\STORMC~1\Stormser.exe --> c:\progra~1\RINGZS~1\STORMC~1\Stormser.exe [?]
S3 PhilCam8116_XP;Logitech QuickCam Pro 3000(PID_08B1);c:\windows\system32\drivers\CamDrL20.sys [8/21/2005 1:56 PM 245760]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2004-09-13 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2004-02-12 20:39]
.
- - - - ORPHANS REMOVED - - - -

BHO-{77FEF28E-EB96-44FF-B511-3185DEA48697} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = localhost;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436}
Handler: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -
Handler: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -
FF - ProfilePath - c:\documents and settings\Alice\Application Data\Mozilla\Firefox\Profiles\3efes560.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-26 12:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????6?7?2?0??????? ?|?B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\BaiduBar.Baidu.1\CLSID]
@DACL=(02 0000)
@="{B580CF65-E151-49C3-B73F-70B13FCA8E86}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2716)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\a-squared Free\a2service.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\HP\HP Share-to-Web\hpgs2wnf.exe
c:\program files\Logitech\Video\FxSvr2.exe
.
**************************************************************************
.
Completion time: 2009-07-26 12:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-26 16:50
ComboFix2.txt 2009-07-25 20:05

Pre-Run: 28,723,216,384 bytes free
Post-Run: 28,696,248,320 bytes free

786 --- E O F --- 2009-07-25 18:17

#12 yangwendi

yangwendi
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:06:00 PM

Posted 26 July 2009 - 11:57 AM

DDS log here. What do you mean by Jotti log? Also, I'm getting a "TypeError: Components.classes['@thunder.com/thundercomponent;1'] is undefined" error when opening Firefox.

EDIT: Uninstalling the Thunder Network add-on seems to stop the message from coming up.

DDS (Ver_09-06-26.01) - NTFSx86
Run by Alice at 12:54:59.65 on Sun 07/26/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.226 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090725-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Ringz Studio\Storm Codec\stormliv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINPENJR\Win32\pphidpad.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Alice\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msn.com
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = localhost;*.local
BHO: ThunderAtOnce Class: {01443aec-0fd1-40fd-9c87-e93d1494c233} - c:\program files\thunder network\thunder\comdlls\TDAtOnce_Now.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\BackWeb-8876480.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [CamMonitor] c:\program files\hp\digital imaging\unload\hpqcmon.exe
mRun: [Share-to-Web Namespace Daemon] c:\program files\hp\hp share-to-web\hpgs2wnd.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd.exe"
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [PPHIDPAD] c:\winpenjr\win32\pphidpad.exe
mRun: [BigDogPath] c:\windows\VM_STI.EXE VIMICRO USB PC Camera 301x
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [QuickTime Task] "c:\program files\ringz studio\storm codec\QTTask.exe" -atboottime
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quicken\bagent.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {09BA8F6D-CB54-424B-839C-C2A6C8E6B436}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://active.macromedia.com/flash2/cabs/swflash.cab
Handler: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -
Handler: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alice\applic~1\mozilla\firefox\profiles\3efes560.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-3-17 114768]
R1 ppmoucls;ppmoucls;c:\windows\system32\drivers\PPMOUCLS.SYS [2005-1-16 20704]
R1 pptchpad;PenPower Touchpad;c:\windows\system32\drivers\PPTCHPD5.SYS [2005-1-16 17216]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-3-17 718880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-17 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-3-17 138680]
R2 ccosm;Contrl Center of Storm Media;c:\program files\ringz studio\storm codec\stormliv.exe [2008-3-11 473184]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-3-17 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-3-17 352920]
R3 EMCR;EMCR;c:\windows\system32\drivers\EMCR7SK.sys [2003-8-15 68480]
S2 Stormser;Stormser;c:\progra~1\ringzs~1\stormc~1\stormser.exe --> c:\progra~1\ringzs~1\stormc~1\Stormser.exe [?]
S3 PhilCam8116_XP;Logitech QuickCam Pro 3000(PID_08B1);c:\windows\system32\drivers\CamDrL20.sys [2005-8-21 245760]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]

=============== Created Last 30 ================

2009-07-26 12:25 219,648 a------- c:\windows\PEV.exe
2009-07-26 12:25 161,792 a------- c:\windows\SWREG.exe
2009-07-26 12:25 98,816 a------- c:\windows\sed.exe
2009-07-25 16:03 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-07-25 14:45 <DIR> a-dshr-- C:\cmdcons
2009-07-25 14:31 <DIR> --dsh--- c:\documents and settings\alice\PrivacIE
2009-07-25 14:21 <DIR> --dsh--- c:\documents and settings\alice\IETldCache
2009-07-25 14:16 101,376 -------- c:\windows\system32\dllcache\iecompat.dll
2009-07-25 14:16 <DIR> --d----- c:\windows\ie8updates
2009-07-25 14:14 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-25 14:14 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-25 14:09 <DIR> -cd-h--- c:\windows\ie8

==================== Find3M ====================

2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 15:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-25 22:23 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\dllcache\cache\wininet.dll
2009-05-13 01:15 5,936,128 -------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 01:15 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 17:22 1,985,024 -------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 17:22 11,064,832 -------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 17:22 1,207,808 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 17:22 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 17:22 385,536 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 07:21 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-29 00:55 133,120 a------- c:\windows\system32\dllcache\extmgr.dll
2009-04-28 05:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-01-07 22:19 35,008,838 a------- c:\docume~1\alluse~1\applic~1\Storm3.exe
2009-02-07 16:55 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009020720090208\index.dat

============= FINISH: 12:55:24.78 ===============


Edited by yangwendi, 26 July 2009 - 12:00 PM.


#13 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:00 AM

Posted 27 July 2009 - 05:32 PM

Hello yangwendi,

DDS log here, what do you mean by Jotti log?

I'm sorry I made a mistake, I edited my fix before posting it to you but I forgot to edit the last part.


1. Please open your Internet Explorer. Then click Tools > Manage Add-ons, and under Toolbars and Extensions remove/disable the following add-ons if present:

Thunder network or any other thunder extensions.
KuGoo or KuGoo3


2. Go to start > control panel > add remove programs and uninstall the following programs if present:

Ӱ
Ѹ5
KuGoo or KuGoo3


3. We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found HERE.)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

DDS::
BHO: ThunderAtOnce Class: {01443aec-0fd1-40fd-9c87-e93d1494c233} - c:\program files\thunder network\thunder\comdlls\TDAtOnce_Now.dll
IE: {09BA8F6D-CB54-424B-839C-C2A6C8E6B436}
Handler: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -
Handler: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -

Folder::
c:\Program Files\Thunder Network
c:\Program Files\Ӱ
c:\Program Files\Ѹ5
c:\Program Files\KuGoo
c:\Program Files\KuGoo3

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\BaiduBar.Baidu.1]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


4. Lastly, create a new DDS log. Post it together with the ComboFix log.


~Semp :thumbup2:

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#14 yangwendi

yangwendi
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:06:00 PM

Posted 29 July 2009 - 10:25 AM

Making two posts again, first one will be the Combofix log:

ComboFix 09-07-28.06 - Alice 07/29/2009 10:59.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.265 [GMT -4:00]
Running from: c:\documents and settings\Alice\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Alice\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090728-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Alice\LOCALS~1\Temp\IadHide4.dll
c:\documents and settings\Alice\Local Settings\temp\IadHide4.dll

.
((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-29 )))))))))))))))))))))))))))))))
.

2009-07-25 18:31 . 2009-07-25 18:31 -------- d-sh--w- c:\documents and settings\Alice\PrivacIE
2009-07-25 18:22 . 2009-07-25 18:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-07-25 18:21 . 2009-07-25 18:21 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-25 18:21 . 2009-07-25 18:21 -------- d-sh--w- c:\documents and settings\Alice\IETldCache
2009-07-25 18:16 . 2009-07-01 07:08 101376 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-07-25 18:16 . 2009-07-25 18:16 -------- d-----w- c:\windows\ie8updates
2009-07-25 18:14 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-07-25 18:14 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-25 18:09 . 2009-07-25 18:14 -------- dc-h--w- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-29 14:51 . 2007-06-02 17:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Storm
2009-07-19 22:59 . 2008-10-12 18:28 101 ----a-w- c:\windows\system32\xlhcc.dat
2009-07-10 20:11 . 2009-03-17 21:28 -------- d-----w- c:\program files\a-squared Free
2009-07-10 16:56 . 2009-03-17 23:07 117760 ----a-w- c:\documents and settings\Alice\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-16 14:36 . 2003-03-31 02:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2003-03-31 02:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2003-05-30 16:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-26 02:23 . 2009-05-26 02:23 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-26 02:13 . 2009-05-26 02:13 152576 ----a-w- c:\documents and settings\Alice\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-13 05:15 . 2004-12-07 21:37 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2003-03-31 02:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-07-10 21:21 . 2009-07-10 21:21 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

------- Sigcheck -------

[-] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-06-20 10:45 360320 01D5EAAFF224415A7FF513E4C882BE30 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2004-08-04 06:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB893066$\tcpip.sys
[-] 2005-05-25 19:04 359808 88763A98A4C26C409741B4AA162720C9 c:\windows\$NtUninstallKB913446$\tcpip.sys
[-] 2006-01-13 02:28 359808 583E063FDC888CA30D05C2724B0D7EF4 c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2006-04-20 11:51 359808 B4E29943B4B04BD5E7381546848E6669 c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2007-10-30 17:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 361600 4AFB3B0919649F95C1964AA1FAD27D73 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-07-25_19.56.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-29 15:10 . 2009-07-29 15:10 16384 c:\windows\Temp\Perflib_Perfdata_bc.dat
+ 2009-07-29 15:09 . 2009-07-29 15:09 16384 c:\windows\Temp\Perflib_Perfdata_6d0.dat
+ 2009-07-29 14:37 . 2009-07-29 14:37 16384 c:\windows\Temp\Perflib_Perfdata_6c0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2004-06-01 196608]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2005-08-21 20480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-18 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-03-12 3067904]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-26 148888]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2003-11-18 241664]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-15 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-15 618496]
"CamMonitor"="c:\program files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 90112]
"Share-to-Web Namespace Daemon"="c:\program files\HP\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-23 483328]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-03-18 204862]
"PPHIDPAD"="c:\winpenjr\Win32\pphidpad.exe" [2003-08-22 53248]
"BigDogPath"="c:\windows\VM_STI.EXE" [2003-01-21 40960]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-05-21 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-06-01 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2004-06-01 217088]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2003-03-31 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2003-03-31 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
"QuickTime Task"="c:\program files\Ringz Studio\Storm Codec\QTTask.exe" [2008-01-10 385024]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-7-7 233472]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-8-21 450560]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-7-30 57344]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 15:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [3/17/2009 10:17 PM 114768]
R1 ppmoucls;ppmoucls;c:\windows\system32\drivers\PPMOUCLS.SYS [1/16/2005 3:54 PM 20704]
R1 pptchpad;PenPower Touchpad;c:\windows\system32\drivers\PPTCHPD5.SYS [1/16/2005 3:54 PM 17216]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2009 11:43 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/17/2009 10:17 PM 20560]
R3 EMCR;EMCR;c:\windows\system32\drivers\EMCR7SK.sys [8/15/2003 11:10 AM 68480]
S2 Stormser;Stormser;c:\progra~1\RINGZS~1\STORMC~1\Stormser.exe --> c:\progra~1\RINGZS~1\STORMC~1\Stormser.exe [?]
S3 PhilCam8116_XP;Logitech QuickCam Pro 3000(PID_08B1);c:\windows\system32\drivers\CamDrL20.sys [8/21/2005 1:56 PM 245760]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2004-09-13 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2004-02-12 20:39]
.
- - - - ORPHANS REMOVED - - - -

BHO-{77FEF28E-EB96-44FF-B511-3185DEA48697} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = localhost;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436}
Handler: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -
Handler: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -
FF - ProfilePath - c:\documents and settings\Alice\Application Data\Mozilla\Firefox\Profiles\3efes560.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-29 11:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????6?7?2?0??????? ?|?B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2580)
c:\windows\system32\WININET.dll
c:\docume~1\Alice\LOCALS~1\Temp\IadHide4.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\a-squared Free\a2service.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\HP\HP Share-to-Web\hpgs2wnf.exe
c:\program files\Logitech\Video\FxSvr2.exe
.
**************************************************************************
.
Completion time: 2009-07-29 11:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-29 15:21
ComboFix2.txt 2009-07-26 16:50
ComboFix3.txt 2009-07-25 20:05

Pre-Run: 28,642,254,848 bytes free
Post-Run: 28,600,369,152 bytes free

203 --- E O F --- 2009-07-25 18:17

#15 yangwendi

yangwendi
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:06:00 PM

Posted 29 July 2009 - 10:26 AM

This is the DDS log. Also, just like last time, Internet Explorer got reset to be the default browser and the shortcut reappeared on my desktop, which is a bit strange:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Alice at 11:22:43.37 on Wed 07/29/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.227 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090728-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINPENJR\Win32\pphidpad.exe
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Alice\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msn.com
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = localhost;*.local
BHO: ThunderAtOnce Class: {01443aec-0fd1-40fd-9c87-e93d1494c233} - c:\program files\thunder network\thunder\comdlls\TDAtOnce_Now.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\BackWeb-8876480.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [CamMonitor] c:\program files\hp\digital imaging\unload\hpqcmon.exe
mRun: [Share-to-Web Namespace Daemon] c:\program files\hp\hp share-to-web\hpgs2wnd.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd.exe"
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [PPHIDPAD] c:\winpenjr\win32\pphidpad.exe
mRun: [BigDogPath] c:\windows\VM_STI.EXE VIMICRO USB PC Camera 301x
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [QuickTime Task] "c:\program files\ringz studio\storm codec\QTTask.exe" -atboottime
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quicken\bagent.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {09BA8F6D-CB54-424B-839C-C2A6C8E6B436}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://active.macromedia.com/flash2/cabs/swflash.cab
Handler: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -
Handler: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alice\applic~1\mozilla\firefox\profiles\3efes560.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-3-17 114768]
R1 ppmoucls;ppmoucls;c:\windows\system32\drivers\PPMOUCLS.SYS [2005-1-16 20704]
R1 pptchpad;PenPower Touchpad;c:\windows\system32\drivers\PPTCHPD5.SYS [2005-1-16 17216]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-3-17 718880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-17 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-3-17 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-3-17 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-3-17 352920]
R3 EMCR;EMCR;c:\windows\system32\drivers\EMCR7SK.sys [2003-8-15 68480]
S2 Stormser;Stormser;c:\progra~1\ringzs~1\stormc~1\stormser.exe --> c:\progra~1\ringzs~1\stormc~1\Stormser.exe [?]
S3 PhilCam8116_XP;Logitech QuickCam Pro 3000(PID_08B1);c:\windows\system32\drivers\CamDrL20.sys [2005-8-21 245760]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]

=============== Created Last 30 ================

2009-07-26 12:25 219,648 a------- c:\windows\PEV.exe
2009-07-26 12:25 161,792 a------- c:\windows\SWREG.exe
2009-07-26 12:25 98,816 a------- c:\windows\sed.exe
2009-07-25 16:03 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-07-25 14:45 <DIR> a-dshr-- C:\cmdcons
2009-07-25 14:31 <DIR> --dsh--- c:\documents and settings\alice\PrivacIE
2009-07-25 14:21 <DIR> --dsh--- c:\documents and settings\alice\IETldCache
2009-07-25 14:16 101,376 -------- c:\windows\system32\dllcache\iecompat.dll
2009-07-25 14:16 <DIR> --d----- c:\windows\ie8updates
2009-07-25 14:14 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-25 14:14 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-25 14:09 <DIR> -cd-h--- c:\windows\ie8

==================== Find3M ====================

2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 15:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-25 22:23 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\dllcache\cache\wininet.dll
2009-05-13 01:15 5,936,128 -------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 01:15 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 17:22 1,985,024 -------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 17:22 11,064,832 -------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 17:22 1,207,808 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 17:22 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 17:22 385,536 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-01-07 22:19 35,008,838 a------- c:\docume~1\alluse~1\applic~1\Storm3.exe
2009-02-07 16:55 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009020720090208\index.dat

============= FINISH: 11:23:09.76 ===============

Attached Files
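The CFScript in post #13 lists four DDS:: lines for ComboFix to remove, yet the DDS log in post #15 still shows all four (the ThunderAtOnce BHO, the IE {09BA8F6D...} entry and both KuGoo handlers). The following Python check is an added example and not part of this thread or of the DDS/ComboFix tools: it parses the Pseudo HJT Report section of a DDS log and the DDS:: section of a CFScript, reports which targets survived the run, and lists browser hooks registered under a CLSID with no file behind them. The excerpts are constructed from lines quoted in this thread; the section layouts and the entry syntax (`KIND: name: {CLSID} - path`) are assumptions based on those lines.

```python
import re
from dataclasses import dataclass

# One CLSID in braces, as DDS prints it (hex case varies between entries).
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# "BHO: name: {clsid} - path", "IE: {clsid}", "Handler: name - {clsid} -" ...
ENTRY_RE = re.compile(r"^(?P<kind>[A-Za-z]+): (?P<rest>.+)$")

@dataclass(frozen=True)
class Entry:
    kind: str   # BHO, TB, EB, IE, Handler, DPF, ...
    name: str   # display name, "" when DDS printed only the CLSID
    clsid: str
    path: str   # "" or "No File" when nothing backs the registration
    @property
    def key(self):
        return (self.kind.lower(), self.name.lower(), self.clsid.lower())
    @property
    def has_file(self):
        return bool(self.path) and self.path.lower() != "no file"

def parse_entry(line):
    """Turn one DDS report line into an Entry; None for lines without a CLSID."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    c = CLSID_RE.search(rest)
    if not c:
        return None
    name = rest[:c.start()].strip(" :-")   # text before the CLSID
    path = rest[c.end():].strip(" -")      # text after it, may be empty
    return Entry(m.group("kind"), name, c.group(0), path)

def parse_dds_report(text):
    """Entries in the 'Pseudo HJT Report' section of a DDS log (assumed layout)."""
    entries, inside = [], False
    for line in text.splitlines():
        if line.startswith("="):           # section banners, e.g. ===== FIREFOX =====
            inside = "Pseudo HJT Report" in line
        elif inside and (e := parse_entry(line)):
            entries.append(e)
    return entries

def parse_cfscript_targets(text):
    """Entries under the DDS:: section of a CFScript (assumed layout)."""
    targets, inside = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.endswith("::"):               # DDS::, Folder::, RegLockDel:: ...
            inside = s == "DDS::"
        elif inside and (e := parse_entry(s)):
            targets.append(e)
    return targets

def unresolved_targets(cfscript, dds_after):
    """CFScript DDS:: targets that the post-run DDS log still lists."""
    present = {e.key for e in parse_dds_report(dds_after)}
    return [t for t in parse_cfscript_targets(cfscript) if t.key in present]

def orphaned_entries(dds_log, kinds=("BHO", "TB", "EB", "IE", "Handler")):
    """Browser hooks registered under a CLSID with no file behind them."""
    return [e for e in parse_dds_report(dds_log) if e.kind in kinds and not e.has_file]

# Constructed excerpts, copied from the CFScript and the follow-up DDS log in this thread.
CFSCRIPT = r"""DDS::
BHO: ThunderAtOnce Class: {01443aec-0fd1-40fd-9c87-e93d1494c233} - c:\program files\thunder network\thunder\comdlls\TDAtOnce_Now.dll
IE: {09BA8F6D-CB54-424B-839C-C2A6C8E6B436}
Handler: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -
Handler: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -

Folder::
c:\Program Files\Thunder Network
"""

DDS_AFTER = r"""DDS (Ver_09-06-26.01) - NTFSx86

============== Pseudo HJT Report ===============

BHO: ThunderAtOnce Class: {01443aec-0fd1-40fd-9c87-e93d1494c233} - c:\program files\thunder network\thunder\comdlls\TDAtOnce_Now.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {09BA8F6D-CB54-424B-839C-C2A6C8E6B436}
Handler: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -
Handler: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -

================= FIREFOX ===================
FF - prefs.js: browser.search.selectedEngine - Google
"""

if __name__ == "__main__":
    for t in unresolved_targets(CFSCRIPT, DDS_AFTER):
        print("still present after ComboFix:", t.kind, t.name or t.clsid)
    for e in orphaned_entries(DDS_AFTER):
        print("CLSID with no file:", e.kind, e.name or e.clsid)
```

Running it against the two excerpts reports all four targets as still present and five CLSID-only hooks, which is the cue to re-check the fix rather than assume the script worked.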





