Rootkit and redirect virus


This topic is locked
27 replies to this topic

#1 soniashannon

soniashannon

  • Members
  • 30 posts

Posted 26 May 2010 - 08:37 PM

Hey all, I was sent over here from the "am I infected board". Topic referenced is here: http://www.bleepingcomputer.com/forums/t/318989/antispyware-soft-causing-problems/ ~ OB I was having an issue with Antispyware soft and I think that's sorted out, but now I'm getting a search engine redirect that strongly resembles one I'd had previously. I also had a rootkit about a year ago and it looks as though it may have flared up again so here's my DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner-pc at 20:16:11.56 on Wed 05/26/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.234 [GMT -4:00]

AV: avast! antivirus 4.8.1368 [VPS 100526-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\GIMPS\prime95.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\runit201\Runit.exe
C:\Freeware\Programs\SpecChar\SpecChar.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\3.5\firefox.exe
C:\Documents and Settings\Owner-pc\My Documents\Downloads\Defogger.exe
C:\Documents and Settings\Owner-pc\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\owner-pc\startm~1\programs\startup\runite~1.lnk - c:\windows\system32\runit201\Runit.exe
StartupFolder: c:\docume~1\owner-pc\startm~1\programs\startup\specch~1.lnk - c:\freeware\programs\specchar\SpecChar.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - c:\program files\stardock\fences\FencesMenu.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner-pc\applic~1\mozilla\firefox\profiles\kwchyh0l.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnG=Google+Search&q=
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\owner-pc\application data\mozilla\firefox\profiles\kwchyh0l.default\extensions\{de1b245c-de57-11da-ba2d-0050c2490048}\library\winnt-32\MinimizeToTrayPlus.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\owner-pc\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\owner-pc\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\mozilla firefox\3.5\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\3.5\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\3.5\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\3.5\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\3.5\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\3.5\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\3.5\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\3.5\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\3.5\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\3.5\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\3.5\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\3.5\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\3.5\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\3.5\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\3.5\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\3.5\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\3.5\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\3.5\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\3.5\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\3.5\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\3.5\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\3.5\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-9-11 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-9-11 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-9-11 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-9-11 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-9-11 352920]
S2 DrWebEngine;Dr.Web ® Scanning Engine (DrWebEngine);"c:\program files\common files\doctor web\scanning engine\dwengine.exe" --> c:\program files\common files\doctor web\scanning engine\dwengine.exe [?]
S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-11-12 10384]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2009-8-15 16512]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\owner-pc\locals~1\temp\onlinescanner\anti-virus\fsgk.sys --> c:\docume~1\owner-pc\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [?]
S3 iTurns;iTurns;c:\windows\system32\drivers\iTurnsDriver.sys [2008-11-28 10704]
S3 Partizan;Partizan;c:\windows\system32\drivers\partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2009-9-7 24416]

=============== Created Last 30 ================

2010-05-27 00:15:08 0 ----a-w- c:\documents and settings\owner-pc\defogger_reenable
2010-05-26 16:38:50 0 d-----w- C:\Fall '09
2010-05-26 15:26:40 0 d-sh--w- C:\found.000
2010-05-26 11:32:25 0 d-----w- c:\docume~1\alluse~1\applic~1\IObit
2010-05-26 08:10:37 0 d-----w- c:\docume~1\owner-pc\applic~1\SUPERAntiSpyware.com
2010-05-25 07:29:42 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-25 07:29:20 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-22 19:46:35 0 d-----w- c:\program files\iPod
2010-05-22 19:46:29 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-22 19:37:41 0 d-----w- c:\program files\Bonjour
2010-05-12 06:56:29 0 d-----w- c:\docume~1\owner-pc\applic~1\LolClient
2010-05-09 18:44:20 0 d-----w- c:\program files\Excel Advanced Sort By Characters, Position, Length, Color, Dates Software
2010-05-09 08:04:25 0 d-----w- c:\program files\JRE

==================== Find3M ====================

2010-05-10 00:44:34 64812 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-16 12:33:36 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-16 12:33:36 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-08 17:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-11 11:49:32 841216 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 11:49:30 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 11:49:29 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:06:59 430080 ----a-w- c:\windows\system32\vbscript.dll
2009-09-06 06:34:26 2 --shatr- c:\windows\winstart.bat
2009-09-08 19:29:03 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-01-26 10:29:18 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-01-26 16:44:09 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009012620090127\index.dat

============= FINISH: 20:18:17.78 ===============


and the GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-26 21:33:50
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner-pc\LOCALS~1\Temp\ufdoiaob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA119F6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA119F574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xA119FA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA119F14C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA119F64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA119F08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA119F0F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA119F76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA119F72E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA119F8AE]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\ohci1394.sys entry point in ".rsrc" section [0xF7668114]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1080] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[1080] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C4000A
.text C:\WINDOWS\Explorer.EXE[1080] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
.text C:\WINDOWS\System32\svchost.exe[1272] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0098000A
.text C:\WINDOWS\System32\svchost.exe[1272] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[1272] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0097000C
.text C:\WINDOWS\System32\svchost.exe[1272] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0205000A
.text C:\Program Files\Pando Networks\Media Booster\PMB.exe[1444] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\Program Files\Mozilla Firefox\3.5\firefox.exe[2804] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0124000A
.text C:\Program Files\Mozilla Firefox\3.5\firefox.exe[2804] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0125000A
.text C:\Program Files\Mozilla Firefox\3.5\firefox.exe[2804] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0123000C
.text C:\Program Files\Mozilla Firefox\3.5\firefox.exe[2804] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\3.5\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device -> \Driver\atapi \Device\Harddisk0\DR0 86EF2D01

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcqvmphwhxymohrbqintidwejwcsiwulke.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\gxvxcserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gxvxcserv.sys\modules@gxvxcserv
Reg HKLM\SYSTEM\ControlSet001\Services\gxvxcserv.sys\modules@gxvxcl

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\ohci1394.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


Any help is much appreciated, as always :)


Edited by Orange Blossom, 26 May 2010 - 09:01 PM.
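The DDS and GMER logs above carry four findings a responder would pull out before touching the machine: a browser proxy pointed at 127.0.0.1:5555 (a local process interposed on web traffic, which is how the search redirect works without a hosts-file entry), a service whose image path is a 37-character random-looking driver name, GMER's "suspicious modification" verdict on atapi.sys and ohci1394.sys, and a hook on \Device\Harddisk0\DR0 that resolves to a bare kernel address rather than a named module. The script below, added here as an example and not a tool from this thread or from the GMER/DDS authors, runs those checks over constructed sample lines copied in shape from the posted logs. The entropy and length thresholds and the SSDT allowlist are this example's own assumptions.

```python
"""Triage checks over DDS and GMER log text.

Added example for this thread; not a tool from the thread or from the
GMER/DDS authors.  The sample inputs are constructed from the shape of
the logs posted above.
"""
import math
import re
from collections import Counter

DDS_SAMPLE = r"""
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - No File
"""

GMER_SAMPLE = r"""
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA119F6B8]
.rsrc C:\WINDOWS\system32\drivers\ohci1394.sys entry point in ".rsrc" section [0xF7668114]
Device -> \Driver\atapi \Device\Harddisk0\DR0 86EF2D01
Reg HKLM\SYSTEM\ControlSet001\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcqvmphwhxymohrbqintidwejwcsiwulke.sys
Reg HKLM\SYSTEM\ControlSet001\Services\aswSP@imagepath \systemroot\system32\drivers\aswSP.sys
File C:\WINDOWS\system32\drivers\ohci1394.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""

LOOPBACK = ("127.0.0.1", "localhost", "[::1]")


def loopback_proxy(dds_text):
    """ProxyServer values in the DDS pseudo-HJT section that point at the local host.

    A browser proxy aimed at 127.0.0.1 means a process on the box sits between
    the browser and the network; that is enough to rewrite search results
    without touching DNS or the hosts file.
    """
    hits = []
    for m in re.finditer(r"ProxyServer\s*=\s*(\S+)", dds_text):
        value = m.group(1)
        if any(h in value for h in LOOPBACK):
            hits.append(value)
    return hits


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def random_looking_drivers(gmer_text, min_len=20, min_entropy=3.5):
    """Driver file names from GMER 'Reg ...@imagepath' lines that look generated.

    The thresholds are this example's choice, not a GMER rule: a long,
    letters-only, high-entropy file stem in the drivers directory is typical
    of kernel-mode droppers that pick a fresh name per install.
    """
    flagged = []
    for m in re.finditer(r"@imagepath\s+(\S+)", gmer_text, flags=re.IGNORECASE):
        name = m.group(1).rsplit("\\", 1)[-1]
        stem = name.rsplit(".", 1)[0]
        if (len(stem) >= min_len and stem.isalpha()
                and shannon_entropy(stem.lower()) >= min_entropy):
            flagged.append(name)
    return flagged


def suspicious_files(gmer_text):
    """Paths GMER reports as modified on disk (e.g. patched system drivers)."""
    return re.findall(r"^File\s+(\S+)\s+suspicious modification",
                      gmer_text, flags=re.MULTILINE)


def unresolved_device_hooks(gmer_text):
    """'Device ->' lines whose target is a bare kernel address, not a module.

    GMER names the owning module when it can; a raw address attached to the
    physical disk object is the signature of a low-level disk hook that hides
    sectors from the file system.  Returns (driver, device, address) tuples.
    """
    pat = re.compile(r"^Device -> (\S+) (\S+) ([0-9A-F]{8})\s*$", re.MULTILINE)
    return [m.groups() for m in pat.finditer(gmer_text)]


def foreign_ssdt_hooks(gmer_text, trusted=("aswSP.SYS", "SASKUTIL.SYS")):
    """SSDT entries hooked by a module not on the allowlist.

    The allowlist is this example's assumption (the avast! and
    SUPERAntiSpyware drivers seen in the posted logs); security products hook
    the SSDT legitimately, so the question is who else does.
    """
    hooks = re.findall(r"^SSDT \S*\\(\S+) .*?(Zw\w+)", gmer_text, flags=re.MULTILINE)
    return [(mod, fn) for mod, fn in hooks if mod not in trusted]


def triage(dds_text, gmer_text):
    """Collect every finding into one dict for the responder's notes."""
    return {
        "loopback_proxy": loopback_proxy(dds_text),
        "random_drivers": random_looking_drivers(gmer_text),
        "modified_files": suspicious_files(gmer_text),
        "device_hooks": unresolved_device_hooks(gmer_text),
        "foreign_ssdt": foreign_ssdt_hooks(gmer_text),
    }


if __name__ == "__main__":
    for key, hits in triage(DDS_SAMPLE, GMER_SAMPLE).items():
        print(f"{key}: {hits}")
```

Run against real logs by reading the two files and passing their text to `triage`; the loopback-proxy and random-driver checks are the two that, taken together, tell the responder this is a redirect-plus-rootkit pairing rather than a stray adware setting.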




#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • Gender:Male
  • Location:The Netherlands

Posted 28 May 2010 - 01:23 PM

Hi soniashannon,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.
  1. Download The Avenger by Swandog46 from here.
    • Unzip/extract it to a folder on your desktop.
    • Double click on avenger.exe to run The Avenger.
    • Click OK.
    • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
    • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
      CODE
      Comment:
      start to process
      Files to delete:
      gxvxcqvmphwhxymohrbqintidwejwcsiwulke.sys
      Registry keys to delete:
      HKLM\SYSTEM\ControlSet001\Services\gxvxcserv.sys
    • In the avenger window, click the Paste Script from Clipboard, button.
    • Click the Execute button.
    • You will be asked Are you sure you want to execute the current script?.
    • Click Yes.
    • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot.  Reboot now?.
    • Click Yes.
    • Your PC will now be rebooted.
    • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
    • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
    • Please post this log in your next reply.

  2. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

  3. Run TDLfix.exe, type the following in the open window and press enter:

    mbr

    A log file opens up. please post the content to your reply.


#3 soniashannon

soniashannon
  • Topic Starter

  • Members
  • 30 posts

Posted 28 May 2010 - 04:07 PM

I agree to refrain from making any changes to my system. You're in charge 100% :) I just had a quick question before I begin to do the stuff you instructed: We had a power outage since I disabled my CD emulation software. Will I need to redo that (run DeFogger again), or can I go straight ahead and start with your instructions?

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • Gender:Male
  • Location:The Netherlands

Posted 28 May 2010 - 04:12 PM

You don't need to run DeFogger again. I hope the power outage has not damaged your computer.

#5 soniashannon

soniashannon
  • Topic Starter

  • Members
  • 30 posts

Posted 28 May 2010 - 05:32 PM

nah, I think it's about as good as it was. Anyway, here's the Avenger log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "gxvxcqvmphwhxymohrbqintidwejwcsiwulke.sys" not found!
Deletion of file "gxvxcqvmphwhxymohrbqintidwejwcsiwulke.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\SYSTEM\ControlSet001\Services\gxvxcserv.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.






and the mbr log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86EFFD01]<<
kernel: MBR read successfully
user & kernel MBR OK


#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • Gender:Male
  • Location:The Netherlands

Posted 28 May 2010 - 05:51 PM

  1. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:


    CODE
    @ECHO OFF
    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /f
    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
    proxycfg -d

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop. It should look like this:
    • Double-click to run it.
    • A window flashes, this is normal.

  2. Reboot the computer once.

  3. Close all the open windows.
    • Disable real-time protection of your security software and make sure it will not run at startup after reboot. They may otherwise interfere with the tool. (Information on A/V control HERE)
    • Double-click TDLfix.exe to run the tool, a command window opens.
    • Type (or copy the following and right-click to paste) in the command window and press Enter:

      ohci1394

    • The application will restart the computer immediately and run after the restart.
    • Tell me if the computer rebooted and the tool ran to completion.

  4. Reboot the computer once manually then run TDLFix again, type mbr and press Enter. Copy and paste the log it creates.


#7 soniashannon

soniashannon
  • Topic Starter

  • Members
  • 30 posts

Posted 28 May 2010 - 07:23 PM

the computer rebooted, but the program did not run.

Here's the mbr log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • Gender:Male
  • Location:The Netherlands

Posted 28 May 2010 - 07:40 PM

So you are sure that when the tool rebooted the computer, it didn't open for a while and then close?

#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • Gender:Male
  • Location:The Netherlands

Posted 29 May 2010 - 04:58 AM

It seems the tool did run, but you didn't notice it because it runs only briefly.

The mbr log shows the rootkit is taken care of. The redirecting should have stopped now.
  1. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
    Download JavaRa from Javara for Java update or directly from here.
    Use the tool to remove old and redundant versions of the Java Runtime Environment. The latest version is Java 6 update 20. Please uninstall any remaining versions if the tool could not uninstall them.

  2. Please post a fresh DDS.txt log and tell me how is your computer running now.
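The fresh DDS log requested here, and the two mbr.exe logs posted earlier, are the evidence that the fix held. The first mbr log shows an ">>UNKNOWN [0x86EFFD01]<<" entry in the "called modules" chain where the IDE port driver should be; the second shows atapi.sys, pciide.sys and PCIIDEX.SYS back in place. The script below, added here as an example and not a tool from this thread, does the comparison a responder would do by hand: diff the pseudo-HJT sections of the before and after DDS logs, confirm no ProxyServer entry survives, and confirm the disk driver chain has no unresolved address. The sample lines are constructed from the logs on this page; the expected port driver name is an assumption for an IDE system like this one.

```python
"""Post-remediation checks: DDS pseudo-HJT diff and mbr.exe chain check.

Added example for this thread; not a tool from the thread.  Sample inputs
are constructed from the shape of the logs posted above.
"""
import re

DDS_BEFORE = r"""
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
"""

DDS_AFTER = r"""
uInternet Settings,ProxyOverride = <local>
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
"""

MBR_BEFORE = "called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86EFFD01]<<"
MBR_AFTER = "called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS"


def hjt_entries(dds_text):
    """Non-empty lines of a DDS pseudo-HJT section, with GUIDs lower-cased.

    DDS prints a CLSID in whatever case the registry holds, so the same BHO
    can appear as {761497bb-...} in one log and {761497BB-...} in the next;
    normalising keeps that from showing up as a removal plus an addition.
    """
    entries = set()
    for line in dds_text.splitlines():
        line = line.strip()
        if line and not line.startswith("="):
            entries.add(re.sub(r"\{[0-9A-Fa-f-]+\}",
                               lambda m: m.group(0).lower(), line))
    return entries


def hjt_diff(before, after):
    """(removed, added) entries between two pseudo-HJT sections."""
    b, a = hjt_entries(before), hjt_entries(after)
    return sorted(b - a), sorted(a - b)


def proxy_cleared(dds_text):
    """True when no ProxyServer value remains in the DDS output."""
    return re.search(r"ProxyServer\s*=", dds_text) is None


def unknown_modules(mbr_text):
    """Addresses in the mbr.exe 'called modules' chain that map to no driver."""
    return re.findall(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<", mbr_text)


def disk_stack_is_clean(mbr_text, expected=("atapi.sys",)):
    """True when the chain has no unresolved address and the port driver is listed.

    The expected driver is an assumption for an IDE system; on an AHCI or
    RAID box the caller passes the vendor's port driver instead.
    """
    chain = re.search(r"called modules:\s*(.*)", mbr_text)
    if not chain:
        return False
    mods = chain.group(1).split()
    return not unknown_modules(mbr_text) and all(e in mods for e in expected)


def remediation_report(dds_before, dds_after, mbr_after):
    """One dict a responder can paste into the case notes."""
    removed, added = hjt_diff(dds_before, dds_after)
    return {
        "removed": removed,
        "added": added,
        "proxy_cleared": proxy_cleared(dds_after),
        "disk_stack_clean": disk_stack_is_clean(mbr_after),
    }


if __name__ == "__main__":
    for key, value in remediation_report(DDS_BEFORE, DDS_AFTER, MBR_AFTER).items():
        print(f"{key}: {value}")
```

The "added" list is worth reading as carefully as "removed": a new Run entry that nobody installed on purpose is the usual sign that a dropper has been left behind, which is why the helper asks for the full fresh log rather than a yes/no on the redirect.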


#10 soniashannon

soniashannon
  • Topic Starter

  • Members
  • 30 posts

Posted 29 May 2010 - 04:15 PM

I did some trial googling and the redirects appear to be at an end :)
Java is updated, and thank you for letting me know about that.
Here's the DDS log and attach.txt is, well, attached. The computer is running beautifully, much faster and no scary nonsense popping up or anything, so I am infinitely thankful for your help.
The only thing is, System Restore is still being weird. I tried to create a restore point, but when I get to the screen where it asks me to name the point, I try to type in the box, but the cursor refuses to appear there. I clicked and tabbed and tried every other thing I could think of, but nothing worked. I backtracked and went in to see if it would let me restore to a previous date (I didn't intend to go through with the restore, I just wanted to see if it was still messing up). The calendar still does not appear. Is there some way to repair this? I figure if anyone knows, it will be you, 'cause you kicked that rootkit in its behind.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner-pc at 16:56:05.23 on Sat 05/29/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.340 [GMT -4:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\GIMPS\prime95.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\runit201\Runit.exe
C:\Freeware\Programs\SpecChar\SpecChar.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Owner-pc\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
StartupFolder: c:\docume~1\owner-pc\startm~1\programs\startup\runite~1.lnk - c:\windows\system32\runit201\Runit.exe
StartupFolder: c:\docume~1\owner-pc\startm~1\programs\startup\specch~1.lnk - c:\freeware\programs\specchar\SpecChar.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - c:\program files\stardock\fences\FencesMenu.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner-pc\applic~1\mozilla\firefox\profiles\kwchyh0l.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnG=Google+Search&q=
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\owner-pc\application data\mozilla\firefox\profiles\kwchyh0l.default\extensions\{de1b245c-de57-11da-ba2d-0050c2490048}\library\winnt-32\MinimizeToTrayPlus.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\owner-pc\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\owner-pc\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\3.5\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\3.5\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\3.5\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\3.5\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\3.5\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\3.5\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\3.5\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\3.5\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\3.5\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\3.5\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\3.5\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\3.5\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\3.5\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\3.5\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\3.5\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\3.5\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\3.5\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\3.5\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\3.5\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\3.5\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\3.5\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\3.5\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\3.5\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\3.5\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-5-29 164048]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-5-29 532224]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-5-29 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-29 40384]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-29 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-29 40384]
S2 DrWebEngine;Dr.Web ® Scanning Engine (DrWebEngine);"c:\program files\common files\doctor web\scanning engine\dwengine.exe" --> c:\program files\common files\doctor web\scanning engine\dwengine.exe [?]
S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-11-12 10384]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2009-8-15 16512]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\owner-pc\locals~1\temp\onlinescanner\anti-virus\fsgk.sys --> c:\docume~1\owner-pc\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [?]
S3 iTurns;iTurns;c:\windows\system32\drivers\iTurnsDriver.sys [2008-11-28 10704]
S3 Partizan;Partizan;c:\windows\system32\drivers\partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2009-9-7 24416]

=============== Created Last 30 ================

2010-05-29 20:48:44 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-05-29 20:48:33 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-05-29 20:48:32 0 d-----w- c:\windows\system32\ZoneLabs
2010-05-29 20:48:31 420800 ----a-w- c:\windows\system32\vsconfig.xml
2010-05-29 20:48:30 0 d-----w- c:\program files\Zone Labs
2010-05-29 20:47:53 0 d-----w- c:\windows\Internet Logs
2010-05-29 20:35:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-05-29 20:28:34 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-05-29 20:28:34 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-28 23:57:09 61696 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys
2010-05-28 23:57:09 61696 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2010-05-28 23:56:50 0 d-----w- C:\vir
2010-05-28 23:55:22 1414 ----a-w- C:\ohci1394.reg
2010-05-28 23:55:20 61696 ----a-w- c:\windows\system32\drivers\tmpohci1394.sys
2010-05-28 23:55:20 0 d-----w- C:\backup
2010-05-28 21:00:58 77312 ----a-w- c:\windows\mbr.exe
2010-05-27 00:15:08 0 ----a-w- c:\documents and settings\owner-pc\defogger_reenable
2010-05-26 16:38:50 0 d-----w- C:\Fall '09
2010-05-26 15:26:40 0 d-sh--w- C:\found.000
2010-05-26 11:32:25 0 d-----w- c:\docume~1\alluse~1\applic~1\IObit
2010-05-22 19:46:35 0 d-----w- c:\program files\iPod
2010-05-22 19:46:29 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-22 19:37:41 0 d-----w- c:\program files\Bonjour
2010-05-12 06:56:29 0 d-----w- c:\docume~1\owner-pc\applic~1\LolClient
2010-05-09 08:04:25 0 d-----w- c:\program files\JRE

==================== Find3M ====================

2010-05-10 00:44:34 64812 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-16 12:33:36 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-16 12:33:36 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-08 17:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-11 11:49:32 841216 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 11:49:30 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 11:49:29 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:06:59 430080 ----a-w- c:\windows\system32\vbscript.dll
2009-09-06 06:34:26 2 --shatr- c:\windows\winstart.bat
2009-09-08 19:29:03 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-01-26 10:29:18 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-01-26 16:44:09 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009012620090127\index.dat

============= FINISH: 16:58:41.56 ===============
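As an added example (not part of this thread, and not code from the DDS tool or its author), here is a small Python triage helper for the DDS log format posted above. It pulls out the entry types a helper usually checks first: BHOs registered with no file behind them, HOSTS overrides, and services or drivers whose binary DDS could not stat (it prints `[?]` where the file date and size would normally appear) or that load from a temp directory. The sample input is a handful of lines copied from the log; the category names and the reading of `[?]` are my own.

```python
"""Triage helper for DDS 'Pseudo HJT Report' and 'SERVICES / DRIVERS' lines."""
import re

# Finding categories (names chosen for this example).
ORPHAN_BHO = "orphaned BHO (CLSID registered, 'No File' on disk)"
HOSTS_ENTRY = "HOSTS file override"
UNVERIFIED_BINARY = "service/driver binary DDS could not stat ([?])"
TEMP_DRIVER = "service/driver loaded from a temp directory"

# Constructed sample: lines copied verbatim from the DDS log in this thread.
SAMPLE_DDS = r"""
BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
Hosts: 127.0.0.1 www.spywareinfo.com
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-5-29 164048]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\owner-pc\locals~1\temp\onlinescanner\anti-virus\fsgk.sys --> c:\docume~1\owner-pc\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [?]
S3 Partizan;Partizan;c:\windows\system32\drivers\partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
"""

# DDS service/driver lines: start type (R = running, S = stopped) and a
# 0-4 start code, then name;display name;image path [date size] or [?].
SERVICE_RE = re.compile(r"^[RS][0-4] (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*)$")
CLSID_RE = re.compile(r"\{[0-9a-fA-F-]+\}")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def triage_dds(text: str) -> list[tuple[str, str]]:
    """Return (category, item) pairs for entries worth a second look.

    Flagged entries are review candidates, not verdicts: legitimate software
    leaves orphaned BHOs and stale service entries behind all the time.
    """
    findings: list[tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # A BHO CLSID still registered in IE but whose DLL is gone.
        if line.startswith("BHO:") and line.endswith("- No File"):
            clsid = CLSID_RE.search(line)
            findings.append((ORPHAN_BHO, clsid.group(0) if clsid else line))
            continue
        # Any non-default HOSTS mapping; a 127.0.0.1 entry for a security
        # site is a classic sign of a hijack and deserves a look.
        if line.startswith("Hosts:"):
            findings.append((HOSTS_ENTRY, line[len("Hosts:"):].strip()))
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            if path.endswith("[?]"):
                findings.append((UNVERIFIED_BINARY, name))
            if TEMP_DIR_RE.search(path):
                findings.append((TEMP_DRIVER, name))
    return findings


def summarize(findings: list[tuple[str, str]]) -> dict[str, int]:
    """Count findings per category for a quick overview."""
    counts: dict[str, int] = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, item in triage_dds(SAMPLE_DDS):
        print(f"{category}: {item}")
    print(summarize(triage_dds(SAMPLE_DDS)))
```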




#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:06 AM

Posted 29 May 2010 - 05:41 PM

Thanks for your kind words. We will take care of the System Restore issue. There are a lot of leftovers from legit programs we should clean.
  1. You have the program Spybot S&D (Teatimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do. This will only take a few seconds.
    1. First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instructions are also here: How to disable TeaTimer during HijackThis Cleanup
      Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
    2. Then download ResetTeaTimer.exe to your desktop.
      • Double-click ResetTeaTimer.exe and let it run.
    Note: TeaTimer should be kept disabled until I give you the clean sign.

  2. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with the tool. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • You will get a warning about the untrusted download sites for ComboFix; click Yes.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#12 soniashannon

soniashannon
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:02:06 AM

Posted 29 May 2010 - 06:11 PM

ComboFix 10-05-29.03 - Owner-pc 05/29/2010 18:57:13.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.444 [GMT -4:00]
Running from: c:\documents and settings\Owner-pc\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner-pc\Application Data\inst.exe
c:\windows\system32\Icons
c:\windows\system32\Icons\Permanent Icons\3D Studio Max.ico
c:\windows\system32\Icons\Permanent Icons\about.ico
c:\windows\system32\Icons\Permanent Icons\Add.ico
c:\windows\system32\Icons\Permanent Icons\Address Book (1).ico
c:\windows\system32\Icons\Permanent Icons\Address Book (2).ico
c:\windows\system32\Icons\Permanent Icons\administrative_tools.ico
c:\windows\system32\Icons\Permanent Icons\Adobe Illustrator.ico
c:\windows\system32\Icons\Permanent Icons\Adobe PDF.ico
c:\windows\system32\Icons\Permanent Icons\Adobe Photoshop.ico
c:\windows\system32\Icons\Permanent Icons\Adobe.ico
c:\windows\system32\Icons\Permanent Icons\Alert.ico
c:\windows\system32\Icons\Permanent Icons\alien.ico
c:\windows\system32\Icons\Permanent Icons\Apple (1).ico
c:\windows\system32\Icons\Permanent Icons\Apple (2).ico
c:\windows\system32\Icons\Permanent Icons\Apple (3).ico
c:\windows\system32\Icons\Permanent Icons\Apple (4).ico
c:\windows\system32\Icons\Permanent Icons\Application.ico
c:\windows\system32\Icons\Permanent Icons\applications.ico
c:\windows\system32\Icons\Permanent Icons\Apps (1).ico
c:\windows\system32\Icons\Permanent Icons\Apps (2).ico
c:\windows\system32\Icons\Permanent Icons\Apps (3).ico
c:\windows\system32\Icons\Permanent Icons\ascii.ico
c:\windows\system32\Icons\Permanent Icons\atlantik.ico
c:\windows\system32\Icons\Permanent Icons\atlantikdesigner.ico
c:\windows\system32\Icons\Permanent Icons\Audio (1).ico
c:\windows\system32\Icons\Permanent Icons\Audio (2).ico
c:\windows\system32\Icons\Permanent Icons\Audio (3).ico
c:\windows\system32\Icons\Permanent Icons\Audio (4).ico
c:\windows\system32\Icons\Permanent Icons\audio_cd.ico
c:\windows\system32\Icons\Permanent Icons\audio_file.ico
c:\windows\system32\Icons\Permanent Icons\Axialis Icon Workshop.ico
c:\windows\system32\Icons\Permanent Icons\back.ico
c:\windows\system32\Icons\Permanent Icons\banana.ico
c:\windows\system32\Icons\Permanent Icons\BarredSpiralGalaxyNGC1300.ico
c:\windows\system32\Icons\Permanent Icons\bat in flight.ico
c:\windows\system32\Icons\Permanent Icons\battery.ico
c:\windows\system32\Icons\Permanent Icons\binary.ico
c:\windows\system32\Icons\Permanent Icons\BitComet.ico
c:\windows\system32\Icons\Permanent Icons\bitmap (1).ico
c:\windows\system32\Icons\Permanent Icons\bitmap (2).ico
c:\windows\system32\Icons\Permanent Icons\Bittorent Downloads.ico
c:\windows\system32\Icons\Permanent Icons\Blank.ico
c:\windows\system32\Icons\Permanent Icons\blockdevice.ico
c:\windows\system32\Icons\Permanent Icons\Blue Flower (1).ico
c:\windows\system32\Icons\Permanent Icons\Blue Flower (2).ico
c:\windows\system32\Icons\Permanent Icons\Blue_butterfly.ico
c:\windows\system32\Icons\Permanent Icons\bomb.ico
c:\windows\system32\Icons\Permanent Icons\bookmark (1).ico
c:\windows\system32\Icons\Permanent Icons\bookmark (2).ico
c:\windows\system32\Icons\Permanent Icons\bookmark missing (1).ico
c:\windows\system32\Icons\Permanent Icons\bookmark missing (2).ico
c:\windows\system32\Icons\Permanent Icons\Box.ico
c:\windows\system32\Icons\Permanent Icons\Bug.ico
c:\windows\system32\Icons\Permanent Icons\Burn.ico
c:\windows\system32\Icons\Permanent Icons\button_cancel.ico
c:\windows\system32\Icons\Permanent Icons\button_ok.ico
c:\windows\system32\Icons\Permanent Icons\Calender.ico
c:\windows\system32\Icons\Permanent Icons\camera (1).ico
c:\windows\system32\Icons\Permanent Icons\camera (2).ico
c:\windows\system32\Icons\Permanent Icons\camera (3).ico
c:\windows\system32\Icons\Permanent Icons\Cauldron.ico
c:\windows\system32\Icons\Permanent Icons\CD-Alt.ico
c:\windows\system32\Icons\Permanent Icons\CD-RW.ico
c:\windows\system32\Icons\Permanent Icons\cd (1).ico
c:\windows\system32\Icons\Permanent Icons\cd (2).ico
c:\windows\system32\Icons\Permanent Icons\cd (3).ico
c:\windows\system32\Icons\Permanent Icons\cd (4).ico
c:\windows\system32\Icons\Permanent Icons\cd (5).ico
c:\windows\system32\Icons\Permanent Icons\cd audio.ico
c:\windows\system32\Icons\Permanent Icons\cd rom audio.ico
c:\windows\system32\Icons\Permanent Icons\cd rom.ico
c:\windows\system32\Icons\Permanent Icons\cd_rom_driver.ico
c:\windows\system32\Icons\Permanent Icons\cdaudio_mount.ico
c:\windows\system32\Icons\Permanent Icons\cdaudio_unmount.ico
c:\windows\system32\Icons\Permanent Icons\cdimage (2).ico
c:\windows\system32\Icons\Permanent Icons\cdimage.ico
c:\windows\system32\Icons\Permanent Icons\cdr.ico
c:\windows\system32\Icons\Permanent Icons\cdrom_mount.ico
c:\windows\system32\Icons\Permanent Icons\cdrom_unmount.ico
c:\windows\system32\Icons\Permanent Icons\cdtrack.ico
c:\windows\system32\Icons\Permanent Icons\cdwriter_mount.ico
c:\windows\system32\Icons\Permanent Icons\cdwriter_unmount.ico
c:\windows\system32\Icons\Permanent Icons\Ceres.ico
c:\windows\system32\Icons\Permanent Icons\Chat.ico
c:\windows\system32\Icons\Permanent Icons\clanbomber.ico
c:\windows\system32\Icons\Permanent Icons\client.ico
c:\windows\system32\Icons\Permanent Icons\clock.ico
c:\windows\system32\Icons\Permanent Icons\closed_folder.ico
c:\windows\system32\Icons\Permanent Icons\Cloud.ico
c:\windows\system32\Icons\Permanent Icons\Cloud_Sun.ico
c:\windows\system32\Icons\Permanent Icons\coffee.ico
c:\windows\system32\Icons\Permanent Icons\colorscm.ico
c:\windows\system32\Icons\Permanent Icons\Command (1).ico
c:\windows\system32\Icons\Permanent Icons\Command (2).ico
c:\windows\system32\Icons\Permanent Icons\Computer (1).ico
c:\windows\system32\Icons\Permanent Icons\Computer (2).ico
c:\windows\system32\Icons\Permanent Icons\Computer (3).ico
c:\windows\system32\Icons\Permanent Icons\Computer (4).ico
c:\windows\system32\Icons\Permanent Icons\Computer (5).ico
c:\windows\system32\Icons\Permanent Icons\configuration_settings (1).ico
c:\windows\system32\Icons\Permanent Icons\configuration_settings (2).ico
c:\windows\system32\Icons\Permanent Icons\control_panel (1).ico
c:\windows\system32\Icons\Permanent Icons\control_panel (2).ico
c:\windows\system32\Icons\Permanent Icons\core (1).ico
c:\windows\system32\Icons\Permanent Icons\core (2).ico
c:\windows\system32\Icons\Permanent Icons\Database.ico
c:\windows\system32\Icons\Permanent Icons\DDR.ico
c:\windows\system32\Icons\Permanent Icons\deb.ico
c:\windows\system32\Icons\Permanent Icons\default_document.ico
c:\windows\system32\Icons\Permanent Icons\default_icon.ico
c:\windows\system32\Icons\Permanent Icons\Desktop (1).ico
c:\windows\system32\Icons\Permanent Icons\Desktop (2).ico
c:\windows\system32\Icons\Permanent Icons\Desktop (3).ico
c:\windows\system32\Icons\Permanent Icons\Desktop (4).ico
c:\windows\system32\Icons\Permanent Icons\Desktop (5).ico
c:\windows\system32\Icons\Permanent Icons\Desktop (6).ico
c:\windows\system32\Icons\Permanent Icons\Deviant Art.ico
c:\windows\system32\Icons\Permanent Icons\directory (1).ico
c:\windows\system32\Icons\Permanent Icons\directory (2).ico
c:\windows\system32\Icons\Permanent Icons\directory accept (2).ico
c:\windows\system32\Icons\Permanent Icons\directory accept.ico
c:\windows\system32\Icons\Permanent Icons\directory visiting.ico
c:\windows\system32\Icons\Permanent Icons\directory_incative.ico
c:\windows\system32\Icons\Permanent Icons\disc dvd ram.ico
c:\windows\system32\Icons\Permanent Icons\disc dvd rom.ico
c:\windows\system32\Icons\Permanent Icons\disc dvdr plus.ico
c:\windows\system32\Icons\Permanent Icons\Divx Movies.ico
c:\windows\system32\Icons\Permanent Icons\doc (1).ico
c:\windows\system32\Icons\Permanent Icons\doc (2).ico
c:\windows\system32\Icons\Permanent Icons\doc (3).ico
c:\windows\system32\Icons\Permanent Icons\Documents (1).ico
c:\windows\system32\Icons\Permanent Icons\Documents (2).ico
c:\windows\system32\Icons\Permanent Icons\Documents (3).ico
c:\windows\system32\Icons\Permanent Icons\Documents (4).ico
c:\windows\system32\Icons\Permanent Icons\documents_white.ico
c:\windows\system32\Icons\Permanent Icons\documents_white_edit.ico
c:\windows\system32\Icons\Permanent Icons\documents_white_exec.ico
c:\windows\system32\Icons\Permanent Icons\documents_white_fav.ico
c:\windows\system32\Icons\Permanent Icons\documents_white_music.ico
c:\windows\system32\Icons\Permanent Icons\documents_white_web.ico
c:\windows\system32\Icons\Permanent Icons\documents_yellow.ico
c:\windows\system32\Icons\Permanent Icons\documents_yellow_edit.ico
c:\windows\system32\Icons\Permanent Icons\documents_yellow_exec.ico
c:\windows\system32\Icons\Permanent Icons\documents_yellow_fav.ico
c:\windows\system32\Icons\Permanent Icons\documents_yellow_music.ico
c:\windows\system32\Icons\Permanent Icons\documents_yellow_web.ico
c:\windows\system32\Icons\Permanent Icons\Download (1).ico
c:\windows\system32\Icons\Permanent Icons\Download (2).ico
c:\windows\system32\Icons\Permanent Icons\Download (3).ico
c:\windows\system32\Icons\Permanent Icons\Download (4).ico
c:\windows\system32\Icons\Permanent Icons\Download (5).ico
c:\windows\system32\Icons\Permanent Icons\Drought_Leaf.ico
c:\windows\system32\Icons\Permanent Icons\DVD (2).ico
c:\windows\system32\Icons\Permanent Icons\DVD.ico
c:\windows\system32\Icons\Permanent Icons\dvd_mount.ico
c:\windows\system32\Icons\Permanent Icons\dvd_unmount.ico
c:\windows\system32\Icons\Permanent Icons\dvi.ico
c:\windows\system32\Icons\Permanent Icons\e_mail.ico
c:\windows\system32\Icons\Permanent Icons\Earth and Moon.ico
c:\windows\system32\Icons\Permanent Icons\Earth.ico
c:\windows\system32\Icons\Permanent Icons\eclipse_mts_2009jul220130_lrg.ico
c:\windows\system32\Icons\Permanent Icons\Edit.ico
c:\windows\system32\Icons\Permanent Icons\empty.ico
c:\windows\system32\Icons\Permanent Icons\encrypted.ico
c:\windows\system32\Icons\Permanent Icons\entire_network.ico
c:\windows\system32\Icons\Permanent Icons\Eris.ico
c:\windows\system32\Icons\Permanent Icons\Error.ico
c:\windows\system32\Icons\Permanent Icons\exe.ico
c:\windows\system32\Icons\Permanent Icons\exec (1).ico
c:\windows\system32\Icons\Permanent Icons\exec (2).ico
c:\windows\system32\Icons\Permanent Icons\exec.ico
c:\windows\system32\Icons\Permanent Icons\exec_wine.ico
c:\windows\system32\Icons\Permanent Icons\executable.ico
c:\windows\system32\Icons\Permanent Icons\Fav-Alt (1).ico
c:\windows\system32\Icons\Permanent Icons\Fav-Alt (2).ico
c:\windows\system32\Icons\Permanent Icons\Fav (1).ico
c:\windows\system32\Icons\Permanent Icons\Fav (2).ico
c:\windows\system32\Icons\Permanent Icons\Fav (Heart).ico
c:\windows\system32\Icons\Permanent Icons\Fav (Star).ico
c:\windows\system32\Icons\Permanent Icons\fav.ico
c:\windows\system32\Icons\Permanent Icons\favorits (1).ico
c:\windows\system32\Icons\Permanent Icons\favorits (2).ico
c:\windows\system32\Icons\Permanent Icons\favorits (3).ico
c:\windows\system32\Icons\Permanent Icons\file (1).ico
c:\windows\system32\Icons\Permanent Icons\file (2).ico
c:\windows\system32\Icons\Permanent Icons\file_locked.ico
c:\windows\system32\Icons\Permanent Icons\file_temporary.ico
c:\windows\system32\Icons\Permanent Icons\files.ico
c:\windows\system32\Icons\Permanent Icons\files_edit.ico
c:\windows\system32\Icons\Permanent Icons\files_text.ico
c:\windows\system32\Icons\Permanent Icons\files2.ico
c:\windows\system32\Icons\Permanent Icons\filesaveas.ico
c:\windows\system32\Icons\Permanent Icons\film-reel.ico
c:\windows\system32\Icons\Permanent Icons\find.ico
c:\windows\system32\Icons\Permanent Icons\finder.ico
c:\windows\system32\Icons\Permanent Icons\Firewall.ico
c:\windows\system32\Icons\Permanent Icons\Flower 1.ico
c:\windows\system32\Icons\Permanent Icons\Folder (1).ico
c:\windows\system32\Icons\Permanent Icons\Folder (2).ico
c:\windows\system32\Icons\Permanent Icons\Folder (3).ico
c:\windows\system32\Icons\Permanent Icons\Folder (4).ico
c:\windows\system32\Icons\Permanent Icons\Folder (5).ico
c:\windows\system32\Icons\Permanent Icons\Folder (6).ico
c:\windows\system32\Icons\Permanent Icons\folder blue (1).ico
c:\windows\system32\Icons\Permanent Icons\folder blue (2).ico
c:\windows\system32\Icons\Permanent Icons\folder blue (3).ico
c:\windows\system32\Icons\Permanent Icons\folder blue (4).ico
c:\windows\system32\Icons\Permanent Icons\folder close blue.ico
c:\windows\system32\Icons\Permanent Icons\folder close green.ico
c:\windows\system32\Icons\Permanent Icons\folder close red.ico
c:\windows\system32\Icons\Permanent Icons\folder close yellow.ico
c:\windows\system32\Icons\Permanent Icons\folder documents (2).ico
c:\windows\system32\Icons\Permanent Icons\folder documents blue.ico
c:\windows\system32\Icons\Permanent Icons\folder documents red.ico
c:\windows\system32\Icons\Permanent Icons\folder documents yellow.ico
c:\windows\system32\Icons\Permanent Icons\folder documents.ico
c:\windows\system32\Icons\Permanent Icons\folder downloads.ico
c:\windows\system32\Icons\Permanent Icons\folder exec.ico
c:\windows\system32\Icons\Permanent Icons\folder fav.ico
c:\windows\system32\Icons\Permanent Icons\folder favorite.ico
c:\windows\system32\Icons\Permanent Icons\folder favorits blue.ico
c:\windows\system32\Icons\Permanent Icons\folder favorits green.ico
c:\windows\system32\Icons\Permanent Icons\folder favorits yellow.ico
c:\windows\system32\Icons\Permanent Icons\folder favorits.ico
c:\windows\system32\Icons\Permanent Icons\folder find.ico
c:\windows\system32\Icons\Permanent Icons\folder FTP.ico
c:\windows\system32\Icons\Permanent Icons\folder games.ico
c:\windows\system32\Icons\Permanent Icons\folder grape.ico
c:\windows\system32\Icons\Permanent Icons\folder gray (2).ico
c:\windows\system32\Icons\Permanent Icons\folder gray.ico
c:\windows\system32\Icons\Permanent Icons\folder green (1).ico
c:\windows\system32\Icons\Permanent Icons\folder green (2).ico
c:\windows\system32\Icons\Permanent Icons\folder green open.ico
c:\windows\system32\Icons\Permanent Icons\folder green.ico
c:\windows\system32\Icons\Permanent Icons\folder grey open.ico
c:\windows\system32\Icons\Permanent Icons\folder grey.ico
c:\windows\system32\Icons\Permanent Icons\folder home (2).ico
c:\windows\system32\Icons\Permanent Icons\folder home.ico
c:\windows\system32\Icons\Permanent Icons\folder html (2).ico
c:\windows\system32\Icons\Permanent Icons\folder html.ico
c:\windows\system32\Icons\Permanent Icons\folder image blue.ico
c:\windows\system32\Icons\Permanent Icons\folder image red.ico
c:\windows\system32\Icons\Permanent Icons\folder image yellow.ico
c:\windows\system32\Icons\Permanent Icons\folder image.ico
c:\windows\system32\Icons\Permanent Icons\folder important.ico
c:\windows\system32\Icons\Permanent Icons\folder ipod blue.ico
c:\windows\system32\Icons\Permanent Icons\folder ipod green.ico
c:\windows\system32\Icons\Permanent Icons\folder ipod red.ico
c:\windows\system32\Icons\Permanent Icons\folder ipod yellow.ico
c:\windows\system32\Icons\Permanent Icons\folder locked (2).ico
c:\windows\system32\Icons\Permanent Icons\folder locked.ico
c:\windows\system32\Icons\Permanent Icons\folder man.ico
c:\windows\system32\Icons\Permanent Icons\folder movies.ico
c:\windows\system32\Icons\Permanent Icons\folder music blue.ico
c:\windows\system32\Icons\Permanent Icons\folder music green.ico
c:\windows\system32\Icons\Permanent Icons\folder music red.ico
c:\windows\system32\Icons\Permanent Icons\folder music yellow.ico
c:\windows\system32\Icons\Permanent Icons\folder music.ico
c:\windows\system32\Icons\Permanent Icons\folder open.ico
c:\windows\system32\Icons\Permanent Icons\folder open3.ico
c:\windows\system32\Icons\Permanent Icons\folder orange open.ico
c:\windows\system32\Icons\Permanent Icons\folder orange.ico
c:\windows\system32\Icons\Permanent Icons\folder penguin.ico
c:\windows\system32\Icons\Permanent Icons\folder picture green.ico
c:\windows\system32\Icons\Permanent Icons\folder print.ico
c:\windows\system32\Icons\Permanent Icons\folder red (1).ico
c:\windows\system32\Icons\Permanent Icons\folder red (2).ico
c:\windows\system32\Icons\Permanent Icons\folder red open.ico
c:\windows\system32\Icons\Permanent Icons\folder red.ico
c:\windows\system32\Icons\Permanent Icons\folder sound (2).ico
c:\windows\system32\Icons\Permanent Icons\folder sound.ico
c:\windows\system32\Icons\Permanent Icons\folder tar.ico
c:\windows\system32\Icons\Permanent Icons\folder temporary.ico
c:\windows\system32\Icons\Permanent Icons\folder txt.ico
c:\windows\system32\Icons\Permanent Icons\folder video.ico
c:\windows\system32\Icons\Permanent Icons\folder violet open.ico
c:\windows\system32\Icons\Permanent Icons\folder violet.ico
c:\windows\system32\Icons\Permanent Icons\folder web blue.ico
c:\windows\system32\Icons\Permanent Icons\folder web green.ico
c:\windows\system32\Icons\Permanent Icons\folder web red.ico
c:\windows\system32\Icons\Permanent Icons\folder web yellow.ico
c:\windows\system32\Icons\Permanent Icons\folder web.ico
c:\windows\system32\Icons\Permanent Icons\folder yellow (1).ico
c:\windows\system32\Icons\Permanent Icons\folder yellow (2).ico
c:\windows\system32\Icons\Permanent Icons\folder yellow (3).ico
c:\windows\system32\Icons\Permanent Icons\folder yellow open.ico
c:\windows\system32\Icons\Permanent Icons\folder yellow.ico
c:\windows\system32\Icons\Permanent Icons\folder_app1.ico
c:\windows\system32\Icons\Permanent Icons\folder_app2.ico
c:\windows\system32\Icons\Permanent Icons\font bitmap.ico
c:\windows\system32\Icons\Permanent Icons\font truetype.ico
c:\windows\system32\Icons\Permanent Icons\font type1.ico
c:\windows\system32\Icons\Permanent Icons\font.ico
c:\windows\system32\Icons\Permanent Icons\fonts.ico
c:\windows\system32\Icons\Permanent Icons\forward.ico
c:\windows\system32\Icons\Permanent Icons\fox.ico
c:\windows\system32\Icons\Permanent Icons\fractal-cheetah-by-artofpai.ico
c:\windows\system32\Icons\Permanent Icons\fsview.ico
c:\windows\system32\Icons\Permanent Icons\ftp.ico
c:\windows\system32\Icons\Permanent Icons\FullmoonnewL.ico
c:\windows\system32\Icons\Permanent Icons\Galaxy.ico
c:\windows\system32\Icons\Permanent Icons\Games (2).ico
c:\windows\system32\Icons\Permanent Icons\Games.ico
c:\windows\system32\Icons\Permanent Icons\Gaming-Pad.ico
c:\windows\system32\Icons\Permanent Icons\garage band.ico
c:\windows\system32\Icons\Permanent Icons\Generic Black.ico
c:\windows\system32\Icons\Permanent Icons\Generic Blue.ico
c:\windows\system32\Icons\Permanent Icons\Generic Brown.ico
c:\windows\system32\Icons\Permanent Icons\Generic Green.ico
c:\windows\system32\Icons\Permanent Icons\Generic Orange.ico
c:\windows\system32\Icons\Permanent Icons\Generic Red.ico
c:\windows\system32\Icons\Permanent Icons\Generic Violet.ico
c:\windows\system32\Icons\Permanent Icons\Generic White.ico
c:\windows\system32\Icons\Permanent Icons\Generic Yellow.ico
c:\windows\system32\Icons\Permanent Icons\Generic.ico
c:\windows\system32\Icons\Permanent Icons\gerbera-1.ico
c:\windows\system32\Icons\Permanent Icons\gettext.ico
c:\windows\system32\Icons\Permanent Icons\gf.ico
c:\windows\system32\Icons\Permanent Icons\gif.ico
c:\windows\system32\Icons\Permanent Icons\gif_image.ico
c:\windows\system32\Icons\Permanent Icons\gnome.ico
c:\windows\system32\Icons\Permanent Icons\gpg.ico
c:\windows\system32\Icons\Permanent Icons\gpgsm.ico
c:\windows\system32\Icons\Permanent Icons\Grab-1.ico
c:\windows\system32\Icons\Permanent Icons\Grab-3.ico
c:\windows\system32\Icons\Permanent Icons\grape.ico
c:\windows\system32\Icons\Permanent Icons\Graphic.ico
c:\windows\system32\Icons\Permanent Icons\Graphics.ico
c:\windows\system32\Icons\Permanent Icons\grayscale.ico
c:\windows\system32\Icons\Permanent Icons\Green_Butterfly.ico
c:\windows\system32\Icons\Permanent Icons\Green_Leaf.ico
c:\windows\system32\Icons\Permanent Icons\Hand.ico
c:\windows\system32\Icons\Permanent Icons\Hard Disk.ico
c:\windows\system32\Icons\Permanent Icons\hard_disk.ico
c:\windows\system32\Icons\Permanent Icons\hard_driver.ico
c:\windows\system32\Icons\Permanent Icons\harddisk internal.ico
c:\windows\system32\Icons\Permanent Icons\harddisk.ico
c:\windows\system32\Icons\Permanent Icons\harddrive.ico
c:\windows\system32\Icons\Permanent Icons\HDD-Alt.ico
c:\windows\system32\Icons\Permanent Icons\HDD-Apple.ico
c:\windows\system32\Icons\Permanent Icons\HDD-Audio.ico
c:\windows\system32\Icons\Permanent Icons\HDD-Documents.ico
c:\windows\system32\Icons\Permanent Icons\HDD-Down.ico
c:\windows\system32\Icons\Permanent Icons\HDD-Network.ico
c:\windows\system32\Icons\Permanent Icons\HDD-Pictures.ico
c:\windows\system32\Icons\Permanent Icons\HDD-Video.ico
c:\windows\system32\Icons\Permanent Icons\HDD-Web.ico
c:\windows\system32\Icons\Permanent Icons\HDD-Win.ico
c:\windows\system32\Icons\Permanent Icons\HDD.ico
c:\windows\system32\Icons\Permanent Icons\hdd_mount.ico
c:\windows\system32\Icons\Permanent Icons\hdd_unmount.ico
c:\windows\system32\Icons\Permanent Icons\Headphones2.ico
c:\windows\system32\Icons\Permanent Icons\Help (1).ico
c:\windows\system32\Icons\Permanent Icons\Help (2).ico
c:\windows\system32\Icons\Permanent Icons\Help (3).ico
c:\windows\system32\Icons\Permanent Icons\Help (4).ico
c:\windows\system32\Icons\Permanent Icons\Home (1).ico
c:\windows\system32\Icons\Permanent Icons\Home (2).ico
c:\windows\system32\Icons\Permanent Icons\Home (3).ico
c:\windows\system32\Icons\Permanent Icons\Home (4).ico
c:\windows\system32\Icons\Permanent Icons\Home (5).ico
c:\windows\system32\Icons\Permanent Icons\HTM (2)l.ico
c:\windows\system32\Icons\Permanent Icons\html.ico
c:\windows\system32\Icons\Permanent Icons\ical.ico
c:\windows\system32\Icons\Permanent Icons\iChat (2).ico
c:\windows\system32\Icons\Permanent Icons\ichat.ico
c:\windows\system32\Icons\Permanent Icons\image (2).ico
c:\windows\system32\Icons\Permanent Icons\image.ico
c:\windows\system32\Icons\Permanent Icons\images.ico
c:\windows\system32\Icons\Permanent Icons\info. (2).ico
c:\windows\system32\Icons\Permanent Icons\Info.ico
c:\windows\system32\Icons\Permanent Icons\Internet.ico
c:\windows\system32\Icons\Permanent Icons\internet_document.ico
c:\windows\system32\Icons\Permanent Icons\iphoto.ico
c:\windows\system32\Icons\Permanent Icons\ipod. (1).ico
c:\windows\system32\Icons\Permanent Icons\ipod. (2).ico
c:\windows\system32\Icons\Permanent Icons\ipod. (3).ico
c:\windows\system32\Icons\Permanent Icons\iTunes.ico
c:\windows\system32\Icons\Permanent Icons\jack.ico
c:\windows\system32\Icons\Permanent Icons\java (2).ico
c:\windows\system32\Icons\Permanent Icons\Java.ico
c:\windows\system32\Icons\Permanent Icons\Jo.ico
c:\windows\system32\Icons\Permanent Icons\jpeg_image.ico
c:\windows\system32\Icons\Permanent Icons\Jupiter 2.ico
c:\windows\system32\Icons\Permanent Icons\Jupiter.ico
c:\windows\system32\Icons\Permanent Icons\Kazaa Downloads.ico
c:\windows\system32\Icons\Permanent Icons\kcontrol.ico
c:\windows\system32\Icons\Permanent Icons\keditbookmarks.ico
c:\windows\system32\Icons\Permanent Icons\keyboard.ico
c:\windows\system32\Icons\Permanent Icons\kfm_home.ico
c:\windows\system32\Icons\Permanent Icons\kgpg.ico
c:\windows\system32\Icons\Permanent Icons\kolf.ico
c:\windows\system32\Icons\Permanent Icons\konsole.ico
c:\windows\system32\Icons\Permanent Icons\kwifimanager.ico
c:\windows\system32\Icons\Permanent Icons\laptop (2).ico
c:\windows\system32\Icons\Permanent Icons\Laptop (Black).ico
c:\windows\system32\Icons\Permanent Icons\Laptop.ico
c:\windows\system32\Icons\Permanent Icons\library.ico
c:\windows\system32\Icons\Permanent Icons\Limewire Downloads.ico
c:\windows\system32\Icons\Permanent Icons\loading icon.ico
c:\windows\system32\Icons\Permanent Icons\loading.ico
c:\windows\system32\Icons\Permanent Icons\lock.ico
c:\windows\system32\Icons\Permanent Icons\lock_file.ico
c:\windows\system32\Icons\Permanent Icons\lockoverlay (2).ico
c:\windows\system32\Icons\Permanent Icons\lockoverlay.ico
c:\windows\system32\Icons\Permanent Icons\log.ico
c:\windows\system32\Icons\Permanent Icons\LogOff.ico
c:\windows\system32\Icons\Permanent Icons\Mac (2).ico
c:\windows\system32\Icons\Permanent Icons\Mac.ico
c:\windows\system32\Icons\Permanent Icons\Macromedia Dreaweaver.ico
c:\windows\system32\Icons\Permanent Icons\Macromedia Fireworks.ico
c:\windows\system32\Icons\Permanent Icons\Macromedia Flash.ico
c:\windows\system32\Icons\Permanent Icons\Macromedia.ico
c:\windows\system32\Icons\Permanent Icons\mail (1).ico
c:\windows\system32\Icons\Permanent Icons\mail (2).ico
c:\windows\system32\Icons\Permanent Icons\mail (3).ico
c:\windows\system32\Icons\Permanent Icons\Maintenance.ico
c:\windows\system32\Icons\Permanent Icons\make.ico
c:\windows\system32\Icons\Permanent Icons\man.ico
c:\windows\system32\Icons\Permanent Icons\Mars.ico
c:\windows\system32\Icons\Permanent Icons\media_cilp.ico
c:\windows\system32\Icons\Permanent Icons\memory (1).ico
c:\windows\system32\Icons\Permanent Icons\memory (2).ico
c:\windows\system32\Icons\Permanent Icons\Mercury.ico
c:\windows\system32\Icons\Permanent Icons\message.ico
c:\windows\system32\Icons\Permanent Icons\MGP.ico
c:\windows\system32\Icons\Permanent Icons\Microsoft Excel.ico
c:\windows\system32\Icons\Permanent Icons\Microsoft PowerPoint.ico
c:\windows\system32\Icons\Permanent Icons\Microsoft Word.ico
c:\windows\system32\Icons\Permanent Icons\midi_sequence.ico
c:\windows\system32\Icons\Permanent Icons\MintMorpho.ico
c:\windows\system32\Icons\Permanent Icons\Miranda.ico
c:\windows\system32\Icons\Permanent Icons\Misc-Box.ico
c:\windows\system32\Icons\Permanent Icons\moive_cilp.ico
c:\windows\system32\Icons\Permanent Icons\Moon.ico
c:\windows\system32\Icons\Permanent Icons\Morpho-Phano-Red.ico
c:\windows\system32\Icons\Permanent Icons\MorphoAbsoloni.ico
c:\windows\system32\Icons\Permanent Icons\MorphoAchilleana.ico
c:\windows\system32\Icons\Permanent Icons\MorphoAchilles.ico
c:\windows\system32\Icons\Permanent Icons\MorphoAdonisHuallegaBOTTOM.ico
c:\windows\system32\Icons\Permanent Icons\MorphoAdonisHuallegaTOP.ico
c:\windows\system32\Icons\Permanent Icons\MorphoAmphitrion.ico
c:\windows\system32\Icons\Permanent Icons\MorphoCatenariusUnderside.ico
c:\windows\system32\Icons\Permanent Icons\MorphoCissis.ico
c:\windows\system32\Icons\Permanent Icons\MorphoCypres.ico
c:\windows\system32\Icons\Permanent Icons\MorphoCypressCyanidesFemale.ico
c:\windows\system32\Icons\Permanent Icons\MorphoDeidamiaErica.ico
c:\windows\system32\Icons\Permanent Icons\MorphoDeidamiaNeoptolomous.ico
c:\windows\system32\Icons\Permanent Icons\MorphoDiana.ico
c:\windows\system32\Icons\Permanent Icons\MorphoDidius.ico
c:\windows\system32\Icons\Permanent Icons\MorphoDidiusUnderside.ico
c:\windows\system32\Icons\Permanent Icons\MorphoGodarti.ico
c:\windows\system32\Icons\Permanent Icons\MorphoHecuba_(sunset).ico
c:\windows\system32\Icons\Permanent Icons\MorphoHelena.ico
c:\windows\system32\Icons\Permanent Icons\MorphoHelenaPersonal.ico
c:\windows\system32\Icons\Permanent Icons\MorphoLunaMale.ico
c:\windows\system32\Icons\Permanent Icons\MorphoMenelaus.ico
c:\windows\system32\Icons\Permanent Icons\MorphoMenelausHubneri.ico
c:\windows\system32\Icons\Permanent Icons\MorphoPartisThamyris.ico
c:\windows\system32\Icons\Permanent Icons\MorphoPatroclusOrestesMale.ico
c:\windows\system32\Icons\Permanent Icons\MorphoPeleides.ico
c:\windows\system32\Icons\Permanent Icons\MorphoPeleidesMontezuma.ico
c:\windows\system32\Icons\Permanent Icons\MorphoPeleidesMontezumaUnderside.ico
c:\windows\system32\Icons\Permanent Icons\MorphoPhanoBlue.ico
c:\windows\system32\Icons\Permanent Icons\MorphoPhanoRed.ico
c:\windows\system32\Icons\Permanent Icons\MorphoPolyphemus.ico
c:\windows\system32\Icons\Permanent Icons\MorphoPortisMale.ico
c:\windows\system32\Icons\Permanent Icons\MorphoPseudogamedes.ico
c:\windows\system32\Icons\Permanent Icons\MorphoRhetenorCacica.ico
c:\windows\system32\Icons\Permanent Icons\MorphoSulkowski(PearlMorpho).ico
c:\windows\system32\Icons\Permanent Icons\MorphoSulkowskiUnderside.ico
c:\windows\system32\Icons\Permanent Icons\MorphoTelemachus.ico
c:\windows\system32\Icons\Permanent Icons\MorphoTheseusAmphotrion.ico
c:\windows\system32\Icons\Permanent Icons\MorphoZephyritisMale.ico
c:\windows\system32\Icons\Permanent Icons\Mountain.ico
c:\windows\system32\Icons\Permanent Icons\mouse old.ico
c:\windows\system32\Icons\Permanent Icons\mouse.ico
c:\windows\system32\Icons\Permanent Icons\Mozilla Firefox Bookmarks.ico
c:\windows\system32\Icons\Permanent Icons\Mozilla Firefox.ico
c:\windows\system32\Icons\Permanent Icons\Mozilla Thunderbird.ico
c:\windows\system32\Icons\Permanent Icons\ms_dos_application.ico
c:\windows\system32\Icons\Permanent Icons\ms_dos_batch_file.ico
c:\windows\system32\Icons\Permanent Icons\Music (1).ico
c:\windows\system32\Icons\Permanent Icons\Music (2).ico
c:\windows\system32\Icons\Permanent Icons\Music (3).ico
c:\windows\system32\Icons\Permanent Icons\Music (4).ico
c:\windows\system32\Icons\Permanent Icons\Music (5).ico
c:\windows\system32\Icons\Permanent Icons\Music (6).ico
c:\windows\system32\Icons\Permanent Icons\music cd (1).ico
c:\windows\system32\Icons\Permanent Icons\music cd (2).ico
c:\windows\system32\Icons\Permanent Icons\my-documents.ico
c:\windows\system32\Icons\Permanent Icons\My Burn.ico
c:\windows\system32\Icons\Permanent Icons\My Documents.ico
c:\windows\system32\Icons\Permanent Icons\My Downloads.ico
c:\windows\system32\Icons\Permanent Icons\My Fonts.ico
c:\windows\system32\Icons\Permanent Icons\My Games.ico
c:\windows\system32\Icons\Permanent Icons\My Music.ico
c:\windows\system32\Icons\Permanent Icons\My Office Documents.ico
c:\windows\system32\Icons\Permanent Icons\My Pictures.ico
c:\windows\system32\Icons\Permanent Icons\My Videos.ico
c:\windows\system32\Icons\Permanent Icons\My Widgets.ico
c:\windows\system32\Icons\Permanent Icons\my_computer.ico
c:\windows\system32\Icons\Permanent Icons\my_documents.ico
c:\windows\system32\Icons\Permanent Icons\my_music.ico
c:\windows\system32\Icons\Permanent Icons\my_network_places.ico
c:\windows\system32\Icons\Permanent Icons\my_pictures.ico
c:\windows\system32\Icons\Permanent Icons\my_recent_documents.ico
c:\windows\system32\Icons\Permanent Icons\my_videos.ico
c:\windows\system32\Icons\Permanent Icons\nature-snow-leopard.ico
c:\windows\system32\Icons\Permanent Icons\nebula.ico
c:\windows\system32\Icons\Permanent Icons\Neptune.ico
c:\windows\system32\Icons\Permanent Icons\Network (1).ico
c:\windows\system32\Icons\Permanent Icons\Network (2).ico
c:\windows\system32\Icons\Permanent Icons\Network (3).ico
c:\windows\system32\Icons\Permanent Icons\Network (4).ico
c:\windows\system32\Icons\Permanent Icons\Network (5).ico
c:\windows\system32\Icons\Permanent Icons\Network (6).ico
c:\windows\system32\Icons\Permanent Icons\network_connections.ico
c:\windows\system32\Icons\Permanent Icons\network_downloads.ico
c:\windows\system32\Icons\Permanent Icons\network_driver_connected.ico
c:\windows\system32\Icons\Permanent Icons\network_find.ico
c:\windows\system32\Icons\Permanent Icons\network_group.ico
c:\windows\system32\Icons\Permanent Icons\network_local.ico
c:\windows\system32\Icons\Permanent Icons\network_offline (1).ico
c:\windows\system32\Icons\Permanent Icons\network_offline (2).ico
c:\windows\system32\Icons\Permanent Icons\network_online.ico
c:\windows\system32\Icons\Permanent Icons\network_service.ico
c:\windows\system32\Icons\Permanent Icons\network_uploads.ico
c:\windows\system32\Icons\Permanent Icons\nfs.ico
c:\windows\system32\Icons\Permanent Icons\nfs_mount.ico
c:\windows\system32\Icons\Permanent Icons\nfs_unmount.ico
c:\windows\system32\Icons\Permanent Icons\Notepad.ico
c:\windows\system32\Icons\Permanent Icons\nyan254.ico
c:\windows\system32\Icons\Permanent Icons\Old-Movie.ico
c:\windows\system32\Icons\Permanent Icons\open_folder.ico
c:\windows\system32\Icons\Permanent Icons\Opera.ico
c:\windows\system32\Icons\Permanent Icons\optical mouse.ico
c:\windows\system32\Icons\Permanent Icons\Options.ico
c:\windows\system32\Icons\Permanent Icons\orange.ico
c:\windows\system32\Icons\Permanent Icons\Organize.ico
c:\windows\system32\Icons\Permanent Icons\package_development.ico
c:\windows\system32\Icons\Permanent Icons\package_games.ico
c:\windows\system32\Icons\Permanent Icons\package_multimedia.ico
c:\windows\system32\Icons\Permanent Icons\package_network.ico
c:\windows\system32\Icons\Permanent Icons\Packed.ico
c:\windows\system32\Icons\Permanent Icons\Paint.ico
c:\windows\system32\Icons\Permanent Icons\papaya.ico
c:\windows\system32\Icons\Permanent Icons\pcmcia.ico
c:\windows\system32\Icons\Permanent Icons\PDF (2).ico
c:\windows\system32\Icons\Permanent Icons\pdf.ico
c:\windows\system32\Icons\Permanent Icons\penguin.ico
c:\windows\system32\Icons\Permanent Icons\pgp.ico
c:\windows\system32\Icons\Permanent Icons\PGP_keys.ico
c:\windows\system32\Icons\Permanent Icons\photobook.ico
c:\windows\system32\Icons\Permanent Icons\photoshop.ico
c:\windows\system32\Icons\Permanent Icons\Pictures (1).ico
c:\windows\system32\Icons\Permanent Icons\Pictures (2).ico
c:\windows\system32\Icons\Permanent Icons\Pictures (3).ico
c:\windows\system32\Icons\Permanent Icons\Pictures (4).ico
c:\windows\system32\Icons\Permanent Icons\pineapple.ico
c:\windows\system32\Icons\Permanent Icons\Pink_Flower.ico
c:\windows\system32\Icons\Permanent Icons\Pluto.ico
c:\windows\system32\Icons\Permanent Icons\PNG.ico
c:\windows\system32\Icons\Permanent Icons\postscript (1).ico
c:\windows\system32\Icons\Permanent Icons\postscript (2).ico
c:\windows\system32\Icons\Permanent Icons\print_class.ico
c:\windows\system32\Icons\Permanent Icons\print_printer.ico
c:\windows\system32\Icons\Permanent Icons\Printer (1).ico
c:\windows\system32\Icons\Permanent Icons\Printer (2).ico
c:\windows\system32\Icons\Permanent Icons\Printer (3).ico
c:\windows\system32\Icons\Permanent Icons\Printer (4).ico
c:\windows\system32\Icons\Permanent Icons\printers_and_faxes.ico
c:\windows\system32\Icons\Permanent Icons\printmgr.ico
c:\windows\system32\Icons\Permanent Icons\private.ico
c:\windows\system32\Icons\Permanent Icons\program_group.ico
c:\windows\system32\Icons\Permanent Icons\programs.ico
c:\windows\system32\Icons\Permanent Icons\PS.ico
c:\windows\system32\Icons\Permanent Icons\PSP.ico
c:\windows\system32\Icons\Permanent Icons\Public (1).ico
c:\windows\system32\Icons\Permanent Icons\Public (2).ico
c:\windows\system32\Icons\Permanent Icons\Public (3).ico
c:\windows\system32\Icons\Permanent Icons\Quark.ico
c:\windows\system32\Icons\Permanent Icons\Quicktime (1).ico
c:\windows\system32\Icons\Permanent Icons\Quicktime (2).ico
c:\windows\system32\Icons\Permanent Icons\ram_driver.ico
c:\windows\system32\Icons\Permanent Icons\readme.ico
c:\windows\system32\Icons\Permanent Icons\Recycle Bin (1).ico
c:\windows\system32\Icons\Permanent Icons\Recycle Bin (2).ico
c:\windows\system32\Icons\Permanent Icons\Recycle Bin (3).ico
c:\windows\system32\Icons\Permanent Icons\Recycle Bin (4).ico
c:\windows\system32\Icons\Permanent Icons\Recycle Bin (5).ico
c:\windows\system32\Icons\Permanent Icons\Recycle Bin Empty (1).ico
c:\windows\system32\Icons\Permanent Icons\Recycle Bin Empty (2).ico
c:\windows\system32\Icons\Permanent Icons\Recycle Bin Empty (3).ico
c:\windows\system32\Icons\Permanent Icons\Recycle Bin Empty (4).ico
c:\windows\system32\Icons\Permanent Icons\Recycle Bin Empty (5).ico
c:\windows\system32\Icons\Permanent Icons\Recycle Bin Empty (6).ico
c:\windows\system32\Icons\Permanent Icons\Recycle Bin Full (1).ico
c:\windows\system32\Icons\Permanent Icons\Recycle Bin Full (2).ico
c:\windows\system32\Icons\Permanent Icons\Recycle Bin Full (3).ico
c:\windows\system32\Icons\Permanent Icons\Recycle Bin Full (4).ico
c:\windows\system32\Icons\Permanent Icons\Recycle Bin Full (5).ico
c:\windows\system32\Icons\Permanent Icons\Recycle Bin Full (6).ico
c:\windows\system32\Icons\Permanent Icons\Recycle Bin Full (7).ico
c:\windows\system32\Icons\Permanent Icons\recycled.ico
c:\windows\system32\Icons\Permanent Icons\Red_Butterfly.ico
c:\windows\system32\Icons\Permanent Icons\Red_Flower.ico
c:\windows\system32\Icons\Permanent Icons\Refresh.ico
c:\windows\system32\Icons\Permanent Icons\regular.ico
c:\windows\system32\Icons\Permanent Icons\removable (1).ico
c:\windows\system32\Icons\Permanent Icons\removable (2).ico
c:\windows\system32\Icons\Permanent Icons\removable (3).ico
c:\windows\system32\Icons\Permanent Icons\removable (4).ico
c:\windows\system32\Icons\Permanent Icons\removable (5).ico
c:\windows\system32\Icons\Permanent Icons\removable (6).ico
c:\windows\system32\Icons\Permanent Icons\Restart.ico
c:\windows\system32\Icons\Permanent Icons\RhetenorMorpho.ico
c:\windows\system32\Icons\Permanent Icons\rich_text_format.ico
c:\windows\system32\Icons\Permanent Icons\Ring-tailed lemur.ico
c:\windows\system32\Icons\Permanent Icons\rpm.ico
c:\windows\system32\Icons\Permanent Icons\RSS.ico
c:\windows\system32\Icons\Permanent Icons\RTF.ico
c:\windows\system32\Icons\Permanent Icons\run.ico
c:\windows\system32\Icons\Permanent Icons\rw.ico
c:\windows\system32\Icons\Permanent Icons\safari.ico
c:\windows\system32\Icons\Permanent Icons\Saturn (1).ico
c:\windows\system32\Icons\Permanent Icons\Saturn (2).ico
c:\windows\system32\Icons\Permanent Icons\Saturn (3).ico
c:\windows\system32\Icons\Permanent Icons\scanners_and_cameras.ico
c:\windows\system32\Icons\Permanent Icons\scheduled_tasks.ico
c:\windows\system32\Icons\Permanent Icons\Search (1).ico
c:\windows\system32\Icons\Permanent Icons\Search (2).ico
c:\windows\system32\Icons\Permanent Icons\Security.ico
c:\windows\system32\Icons\Permanent Icons\Select.ico
c:\windows\system32\Icons\Permanent Icons\server (1).ico
c:\windows\system32\Icons\Permanent Icons\server (2).ico
c:\windows\system32\Icons\Permanent Icons\Settings.ico
c:\windows\system32\Icons\Permanent Icons\share (1).ico
c:\windows\system32\Icons\Permanent Icons\share (2).ico
c:\windows\system32\Icons\Permanent Icons\Shareaza Downloads.ico
c:\windows\system32\Icons\Permanent Icons\shared_music.ico
c:\windows\system32\Icons\Permanent Icons\shared_pictures.ico
c:\windows\system32\Icons\Permanent Icons\shellscript.ico
c:\windows\system32\Icons\Permanent Icons\Shortcut Overlay (1).ico
c:\windows\system32\Icons\Permanent Icons\Shortcut Overlay (2).ico
c:\windows\system32\Icons\Permanent Icons\Shortcut Overlay (3).ico
c:\windows\system32\Icons\Permanent Icons\Shutdown.ico
c:\windows\system32\Icons\Permanent Icons\skull (1).ico
c:\windows\system32\Icons\Permanent Icons\skull (2).ico
c:\windows\system32\Icons\Permanent Icons\skull (3).ico
c:\windows\system32\Icons\Permanent Icons\skull (4).ico
c:\windows\system32\Icons\Permanent Icons\SMB (2).ico
c:\windows\system32\Icons\Permanent Icons\smb.ico
c:\windows\system32\Icons\Permanent Icons\socket (1).ico
c:\windows\system32\Icons\Permanent Icons\socket (2).ico
c:\windows\system32\Icons\Permanent Icons\Software.ico
c:\windows\system32\Icons\Permanent Icons\solar eclipse.ico
c:\windows\system32\Icons\Permanent Icons\solar system.ico
c:\windows\system32\Icons\Permanent Icons\sound (1).ico
c:\windows\system32\Icons\Permanent Icons\sound (2).ico
c:\windows\system32\Icons\Permanent Icons\source.ico
c:\windows\system32\Icons\Permanent Icons\source_c.ico
c:\windows\system32\Icons\Permanent Icons\source_cpp.ico
c:\windows\system32\Icons\Permanent Icons\source_cs.ico
c:\windows\system32\Icons\Permanent Icons\source_f.ico
c:\windows\system32\Icons\Permanent Icons\source_h.ico
c:\windows\system32\Icons\Permanent Icons\source_j.ico
c:\windows\system32\Icons\Permanent Icons\source_java.ico
c:\windows\system32\Icons\Permanent Icons\source_l.ico
c:\windows\system32\Icons\Permanent Icons\source_ml.ico
c:\windows\system32\Icons\Permanent Icons\source_moc.ico
c:\windows\system32\Icons\Permanent Icons\source_n.ico
c:\windows\system32\Icons\Permanent Icons\source_o.ico
c:\windows\system32\Icons\Permanent Icons\source_p.ico
c:\windows\system32\Icons\Permanent Icons\source_php.ico
c:\windows\system32\Icons\Permanent Icons\source_pl.ico
c:\windows\system32\Icons\Permanent Icons\source_py.ico
c:\windows\system32\Icons\Permanent Icons\source_s.ico
c:\windows\system32\Icons\Permanent Icons\source_y.ico
c:\windows\system32\Icons\Permanent Icons\Speaker.ico
c:\windows\system32\Icons\Permanent Icons\spreadsheet.ico
c:\windows\system32\Icons\Permanent Icons\ssh.ico
c:\windows\system32\Icons\Permanent Icons\StandBy.ico
c:\windows\system32\Icons\Permanent Icons\Stats.ico
c:\windows\system32\Icons\Permanent Icons\Stop.ico
c:\windows\system32\Icons\Permanent Icons\strawberry.ico
c:\windows\system32\Icons\Permanent Icons\subscriptions.ico
c:\windows\system32\Icons\Permanent Icons\Sun (1).ico
c:\windows\system32\Icons\Permanent Icons\Sun (2).ico
c:\windows\system32\Icons\Permanent Icons\supernova.ico
c:\windows\system32\Icons\Permanent Icons\System (1).ico
c:\windows\system32\Icons\Permanent Icons\System (2).ico
c:\windows\system32\Icons\Permanent Icons\System (3).ico
c:\windows\system32\Icons\Permanent Icons\System (4).ico
c:\windows\system32\Icons\Permanent Icons\System (5).ico
c:\windows\system32\Icons\Permanent Icons\tar.ico
c:\windows\system32\Icons\Permanent Icons\television.ico
c:\windows\system32\Icons\Permanent Icons\tex.ico
c:\windows\system32\Icons\Permanent Icons\text.ico
c:\windows\system32\Icons\Permanent Icons\text_document.ico
c:\windows\system32\Icons\Permanent Icons\tgz.ico
c:\windows\system32\Icons\Permanent Icons\Tip.ico
c:\windows\system32\Icons\Permanent Icons\Tools (1).ico
c:\windows\system32\Icons\Permanent Icons\Tools (2).ico
c:\windows\system32\Icons\Permanent Icons\Tools (3).ico
c:\windows\system32\Icons\Permanent Icons\Tree (1).ico
c:\windows\system32\Icons\Permanent Icons\Tree (2).ico
c:\windows\system32\Icons\Permanent Icons\txt.ico
c:\windows\system32\Icons\Permanent Icons\unison.ico
c:\windows\system32\Icons\Permanent Icons\unknown.ico
c:\windows\system32\Icons\Permanent Icons\unlock.ico
c:\windows\system32\Icons\Permanent Icons\up.ico
c:\windows\system32\Icons\Permanent Icons\Uranus (1).ico
c:\windows\system32\Icons\Permanent Icons\Uranus (2).ico
c:\windows\system32\Icons\Permanent Icons\USB.ico
c:\windows\system32\Icons\Permanent Icons\usbpendrive_mount.ico
c:\windows\system32\Icons\Permanent Icons\usbpendrive_unmount.ico
c:\windows\system32\Icons\Permanent Icons\vector.ico
c:\windows\system32\Icons\Permanent Icons\vectorgfx.ico
c:\windows\system32\Icons\Permanent Icons\Venus.ico
c:\windows\system32\Icons\Permanent Icons\Video (1).ico
c:\windows\system32\Icons\Permanent Icons\Video (2).ico
c:\windows\system32\Icons\Permanent Icons\Video (3).ico
c:\windows\system32\Icons\Permanent Icons\Video (4).ico
c:\windows\system32\Icons\Permanent Icons\Video (5).ico
c:\windows\system32\Icons\Permanent Icons\Video (6).ico
c:\windows\system32\Icons\Permanent Icons\video_cilp.ico
c:\windows\system32\Icons\Permanent Icons\VLC.ico
c:\windows\system32\Icons\Permanent Icons\watermelon.ico
c:\windows\system32\Icons\Permanent Icons\wave_sound.ico
c:\windows\system32\Icons\Permanent Icons\Web (1).ico
c:\windows\system32\Icons\Permanent Icons\Web (2).ico
c:\windows\system32\Icons\Permanent Icons\Web (3).ico
c:\windows\system32\Icons\Permanent Icons\Web (4).ico
c:\windows\system32\Icons\Permanent Icons\Web (5).ico
c:\windows\system32\Icons\Permanent Icons\web_file.ico
c:\windows\system32\Icons\Permanent Icons\web_folder.ico
c:\windows\system32\Icons\Permanent Icons\WebCam.ico
c:\windows\system32\Icons\Permanent Icons\White_Flower.ico
c:\windows\system32\Icons\Permanent Icons\widget_doc.ico
c:\windows\system32\Icons\Permanent Icons\Win (1).ico
c:\windows\system32\Icons\Permanent Icons\Win (2).ico
c:\windows\system32\Icons\Permanent Icons\Win (3).ico
c:\windows\system32\Icons\Permanent Icons\Winamp.ico
c:\windows\system32\Icons\Permanent Icons\window_fullscreen.ico
c:\windows\system32\Icons\Permanent Icons\window_nofullscreen.ico
c:\windows\system32\Icons\Permanent Icons\Windows (1).ico
c:\windows\system32\Icons\Permanent Icons\Windows (2).ico
c:\windows\system32\Icons\Permanent Icons\Wizard.ico
c:\windows\system32\Icons\Permanent Icons\WLM.ico
c:\windows\system32\Icons\Permanent Icons\WMP.ico
c:\windows\system32\Icons\Permanent Icons\WMP11.ico
c:\windows\system32\Icons\Permanent Icons\wordprocessing.ico
c:\windows\system32\Icons\Permanent Icons\write_document.ico
c:\windows\system32\Icons\Permanent Icons\www.ico
c:\windows\system32\Icons\Permanent Icons\YM.ico
c:\windows\system32\Icons\Permanent Icons\zip_file.ico
c:\windows\system32\Icons\PNGs\.deb.png
c:\windows\system32\Icons\PNGs\3D Studio Max.png
c:\windows\system32\Icons\PNGs\Acrobat.png
c:\windows\system32\Icons\PNGs\Acroread.pdf.png
c:\windows\system32\Icons\PNGs\Adobe Illustrator.png
c:\windows\system32\Icons\PNGs\Adobe Image Ready.png
c:\windows\system32\Icons\PNGs\Adobe PDF.png
c:\windows\system32\Icons\PNGs\Adobe Photoshop.png
c:\windows\system32\Icons\PNGs\Adobe.png
c:\windows\system32\Icons\PNGs\Applications\Adobe Photoshop.png
c:\windows\system32\Icons\PNGs\Applications\Apple iTunes.png
c:\windows\system32\Icons\PNGs\Applications\Apple Quicktime.png
c:\windows\system32\Icons\PNGs\Applications\BitTorrent.png
c:\windows\system32\Icons\PNGs\Applications\Blogger.png
c:\windows\system32\Icons\PNGs\Applications\Corel Paint Shop Pro.png
c:\windows\system32\Icons\PNGs\Applications\Corel Word Perfect.png
c:\windows\system32\Icons\PNGs\Applications\CorelDraw.png
c:\windows\system32\Icons\PNGs\Applications\Firefox.png
c:\windows\system32\Icons\PNGs\Applications\Gaim.png
c:\windows\system32\Icons\PNGs\Applications\Google Talk.png
c:\windows\system32\Icons\PNGs\Applications\Limewire.png
c:\windows\system32\Icons\PNGs\Applications\Microsoft Internet Explorer.png
c:\windows\system32\Icons\PNGs\Applications\Microsoft Office - Excel.png
c:\windows\system32\Icons\PNGs\Applications\Microsoft Office - OneNote.png
c:\windows\system32\Icons\PNGs\Applications\Microsoft Office - Outlook.png
c:\windows\system32\Icons\PNGs\Applications\Microsoft Office - PowerPoint.png
c:\windows\system32\Icons\PNGs\Applications\Microsoft Office - Publisher.png
c:\windows\system32\Icons\PNGs\Applications\Microsoft Office - Visio.png
c:\windows\system32\Icons\PNGs\Applications\Microsoft Office - Word.png
c:\windows\system32\Icons\PNGs\Applications\Microsoft Office Alternates - Excel.png
c:\windows\system32\Icons\PNGs\Applications\Microsoft Office Alternates - Internet Explorer.png
c:\windows\system32\Icons\PNGs\Applications\Microsoft Office Alternates - Media Player.png
c:\windows\system32\Icons\PNGs\Applications\Microsoft Office Alternates - Office.png
c:\windows\system32\Icons\PNGs\Applications\Microsoft Office Alternates - OneNote.png
c:\windows\system32\Icons\PNGs\Applications\Microsoft Office Alternates - Outlook.png
c:\windows\system32\Icons\PNGs\Applications\Microsoft Office Alternates - PowerPoint.png
c:\windows\system32\Icons\PNGs\Applications\Microsoft Office Alternates - Word.png
c:\windows\system32\Icons\PNGs\Applications\Microsoft Outlook Express.png
c:\windows\system32\Icons\PNGs\Applications\Microsoft Visual Studio.png
c:\windows\system32\Icons\PNGs\Applications\mIRC.png
c:\windows\system32\Icons\PNGs\Applications\napster.png
c:\windows\system32\Icons\PNGs\Applications\Nero.png
c:\windows\system32\Icons\PNGs\Applications\NotePad.png
c:\windows\system32\Icons\PNGs\Applications\Opera.png
c:\windows\system32\Icons\PNGs\Applications\Paint.png
c:\windows\system32\Icons\PNGs\Applications\Skype.png
c:\windows\system32\Icons\PNGs\Applications\Stardock Central.png
c:\windows\system32\Icons\PNGs\Applications\Stardock Component Tray.png
c:\windows\system32\Icons\PNGs\Applications\Stardock IconDeveloper.png
c:\windows\system32\Icons\PNGs\Applications\Stardock IconPackager.png
c:\windows\system32\Icons\PNGs\Applications\Stardock ObjectDock.png
c:\windows\system32\Icons\PNGs\Applications\Stardock Theme Manager.png
c:\windows\system32\Icons\PNGs\Applications\Stardock WindowBlinds.png
c:\windows\system32\Icons\PNGs\Applications\Thunderbird.png
c:\windows\system32\Icons\PNGs\Applications\Trillian.png
c:\windows\system32\Icons\PNGs\Applications\Ultra Edit.png
c:\windows\system32\Icons\PNGs\Applications\WinAmp (Classic).png
c:\windows\system32\Icons\PNGs\Applications\WinAmp.png
c:\windows\system32\Icons\PNGs\Applications\Windows Live Messenger.png
c:\windows\system32\Icons\PNGs\Applications\Windows Media Player.png
c:\windows\system32\Icons\PNGs\Applications\WinRar.png
c:\windows\system32\Icons\PNGs\Applications\WinZip.png
c:\windows\system32\Icons\PNGs\Applications\Yahoo Messenger Message.png
c:\windows\system32\Icons\PNGs\Applications\Yahoo Messenger.png
c:\windows\system32\Icons\PNGs\Axialis Icon Workshop.png
c:\windows\system32\Icons\PNGs\Bittorent Downloads.png
c:\windows\system32\Icons\PNGs\Button-shutdown-256.png
c:\windows\system32\Icons\PNGs\Clock 2.png
c:\windows\system32\Icons\PNGs\Clock.png
c:\windows\system32\Icons\PNGs\coins-128x128.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Dossiers & drives\Dossier-Blue-Musique.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Dossiers & drives\Dossier-Blue-Normal.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Dossiers & drives\Dossier-Blue-Papier.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Dossiers & drives\Dossier-Blue-Pictures.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Dossiers & drives\Dossier-Green-Musique.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Dossiers & drives\Dossier-Green-Normal.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Dossiers & drives\Dossier-Green-Papier.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Dossiers & drives\Dossier-Green-Pictures.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Dossiers & drives\Drive-Blue-Disk.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Dossiers & drives\Drive-Blue-Network.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Dossiers & drives\Drive-Blue-Usb.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Dossiers & drives\Drive-Green-Disk.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Dossiers & drives\Drive-Green-Network.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Dossiers & drives\Drive-Green-Usb.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Other\Bouee.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Other\Brush.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Other\Citrouille.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Other\DeviantART.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Other\Eggz.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Other\Heart.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Other\Loupe.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Other\Orange-RSS-Feed.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Other\Paper-Plane.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Other\Pill.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Other\Pink-Heart.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Other\Santa-Hat.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Other\Sucre-d-Orge.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Other\The-Sims.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Other\Trucsenvrac.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Acroread.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Aim.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Amkarok.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Azureus.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Blender.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Blocnote.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Bridgecs2.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Candybar.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\CloneCD.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\CloneDVD.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\CrystalMSN.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Duck.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Egg.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Firefox.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Gimp.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Godduck.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\I-tunes.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Icone-Aim.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Icone-Blender.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Icone-Candybar.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Icone-Winamp.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Illustrator.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Inkscape.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Itunes.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Java-coffe.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Limewire.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Mirc.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Mumule.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Notepad.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Opera.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Photoshop CS 2.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Pidgin.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Quicktime.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Safari.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Songbird.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Winamp-cone.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\Software\Windowsmedia11hc4.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\System\Achtung.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\System\Apple.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\System\Bluetooth.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\System\Cadenas.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\System\Carton.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\System\Corbeille-Cobalt.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\System\Database-Add.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\System\Database.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\System\Icone-Windows.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\System\Mail-envelope.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\System\My-Computer-off.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\System\My-Computer-on.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\System\Star.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\System\Sys.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\System\User-man.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\System\User-woman.png
c:\windows\system32\Icons\PNGs\ColoBrush-png\System\WorldMap.png
c:\windows\system32\Icons\PNGs\Computer Desktop.png
c:\windows\system32\Icons\PNGs\Configure ObjectDock.png
c:\windows\system32\Icons\PNGs\crystalxp\Apps\Address Book.png
c:\windows\system32\Icons\PNGs\crystalxp\Apps\BitComet.png
c:\windows\system32\Icons\PNGs\crystalxp\Apps\Command.png
c:\windows\system32\Icons\PNGs\crystalxp\Apps\Firewall.png
c:\windows\system32\Icons\PNGs\crystalxp\Apps\iChat.png
c:\windows\system32\Icons\PNGs\crystalxp\Apps\iTunes.png
c:\windows\system32\Icons\PNGs\crystalxp\Apps\Java.png
c:\windows\system32\Icons\PNGs\crystalxp\Apps\Miranda.png
c:\windows\system32\Icons\PNGs\crystalxp\Apps\Notepad.png
c:\windows\system32\Icons\PNGs\crystalxp\Apps\Opera.png
c:\windows\system32\Icons\PNGs\crystalxp\Apps\Paint.png
c:\windows\system32\Icons\PNGs\crystalxp\Apps\PS.png
c:\windows\system32\Icons\PNGs\crystalxp\Apps\Quicktime.png
c:\windows\system32\Icons\PNGs\crystalxp\Apps\VLC.png
c:\windows\system32\Icons\PNGs\crystalxp\Apps\Winamp.png
c:\windows\system32\Icons\PNGs\crystalxp\Apps\WLM.png
c:\windows\system32\Icons\PNGs\crystalxp\Apps\WMP.png
c:\windows\system32\Icons\PNGs\crystalxp\Apps\WMP11.png
c:\windows\system32\Icons\PNGs\crystalxp\Apps\YM.png
c:\windows\system32\Icons\PNGs\crystalxp\Devices\Camera.png
c:\windows\system32\Icons\PNGs\crystalxp\Devices\Computer.png
c:\windows\system32\Icons\PNGs\crystalxp\Devices\Floppy.png
c:\windows\system32\Icons\PNGs\crystalxp\Devices\Gaming-Pad.png
c:\windows\system32\Icons\PNGs\crystalxp\Devices\Headphones2.png
c:\windows\system32\Icons\PNGs\crystalxp\Devices\iPod.png
c:\windows\system32\Icons\PNGs\crystalxp\Devices\Laptop (Black).png
c:\windows\system32\Icons\PNGs\crystalxp\Devices\Laptop.png
c:\windows\system32\Icons\PNGs\crystalxp\Devices\Printer.png
c:\windows\system32\Icons\PNGs\crystalxp\Devices\PSP.png
c:\windows\system32\Icons\PNGs\crystalxp\Devices\Speaker.png
c:\windows\system32\Icons\PNGs\crystalxp\Devices\USB.png
c:\windows\system32\Icons\PNGs\crystalxp\Devices\WebCam.png
c:\windows\system32\Icons\PNGs\crystalxp\Disks & Drives\CD-Alt.png
c:\windows\system32\Icons\PNGs\crystalxp\Disks & Drives\CD-RW.png
c:\windows\system32\Icons\PNGs\crystalxp\Disks & Drives\CD.png
c:\windows\system32\Icons\PNGs\crystalxp\Disks & Drives\DVD.png
c:\windows\system32\Icons\PNGs\crystalxp\Disks & Drives\HDD-Alt.png
c:\windows\system32\Icons\PNGs\crystalxp\Disks & Drives\HDD-Apple.png
c:\windows\system32\Icons\PNGs\crystalxp\Disks & Drives\HDD-Audio.png
c:\windows\system32\Icons\PNGs\crystalxp\Disks & Drives\HDD-Documents.png
c:\windows\system32\Icons\PNGs\crystalxp\Disks & Drives\HDD-Down.png
c:\windows\system32\Icons\PNGs\crystalxp\Disks & Drives\HDD-Network.png
c:\windows\system32\Icons\PNGs\crystalxp\Disks & Drives\HDD-Pictures.png
c:\windows\system32\Icons\PNGs\crystalxp\Disks & Drives\HDD-Video.png
c:\windows\system32\Icons\PNGs\crystalxp\Disks & Drives\HDD-Web.png
c:\windows\system32\Icons\PNGs\crystalxp\Disks & Drives\HDD-Win.png
c:\windows\system32\Icons\PNGs\crystalxp\Disks & Drives\HDD.png
c:\windows\system32\Icons\PNGs\crystalxp\Disks & Drives\Removable.png
c:\windows\system32\Icons\PNGs\crystalxp\File Types\Application.png
c:\windows\system32\Icons\PNGs\crystalxp\File Types\Audio.png
c:\windows\system32\Icons\PNGs\crystalxp\File Types\Blank.png
c:\windows\system32\Icons\PNGs\crystalxp\File Types\Command.png
c:\windows\system32\Icons\PNGs\crystalxp\File Types\Document.png
c:\windows\system32\Icons\PNGs\crystalxp\File Types\Graphic.png
c:\windows\system32\Icons\PNGs\crystalxp\File Types\Help.png
c:\windows\system32\Icons\PNGs\crystalxp\File Types\Music.png
c:\windows\system32\Icons\PNGs\crystalxp\File Types\Packed.png
c:\windows\system32\Icons\PNGs\crystalxp\File Types\Pictures.png
c:\windows\system32\Icons\PNGs\crystalxp\File Types\System.png
c:\windows\system32\Icons\PNGs\crystalxp\File Types\Video.png
c:\windows\system32\Icons\PNGs\crystalxp\File Types\Web.png
c:\windows\system32\Icons\PNGs\crystalxp\File Types\Win.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Blue\Apple.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Blue\Apps.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Blue\Audio.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Blue\Documents.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Blue\Download.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Blue\Fav-Alt.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Blue\Fav.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Blue\Folder.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Blue\Games.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Blue\Music.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Blue\Pictures.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Blue\Public.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Blue\System.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Blue\Tools.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Blue\Video.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Blue\Web.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Blue\Win.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Light\Apple.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Light\Apps.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Light\Audio.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Light\Documents.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Light\Download.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Light\Fav-Alt.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Light\Fav.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Light\Folder.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Light\Games.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Light\Music.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Light\Pictures.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Light\Public.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Light\System.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Light\Tools.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Light\Video.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Light\Web.png
c:\windows\system32\Icons\PNGs\crystalxp\Folders\Light\Win.png
c:\windows\system32\Icons\PNGs\crystalxp\Misc\Apps.png
c:\windows\system32\Icons\PNGs\crystalxp\Misc\Box.png
c:\windows\system32\Icons\PNGs\crystalxp\Misc\Bug.png
c:\windows\system32\Icons\PNGs\crystalxp\Misc\Burn.png
c:\windows\system32\Icons\PNGs\crystalxp\Misc\Calender.png
c:\windows\system32\Icons\PNGs\crystalxp\Misc\Chat.png
c:\windows\system32\Icons\PNGs\crystalxp\Misc\Database.png
c:\windows\system32\Icons\PNGs\crystalxp\Misc\Download.png
c:\windows\system32\Icons\PNGs\crystalxp\Misc\Edit.png
c:\windows\system32\Icons\PNGs\crystalxp\Misc\Fav (Heart).png
c:\windows\system32\Icons\PNGs\crystalxp\Misc\Fav (Star).png
c:\windows\system32\Icons\PNGs\crystalxp\Misc\Games.png
c:\windows\system32\Icons\PNGs\crystalxp\Misc\Graphics.png
c:\windows\system32\Icons\PNGs\crystalxp\Misc\Help.png
c:\windows\system32\Icons\PNGs\crystalxp\Misc\Mail.png
c:\windows\system32\Icons\PNGs\crystalxp\Misc\Maintenance.png
c:\windows\system32\Icons\PNGs\crystalxp\Misc\Misc-Box.png
c:\windows\system32\Icons\PNGs\crystalxp\Misc\Options.png
c:\windows\system32\Icons\PNGs\crystalxp\Misc\Organize.png
c:\windows\system32\Icons\PNGs\crystalxp\Misc\RSS.png
c:\windows\system32\Icons\PNGs\crystalxp\Misc\Security.png
c:\windows\system32\Icons\PNGs\crystalxp\Misc\Settings.png
c:\windows\system32\Icons\PNGs\crystalxp\Misc\Software.png
c:\windows\system32\Icons\PNGs\crystalxp\Misc\Stats.png
c:\windows\system32\Icons\PNGs\crystalxp\Misc\Tip.png
c:\windows\system32\Icons\PNGs\crystalxp\Misc\Tools.png
c:\windows\system32\Icons\PNGs\crystalxp\Misc\Video.png
c:\windows\system32\Icons\PNGs\crystalxp\Misc\Wizard.png
c:\windows\system32\Icons\PNGs\crystalxp\Signs & Symbols\Add.png
c:\windows\system32\Icons\PNGs\crystalxp\Signs & Symbols\Alert.png
c:\windows\system32\Icons\PNGs\crystalxp\Signs & Symbols\Download.png
c:\windows\system32\Icons\PNGs\crystalxp\Signs & Symbols\Error.png
c:\windows\system32\Icons\PNGs\crystalxp\Signs & Symbols\Info.png
c:\windows\system32\Icons\PNGs\crystalxp\Signs & Symbols\LogOff.png
c:\windows\system32\Icons\PNGs\crystalxp\Signs & Symbols\Music.png
c:\windows\system32\Icons\PNGs\crystalxp\Signs & Symbols\Public.png
c:\windows\system32\Icons\PNGs\crystalxp\Signs & Symbols\Refresh.png
c:\windows\system32\Icons\PNGs\crystalxp\Signs & Symbols\Restart.png
c:\windows\system32\Icons\PNGs\crystalxp\Signs & Symbols\Search.png
c:\windows\system32\Icons\PNGs\crystalxp\Signs & Symbols\Select.png
c:\windows\system32\Icons\PNGs\crystalxp\Signs & Symbols\Shutdown.png
c:\windows\system32\Icons\PNGs\crystalxp\Signs & Symbols\StandBy.png
c:\windows\system32\Icons\PNGs\crystalxp\Signs & Symbols\Stop.png
c:\windows\system32\Icons\PNGs\crystalxp\System\Apple.png
c:\windows\system32\Icons\PNGs\crystalxp\System\Desktop.png
c:\windows\system32\Icons\PNGs\crystalxp\System\Home.png
c:\windows\system32\Icons\PNGs\crystalxp\System\Internet.png
c:\windows\system32\Icons\PNGs\crystalxp\System\Mac.png
c:\windows\system32\Icons\PNGs\crystalxp\System\Network.png
c:\windows\system32\Icons\PNGs\crystalxp\System\Recycle Bin (Full).png
c:\windows\system32\Icons\PNGs\crystalxp\System\Recycle Bin.png
c:\windows\system32\Icons\PNGs\crystalxp\System\System.png
c:\windows\system32\Icons\PNGs\crystalxp\System\Windows.png
c:\windows\system32\Icons\PNGs\Deleket\3D Studio Max.png
c:\windows\system32\Icons\PNGs\Deleket\Adobe Illustrator.png
c:\windows\system32\Icons\PNGs\Deleket\Adobe PDF.png
c:\windows\system32\Icons\PNGs\Deleket\Adobe Photoshop.png
c:\windows\system32\Icons\PNGs\Deleket\Adobe.png
c:\windows\system32\Icons\PNGs\Deleket\Axialis Icon Workshop.png
c:\windows\system32\Icons\PNGs\Deleket\Bittorent Downloads.png
c:\windows\system32\Icons\PNGs\Deleket\Deviant Art.png
c:\windows\system32\Icons\PNGs\Deleket\Divx Movies.png
c:\windows\system32\Icons\PNGs\Deleket\Generic Black.png
c:\windows\system32\Icons\PNGs\Deleket\Generic Blue.png
c:\windows\system32\Icons\PNGs\Deleket\Generic Brown.png
c:\windows\system32\Icons\PNGs\Deleket\Generic Green.png
c:\windows\system32\Icons\PNGs\Deleket\Generic Orange.png
c:\windows\system32\Icons\PNGs\Deleket\Generic Red.png
c:\windows\system32\Icons\PNGs\Deleket\Generic Violet.png
c:\windows\system32\Icons\PNGs\Deleket\Generic White.png
c:\windows\system32\Icons\PNGs\Deleket\Generic Yellow.png
c:\windows\system32\Icons\PNGs\Deleket\Generic.png
c:\windows\system32\Icons\PNGs\Deleket\Internet Explorer Bookmarks.png
c:\windows\system32\Icons\PNGs\Deleket\Internet Explorer.png
c:\windows\system32\Icons\PNGs\Deleket\Jo.png
c:\windows\system32\Icons\PNGs\Deleket\Kazaa Downloads.png
c:\windows\system32\Icons\PNGs\Deleket\Limewire Downloads.png
c:\windows\system32\Icons\PNGs\Deleket\Mac.png
c:\windows\system32\Icons\PNGs\Deleket\Macromedia Dreaweaver.png
c:\windows\system32\Icons\PNGs\Deleket\Macromedia Fireworks.png
c:\windows\system32\Icons\PNGs\Deleket\Macromedia Flash.png
c:\windows\system32\Icons\PNGs\Deleket\Macromedia.png
c:\windows\system32\Icons\PNGs\Deleket\Microsoft Excel.png
c:\windows\system32\Icons\PNGs\Deleket\Microsoft PowerPoint.png
c:\windows\system32\Icons\PNGs\Deleket\Microsoft Word.png
c:\windows\system32\Icons\PNGs\Deleket\Mozilla Firefox Bookmarks.png
c:\windows\system32\Icons\PNGs\Deleket\Mozilla Firefox.png
c:\windows\system32\Icons\PNGs\Deleket\Mozilla Thunderbird.png
c:\windows\system32\Icons\PNGs\Deleket\My Burn.png
c:\windows\system32\Icons\PNGs\Deleket\My Documents.png
c:\windows\system32\Icons\PNGs\Deleket\My Downloads.png
c:\windows\system32\Icons\PNGs\Deleket\My Fonts.png
c:\windows\system32\Icons\PNGs\Deleket\My Games.png
c:\windows\system32\Icons\PNGs\Deleket\My Music.png
c:\windows\system32\Icons\PNGs\Deleket\My Office Documents.png
c:\windows\system32\Icons\PNGs\Deleket\My Pictures.png
c:\windows\system32\Icons\PNGs\Deleket\My Videos.png
c:\windows\system32\Icons\PNGs\Deleket\My Widgets.png
c:\windows\system32\Icons\PNGs\Deleket\Quark.png
c:\windows\system32\Icons\PNGs\Deleket\Shareaza Downloads.png
c:\windows\system32\Icons\PNGs\Deleket\Trash Empty.png
c:\windows\system32\Icons\PNGs\Deleket\Trash Full.png
c:\windows\system32\Icons\PNGs\Deleket\Windows.png
c:\windows\system32\Icons\PNGs\Deviant Art.png
c:\windows\system32\Icons\PNGs\disque local ©.png
c:\windows\system32\Icons\PNGs\Divx Movies.png
c:\windows\system32\Icons\PNGs\eclipse.png
c:\windows\system32\Icons\PNGs\Email 2.png
c:\windows\system32\Icons\PNGs\Email.png
c:\windows\system32\Icons\PNGs\explorer.png
c:\windows\system32\Icons\PNGs\File Types\.Avi.png
c:\windows\system32\Icons\PNGs\File Types\.C.png
c:\windows\system32\Icons\PNGs\File Types\.cpp.png
c:\windows\system32\Icons\PNGs\File Types\.dll.png
c:\windows\system32\Icons\PNGs\File Types\.doc.png
c:\windows\system32\Icons\PNGs\File Types\.docx.png
c:\windows\system32\Icons\PNGs\File Types\.flv.png
c:\windows\system32\Icons\PNGs\File Types\.gz.png
c:\windows\system32\Icons\PNGs\File Types\.h.png
c:\windows\system32\Icons\PNGs\File Types\.htm.png
c:\windows\system32\Icons\PNGs\File Types\.html.png
c:\windows\system32\Icons\PNGs\File Types\.iso.png
c:\windows\system32\Icons\PNGs\File Types\.java.png
c:\windows\system32\Icons\PNGs\File Types\.log.png
c:\windows\system32\Icons\PNGs\File Types\.mp3.png
c:\windows\system32\Icons\PNGs\File Types\.ogg.png
c:\windows\system32\Icons\PNGs\File Types\.pdf.png
c:\windows\system32\Icons\PNGs\File Types\.perl.png
c:\windows\system32\Icons\PNGs\File Types\.php.png
c:\windows\system32\Icons\PNGs\File Types\.psd.png
c:\windows\system32\Icons\PNGs\File Types\.rar.png
c:\windows\system32\Icons\PNGs\File Types\.rpm.png
c:\windows\system32\Icons\PNGs\File Types\.rtf.png
c:\windows\system32\Icons\PNGs\File Types\.sql.png
c:\windows\system32\Icons\PNGs\File Types\.tar.png
c:\windows\system32\Icons\PNGs\File Types\.txt.png
c:\windows\system32\Icons\PNGs\File Types\.wav.png
c:\windows\system32\Icons\PNGs\File Types\.wma.png
c:\windows\system32\Icons\PNGs\File Types\.xls.png
c:\windows\system32\Icons\PNGs\File Types\.xlsx.png
c:\windows\system32\Icons\PNGs\File Types\.zip.png
c:\windows\system32\Icons\PNGs\File Types\Acrobat Document.png
c:\windows\system32\Icons\PNGs\File Types\Adobe Photoshop File.png
c:\windows\system32\Icons\PNGs\File Types\bz.png
c:\windows\system32\Icons\PNGs\File Types\Microsoft Office File - Excel.png
c:\windows\system32\Icons\PNGs\File Types\Microsoft Office File - Outlook.png
c:\windows\system32\Icons\PNGs\File Types\Microsoft Office File - PowerPoint.png
c:\windows\system32\Icons\PNGs\File Types\Microsoft Office File - Word.png
c:\windows\system32\Icons\PNGs\firefox2005_folder_png.png
c:\windows\system32\Icons\PNGs\firefox2005_icon_png.png
c:\windows\system32\Icons\PNGs\Generic Black.png
c:\windows\system32\Icons\PNGs\Generic Blue.png
c:\windows\system32\Icons\PNGs\Generic Brown.png
c:\windows\system32\Icons\PNGs\Generic Green.png
c:\windows\system32\Icons\PNGs\Generic Orange.png
c:\windows\system32\Icons\PNGs\Generic Red.png
c:\windows\system32\Icons\PNGs\Generic Violet.png
c:\windows\system32\Icons\PNGs\Generic White.png
c:\windows\system32\Icons\PNGs\Generic Yellow.png
c:\windows\system32\Icons\PNGs\Generic.png
c:\windows\system32\Icons\PNGs\Industrial Icons (PNGs)\Computer.png
c:\windows\system32\Icons\PNGs\Industrial Icons (PNGs)\Documents.png
c:\windows\system32\Icons\PNGs\Industrial Icons (PNGs)\Folder.png
c:\windows\system32\Icons\PNGs\Industrial Icons (PNGs)\Hard Disk.png
c:\windows\system32\Icons\PNGs\Industrial Icons (PNGs)\Music.png
c:\windows\system32\Icons\PNGs\Industrial Icons (PNGs)\Pictures.png
c:\windows\system32\Icons\PNGs\Industrial Icons (PNGs)\Trash Empty.png
c:\windows\system32\Icons\PNGs\Industrial Icons (PNGs)\Trash Full.png
c:\windows\system32\Icons\PNGs\Internet 2.png
c:\windows\system32\Icons\PNGs\Internet Explorer Bookmarks.png
c:\windows\system32\Icons\PNGs\Internet Explorer.png
c:\windows\system32\Icons\PNGs\Internet.png
c:\windows\system32\Icons\PNGs\Jo.png
c:\windows\system32\Icons\PNGs\Kazaa Downloads.png
c:\windows\system32\Icons\PNGs\Limewire Downloads.png
c:\windows\system32\Icons\PNGs\Mac.png
c:\windows\system32\Icons\PNGs\Macromedia Dreaweaver.png
c:\windows\system32\Icons\PNGs\Macromedia Fireworks.png
c:\windows\system32\Icons\PNGs\Macromedia Flash.png
c:\windows\system32\Icons\PNGs\Macromedia.png
c:\windows\system32\Icons\PNGs\Microsoft Excel.png
c:\windows\system32\Icons\PNGs\Microsoft PowerPoint.png
c:\windows\system32\Icons\PNGs\Microsoft Word.png
c:\windows\system32\Icons\PNGs\Mozilla Firefox Bookmarks.png
c:\windows\system32\Icons\PNGs\Mozilla Firefox.png
c:\windows\system32\Icons\PNGs\Mozilla Thunderbird.png
c:\windows\system32\Icons\PNGs\Music CD.png
c:\windows\system32\Icons\PNGs\My Burn.png
c:\windows\system32\Icons\PNGs\My Computer 2.png
c:\windows\system32\Icons\PNGs\My Computer.png
c:\windows\system32\Icons\PNGs\My Documents.png
c:\windows\system32\Icons\PNGs\My Downloads.png
c:\windows\system32\Icons\PNGs\My Fonts.png
c:\windows\system32\Icons\PNGs\My Games.png
c:\windows\system32\Icons\PNGs\My Music.png
c:\windows\system32\Icons\PNGs\My Office Documents.png
c:\windows\system32\Icons\PNGs\My Pictures.png
c:\windows\system32\Icons\PNGs\My Videos.png
c:\windows\system32\Icons\PNGs\My Widgets.png
c:\windows\system32\Icons\PNGs\Programs Folder.png
c:\windows\system32\Icons\PNGs\Quark.png
c:\windows\system32\Icons\PNGs\Question Mark.png
c:\windows\system32\Icons\PNGs\Readme.png
c:\windows\system32\Icons\PNGs\Recycle Bin - Empty.png
c:\windows\system32\Icons\PNGs\Recycle Bin - Full.png
c:\windows\system32\Icons\PNGs\Search.png
c:\windows\system32\Icons\PNGs\Shareaza Downloads.png
c:\windows\system32\Icons\PNGs\Special Folders\My Documents Folder.png
c:\windows\system32\Icons\PNGs\Special Folders\My Favorites Folder.png
c:\windows\system32\Icons\PNGs\Special Folders\My Music Folder.png
c:\windows\system32\Icons\PNGs\Special Folders\My Pictures - My Photos Folder.png
c:\windows\system32\Icons\PNGs\Special Folders\My Videos - My Movies Folder.png
c:\windows\system32\Icons\PNGs\Special Folders\Plain Folder, Empty.png
c:\windows\system32\Icons\PNGs\Special Folders\Search Folder.png
c:\windows\system32\Icons\PNGs\Start Button.png
c:\windows\system32\Icons\PNGs\Trash Empty.png
c:\windows\system32\Icons\PNGs\Trash Full.png
c:\windows\system32\Icons\PNGs\unknown.png
c:\windows\system32\Icons\PNGs\Unload ObjectDock 2.png
c:\windows\system32\Icons\PNGs\Unload ObjectDock.png
c:\windows\system32\Icons\PNGs\WinCustomize.png
c:\windows\system32\Icons\PNGs\Windows.png
c:\windows\system32\Icons\Thumbs.db
c:\windows\system32\Icons\Tse2008_1250_mo1.png
c:\windows\system32\walssexp.dll
c:\windows\system32\zlibwapi.dll

.
((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-29 )))))))))))))))))))))))))))))))
.

2010-05-29 22:50 . 2010-05-29 22:50 -------- d-----w- c:\windows\Internet Logs
2010-05-29 20:48 . 2010-05-29 20:48 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-05-29 20:35 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-29 20:35 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-29 20:35 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-29 20:35 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-29 20:35 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-29 20:35 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-29 20:35 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-29 20:35 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-29 20:35 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-29 20:35 . 2010-05-29 20:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-29 20:28 . 2010-05-29 20:28 -------- d-----w- c:\program files\Common Files\Java
2010-05-29 20:28 . 2010-05-29 20:28 503808 ----a-w- c:\documents and settings\Owner-pc\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-440b4318-n\msvcp71.dll
2010-05-29 20:28 . 2010-05-29 20:28 499712 ----a-w- c:\documents and settings\Owner-pc\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-440b4318-n\jmc.dll
2010-05-29 20:28 . 2010-05-29 20:28 348160 ----a-w- c:\documents and settings\Owner-pc\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-440b4318-n\msvcr71.dll
2010-05-29 20:28 . 2010-05-29 20:28 61440 ----a-w- c:\documents and settings\Owner-pc\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1c5094a9-n\decora-sse.dll
2010-05-29 20:28 . 2010-05-29 20:28 12800 ----a-w- c:\documents and settings\Owner-pc\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1c5094a9-n\decora-d3d.dll
2010-05-29 20:28 . 2010-05-29 20:28 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-28 23:57 . 2008-06-19 12:05 61696 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys
2010-05-28 23:57 . 2008-06-19 12:05 61696 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2010-05-28 23:56 . 2010-05-29 00:20 -------- d-----w- C:\vir
2010-05-28 23:55 . 2010-05-29 00:19 1414 ----a-w- C:\ohci1394.reg
2010-05-28 23:55 . 2010-05-28 23:55 -------- d-----w- C:\backup
2010-05-28 23:55 . 2008-06-19 12:05 61696 ----a-w- c:\windows\system32\drivers\tmpohci1394.sys
2010-05-26 16:38 . 2010-05-26 16:39 -------- d-----w- C:\Fall '09
2010-05-26 15:26 . 2010-05-26 15:26 -------- d-----w- C:\found.000
2010-05-26 11:32 . 2010-05-26 11:32 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-05-26 03:19 . 2010-05-26 03:19 -------- d-----w- c:\documents and settings\Owner-pc\Local Settings\Application Data\Opera
2010-05-26 03:19 . 2010-05-26 03:19 -------- d-----w- c:\program files\Opera
2010-05-25 07:30 . 2010-05-25 07:30 63488 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-25 07:30 . 2010-05-25 07:30 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-25 07:30 . 2010-05-25 07:30 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-25 07:29 . 2010-05-25 07:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-05-25 04:21 . 2010-05-25 04:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-05-25 00:41 . 2010-05-25 00:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Spyware Terminator
2010-05-24 23:46 . 2010-05-25 07:19 -------- d-----w- c:\documents and settings\Owner-pc\Local Settings\Application Data\fuqawlblb
2010-05-22 19:46 . 2010-05-22 19:46 -------- d-----w- c:\program files\iPod
2010-05-22 19:46 . 2010-05-22 19:47 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-22 19:42 . 2010-05-22 19:43 -------- d-----w- c:\program files\QuickTime
2010-05-22 19:37 . 2010-05-22 19:37 -------- d-----w- c:\program files\Bonjour
2010-05-22 19:30 . 2010-05-22 19:30 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-12 06:56 . 2010-05-12 06:56 -------- d-----w- c:\documents and settings\Owner-pc\Application Data\LolClient
2010-05-09 08:04 . 2010-05-09 08:04 -------- d-----w- c:\program files\JRE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-29 20:35 . 2009-09-06 05:20 -------- d-----w- c:\program files\Alwil Software
2010-05-29 20:22 . 2009-01-26 15:54 -------- d-----w- c:\program files\Java
2010-05-29 00:02 . 2009-10-03 05:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-26 21:25 . 2009-08-17 06:06 -------- d-----w- c:\documents and settings\Owner-pc\Application Data\vlc
2010-05-26 17:32 . 2009-08-27 03:45 -------- d-----w- c:\documents and settings\Owner-pc\Application Data\dvdcss
2010-05-26 15:49 . 2010-02-06 23:27 -------- d-----w- c:\program files\PodSync.com
2010-05-26 15:41 . 2009-10-09 15:54 -------- d-----w- c:\program files\Common Files\InstallerA
2010-05-26 15:40 . 2009-12-29 19:11 -------- d-----w- c:\documents and settings\Owner-pc\Application Data\Lala Music Mover
2010-05-26 11:24 . 2009-06-12 00:08 -------- d-----w- c:\documents and settings\Owner-pc\Application Data\DVD Flick
2010-05-25 06:41 . 2009-11-27 06:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-25 01:11 . 2009-02-03 15:51 -------- d-----w- c:\documents and settings\Owner-pc\Application Data\Apple Computer
2010-05-25 00:41 . 2009-11-27 07:17 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-05-22 19:47 . 2009-07-24 16:57 -------- d-----w- c:\program files\iTunes
2010-05-22 19:46 . 2009-02-03 15:49 -------- d-----w- c:\program files\Common Files\Apple
2010-05-13 02:25 . 2009-01-26 15:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-10 00:44 . 2009-09-19 05:30 64812 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-09 17:12 . 2009-01-26 21:03 78528 ----a-w- c:\documents and settings\Owner-pc\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-09 08:07 . 2009-02-03 22:38 1 ----a-w- c:\documents and settings\Owner-pc\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-09 08:04 . 2009-02-03 22:33 -------- d-----w- c:\program files\OpenOffice.org 3
2010-04-29 19:39 . 2009-11-27 06:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-11-27 06:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-26 05:16 . 2009-10-28 21:09 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-26 03:32 . 2010-04-26 03:32 -------- d-----w- c:\documents and settings\Owner-pc\Application Data\LolClient.F24C99354F615F3BAB18AE7B93E3F9B9E8784FA6.1
2010-04-26 03:03 . 2009-01-26 21:40 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-26 02:50 . 2009-10-21 03:08 -------- d-----w- c:\documents and settings\Owner-pc\Application Data\signo
2010-04-26 02:42 . 2010-04-26 02:40 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-04-26 02:39 . 2010-04-26 02:39 -------- d-----w- c:\program files\Pando Networks
2010-04-16 12:33 . 2009-06-28 20:47 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-16 12:33 . 2009-02-03 15:49 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-11 16:24 . 2010-04-11 16:24 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-04-11 16:24 . 2010-04-11 16:24 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-04-11 16:24 . 2010-04-11 16:24 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-04-11 16:24 . 2010-04-11 16:24 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-04-11 16:24 . 2010-04-11 16:24 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-04-11 16:24 . 2010-04-11 16:24 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-04-11 16:24 . 2010-04-11 16:24 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-04-11 16:23 . 2010-04-11 16:23 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-04-11 16:23 . 2010-04-11 16:23 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-04-11 16:23 . 2009-02-04 15:57 -------- d-----w- c:\program files\Common Files\Real
2010-04-11 16:22 . 2009-02-04 15:57 -------- d-----w- c:\program files\Real
2010-04-11 16:22 . 2010-04-11 16:22 -------- d-----w- c:\program files\Common Files\xing shared
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-08 02:33 . 2010-03-05 04:09 439816 ----a-w- c:\documents and settings\Owner-pc\Application Data\Real\Update\setup3.10\setup.exe
2010-04-04 06:13 . 2009-09-08 19:25 1287464 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-03 04:47 . 2010-04-03 04:47 -------- d-----w- c:\program files\NetLibrary
2010-03-28 19:53 . 2010-03-28 19:52 20846064 ----a-w- c:\documents and settings\Owner-pc\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-03-21 19:15 . 2010-03-21 19:15 8405312 ----a-w- c:\documents and settings\Owner-pc\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-03-21 19:15 . 2010-03-21 19:15 149000 ----a-w- c:\documents and settings\Owner-pc\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-03-21 19:15 . 2010-03-21 19:14 10309448 ----a-w- c:\documents and settings\Owner-pc\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-03-21 19:14 . 2010-03-21 19:14 283280 ----a-w- c:\documents and settings\Owner-pc\Application Data\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe
2010-03-21 19:14 . 2010-03-21 19:14 181768 ----a-w- c:\documents and settings\Owner-pc\Application Data\Real\Update\setup3.10\carb\LaunchHelper.exe
2010-03-21 19:14 . 2010-03-21 19:14 79368 ----a-w- c:\documents and settings\Owner-pc\Application Data\Real\Update\setup3.10\RUP\vista.exe
2010-03-21 19:14 . 2010-03-21 19:14 64000 ----a-w- c:\documents and settings\Owner-pc\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-03-21 19:14 . 2010-03-21 19:14 52288 ----a-w- c:\documents and settings\Owner-pc\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-03-21 19:14 . 2010-03-21 19:14 50688 ----a-w- c:\documents and settings\Owner-pc\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-03-21 19:14 . 2010-03-21 19:14 49152 ----a-w- c:\documents and settings\Owner-pc\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-03-21 19:14 . 2010-03-21 19:14 118784 ----a-w- c:\documents and settings\Owner-pc\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
2010-03-11 11:49 . 2008-04-23 03:35 841216 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 11:49 . 2009-12-16 19:48 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 11:49 . 2007-01-08 18:01 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:06 . 2008-06-25 17:19 430080 ----a-w- c:\windows\system32\vbscript.dll
2009-09-06 06:34 . 2009-09-06 06:34 2 --shatr- c:\windows\winstart.bat
.

------- Sigcheck -------


[-] 2009-08-24 . 31469362CD0DF7DAF40798265E906DA2 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\TCPIP.SYS
[-] 2009-08-24 . 31469362CD0DF7DAF40798265E906DA2 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\TCPIP.SYS

c:\windows\System32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-04-26 2938552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-11 202256]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]

c:\documents and settings\Owner-pc\Start Menu\Programs\Startup\
Runit.exe.lnk - c:\windows\system32\runit201\Runit.exe [2009-11-14 93696]
SpecChar.exe.lnk - c:\freeware\Programs\SpecChar\SpecChar.exe [2007-11-21 20480]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2009-1-31 286720]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-11-12 813584]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Stardock\Fences\FencesMenu.dll" [2009-10-02 128360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 17:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BumpTop.lnk]
backup=c:\windows\pss\BumpTop.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner-pc^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-04-28 19:06 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 19:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxTo]
2009-03-15 11:47 114120 ----a-w- c:\freeware\Programs\MaxTo\MaxTo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 20:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Opera\\opera.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56485:TCP"= 56485:TCP:Pando Media Booster
"56485:UDP"= 56485:UDP:Pando Media Booster
"8376:TCP"= 8376:TCP:League of Legends Launcher
"8376:UDP"= 8376:UDP:League of Legends Launcher
"8377:TCP"= 8377:TCP:League of Legends Launcher
"8377:UDP"= 8377:UDP:League of Legends Launcher
"6886:TCP"= 6886:TCP:League of Legends Launcher
"6886:UDP"= 6886:UDP:League of Legends Launcher
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/29/2010 4:35 PM 164048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/29/2010 4:35 PM 19024]
S2 DrWebEngine;Dr.Web ® Scanning Engine (DrWebEngine);"c:\program files\Common Files\Doctor Web\Scanning Engine\dwengine.exe" --> c:\program files\Common Files\Doctor Web\Scanning Engine\dwengine.exe [?]
S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [11/12/2009 8:26 PM 10384]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [8/15/2009 7:32 PM 16512]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\Owner-pc\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys --> c:\docume~1\Owner-pc\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [?]
S3 iTurns;iTurns;c:\windows\system32\drivers\iTurnsDriver.sys [11/28/2008 3:26 PM 10704]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [9/7/2009 11:39 AM 24416]
.
Contents of the 'Scheduled Tasks' folder

2010-05-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-05-29 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3519928212-3014706299-3887354751-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-05-29 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3519928212-3014706299-3887354751-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - ProfilePath - c:\documents and settings\Owner-pc\Application Data\Mozilla\Firefox\Profiles\kwchyh0l.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnG=Google+Search&q=
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\Owner-pc\Application Data\Mozilla\Firefox\Profiles\kwchyh0l.default\extensions\{de1b245c-de57-11da-ba2d-0050c2490048}\library\WINNT-32\MinimizeToTrayPlus.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\Owner-pc\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Owner-pc\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\3.5\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\3.5\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\3.5\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\3.5\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\3.5\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\3.5\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\3.5\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\3.5\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\3.5\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\3.5\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\3.5\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
Notify-!SASWinLogon - (no file)
MSConfigStartUp-dvd43 - c:\program files\dvd43\dvd43_tray.exe
MSConfigStartUp-LanguageShortcut - c:\program files\CyberLink\PowerDVD\Language\Language.exe
MSConfigStartUp-RemoteControl - c:\program files\CyberLink\PowerDVD\PDVDServ.exe
MSConfigStartUp-SpywareTerminatorUpdate - c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-29 19:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2010-05-29 19:09:34
ComboFix-quarantined-files.txt 2010-05-29 23:09

Pre-Run: 99,984,572,416 bytes free
Post-Run: 99,874,193,408 bytes free

- - End Of File - - 42AE46C0F63F8CB70E7D08AF018B7933


#13 Farbar
  • Security Developer
  • 21,689 posts
  • Gender:Male
  • Location:The Netherlands

Posted 29 May 2010 - 06:42 PM

Looks like this is the log of the second run of ComboFix?

There is a missing system file (beep.sys); that is not a big deal. But we need to replace an important system file (tcpip.sys). Do you have access to another computer with Windows XP Service Pack 3 with IE 7 installed? Another option is to upgrade IE and install IE 8 to see if the problem resolves.

We are going to see if ComboFix finds a good copy on the computer.

Close any open browsers.

Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

CODE
Driver::
Viewpoint Manager Service
F-Secure Standalone Minifilter
DrWebEngine
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
DDS::
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
SRPeek::
c:\windows\system32\drivers\TCPIP.SYS
MIA::
c:\windows\System32\drivers\beep.sys


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you ("C:\ComboFix.txt"). Please copy and paste the log into your reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
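
As an added illustration (my own script, not ComboFix's output parser and not something posted in this thread), here is a small Python triage pass over the three log features the reply above reacts to: the Sigcheck rows flagged `[-]`, the "is missing" line for beep.sys, and the services whose binary ends in `[?]`. The sample lines are constructed to match the form of the ComboFix log posted earlier; the reading of `[-]` as a failed file-signature check and of `[?]` as a service entry whose file was not found on disk is my interpretation of the ComboFix output, not a statement from the thread. It also checks the point that drives the "do you have another XP machine" question: the dllcache copy of TCPIP.SYS carries the same MD5 as the copy in drivers, so Windows' own protected-file cache cannot supply a clean replacement.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: lines copied in form from the ComboFix log in this
# thread (Sigcheck, missing-file notice, and the services list). Nothing here
# is read from a live system.
SAMPLE_LOG = r"""
------- Sigcheck -------

[-] 2009-08-24 . 31469362CD0DF7DAF40798265E906DA2 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\TCPIP.SYS
[-] 2009-08-24 . 31469362CD0DF7DAF40798265E906DA2 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\TCPIP.SYS

c:\windows\System32\drivers\beep.sys ... is missing !!

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/29/2010 4:35 PM 164048]
S2 DrWebEngine;Dr.Web Scanning Engine (DrWebEngine);"c:\program files\Common Files\Doctor Web\Scanning Engine\dwengine.exe" --> c:\program files\Common Files\Doctor Web\Scanning Engine\dwengine.exe [?]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
"""

# Sigcheck row: [flag] date . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)
# "path ... is missing !!" (first log) or "path . . . is missing!!" (second log)
MISSING_RE = re.compile(r"^(?P<path>\S.*?)\s+(?:\.\s*){3}is missing\s*!!\s*$")
# Service row: R1/S2/S3 name;display;image [timestamp size] or [?]
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<rest>.+)\s\[(?P<info>[^\]]*)\]\s*$"
)


@dataclass(frozen=True)
class Finding:
    kind: str      # sigcheck_failed | missing_file | service_file_not_found
    path: str
    detail: str
    md5: str = ""


def triage(log_text: str) -> List[Finding]:
    """Extract the findings a helper would act on from ComboFix log text."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SIGCHECK_RE.match(line)
        if m:
            if m["flag"] == "-":  # assumption: '-' marks a failed signature check
                findings.append(Finding(
                    "sigcheck_failed", m["path"],
                    f"version={m['version']} size={m['size']}", m["md5"].upper()))
            continue
        m = MISSING_RE.match(line)
        if m:
            findings.append(Finding("missing_file", m["path"], "reported missing"))
            continue
        m = SERVICE_RE.match(line)
        if m and m["info"] == "?":  # assumption: '[?]' means the image was not found
            findings.append(Finding(
                "service_file_not_found", m["rest"].strip(),
                f"start={m['start']} name={m['name']}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind (plain dict, easy to compare or log)."""
    return dict(Counter(f.kind for f in findings))


def dllcache_matches_driver(findings: List[Finding], basename: str) -> bool:
    """True when the dllcache and drivers copies of `basename` share an MD5,
    meaning Windows File Protection's cache cannot supply a clean copy."""
    hashes: Dict[str, str] = {}
    for f in findings:
        if f.kind == "sigcheck_failed" and f.path.lower().endswith("\\" + basename.lower()):
            folder = "dllcache" if "\\dllcache\\" in f.path.lower() else "drivers"
            hashes[folder] = f.md5
    return hashes.get("dllcache") is not None and hashes.get("dllcache") == hashes.get("drivers")


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.kind:24} {f.path}  ({f.detail})")
    print(summarize(results))
    print("dllcache copy identical to driver copy:", dllcache_matches_driver(results, "tcpip.sys"))
```

On the constructed sample this reports two failed-signature rows for TCPIP.SYS, one missing file (beep.sys) and two service entries whose file was not found (DrWebEngine and Partizan), and confirms that the dllcache copy is byte-identical by hash to the one in drivers, which is exactly why a known-good copy has to come from somewhere else.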


#14 soniashannon
  • Topic Starter
  • Members
  • 30 posts

Posted 29 May 2010 - 07:12 PM

I don't have another XP computer. I'm thinking it would be best to upgrade to IE8.

Here's the second ComboFix log:


ComboFix 10-05-29.03 - Owner-pc 05/29/2010 19:56:56.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.480 [GMT -4:00]
Running from: c:\documents and settings\Owner-pc\Desktop\ComboFix.exe
Command switches used :: E:\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\drivers\beep.sys . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DRWEBENGINE
-------\Legacy_F-SECURE_STANDALONE_MINIFILTER
-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_DrWebEngine
-------\Service_F-Secure Standalone Minifilter
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-30 )))))))))))))))))))))))))))))))
.

2010-05-29 22:50 . 2010-05-29 22:50 -------- d-----w- c:\windows\Internet Logs
2010-05-29 20:48 . 2010-05-29 20:48 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-05-29 20:35 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-29 20:35 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-29 20:35 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-29 20:35 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-29 20:35 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-29 20:35 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-29 20:35 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-29 20:35 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-29 20:35 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-29 20:35 . 2010-05-29 20:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-29 20:28 . 2010-05-29 20:28 -------- d-----w- c:\program files\Common Files\Java
2010-05-29 20:28 . 2010-05-29 20:28 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-28 23:57 . 2008-06-19 12:05 61696 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys
2010-05-28 23:57 . 2008-06-19 12:05 61696 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2010-05-28 23:56 . 2010-05-29 00:20 -------- d-----w- C:\vir
2010-05-28 23:55 . 2010-05-29 00:19 1414 ----a-w- C:\ohci1394.reg
2010-05-28 23:55 . 2010-05-28 23:55 -------- d-----w- C:\backup
2010-05-28 23:55 . 2008-06-19 12:05 61696 ----a-w- c:\windows\system32\drivers\tmpohci1394.sys
2010-05-26 16:38 . 2010-05-26 16:39 -------- d-----w- C:\Fall '09
2010-05-26 15:26 . 2010-05-26 15:26 -------- d-----w- C:\found.000
2010-05-26 11:32 . 2010-05-26 11:32 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-05-26 03:19 . 2010-05-26 03:19 -------- d-----w- c:\documents and settings\Owner-pc\Local Settings\Application Data\Opera
2010-05-26 03:19 . 2010-05-26 03:19 -------- d-----w- c:\program files\Opera
2010-05-25 07:29 . 2010-05-25 07:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-05-25 04:21 . 2010-05-25 04:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-05-25 00:41 . 2010-05-25 00:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Spyware Terminator
2010-05-24 23:46 . 2010-05-25 07:19 -------- d-----w- c:\documents and settings\Owner-pc\Local Settings\Application Data\fuqawlblb
2010-05-22 19:46 . 2010-05-22 19:46 -------- d-----w- c:\program files\iPod
2010-05-22 19:46 . 2010-05-22 19:47 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-22 19:42 . 2010-05-22 19:43 -------- d-----w- c:\program files\QuickTime
2010-05-22 19:37 . 2010-05-22 19:37 -------- d-----w- c:\program files\Bonjour
2010-05-12 06:56 . 2010-05-12 06:56 -------- d-----w- c:\documents and settings\Owner-pc\Application Data\LolClient
2010-05-09 08:04 . 2010-05-09 08:04 -------- d-----w- c:\program files\JRE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-29 20:35 . 2009-09-06 05:20 -------- d-----w- c:\program files\Alwil Software
2010-05-29 20:28 . 2010-05-29 20:28 503808 ----a-w- c:\documents and settings\Owner-pc\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-440b4318-n\msvcp71.dll
2010-05-29 20:28 . 2010-05-29 20:28 499712 ----a-w- c:\documents and settings\Owner-pc\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-440b4318-n\jmc.dll
2010-05-29 20:28 . 2010-05-29 20:28 348160 ----a-w- c:\documents and settings\Owner-pc\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-440b4318-n\msvcr71.dll
2010-05-29 20:28 . 2010-05-29 20:28 61440 ----a-w- c:\documents and settings\Owner-pc\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1c5094a9-n\decora-sse.dll
2010-05-29 20:28 . 2010-05-29 20:28 12800 ----a-w- c:\documents and settings\Owner-pc\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1c5094a9-n\decora-d3d.dll
2010-05-29 20:22 . 2009-01-26 15:54 -------- d-----w- c:\program files\Java
2010-05-29 00:02 . 2009-10-03 05:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-26 21:25 . 2009-08-17 06:06 -------- d-----w- c:\documents and settings\Owner-pc\Application Data\vlc
2010-05-26 17:32 . 2009-08-27 03:45 -------- d-----w- c:\documents and settings\Owner-pc\Application Data\dvdcss
2010-05-26 15:49 . 2010-02-06 23:27 -------- d-----w- c:\program files\PodSync.com
2010-05-26 15:41 . 2009-10-09 15:54 -------- d-----w- c:\program files\Common Files\InstallerA
2010-05-26 15:40 . 2009-12-29 19:11 -------- d-----w- c:\documents and settings\Owner-pc\Application Data\Lala Music Mover
2010-05-26 11:24 . 2009-06-12 00:08 -------- d-----w- c:\documents and settings\Owner-pc\Application Data\DVD Flick
2010-05-25 07:30 . 2010-05-25 07:30 63488 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-25 07:30 . 2010-05-25 07:30 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-25 07:30 . 2010-05-25 07:30 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-25 06:41 . 2009-11-27 06:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-25 01:11 . 2009-02-03 15:51 -------- d-----w- c:\documents and settings\Owner-pc\Application Data\Apple Computer
2010-05-25 00:41 . 2009-11-27 07:17 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-05-22 19:47 . 2009-07-24 16:57 -------- d-----w- c:\program files\iTunes
2010-05-22 19:46 . 2009-02-03 15:49 -------- d-----w- c:\program files\Common Files\Apple
2010-05-22 19:30 . 2010-05-22 19:30 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-13 02:25 . 2009-01-26 15:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-10 00:44 . 2009-09-19 05:30 64812 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-09 17:12 . 2009-01-26 21:03 78528 ----a-w- c:\documents and settings\Owner-pc\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-09 08:07 . 2009-02-03 22:38 1 ----a-w- c:\documents and settings\Owner-pc\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-09 08:04 . 2009-02-03 22:33 -------- d-----w- c:\program files\OpenOffice.org 3
2010-04-29 19:39 . 2009-11-27 06:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-11-27 06:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-26 05:16 . 2009-10-28 21:09 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-26 03:32 . 2010-04-26 03:32 -------- d-----w- c:\documents and settings\Owner-pc\Application Data\LolClient.F24C99354F615F3BAB18AE7B93E3F9B9E8784FA6.1
2010-04-26 03:03 . 2009-01-26 21:40 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-26 02:50 . 2009-10-21 03:08 -------- d-----w- c:\documents and settings\Owner-pc\Application Data\signo
2010-04-26 02:42 . 2010-04-26 02:40 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-04-26 02:39 . 2010-04-26 02:39 -------- d-----w- c:\program files\Pando Networks
2010-04-16 12:33 . 2009-06-28 20:47 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-16 12:33 . 2009-02-03 15:49 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-11 16:24 . 2010-04-11 16:24 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-04-11 16:24 . 2010-04-11 16:24 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-04-11 16:24 . 2010-04-11 16:24 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-04-11 16:24 . 2010-04-11 16:24 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-04-11 16:24 . 2010-04-11 16:24 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-04-11 16:24 . 2010-04-11 16:24 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-04-11 16:24 . 2010-04-11 16:24 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-04-11 16:23 . 2010-04-11 16:23 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-04-11 16:23 . 2010-04-11 16:23 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-04-11 16:23 . 2009-02-04 15:57 -------- d-----w- c:\program files\Common Files\Real
2010-04-11 16:22 . 2009-02-04 15:57 -------- d-----w- c:\program files\Real
2010-04-11 16:22 . 2010-04-11 16:22 -------- d-----w- c:\program files\Common Files\xing shared
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-08 02:33 . 2010-03-05 04:09 439816 ----a-w- c:\documents and settings\Owner-pc\Application Data\Real\Update\setup3.10\setup.exe
2010-04-04 06:13 . 2009-09-08 19:25 1287464 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-03 04:47 . 2010-04-03 04:47 -------- d-----w- c:\program files\NetLibrary
2010-03-28 19:53 . 2010-03-28 19:52 20846064 ----a-w- c:\documents and settings\Owner-pc\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-03-21 19:15 . 2010-03-21 19:15 8405312 ----a-w- c:\documents and settings\Owner-pc\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-03-21 19:15 . 2010-03-21 19:15 149000 ----a-w- c:\documents and settings\Owner-pc\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-03-21 19:15 . 2010-03-21 19:14 10309448 ----a-w- c:\documents and settings\Owner-pc\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-03-21 19:14 . 2010-03-21 19:14 283280 ----a-w- c:\documents and settings\Owner-pc\Application Data\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe
2010-03-21 19:14 . 2010-03-21 19:14 181768 ----a-w- c:\documents and settings\Owner-pc\Application Data\Real\Update\setup3.10\carb\LaunchHelper.exe
2010-03-21 19:14 . 2010-03-21 19:14 79368 ----a-w- c:\documents and settings\Owner-pc\Application Data\Real\Update\setup3.10\RUP\vista.exe
2010-03-21 19:14 . 2010-03-21 19:14 64000 ----a-w- c:\documents and settings\Owner-pc\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-03-21 19:14 . 2010-03-21 19:14 52288 ----a-w- c:\documents and settings\Owner-pc\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-03-21 19:14 . 2010-03-21 19:14 50688 ----a-w- c:\documents and settings\Owner-pc\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-03-21 19:14 . 2010-03-21 19:14 49152 ----a-w- c:\documents and settings\Owner-pc\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-03-21 19:14 . 2010-03-21 19:14 118784 ----a-w- c:\documents and settings\Owner-pc\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
2010-03-11 11:49 . 2008-04-23 03:35 841216 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 11:49 . 2009-12-16 19:48 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 11:49 . 2007-01-08 18:01 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:06 . 2008-06-25 17:19 430080 ----a-w- c:\windows\system32\vbscript.dll
2009-09-06 06:34 . 2009-09-06 06:34 2 --shatr- c:\windows\winstart.bat
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
------- Sigcheck -------


[-] 2009-08-24 . 31469362CD0DF7DAF40798265E906DA2 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\TCPIP.SYS
[-] 2009-08-24 . 31469362CD0DF7DAF40798265E906DA2 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\TCPIP.SYS

c:\windows\System32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2010-05-29_23.06.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-30 00:04 . 2010-05-30 00:04 16384 c:\windows\Temp\Perflib_Perfdata_314.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-04-26 2938552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-11 202256]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]

c:\documents and settings\Owner-pc\Start Menu\Programs\Startup\
Runit.exe.lnk - c:\windows\system32\runit201\Runit.exe [2009-11-14 93696]
SpecChar.exe.lnk - c:\freeware\Programs\SpecChar\SpecChar.exe [2007-11-21 20480]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2009-1-31 286720]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-11-12 813584]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Stardock\Fences\FencesMenu.dll" [2009-10-02 128360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 17:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BumpTop.lnk]
backup=c:\windows\pss\BumpTop.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner-pc^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-04-28 19:06 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 19:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxTo]
2009-03-15 11:47 114120 ----a-w- c:\freeware\Programs\MaxTo\MaxTo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 20:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Opera\\opera.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56485:TCP"= 56485:TCP:Pando Media Booster
"56485:UDP"= 56485:UDP:Pando Media Booster
"8376:TCP"= 8376:TCP:League of Legends Launcher
"8376:UDP"= 8376:UDP:League of Legends Launcher
"8377:TCP"= 8377:TCP:League of Legends Launcher
"8377:UDP"= 8377:UDP:League of Legends Launcher
"6886:TCP"= 6886:TCP:League of Legends Launcher
"6886:UDP"= 6886:UDP:League of Legends Launcher
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/29/2010 4:35 PM 164048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/29/2010 4:35 PM 19024]
S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [11/12/2009 8:26 PM 10384]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [8/15/2009 7:32 PM 16512]
S3 iTurns;iTurns;c:\windows\system32\drivers\iTurnsDriver.sys [11/28/2008 3:26 PM 10704]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [9/7/2009 11:39 AM 24416]
.
Contents of the 'Scheduled Tasks' folder

2010-05-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-05-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3519928212-3014706299-3887354751-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-05-29 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3519928212-3014706299-3887354751-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner-pc\Application Data\Mozilla\Firefox\Profiles\kwchyh0l.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnG=Google+Search&q=
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\Owner-pc\Application Data\Mozilla\Firefox\Profiles\kwchyh0l.default\extensions\{de1b245c-de57-11da-ba2d-0050c2490048}\library\WINNT-32\MinimizeToTrayPlus.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\Owner-pc\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Owner-pc\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\3.5\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\3.5\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\3.5\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\3.5\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\3.5\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\3.5\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\3.5\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\3.5\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\3.5\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\3.5\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\3.5\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-29 20:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(892)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(1740)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Stardock\Fences\FencesMenu.dll
c:\program files\stardock\fences\DesktopDock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\FolderSize\FolderSizeSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\GIMPS\prime95.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-05-29 20:09:08 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-30 00:09
ComboFix2.txt 2010-05-29 23:09

Pre-Run: 99,883,044,864 bytes free
Post-Run: 99,809,853,440 bytes free

- - End Of File - - 6300485492530298ABCC2B32C4105419


#15 Farbar

    Just Curious

  • Security Developer
  • 21,689 posts
  • Gender:Male
  • Location:The Netherlands

Posted 30 May 2010 - 03:25 AM

Do you have a Windows XP installation CD?
  1. You may download Internet Explorer 8 from http://www.microsoft.com
    Install the application and configure it as you like.

  2. Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      CODE
      :filefind
      tcpip*
      beep*
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop, entitled SystemLook.txt.
