Google Redirect


  • This topic is locked
19 replies to this topic

#1 radish158

  • Members
  • 9 posts

Posted 03 January 2012 - 08:55 AM

Hi-

2-3 months ago my computer was infected with the System Fix malware. It has since been removed, but sometime after (I can't remember, we may have even had it since System Fix was an issue) whenever I click on a search result link from Google, the page immediately redirects to some random link or IP, that never actually loads. I've run both AVG and Kaspersky Anti-Virus scans with no results.

I was unsure if I needed to run a GMER scan, but let me know if I need to. I've attached the DDS scan file.

I realized that I am working on a 32-bit system so I tried to run GMER. However, on launching GMER I received the following error, "LoadDriver('C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwlyyfod.sys') error 0xC00010E"

Thanks!
Attached File: attach.txt (20.38KB)

Edited by radish158, 03 January 2012 - 09:31 AM.



#2 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 06 January 2012 - 01:12 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Information and logs:

  • In your next post I need the following:
  • logs from DDS
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
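The instructions above produce DDS.txt, whose "Pseudo HJT Report" section is what the helper reads first. As an added example (not part of this forum post and not one of the BleepingComputer tools), the following Python script shows the kind of first-pass triage a responder does on that section: it parses the entry types DDS emits (uRun/mRun, BHO, DPF, TCP, AppInit_DLLs) and flags the patterns behind most "Google search redirects" complaints, above all DNS resolvers that are not on the local network. The sample report lines are constructed for this example and only modelled on the DDS format; the dynamic-DNS suffix list and the temp-directory marker are assumed heuristics, and a hit means "look closer", not "malware".

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS.txt log.

Added example, not part of the forum thread and not a BleepingComputer tool.
Heuristics applied (each hit is a reason to look closer, not a verdict):
  * DNS resolvers outside RFC 1918 space (a classic cause of search redirects),
  * ActiveX (DPF) downloads from dynamic-DNS hosts or non-standard ports,
  * autorun (uRun/mRun) entries launched from a temp directory,
  * any AppInit_DLLs value (loaded into every process that links user32.dll).
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample in DDS "Pseudo HJT Report" style (not lines from a real log).
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.google.com/
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updchk] c:\docume~1\user\locals~1\temp\updchk.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/wuweb_site.cab
DPF: {4D0A481A-7155-498C-84D8-9CB84DEA237E} - hxxp://cam.example.dyndns.org:81/viewer.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8C5B059D-B0B4-4CCB-9F65-7F831F1794DE} : NameServer = 203.0.113.7,203.0.113.8
AppInit_DLLs: c:\progra~1\vendor\vendor~1\kbdhook.dll
"""

ENTRY = re.compile(r"^(?P<kind>[A-Za-z_]+):\s+(?P<rest>.*)$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed heuristic list of dynamic-DNS suffixes; extend for your environment.
DYNDNS_SUFFIXES = (".dyndns.org", ".no-ip.org", ".no-ip.biz", ".hopto.org")
TEMP_MARKER = "\\temp\\"


def defang_to_url(text):
    """DDS writes hxxp:// so the log is not clickable; undo that for parsing."""
    return re.sub(r"^hxxp", "http", text.strip(), flags=re.IGNORECASE)


def check_nameservers(value):
    """'DhcpNameServer = a' or 'Interfaces\\{...} : NameServer = a,b' -> resolvers outside RFC 1918."""
    m = re.search(r"NameServer\s*=\s*([\d.,\s]+)$", value)
    if not m:
        return []
    external = []
    for raw in m.group(1).replace(",", " ").split():
        ip = ipaddress.ip_address(raw)
        if not any(ip in net for net in RFC1918):
            external.append(str(ip))
    return external


def check_dpf(value):
    """'{CLSID} - hxxp://host:port/file.cab' -> reasons the download source is unusual."""
    _, _, url = value.partition(" - ")
    parts = urlsplit(defang_to_url(url))
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.port not in (None, 80, 443):
        reasons.append("non-standard port %d" % parts.port)
    if host.endswith(DYNDNS_SUFFIXES):
        reasons.append("dynamic-DNS host %s" % host)
    return reasons


def check_run(value):
    """'[Name] path args' -> True when the binary lives under a temp directory."""
    path = value.split("]", 1)[-1].strip().strip('"').lower()
    return TEMP_MARKER in path


def triage(report_text):
    """Return (severity, kind, detail) tuples for lines worth a responder's attention."""
    findings = []
    for line in report_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        if kind == "TCP":
            for ip in check_nameservers(rest):
                findings.append(("high", kind, "non-RFC1918 DNS resolver %s" % ip))
        elif kind == "DPF":
            for why in check_dpf(rest):
                findings.append(("medium", kind, why))
        elif kind.endswith("Run") and check_run(rest):
            findings.append(("medium", kind, "autorun from temp dir: %s" % rest))
        elif kind == "AppInit_DLLs" and rest.strip():
            findings.append(("info", kind, "DLL injected into GUI processes: %s" % rest))
    return findings


if __name__ == "__main__":
    for severity, kind, detail in triage(SAMPLE_REPORT):
        print("%-6s %-12s %s" % (severity, kind, detail))
```

Run it against a real DDS.txt by passing the file contents to `triage()`. The resolver check is the one that matters most for a redirect complaint: a machine whose interface points at a resolver outside the LAN will have search-result clicks answered by whoever runs that resolver, which no on-host antivirus scan will report.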

#3 gringo_pr

Posted 09 January 2012 - 12:39 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#4 radish158 (Topic Starter)

Posted 09 January 2012 - 12:32 PM

Still having problems but my internet has been down! Will post logs later today!

#5 gringo_pr

Posted 09 January 2012 - 12:34 PM

Hello


no problem and I will be around


gringo

#6 radish158 (Topic Starter)

Posted 09 January 2012 - 02:30 PM

Here are the logs:

attach.txt

DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2/16/2010 12:50:56 PM
System Uptime: 1/3/2012 8:25:50 AM (77 hours ago)
.
Motherboard: Hewlett-Packard | | 2821h
Processor: Intel® Atom™ CPU 230 @ 1.60GHz | XU1 PROCESSOR | 1596/533mhz
Processor: Intel® Atom™ CPU 230 @ 1.60GHz | XU1 PROCESSOR 2 | 1596/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 63 GiB total, 44.556 GiB free.
D: is FIXED (NTFS) - 12 GiB total, 8.172 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: PS/2 Compatible Mouse
Device ID: ACPI\PNP0F13\4&EDE93E0&0
Manufacturer: Microsoft
Name: PS/2 Compatible Mouse
PNP Device ID: ACPI\PNP0F13\4&EDE93E0&0
Service: i8042prt
.
Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Device ID: ACPI\PNP0303\4&EDE93E0&0
Manufacturer: (Standard keyboards)
Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&EDE93E0&0
Service: i8042prt
.
==== System Restore Points ===================
.
RP509: 10/9/2011 3:45:42 AM - System Checkpoint
RP510: 10/10/2011 4:45:41 AM - System Checkpoint
RP511: 10/11/2011 5:45:41 AM - System Checkpoint
RP512: 10/12/2011 6:45:42 AM - System Checkpoint
RP513: 10/13/2011 7:45:41 AM - System Checkpoint
RP514: 10/14/2011 10:03:14 AM - System Checkpoint
RP515: 10/15/2011 10:46:47 AM - System Checkpoint
RP516: 10/16/2011 7:52:45 PM - System Checkpoint
RP517: 10/17/2011 8:43:21 PM - System Checkpoint
RP518: 10/18/2011 10:31:12 PM - System Checkpoint
RP519: 10/19/2011 10:36:10 PM - System Checkpoint
RP520: 10/20/2011 10:47:04 PM - System Checkpoint
RP521: 10/21/2011 11:09:50 PM - System Checkpoint
RP522: 10/22/2011 11:55:19 PM - System Checkpoint
RP523: 10/23/2011 11:55:47 PM - System Checkpoint
RP524: 10/25/2011 12:55:17 AM - System Checkpoint
RP525: 10/26/2011 1:10:09 AM - System Checkpoint
RP526: 10/27/2011 1:43:35 AM - System Checkpoint
RP527: 10/27/2011 3:00:20 AM - Software Distribution Service 3.0
RP528: 10/28/2011 3:00:17 AM - Software Distribution Service 3.0
RP529: 10/29/2011 3:00:16 AM - Software Distribution Service 3.0
RP530: 10/30/2011 3:00:17 AM - Software Distribution Service 3.0
RP531: 10/31/2011 3:00:17 AM - Software Distribution Service 3.0
RP532: 11/1/2011 3:00:16 AM - Software Distribution Service 3.0
RP533: 11/2/2011 3:00:16 AM - Software Distribution Service 3.0
RP534: 11/3/2011 3:00:17 AM - Software Distribution Service 3.0
RP535: 11/4/2011 3:00:16 AM - Software Distribution Service 3.0
RP536: 11/5/2011 3:00:16 AM - Software Distribution Service 3.0
RP537: 11/6/2011 2:08:12 AM - System Checkpoint
RP538: 11/6/2011 3:00:17 AM - Software Distribution Service 3.0
RP539: 11/7/2011 3:00:16 AM - Software Distribution Service 3.0
RP540: 11/8/2011 3:00:16 AM - Software Distribution Service 3.0
RP541: 11/9/2011 3:00:17 AM - Software Distribution Service 3.0
RP542: 11/10/2011 3:00:16 AM - Software Distribution Service 3.0
RP543: 11/11/2011 3:00:16 AM - Software Distribution Service 3.0
RP544: 11/12/2011 3:00:17 AM - Software Distribution Service 3.0
RP545: 11/13/2011 3:00:16 AM - Software Distribution Service 3.0
RP546: 11/14/2011 3:00:17 AM - Software Distribution Service 3.0
RP547: 11/15/2011 3:00:17 AM - Software Distribution Service 3.0
RP548: 11/16/2011 3:00:17 AM - Software Distribution Service 3.0
RP549: 11/17/2011 3:00:16 AM - Software Distribution Service 3.0
RP550: 11/18/2011 3:00:16 AM - Software Distribution Service 3.0
RP551: 11/19/2011 3:00:19 AM - Software Distribution Service 3.0
RP552: 11/20/2011 3:00:17 AM - Software Distribution Service 3.0
RP553: 11/21/2011 3:00:17 AM - Software Distribution Service 3.0
RP554: 11/21/2011 5:16:56 PM - Installed Ralink Wireless LAN
RP555: 11/21/2011 5:40:07 PM - Installed Windows XP WgaNotify.
RP556: 11/22/2011 3:00:16 AM - Software Distribution Service 3.0
RP557: 11/23/2011 3:00:17 AM - Software Distribution Service 3.0
RP558: 11/24/2011 3:00:18 AM - Software Distribution Service 3.0
RP559: 11/25/2011 3:00:17 AM - Software Distribution Service 3.0
RP560: 11/26/2011 3:00:17 AM - Software Distribution Service 3.0
RP561: 11/27/2011 3:00:16 AM - Software Distribution Service 3.0
RP562: 11/28/2011 3:00:17 AM - Software Distribution Service 3.0
RP563: 11/29/2011 3:00:17 AM - Software Distribution Service 3.0
RP564: 11/30/2011 3:00:18 AM - Software Distribution Service 3.0
RP565: 12/1/2011 3:00:16 AM - Software Distribution Service 3.0
RP566: 12/2/2011 3:00:17 AM - Software Distribution Service 3.0
RP567: 12/3/2011 3:00:18 AM - Software Distribution Service 3.0
RP568: 12/4/2011 3:00:17 AM - Software Distribution Service 3.0
RP569: 12/5/2011 3:00:17 AM - Software Distribution Service 3.0
RP570: 12/6/2011 3:00:17 AM - Software Distribution Service 3.0
RP571: 12/7/2011 3:00:18 AM - Software Distribution Service 3.0
RP572: 12/8/2011 3:00:19 AM - Software Distribution Service 3.0
RP573: 12/9/2011 3:00:16 AM - Software Distribution Service 3.0
RP574: 12/10/2011 3:00:17 AM - Software Distribution Service 3.0
RP575: 12/11/2011 3:00:19 AM - Software Distribution Service 3.0
RP576: 12/12/2011 3:00:19 AM - Software Distribution Service 3.0
RP577: 12/13/2011 3:00:17 AM - Software Distribution Service 3.0
RP578: 12/14/2011 3:00:52 AM - Software Distribution Service 3.0
RP579: 12/15/2011 3:00:18 AM - Software Distribution Service 3.0
RP580: 12/16/2011 3:00:17 AM - Software Distribution Service 3.0
RP581: 12/17/2011 3:00:17 AM - Software Distribution Service 3.0
RP582: 12/18/2011 3:00:19 AM - Software Distribution Service 3.0
RP583: 12/19/2011 3:00:17 AM - Software Distribution Service 3.0
RP584: 12/20/2011 3:00:17 AM - Software Distribution Service 3.0
RP585: 12/21/2011 3:00:17 AM - Software Distribution Service 3.0
RP586: 12/22/2011 3:00:17 AM - Software Distribution Service 3.0
RP587: 12/23/2011 3:00:18 AM - Software Distribution Service 3.0
RP588: 12/24/2011 3:00:16 AM - Software Distribution Service 3.0
RP589: 12/25/2011 3:00:16 AM - Software Distribution Service 3.0
RP590: 12/26/2011 3:00:17 AM - Software Distribution Service 3.0
RP591: 12/27/2011 3:00:17 AM - Software Distribution Service 3.0
RP592: 12/28/2011 3:00:19 AM - Software Distribution Service 3.0
RP593: 12/29/2011 3:00:18 AM - Software Distribution Service 3.0
RP594: 12/29/2011 11:47:26 AM - Installed AVG 2012
RP595: 12/29/2011 11:49:02 AM - Installed AVG 2012
RP596: 12/30/2011 3:00:18 AM - Software Distribution Service 3.0
RP597: 12/31/2011 3:00:19 AM - Software Distribution Service 3.0
RP598: 1/1/2012 3:00:19 AM - Software Distribution Service 3.0
RP599: 1/2/2012 3:00:17 AM - Software Distribution Service 3.0
RP600: 1/3/2012 3:00:20 AM - Software Distribution Service 3.0
RP601: 1/4/2012 3:00:19 AM - Software Distribution Service 3.0
RP602: 1/5/2012 3:00:20 AM - Software Distribution Service 3.0
RP603: 1/6/2012 3:00:19 AM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
2007 Microsoft Office system
Adobe Flash Player 10 ActiveX
AVG 2012
Business Contact Manager for Outlook 2007
CCleaner
CL-Works
Configuration Tools for the HP USB POS Keyboard V5.3
Elo XP Universal Driver
Google Chrome
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB895246)
Hotfix for Windows XP (KB909095)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB923232)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952117-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Backup and Recovery Manager
HP Help and Support
HP Pole Display Test
HP Product Detection
HP USB Barcode Scanner
HP USB Mini MSR OPOS Driver
HPFlashLoad
Intel® Graphics Media Accelerator Driver
Java™ 6 Update 7
Kaseya Agent (radish_pos1.radish.iug - ggplus.gggroup.net)
Kaspersky Anti-Virus 2010
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Dynamics RMS Store Operations
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Word MUI (English) 2007
Microsoft POS for .NET 1.12
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server Management Studio Express
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MPS RMS Credit and Gift Installer
MPS RMS EDC Install
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
OPOS Common Control Objects 1.11.000
OPOS for HP Line Display
OPOS Support for Hewlett-Packard printers
OPOS Support for HP POS Keyboard
PDF Complete
Ralink RT2870 Wireless LAN Card
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911164)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Driver Package - Hewlett-Packard Company (HP_USB) USB (06/02/2006 1.0.1.11)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Presentation Foundation
Windows XP Hotfix - KB815304
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885222
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB886199
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890859
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
12/31/2011 3:00:33 AM, error: NtServicePack [4373] - Windows XP KB979683 installation failed.
An internal error occurred.
12/30/2011 3:00:31 AM, error: NtServicePack [4373] - Windows XP KB979683 installation failed.
An internal error occurred.
1/6/2012 3:00:34 AM, error: NtServicePack [4373] - Windows XP KB979683 installation failed.
An internal error occurred.
1/5/2012 3:00:33 AM, error: NtServicePack [4373] - Windows XP KB979683 installation failed.
An internal error occurred.
1/4/2012 4:37:04 PM, error: ipnathlp [32003] - The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code.
1/4/2012 4:37:03 PM, error: Dhcp [1002] - The IP address lease 192.168.1.101 for the Network Card with network address 000FFEEB3236 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
1/4/2012 3:00:33 AM, error: NtServicePack [4373] - Windows XP KB979683 installation failed.
An internal error occurred.
1/3/2012 8:03:42 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Avgldx86 Avgmfx86 Fips i8042prt intelppm kl1 KLIF
1/3/2012 8:02:23 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/3/2012 3:00:37 AM, error: NtServicePack [4373] - Windows XP KB979683 installation failed.
An internal error occurred.
1/2/2012 8:08:12 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the SQL Server (MSSQLSERVER) service to connect.
1/2/2012 8:08:12 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PC Angel service to connect.
1/2/2012 8:08:12 AM, error: Service Control Manager [7000] - The SQL Server (MSSQLSERVER) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/2/2012 8:08:12 AM, error: Service Control Manager [7000] - The PC Angel service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/2/2012 7:12:33 AM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer MO-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{8C5B059D-B0B4-4CCB-9F6. The master browser is stopping or an election is being forced.
1/2/2012 3:00:48 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x8007054f: Security Update for Windows XP (KB979683).
1/2/2012 3:00:28 AM, error: NtServicePack [4373] - Windows XP KB979683 installation failed.
An internal error occurred.
1/1/2012 3:00:31 AM, error: NtServicePack [4373] - Windows XP KB979683 installation failed.
An internal error occurred.
.
==== End Of File ===========================

dds.txt
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by Administrator at 13:12:50 on 2012-01-06
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.180 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *Disabled*
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
c:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\HP\POS_Keyboard\KeyMan\KeyMan.exe
C:\Program Files\HP\POS_Keyboard\CDI\cdimsrclient.exe
C:\WINDOWS\system32\EloSrvce.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ralink\Common\RaUI.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\Ralink\Common\RaRegistry.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\HP\POS_Keyboard\CDI\cdi.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Microsoft Retail Management System\Store Operations\SOPOSUSER.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\EloDkMon.exe
C:\WINDOWS\system32\EloTTray.exe
C:\Program Files\Microsoft Retail Management System\Store Operations\SOMANAGER.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\ievkbd.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [CherryKeyMan] "c:\program files\hp\pos_keyboard\keyman\KeyMan.exe"
mRun: [CDIMSRClient] "c:\program files\hp\pos_keyboard\cdi\cdimsrclient.exe"
mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [KASHGGGRPN08879996955609] "c:\program files\kaseya\agent\KaUsrTsk.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\pos.lnk - c:\program files\microsoft retail management system\store operations\SOPOSUSER.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
DPF: {4D0A481A-7155-498C-84D8-9CB84DEA237E} - hxxp://red12.dyndns.org:81/DVROcxEx.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1270055138468
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} - hxxps://ggplus.gggroup.net/inc/kaxRemote.dll
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8C5B059D-B0B4-4CCB-9F65-7F831F1794DE} : DhcpNameServer = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R1 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-9-1 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2011-10-18 315408]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe [2010-6-18 377600]
R2 KAGGGRPN08879996955609;Kaseya Agent;c:\program files\kaseya\agent\AgentMon.exe [2010-3-30 835584]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-10-18 366152]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2009-9-21 576024]
R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\ralink\common\RaRegistry.exe [2011-11-21 374112]
R2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\Scutum50.sys [2011-11-21 19072]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
R3 Cherry Device Interface;Cherry Device Interface;c:\program files\hp\pos_keyboard\cdi\cdi.exe [2008-6-4 585774]
R3 elomoufiltr;ELO TouchSystems-SRV2;c:\windows\system32\drivers\elofiltr.sys [2010-5-12 53248]
R3 EloUsb;ELO TouchSystems-SRV;c:\windows\system32\drivers\EloUsb.Sys [2010-5-12 92032]
R3 HP_USB;HP_USB.Sys;c:\windows\system32\drivers\HP_USB.sys [2009-9-21 19584]
R3 KAPFA;KAPFA;c:\windows\system32\drivers\KaPFA.sys [2010-3-30 17920]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-10-18 22216]
S0 pgqvmw;pgqvmw;c:\windows\system32\drivers\ycmuvxc.sys --> c:\windows\system32\drivers\ycmuvxc.sys [?]
S3 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
S3 Ch2kPS2;Cherry PS/2 Keyboard Driver (CDI);c:\windows\system32\drivers\Ch2kPS2.sys [2007-6-26 130560]
S3 RaMediaServer;RaMediaServer;c:\program files\ralink\common\RaMediaServer.exe [2011-11-21 619872]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2011-11-21 1139040]
S4 POSPerformanceCounters;Point Of Service Performance Counters;c:\program files\microsoft point of service\Microsoft.PointOfService.Service.exe [2008-2-29 42056]
.
=============== Created Last 30 ================
.
2011-12-29 17:32:56 -------- d--h--w- C:\$AVG
2011-12-29 17:01:10 -------- d-----w- c:\documents and settings\administrator\application data\AVG2012
2011-12-29 16:53:15 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-12-29 16:49:44 -------- d-----w- c:\windows\system32\drivers\AVG
2011-12-29 16:49:44 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2011-12-29 16:47:30 -------- d-----w- c:\program files\AVG
2011-12-29 16:43:02 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-12-29 16:34:38 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-12-15 14:36:46 -------- d-----w- c:\documents and settings\administrator\application data\Dropbox
2011-12-15 14:28:35 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Google
.
==================== Find3M ====================
.
2011-10-19 13:38:26 3496848 ----a-w- C:\ccsetup311.exe
2011-10-18 18:10:29 684297 ----a-w- C:\unhide.exe
.
============= FINISH: 13:19:35.93 ===============
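Two entries in the DDS log above are the ones a malware responder would look at first: the boot-start service `S0 pgqvmw` whose driver file `ycmuvxc.sys` DDS prints as `--> ... [?]`, and the `DPF` ActiveX download from `red12.dyndns.org:81`. The script below is an added example for this page, not code from the thread or from the DDS/ComboFix tools, that scores such lines automatically. Its assumptions are labelled in the code: the vendor allowlist for CAB downloads, the scoring weights, the "random-looking name" heuristic, and the reading of `[?]` as "file not found on disk". The sample input is copied from the log posted above.

```python
"""Triage a DDS log for two indicators seen in the thread above: a boot-start
driver whose file DDS cannot find on disk, and an ActiveX CAB (DPF entry)
fetched from a host that is not a known vendor."""
import ntpath
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# SERVICES / DRIVERS line: <R|S><start type> name;display;path [date size];
# assumption: a file DDS cannot find is printed as "path --> path [?]".
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);[^;]*;"
    r"(?P<path>.*?)(?:\s+-->\s+(?P<redir>\S+))?\s+\[(?P<meta>[^\]]*)\]\s*$")
DPF_RE = re.compile(r"^DPF:\s+\{[0-9A-Fa-f-]+\}\s+-\s+(?P<url>\S+)")

# Assumption for this example: vendor domains from which a CAB download is unremarkable.
TRUSTED_CAB_HOSTS = ("microsoft.com", "java.sun.com", "macromedia.com", "hp.com")
VOWELS = set("aeiou")


@dataclass
class Finding:
    kind: str       # "driver" or "dpf"
    subject: str    # service name or download host
    score: int
    reasons: list = field(default_factory=list)


def looks_random(name: str) -> bool:
    """Machine-generated-name heuristic ('pgqvmw'): five or more lowercase
    letters with at most one vowel. 'AVGIDSEH' and 'klbg' do not trip it."""
    return (name.isalpha() and name.islower() and len(name) >= 5
            and sum(c in VOWELS for c in name) <= 1)


def score_service(line: str):
    """Score one SERVICES / DRIVERS line; None for any other line."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    f = Finding("driver", m["name"], 0)
    if m["meta"].strip() == "?" or m["redir"] is not None:
        f.score += 3
        f.reasons.append("file not found on disk (DDS prints '--> path [?]')")
    if int(m["start"]) <= 1:
        f.score += 1
        f.reasons.append(f"loads at boot/system start (type {m['start']})")
    if looks_random(m["name"]):
        f.score += 1
        f.reasons.append(f"random-looking service name {m['name']!r}")
    stem = ntpath.splitext(ntpath.basename(m["path"]))[0]
    if looks_random(stem) and stem.lower() != m["name"].lower():
        f.score += 1
        f.reasons.append(f"random-looking file name {stem!r} unrelated to the service name")
    return f


def check_dpf(line: str):
    """Score one DPF (Internet Explorer ActiveX download) line; None otherwise."""
    m = DPF_RE.match(line)
    if not m:
        return None
    parsed = urlparse(re.sub(r"^hxxp", "http", m["url"]))  # DDS defangs the scheme
    host = (parsed.hostname or "").lower()
    if any(host == d or host.endswith("." + d) for d in TRUSTED_CAB_HOSTS):
        return None
    f = Finding("dpf", host, 2, [f"ActiveX control fetched from non-allowlisted host {host}"])
    if parsed.port not in (None, 80, 443):
        f.score += 1
        f.reasons.append(f"non-standard port {parsed.port}")
    return f


def triage(log_text: str, threshold: int = 3) -> list:
    """Findings at or above threshold (an assumed cut-off), highest score first."""
    findings = []
    for raw in log_text.splitlines():
        f = score_service(raw.strip()) or check_dpf(raw.strip())
        if f and f.score >= threshold:
            findings.append(f)
    return sorted(findings, key=lambda f: -f.score)


# Lines copied from the DDS log posted above; "S0 pgqvmw" is the entry a
# responder would want to look at first.
SAMPLE_LOG = r"""
DPF: {4D0A481A-7155-498C-84D8-9CB84DEA237E} - hxxp://red12.dyndns.org:81/DVROcxEx.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1270055138468
DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} - hxxps://ggplus.gggroup.net/inc/kaxRemote.dll
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
S0 pgqvmw;pgqvmw;c:\windows\system32\drivers\ycmuvxc.sys --> c:\windows\system32\drivers\ycmuvxc.sys [?]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.kind}: {f.subject}")
        for reason in f.reasons:
            print("      -", reason)
```

Run against the sample, the missing boot-start driver scores 6 and the dyndns CAB on port 81 scores 3; the Kaspersky `R0 klbg` entry scores 1 (boot start, file present) and the `gggroup.net` download scores 2, so neither is reported at the default threshold. The heuristics are deliberately coarse: they rank what to check by hand, they do not decide.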

#7 gringo_pr (Malware Response Team)

Posted 09 January 2012 - 02:35 PM

Hello

I Would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#8 radish158 (Topic Starter)

Posted 10 January 2012 - 10:10 AM

Here's the Combofix log. No problems during the scan. Though I am curious why it deleted all the CL-Works files. It is a program we aren't using anymore, however.


ComboFix 12-01-09.03 - Administrator 01/09/2012 15:35:11.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.254 [GMT -5:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Start Menu\Programs\System Restore
c:\documents and settings\Administrator\Start Menu\Programs\System Restore\System Restore.lnk
c:\documents and settings\Administrator\Start Menu\Programs\System Restore\Uninstall System Restore.lnk
c:\program files\cas
c:\program files\cas\CL-Works\CASPRTC.dll
c:\program files\cas\CL-Works\CASSERIAL.dll
c:\program files\cas\CL-Works\CASSERVER.dll
c:\program files\cas\CL-Works\CASTCPIP.dll
c:\program files\cas\CL-Works\CL-Works Revision.txt
c:\program files\cas\CL-Works\CL-Works.exe
c:\program files\cas\CL-Works\CLInterpreter.dll
c:\program files\cas\CL-Works\CLJRInterpreter.dll
c:\program files\cas\CL-Works\CLReporter.exe
c:\program files\cas\CL-Works\code_image.dll
c:\program files\cas\CL-Works\Code01.dll
c:\program files\cas\CL-Works\code02.dll
c:\program files\cas\CL-Works\Code09.dll
c:\program files\cas\CL-Works\Code20.dll
c:\program files\cas\CL-Works\Code30.dll
c:\program files\cas\CL-Works\Code32.dll
c:\program files\cas\CL-Works\Code40.dll
c:\program files\cas\CL-Works\code41.dll
c:\program files\cas\CL-Works\Code42.dll
c:\program files\cas\CL-Works\Code43.dll
c:\program files\cas\CL-Works\Code50.dll
c:\program files\cas\CL-Works\codeset\Codeset.cap
c:\program files\cas\CL-Works\config\CLP.ini
c:\program files\cas\CL-Works\config\ClpGlobal.ini
c:\program files\cas\CL-Works\config\CLPmanager.cfg
c:\program files\cas\CL-Works\config\ClpMenu.ini
c:\program files\cas\CL-Works\config\ClpPC.ini
c:\program files\cas\CL-Works\config\CLPPCIP.ini
c:\program files\cas\CL-Works\config\code_last.dat
c:\program files\cas\CL-Works\config\code02.cap
c:\program files\cas\CL-Works\config\codemap.map
c:\program files\cas\CL-Works\config\convdb.ini
c:\program files\cas\CL-Works\config\Country.lst
c:\program files\cas\CL-Works\config\FieldSelect.fld
c:\program files\cas\CL-Works\config\Keypad.exp
c:\program files\cas\CL-Works\config\KeyPad.kpi
c:\program files\cas\CL-Works\config\PLUExpert.exp
c:\program files\cas\CL-Works\config\plustr_import.def
c:\program files\cas\CL-Works\config\plustruct.str
c:\program files\cas\CL-Works\config\Scheduler.cfg
c:\program files\cas\CL-Works\config\Tbl1.exp
c:\program files\cas\CL-Works\config\Tbl1_Origin.exp
c:\program files\cas\CL-Works\config\Tbl3.exp
c:\program files\cas\CL-Works\config\US\Code.txt
c:\program files\cas\CL-Works\config\US\config_us.cap
c:\program files\cas\CL-Works\config\US\Control.txt
c:\program files\cas\CL-Works\config\US\Data.txt
c:\program files\cas\CL-Works\config\US\discount_us.cap
c:\program files\cas\CL-Works\config\US\keypad_us.cap
c:\program files\cas\CL-Works\config\US\label_us.cap
c:\program files\cas\CL-Works\config\US\main_us.cap
c:\program files\cas\CL-Works\config\US\netserver_us.cap
c:\program files\cas\CL-Works\config\US\pluedit_us.cap
c:\program files\cas\CL-Works\config\US\plustruct_us.str
c:\program files\cas\CL-Works\config\US\Property.txt
c:\program files\cas\CL-Works\config\US\report_us.cap
c:\program files\cas\CL-Works\config\US\SafeHandling.cmp
c:\program files\cas\CL-Works\config\US\String.txt
c:\program files\cas\CL-Works\config\US\table1_us.cap
c:\program files\cas\CL-Works\config\US\table2_us.cap
c:\program files\cas\CL-Works\config\US\table3_us.cap
c:\program files\cas\CL-Works\data\CLReport.ldb
c:\program files\cas\CL-Works\data\CLReport.mdb
c:\program files\cas\CL-Works\data\Hanging.set
c:\program files\cas\CL-Works\data\Key.set
c:\program files\cas\CL-Works\data\Log\COMMAND-100513.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100518.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100521.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100522.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100524.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100525.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100527.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100603.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100611.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100621.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100622.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100625.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100626.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100701.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100703.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100707.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100708.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100709.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100713.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100714.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100719.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100720.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100721.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100725.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100804.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100805.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100809.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100817.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100921.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100922.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100926.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100927.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100928.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100929.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-100930.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-101001.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-101002.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-101004.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-101007.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-101008.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-101009.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-101010.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-101019.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-101020.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-101028.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-101105.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-101108.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-101206.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-101220.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-110107.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-110110.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-110111.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-110113.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-110114.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-110117.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-110119.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-110120.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-110122.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-110125.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-110128.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-110218.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-110301.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-110307.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-110311.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-110315.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-110322.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-110411.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-110413.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-110414.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-110415.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-110429.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-110505.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-110615.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-110630.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-110701.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-110702.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-110703.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-110710.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-110718.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-110727.LG1
c:\program files\cas\CL-Works\data\Log\COMMAND-110728.LG1
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100513.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100518.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100521.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100522.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100524.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100525.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100527.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100603.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100611.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100621.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100622.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100625.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100626.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100701.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100703.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100707.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100708.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100709.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100713.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100714.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100719.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100720.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100721.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100725.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100804.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100805.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100809.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100817.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100921.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100922.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100926.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100927.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100928.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100929.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-100930.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-101001.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-101002.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-101004.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-101007.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-101008.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-101009.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-101010.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-101019.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-101020.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-101028.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-101105.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-101108.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-101206.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-101220.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-110107.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-110110.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-110111.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-110113.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-110114.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-110117.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-110119.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-110120.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-110122.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-110125.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-110128.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-110218.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-110301.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-110307.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-110311.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-110315.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-110322.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-110411.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-110413.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-110414.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-110415.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-110429.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-110505.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-110615.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-110630.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-110701.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-110702.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-110703.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-110710.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-110718.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-110727.LG2
c:\program files\cas\CL-Works\data\Log\TRANSMIT-110728.LG2
c:\program files\cas\CL-Works\data\MAINDATA.mdb
c:\program files\cas\CL-Works\data\MAINDB.MDB
c:\program files\cas\CL-Works\data\Pole.set
c:\program files\cas\CL-Works\data\PutData\Down_20100513105807.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100513112405.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100513112541.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100518125630.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100521090528.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100521091130.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100521091805.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100521093633.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100521094743.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100521095511.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100522115230.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100524124705.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100524141740.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100524141825.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100524150316.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100524164905.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100524165141.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100524165305.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100525171433.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100525171742.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100525171857.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100525172019.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100525174005.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100525174107.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100525174325.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100527110309.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100527110836.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100527131856.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100527131908.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100527132044.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100527132546.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100527133343.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100527133401.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100527135948.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100527140111.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100527140127.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100527140229.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100603122343.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100603182933.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100603182952.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100611125506.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100611125541.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100611125649.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100611125726.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100611130025.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100611130416.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100611132244.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100611132303.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100611132327.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100611132336.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100611132411.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100611132435.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100611132600.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100611141524.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100611182728.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100621164756.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100621164934.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100622121432.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100625214603.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100626115116.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100626122839.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100626122844.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100701221918.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100703103820.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100703104001.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100707123021.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100707125955.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100707130140.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100707153858.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100707154107.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100708113221.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100708115410.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100708222505.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100708222920.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100708223005.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100708223102.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100708223137.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100708223208.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100708223234.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100709110955.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100709133609.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100713171321.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100714201525.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100719130101.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100719130150.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100720144107.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100720144311.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100721121406.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100721130049.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100721153853.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100725111452.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100725111720.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100804112047.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100805161825.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100809215535.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100809215607.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100817170842.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100817170914.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100921123209.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100921123222.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100921165418.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100922182258.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100922182314.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100922182323.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100922182349.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100926122552.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100926122607.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100926161356.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100927101523.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100927101535.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100927115418.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100927120203.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100928115526.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100928115556.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100929131807.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100930122347.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100930122358.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100930122414.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100930122826.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100930122851.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100930162646.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100930162654.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100930162722.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100930162842.dat
c:\program files\cas\CL-Works\data\PutData\Down_20100930162924.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101001132445.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101001132455.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101001132505.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101001132632.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101001132738.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101001132841.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101002121749.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101002121756.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101002121810.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101002121816.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101002200154.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101002200224.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101002203900.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101002203915.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101002203935.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101002210340.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101002210350.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101004102727.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101004102742.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101004102907.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101004102941.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101004103001.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101004103022.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101004103037.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101004103149.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101004104020.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101004115842.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101004120116.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101004123613.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101004123629.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101004123635.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101007111308.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101007111318.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101007143537.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101008192328.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101008200721.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101009122551.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101009122610.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101009154900.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101009161007.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101009193024.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101009193123.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101010142611.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101010142618.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101019094739.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101019094801.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101020130711.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101020130716.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101028125937.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101028125947.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101105161349.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101105161525.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101105161538.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101108122606.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101108122740.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101108122800.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101108122817.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101108122832.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101108122839.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101206100147.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101206100155.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101220133049.dat
c:\program files\cas\CL-Works\data\PutData\Down_20101220133054.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110107172213.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110107172228.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110110115535.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110110115544.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110110115558.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110110115630.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110110120139.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110110120233.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110110120253.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110110120301.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110111184538.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110111184550.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110111184606.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110113101210.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110113101215.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110113101435.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110113101450.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110113101458.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110113102352.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110114111536.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110114111610.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110114111618.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110114120123.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110114120503.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110114120517.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110114120533.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110114120626.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110114120638.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110114120647.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110114120659.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110114120711.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110114120719.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110114133553.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110114133605.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110114133617.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110114133625.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110117131058.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110117131104.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110117131109.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110117131134.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110117131141.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110117133037.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110117133042.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110119141459.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110119141515.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110119141523.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110119141533.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110119141554.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110119141621.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110119141632.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110119141737.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110119141746.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110119141757.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110119141805.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110119141816.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110119141832.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110119141856.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110119141932.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110119141950.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110119142143.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110119142204.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110120100646.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110120100653.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110122220236.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110122220250.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110122220305.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110122220322.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110122220349.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110122220425.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110122220436.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110122220446.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110125100011.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110125100017.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110125113838.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110125113841.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110125113847.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110128120943.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110128120948.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110218120522.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110301105840.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110307172522.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110307172533.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110307172728.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110311090739.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110311090744.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110315190022.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110315190158.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110315190214.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110315190229.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110315190607.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110315190628.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110315190647.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110315190655.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110315190715.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110315190733.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110315190748.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110315190809.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110315190833.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110315190857.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110315190912.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110315190927.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110315191008.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110315191035.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110315191310.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110315191329.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110315191336.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110322111434.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110322111515.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110411110717.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110413114726.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110413114736.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110413114746.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110413114818.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110413114823.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110414180340.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110414180356.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110414180416.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110414180443.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110414180456.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110414180517.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110414180528.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110414185315.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110414185331.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110414185955.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110414190023.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110414190343.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110414213921.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110415084448.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110415084522.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110415084531.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110415084538.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110415093943.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110415093957.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110415094009.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110429145024.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110429145709.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110505101628.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110615104944.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110615104952.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110615105019.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110615105025.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110630135538.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110630135722.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110630135730.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110630135736.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110630135743.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110630135753.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110630135808.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110630164940.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110630164954.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110630165004.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110630165038.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110630165107.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110630165127.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110630165234.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110630165256.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110630165320.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110630165348.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110630165402.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110630165415.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110630165439.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110630204219.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110630204451.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110701103607.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110701103627.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110701103806.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110701103851.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110701103912.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110701103939.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110701103954.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110701104014.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110701104047.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110701171308.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110701171511.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110701171738.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110702154844.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110702170152.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110703152303.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110703184851.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110710150317.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110718164502.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110727103821.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110727103855.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110727104901.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110727104906.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110727105210.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110728160837.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110728160909.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110728165526.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110728165534.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110728165541.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110728165629.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110728165758.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110728165814.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110728165945.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110728165951.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110728171500.dat
c:\program files\cas\CL-Works\data\PutData\Down_20110728171616.dat
c:\program files\cas\CL-Works\data\REPORT.FDB
c:\program files\cas\CL-Works\data\SelfKey.set
c:\program files\cas\CL-Works\data\ServerData.svd
c:\program files\cas\CL-Works\data\Standard.set
c:\program files\cas\CL-Works\data\Test.MDB
c:\program files\cas\CL-Works\data\Test1.MDB
c:\program files\cas\CL-Works\DATAOPTION.INI
c:\program files\cas\CL-Works\excel\Keypad Sample.xls
c:\program files\cas\CL-Works\excel\PLU Sample-ENG.xls
c:\program files\cas\CL-Works\ExportExcel.dll
c:\program files\cas\CL-Works\fbembed.dll
c:\program files\cas\CL-Works\firebird.msg
c:\program files\cas\CL-Works\fonts\FNT-1250-0000-LT2.ROM
c:\program files\cas\CL-Works\fonts\FNT-1251-0000-RUS.ROM
c:\program files\cas\CL-Works\fonts\FNT-1252-0000-ENG.ROM
c:\program files\cas\CL-Works\fonts\FNT-1252-0949-KOR.ROM
c:\program files\cas\CL-Works\fonts\FNT-1253-0000-GRC.ROM
c:\program files\cas\CL-Works\fonts\FNT-1254-0000-TUR.ROM
c:\program files\cas\CL-Works\fonts\FNT-1256-0000-ARB.ROM
c:\program files\cas\CL-Works\fonts\FNT-1257-0000-BAL.ROM
c:\program files\cas\CL-Works\FreeImage.dll
c:\program files\cas\CL-Works\ib_util.dll
c:\program files\cas\CL-Works\icudt30.dll
c:\program files\cas\CL-Works\icuin30.dll
c:\program files\cas\CL-Works\icuuc30.dll
c:\program files\cas\CL-Works\intl\fbintl.dll
c:\program files\cas\CL-Works\keydata\Key.set
c:\program files\cas\CL-Works\keydata\KeyPad.kpi
c:\program files\cas\CL-Works\label\81 (8030)-1.lfm
c:\program files\cas\CL-Works\label\82 (8030)-2.lfm
c:\program files\cas\CL-Works\label\83 (8030)-3.lfm
c:\program files\cas\CL-Works\label\84 (8040)-1.lfm
c:\program files\cas\CL-Works\label\85 (8040)-2.lfm
c:\program files\cas\CL-Works\label\86 (8040)-3.lfm
c:\program files\cas\CL-Works\label\CanadianNFT.LFM
c:\program files\cas\CL-Works\label\Label-1.lfm
c:\program files\cas\CL-Works\label\Label-10.lfm
c:\program files\cas\CL-Works\label\Label-11.lfm
c:\program files\cas\CL-Works\label\Label-12.lfm
c:\program files\cas\CL-Works\label\Label-13.lfm
c:\program files\cas\CL-Works\label\Label-14.lfm
c:\program files\cas\CL-Works\label\Label-15.lfm
c:\program files\cas\CL-Works\label\Label-16.lfm
c:\program files\cas\CL-Works\label\Label-17.lfm
c:\program files\cas\CL-Works\label\Label-18.lfm
c:\program files\cas\CL-Works\label\Label-19.lfm
c:\program files\cas\CL-Works\label\Label-2.lfm
c:\program files\cas\CL-Works\label\Label-20.lfm
c:\program files\cas\CL-Works\label\Label-21.lfm
c:\program files\cas\CL-Works\label\Label-22.lfm
c:\program files\cas\CL-Works\label\Label-23.lfm
c:\program files\cas\CL-Works\label\Label-24.lfm
c:\program files\cas\CL-Works\label\Label-25.lfm
c:\program files\cas\CL-Works\label\Label-26.lfm
c:\program files\cas\CL-Works\label\Label-27.lfm
c:\program files\cas\CL-Works\label\Label-28.lfm
c:\program files\cas\CL-Works\label\Label-29.lfm
c:\program files\cas\CL-Works\label\Label-3.lfm
c:\program files\cas\CL-Works\label\Label-30.lfm
c:\program files\cas\CL-Works\label\Label-31.lfm
c:\program files\cas\CL-Works\label\Label-32.lfm
c:\program files\cas\CL-Works\label\Label-33.lfm
c:\program files\cas\CL-Works\label\Label-34.lfm
c:\program files\cas\CL-Works\label\Label-35.lfm
c:\program files\cas\CL-Works\label\Label-36.lfm
c:\program files\cas\CL-Works\label\Label-37.lfm
c:\program files\cas\CL-Works\label\Label-38.lfm
c:\program files\cas\CL-Works\label\Label-39.lfm
c:\program files\cas\CL-Works\label\Label-4.lfm
c:\program files\cas\CL-Works\label\Label-40.lfm
c:\program files\cas\CL-Works\label\Label-41.lfm
c:\program files\cas\CL-Works\label\Label-42.lfm
c:\program files\cas\CL-Works\label\Label-43.lfm
c:\program files\cas\CL-Works\label\Label-44.lfm
c:\program files\cas\CL-Works\label\Label-45.lfm
c:\program files\cas\CL-Works\label\Label-5.lfm
c:\program files\cas\CL-Works\label\Label-6.lfm
c:\program files\cas\CL-Works\label\Label-7.lfm
c:\program files\cas\CL-Works\label\Label-8.lfm
c:\program files\cas\CL-Works\label\Label-9.lfm
c:\program files\cas\CL-Works\label\Label-91(Currency).lfm
c:\program files\cas\CL-Works\label\Label-92(Currency).lfm
c:\program files\cas\CL-Works\label\Label-93(KorTraceability).lfm
c:\program files\cas\CL-Works\label\Label-93(Traceability).lfm
c:\program files\cas\CL-Works\label\Label-94(Nutrition).lfm
c:\program files\cas\CL-Works\label\LP17\AccLabel-0.LFM
c:\program files\cas\CL-Works\label\LP17\Label-1.lfm
c:\program files\cas\CL-Works\label\LP17\Label-10.lfm
c:\program files\cas\CL-Works\label\LP17\Label-11.lfm
c:\program files\cas\CL-Works\label\LP17\Label-12.lfm
c:\program files\cas\CL-Works\label\LP17\Label-13.lfm
c:\program files\cas\CL-Works\label\LP17\Label-14.lfm
c:\program files\cas\CL-Works\label\LP17\Label-15.lfm
c:\program files\cas\CL-Works\label\LP17\Label-16.lfm
c:\program files\cas\CL-Works\label\LP17\Label-17.lfm
c:\program files\cas\CL-Works\label\LP17\Label-18.lfm
c:\program files\cas\CL-Works\label\LP17\Label-19.lfm
c:\program files\cas\CL-Works\label\LP17\Label-2.lfm
c:\program files\cas\CL-Works\label\LP17\Label-20.lfm
c:\program files\cas\CL-Works\label\LP17\Label-21.lfm
c:\program files\cas\CL-Works\label\LP17\Label-22.lfm
c:\program files\cas\CL-Works\label\LP17\Label-23.lfm
c:\program files\cas\CL-Works\label\LP17\Label-24.lfm
c:\program files\cas\CL-Works\label\LP17\Label-25.lfm
c:\program files\cas\CL-Works\label\LP17\Label-26.lfm
c:\program files\cas\CL-Works\label\LP17\Label-27.lfm
c:\program files\cas\CL-Works\label\LP17\Label-28.lfm
c:\program files\cas\CL-Works\label\LP17\Label-3.lfm
c:\program files\cas\CL-Works\label\LP17\Label-4.lfm
c:\program files\cas\CL-Works\label\LP17\Label-5.lfm
c:\program files\cas\CL-Works\label\LP17\Label-6.lfm
c:\program files\cas\CL-Works\label\LP17\Label-7.lfm
c:\program files\cas\CL-Works\label\LP17\Label-8.lfm
c:\program files\cas\CL-Works\label\LP17\Label-9.lfm
c:\program files\cas\CL-Works\LP17Interpreter.dll
c:\program files\cas\CL-Works\LPInterpreter.dll
c:\program files\cas\CL-Works\LPRUSInterpreter.dll
c:\program files\cas\CL-Works\msvcp71.dll
c:\program files\cas\CL-Works\msvcr71.dll
c:\program files\cas\CL-Works\picture\cas\Factory.gif
c:\program files\cas\CL-Works\picture\english\010100-Spinash(Samgae).gif
c:\program files\cas\CL-Works\picture\english\010100-Spinash.jpg
c:\program files\cas\CL-Works\picture\english\010200-Bok Cabbage.jpg
c:\program files\cas\CL-Works\picture\english\010200-Cabbage-1.jpg
c:\program files\cas\CL-Works\picture\english\010200-Cabbage-2.jpg
c:\program files\cas\CL-Works\picture\english\010200-Celery Cabbage.jpg
c:\program files\cas\CL-Works\picture\english\010200-Chinese Cabbage.jpg
c:\program files\cas\CL-Works\picture\english\010200-Napa Cabbage.jpg
c:\program files\cas\CL-Works\picture\english\010300-Lettuce.jpg
c:\program files\cas\CL-Works\picture\english\010303-Boston Lettuce.jpg
c:\program files\cas\CL-Works\picture\english\010303-Green Leaf Lettuce.gif
c:\program files\cas\CL-Works\picture\english\010303-Lettuce.gif
c:\program files\cas\CL-Works\picture\english\010400-Perilla Leaf.jpg
c:\program files\cas\CL-Works\picture\english\010500-Stone Leek.gif
c:\program files\cas\CL-Works\picture\english\010700-Black Leaf Lettuce.gif
c:\program files\cas\CL-Works\picture\english\010800-Suger Beet-1.gif
c:\program files\cas\CL-Works\picture\english\010800-Suger Beet-2.gif
c:\program files\cas\CL-Works\picture\english\010900-Savoy Cabbage.jpg
c:\program files\cas\CL-Works\picture\english\011000-Crown daisy.gif
c:\program files\cas\CL-Works\picture\english\020100-Sweet Potato.jpg
c:\program files\cas\CL-Works\picture\english\020300-Lotus Root-2.jpg
c:\program files\cas\CL-Works\picture\english\020300-Lotus Root.jpg
c:\program files\cas\CL-Works\picture\english\020400-Red Radish.jpg
c:\program files\cas\CL-Works\picture\english\020500-White Radish.jpg
c:\program files\cas\CL-Works\picture\english\020600-Carrot.jpg
c:\program files\cas\CL-Works\picture\english\020801-Red Beet.jpg
c:\program files\cas\CL-Works\picture\english\021100-Onion.jpg
c:\program files\cas\CL-Works\picture\english\030100-SoyBean-1.jpg
c:\program files\cas\CL-Works\picture\english\030100-SoyBean-2.jpg
c:\program files\cas\CL-Works\picture\english\030200-Bean.jpg
c:\program files\cas\CL-Works\picture\english\030200-Kidney Bean.jpg
c:\program files\cas\CL-Works\picture\english\030300-Egg Beautyhybrid.jpg
c:\program files\cas\CL-Works\picture\english\030300-Eggplant.gif
c:\program files\cas\CL-Works\picture\english\030300-Eggsnowy.jpg
c:\program files\cas\CL-Works\picture\english\030400-Cayenne pepper.gif
c:\program files\cas\CL-Works\picture\english\030400-Chili Pepper 5.jpg
c:\program files\cas\CL-Works\picture\english\030400-Holland Bell pepper.jpg
c:\program files\cas\CL-Works\picture\english\030400-Hungarian Wax Pepper.jpg
c:\program files\cas\CL-Works\picture\english\030400-Red Chili Pepper.jpg
c:\program files\cas\CL-Works\picture\english\030500-Ball Tomato.gif
c:\program files\cas\CL-Works\picture\english\030500-Nepal Tomato.gif
c:\program files\cas\CL-Works\picture\english\030600-Cucumber.jpg
c:\program files\cas\CL-Works\picture\english\030600-Pickle Cucumber.gif
c:\program files\cas\CL-Works\picture\english\030700-Korean Star Evergreen.gif
c:\program files\cas\CL-Works\picture\english\050100-Lemon.jpg
c:\program files\cas\CL-Works\picture\english\050200-Apple.jpg
c:\program files\cas\CL-Works\picture\english\050300-Banana.jpg
c:\program files\cas\CL-Works\picture\english\050400-Orange.jpg
c:\program files\cas\CL-Works\picture\english\050500-Fine Apple.gif
c:\program files\cas\CL-Works\picture\english\Artichoke.jpg
c:\program files\cas\CL-Works\picture\english\Bean Cake.jpg
c:\program files\cas\CL-Works\picture\english\Coffee Bean.jpg
c:\program files\cas\CL-Works\picture\english\Green Pepper.jpg
c:\program files\cas\CL-Works\picture\english\Ground Cherry.jpg
c:\program files\cas\CL-Works\picture\english\Indian corn.jpg
c:\program files\cas\CL-Works\picture\english\Indian Millet.jpg
c:\program files\cas\CL-Works\picture\english\Kiwi.jpg
c:\program files\cas\CL-Works\picture\english\Millet.jpg
c:\program files\cas\CL-Works\picture\english\Pea.jpg
c:\program files\cas\CL-Works\picture\english\Peanut.jpg
c:\program files\cas\CL-Works\picture\english\Perilla Leaf.jpg
c:\program files\cas\CL-Works\picture\english\Perilla Oil.jpg
c:\program files\cas\CL-Works\picture\english\Pickled Radish.jpg
c:\program files\cas\CL-Works\picture\english\PopCorn.jpg
c:\program files\cas\CL-Works\picture\english\post-cabbage.jpg
c:\program files\cas\CL-Works\picture\english\Potato.jpg
c:\program files\cas\CL-Works\picture\english\Pumpkin-1.jpg
c:\program files\cas\CL-Works\picture\english\Pumpkin Seed.jpg
c:\program files\cas\CL-Works\picture\english\Radish.jpg
c:\program files\cas\CL-Works\picture\english\Red Leaf Lettuce.jpg
c:\program files\cas\CL-Works\picture\english\Red pepper.jpg
c:\program files\cas\CL-Works\picture\english\Rice Cake.jpg
c:\program files\cas\CL-Works\picture\english\Rice.jpg
c:\program files\cas\CL-Works\picture\english\Safe Handling Logo.bmp
c:\program files\cas\CL-Works\picture\english\Safe Handling Logo2.bmp
c:\program files\cas\CL-Works\picture\english\Salted Radish.jpg
c:\program files\cas\CL-Works\picture\english\Sesame Oil.jpg
c:\program files\cas\CL-Works\Put.exe
c:\program files\cas\CL-Works\udf\fbudf.dll
c:\program files\cas\CL-Works\udf\fbudf.sql
c:\program files\cas\CL-Works\udf\ib_udf.dll
c:\program files\cas\CL-Works\udf\ib_udf.sql
c:\recycler\k-1-3542-4232123213-7676767-8888886
D:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-12-09 to 2012-01-09 )))))))))))))))))))))))))))))))
.
.
2011-12-29 17:32 . 2011-12-29 17:32 -------- d-----w- C:\$AVG
2011-12-29 17:01 . 2011-12-29 17:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG2012
2011-12-29 16:53 . 2011-12-29 16:53 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-12-29 16:49 . 2012-01-04 13:52 -------- d-----w- c:\windows\system32\drivers\AVG
2011-12-29 16:49 . 2011-12-29 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2011-12-29 16:47 . 2011-12-29 16:47 -------- d-----w- c:\program files\AVG
2011-12-29 16:34 . 2012-01-04 13:52 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-12-15 14:36 . 2011-12-15 18:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Dropbox
2011-12-15 14:28 . 2011-12-15 14:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-19 13:38 . 2011-10-19 13:37 3496848 ----a-w- C:\ccsetup311.exe
2011-10-18 18:10 . 2011-10-18 18:16 684297 ----a-w- C:\unhide.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CherryKeyMan"="c:\program files\HP\POS_Keyboard\KeyMan\KeyMan.exe" [2008-05-14 237620]
"CDIMSRClient"="c:\program files\HP\POS_Keyboard\CDI\cdimsrclient.exe" [2007-08-23 53303]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2008-04-07 318488]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-21 525824]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-31 761856]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-07-10 872448]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-14 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-14 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-14 137752]
"KASHGGGRPN08879996955609"="c:\program files\Kaseya\Agent\KaUsrTsk.exe" [2011-01-26 380928]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2010-06-18 377600]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-12-03 2415456]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
POS.lnk - c:\program files\Microsoft Retail Management System\Store Operations\SOPOSUSER.exe [2009-6-23 8038304]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Ralink Wireless Utility.lnk - c:\program files\Ralink\Common\RaUI.exe [2011-11-21 11474272]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KAGGGRPN08879996955609]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\GGPlusTemp\\kf51751.exe"=
"c:\\GGPlusTemp\\kf58611.exe"=
"c:\\GGPlusTemp\\KRlyCCon.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 1:14 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 6:30 AM 32592]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 8:18 PM 36880]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 6:23 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 1:14 AM 295248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]
R2 KAGGGRPN08879996955609;Kaseya Agent;c:\program files\Kaseya\Agent\AgentMon.exe [3/30/2010 1:29 PM 835584]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/18/2011 10:37 AM 366152]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [9/21/2009 3:09 PM 576024]
R2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\Scutum50.sys [11/21/2011 5:17 PM 19072]
R3 Cherry Device Interface;Cherry Device Interface;c:\program files\HP\POS_Keyboard\CDI\cdi.exe [6/4/2008 5:57 PM 585774]
R3 elomoufiltr;ELO TouchSystems-SRV2;c:\windows\system32\drivers\elofiltr.sys [5/12/2010 11:34 AM 53248]
R3 EloUsb;ELO TouchSystems-SRV;c:\windows\system32\drivers\EloUsb.Sys [5/12/2010 11:34 AM 92032]
R3 HP_USB;HP_USB.Sys;c:\windows\system32\drivers\HP_USB.sys [9/21/2009 2:39 PM 19584]
R3 KAPFA;KAPFA;c:\windows\system32\drivers\KaPFA.sys [3/30/2010 1:29 PM 17920]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 1:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 6:39 PM 19472]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/18/2011 10:37 AM 22216]
S0 pgqvmw;pgqvmw;c:\windows\system32\drivers\ycmuvxc.sys --> c:\windows\system32\drivers\ycmuvxc.sys [?]
S3 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25 AM 4433248]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 1:14 AM 134608]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 1:14 AM 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [10/4/2011 6:21 AM 16720]
S3 Ch2kPS2;Cherry PS/2 Keyboard Driver (CDI);c:\windows\system32\drivers\Ch2kPS2.sys [6/26/2007 4:38 PM 130560]
S3 RaMediaServer;RaMediaServer;c:\program files\Ralink\Common\RaMediaServer.exe [11/21/2011 5:17 PM 619872]
S4 POSPerformanceCounters;Point Of Service Performance Counters;c:\program files\Microsoft Point Of Service\Microsoft.PointOfService.Service.exe [2/29/2008 8:25 PM 42056]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-319598781-1850958345-3917305692-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-15 14:28]
.
2012-01-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-319598781-1850958345-3917305692-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-15 14:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.237.161.12 71.250.0.12
DPF: {4D0A481A-7155-498C-84D8-9CB84DEA237E} - hxxp://red12.dyndns.org:81/DVROcxEx.cab
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-EloTouchscreen - c:\program files\EloTouchSystems\EloSetup
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-09 18:15
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3012)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\ImgUtil.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\windows\system32\EloSrvce.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Ralink\Common\RaRegistry.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\windows\system32\EloDkMon.exe
c:\windows\system32\EloTTray.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-01-09 18:33:34 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-09 23:33
.
Pre-Run: 47,691,776,000 bytes free
Post-Run: 48,388,280,320 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - E4CCA7A81EAED5A0E6AFDF7F81E1BCF9
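
The ComboFix output above lists drivers and services, firewall exceptions and open-port rules in a regular text format, so the entries worth a second look can be pulled out mechanically. The script below is an added example, not ComboFix's own logic and not from anyone in this thread. It parses those sections from an excerpt of the log posted above and flags: a service whose image file ComboFix could not find on disk (the `path --> path [?]` form, here the boot-start driver `pgqvmw`), firewall exceptions that point outside the usual program directories, the `EnableFirewall = 0` setting, and globally opened ports with their enabled/disabled state. The prefix allow-list and the finding labels are my own choices; the sample lines are copied from the log, not invented.

```python
"""Triage a ComboFix-style log: services with a missing image file, firewall
exceptions outside the usual program directories, firewall state, open ports.
Added example, not part of the thread; SAMPLE_LOG is excerpted from the log above."""
import re

SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[(?P<info>[^\]]*)\]\s*$")
FW_APP_RE = re.compile(r'^"(?P<path>[^"]+)"=\s*$')
FW_PORT_RE = re.compile(r'^"(?P<port>\d+:(?:TCP|UDP))"=\s*(?P<spec>\S+)\s*$')

# Crude allow-list of where firewall-exempted binaries normally live; anything
# else (temp folders, user profiles, drive roots) is surfaced for review.
EXPECTED_PREFIXES = ("c:\\windows\\", "%windir%\\", "c:\\program files\\", "c:\\progra~1\\")


def triage(lines):
    """Return a list of (label, ...) tuples for the entries worth reviewing."""
    findings = []
    section = ""
    for raw in lines:
        line = raw.strip()
        if not line or line == ".":            # ComboFix uses "." as a spacer line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()              # registry key header
            continue
        m = SERVICE_RE.match(line)
        if m:
            # "path --> path [?]" is ComboFix's marker for an image it could not find
            if m["info"] == "?" or " --> " in m["path"]:
                findings.append(("missing-service-binary", m["start"], m["name"],
                                 m["path"].split(" --> ")[0]))
            continue
        if section.endswith("standardprofile]") and line.lower().startswith('"enablefirewall"'):
            value = line.split("=", 1)[1].split()[0]
            if value == "0":
                findings.append(("firewall-disabled", "standardprofile"))
            continue
        if "authorizedapplications" in section:
            m = FW_APP_RE.match(line)
            if m:
                path = m["path"].replace("\\\\", "\\").lower()
                if not path.startswith(EXPECTED_PREFIXES):
                    findings.append(("firewall-exception-unusual-path", path))
            continue
        if "globallyopenports" in section:
            m = FW_PORT_RE.match(line)
            if m:
                state = "enabled" if ":Enabled:" in m["spec"] else "disabled"
                findings.append(("firewall-open-port", m["port"], state))
    return findings


# Excerpt of the ComboFix output posted above (firewall policy and service sections).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\GGPlusTemp\\kf51751.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 1:14 AM 23120]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [9/21/2009 3:09 PM 576024]
S0 pgqvmw;pgqvmw;c:\windows\system32\drivers\ycmuvxc.sys --> c:\windows\system32\drivers\ycmuvxc.sys [?]
S3 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25 AM 4433248]
"""

FINDINGS = triage(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for finding in FINDINGS:
        print(*finding)
```

The allow-list only orders the review; it is not a verdict. The `pgqvmw` entry sits under `system32\drivers`, where plenty of malware lives, and what makes it stand out is the random-looking name paired with an image file that does not exist, which is what a boot-start driver left behind by a rootkit typically looks like. The 3389/TCP rule is present but marked Disabled, so it is not open today; on a machine named RADISH_POS1 that is also running WinVNC4.exe and two SQL Server instances (see the process list above), the remote-access surface still deserves a deliberate look once the infection is cleared.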

#9 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 10 January 2012 - 12:16 PM

Hello

Are you still getting redirected?


I want you to run this tool for me next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

I close my topics if you have not replied in 5 days. If you will be longer, please let me know.

If I have not replied to one of my topics in 48 hrs, please bump the topic.

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate of Malware Removal University

#10 radish158 (Topic Starter, Members, 9 posts)

Posted 10 January 2012 - 03:30 PM

It was still redirecting before I ran TDSSKiller, but now it seems to be okay!

15:23:03.0132 1884 TDSS rootkit removing tool 2.7.0.0 Jan 10 2012 09:14:26
15:23:03.0554 1884 ============================================================
15:23:03.0554 1884 Current date / time: 2012/01/10 15:23:03.0554
15:23:03.0554 1884 SystemInfo:
15:23:03.0554 1884
15:23:03.0554 1884 OS Version: 5.1.2600 ServicePack: 2.0
15:23:03.0554 1884 Product type: Workstation
15:23:03.0554 1884 ComputerName: RADISH_POS1
15:23:03.0554 1884 UserName: Administrator
15:23:03.0554 1884 Windows directory: C:\WINDOWS
15:23:03.0554 1884 System windows directory: C:\WINDOWS
15:23:03.0554 1884 Processor architecture: Intel x86
15:23:03.0554 1884 Number of processors: 2
15:23:03.0554 1884 Page size: 0x1000
15:23:03.0554 1884 Boot type: Normal boot
15:23:03.0554 1884 ============================================================
15:23:06.0226 1884 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000, SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K', Flags 0x00000054
15:23:06.0382 1884 Initialize success
15:23:08.0539 4908 ============================================================
15:23:08.0539 4908 Scan started
15:23:08.0539 4908 Mode: Manual;
15:23:08.0539 4908 ============================================================
15:23:09.0054 4908 Abiosdsk - ok
15:23:09.0070 4908 abp480n5 - ok
15:23:09.0164 4908 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
15:23:09.0164 4908 ac97intc - ok
15:23:09.0195 4908 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
15:23:09.0211 4908 ACPI - ok
15:23:09.0226 4908 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
15:23:09.0226 4908 ACPIEC - ok
15:23:09.0273 4908 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
15:23:09.0273 4908 adpu160m - ok
15:23:09.0320 4908 adpu320 (0ea9b1f0c6c90a509c8603775366adb7) C:\WINDOWS\system32\DRIVERS\adpu320.sys
15:23:09.0320 4908 adpu320 - ok
15:23:09.0398 4908 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
15:23:09.0398 4908 aec - ok
15:23:09.0476 4908 AFD (6a0397376853e604de8e1e7a87fc08ac) C:\WINDOWS\System32\drivers\afd.sys
15:23:09.0476 4908 AFD - ok
15:23:09.0523 4908 Aha154x - ok
15:23:09.0554 4908 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
15:23:09.0554 4908 aic78u2 - ok
15:23:09.0570 4908 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
15:23:09.0586 4908 aic78xx - ok
15:23:09.0617 4908 AliIde - ok
15:23:09.0632 4908 amsint - ok
15:23:09.0664 4908 asc - ok
15:23:09.0726 4908 asc3350p - ok
15:23:09.0773 4908 asc3550 - ok
15:23:09.0851 4908 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
15:23:09.0851 4908 AsyncMac - ok
15:23:09.0882 4908 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
15:23:09.0898 4908 atapi - ok
15:23:09.0914 4908 Atdisk - ok
15:23:09.0976 4908 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
15:23:09.0976 4908 Atmarpc - ok
15:23:10.0023 4908 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
15:23:10.0023 4908 audstub - ok
15:23:10.0101 4908 AVGIDSDriver (4fa401b33c1b50c816486f6951244a14) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
15:23:10.0101 4908 AVGIDSDriver - ok
15:23:10.0132 4908 AVGIDSEH (69578bc9d43d614c6b3455db4af19762) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
15:23:10.0148 4908 AVGIDSEH - ok
15:23:10.0179 4908 AVGIDSFilter (6df528406aa22201f392b9b19121cd6f) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
15:23:10.0179 4908 AVGIDSFilter - ok
15:23:10.0242 4908 AVGIDSShim (1e01c2166b5599802bcd61b9691f7476) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
15:23:10.0242 4908 AVGIDSShim - ok
15:23:10.0289 4908 Avgldx86 (bf8118cd5e2255387b715b534d64acd1) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
15:23:10.0304 4908 Avgldx86 - ok
15:23:10.0336 4908 Avgmfx86 (1c77ef67f196466adc9924cb288afe87) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
15:23:10.0336 4908 Avgmfx86 - ok
15:23:10.0367 4908 Avgrkx86 (f2038ed7284b79dcef581468121192a9) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
15:23:10.0367 4908 Avgrkx86 - ok
15:23:10.0414 4908 Avgtdix (a6d562b612216d8d02a35ebeb92366bd) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
15:23:10.0429 4908 Avgtdix - ok
15:23:10.0507 4908 b57w2k (fbc80c5ad5d6995614cd99d505ec812d) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
15:23:10.0507 4908 b57w2k - ok
15:23:10.0586 4908 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
15:23:10.0586 4908 Beep - ok
15:23:10.0632 4908 catchme - ok
15:23:10.0679 4908 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
15:23:10.0695 4908 cbidf2k - ok
15:23:10.0711 4908 cd20xrnt - ok
15:23:10.0757 4908 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
15:23:10.0773 4908 Cdaudio - ok
15:23:10.0820 4908 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
15:23:10.0820 4908 Cdfs - ok
15:23:10.0851 4908 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
15:23:10.0851 4908 Cdrom - ok
15:23:10.0898 4908 Ch2kPS2 (970dddebaa177ad1f738a24c8d9c0735) C:\WINDOWS\system32\DRIVERS\Ch2kPS2.sys
15:23:10.0898 4908 Ch2kPS2 - ok
15:23:10.0929 4908 Changer - ok
15:23:11.0007 4908 CmdIde - ok
15:23:11.0023 4908 Cpqarray - ok
15:23:11.0054 4908 dac2w2k - ok
15:23:11.0070 4908 dac960nt - ok
15:23:11.0132 4908 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
15:23:11.0132 4908 Disk - ok
15:23:11.0211 4908 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
15:23:11.0242 4908 dmboot - ok
15:23:11.0273 4908 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
15:23:11.0289 4908 dmio - ok
15:23:11.0304 4908 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
15:23:11.0320 4908 dmload - ok
15:23:11.0351 4908 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
15:23:11.0367 4908 DMusic - ok
15:23:11.0429 4908 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
15:23:11.0429 4908 dpti2o - ok
15:23:11.0492 4908 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
15:23:11.0507 4908 drmkaud - ok
15:23:11.0539 4908 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
15:23:11.0539 4908 E100B - ok
15:23:11.0601 4908 elomoufiltr (8c8e031f32d5f1808a5ae4c912b57607) C:\WINDOWS\system32\DRIVERS\elofiltr.sys
15:23:11.0601 4908 elomoufiltr - ok
15:23:11.0648 4908 EloUsb (8ebf908ba3909488b7ad3d696c9059b7) C:\WINDOWS\system32\DRIVERS\EloUsb.sys
15:23:11.0664 4908 EloUsb - ok
15:23:11.0711 4908 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
15:23:11.0711 4908 Fastfat - ok
15:23:11.0757 4908 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
15:23:11.0757 4908 Fdc - ok
15:23:11.0804 4908 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
15:23:11.0820 4908 Fips - ok
15:23:11.0882 4908 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
15:23:11.0882 4908 Flpydisk - ok
15:23:11.0945 4908 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
15:23:11.0945 4908 FltMgr - ok
15:23:11.0992 4908 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
15:23:11.0992 4908 Fs_Rec - ok
15:23:12.0023 4908 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
15:23:12.0023 4908 Ftdisk - ok
15:23:12.0070 4908 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
15:23:12.0070 4908 Gpc - ok
15:23:12.0117 4908 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
15:23:12.0117 4908 HDAudBus - ok
15:23:12.0164 4908 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
15:23:12.0164 4908 HidUsb - ok
15:23:12.0179 4908 hpn - ok
15:23:12.0226 4908 HP_USB (b41179a201ea5d969ceb45f2c328fcf2) C:\WINDOWS\system32\Drivers\HP_USB.sys
15:23:12.0226 4908 HP_USB - ok
15:23:12.0289 4908 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
15:23:12.0304 4908 HTTP - ok
15:23:12.0336 4908 i2omgmt - ok
15:23:12.0398 4908 i2omp - ok
15:23:12.0476 4908 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
15:23:12.0476 4908 i8042prt - ok
15:23:12.0507 4908 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
15:23:12.0507 4908 i81x - ok
15:23:12.0539 4908 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
15:23:12.0539 4908 iAimFP0 - ok
15:23:12.0554 4908 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
15:23:12.0554 4908 iAimFP1 - ok
15:23:12.0586 4908 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
15:23:12.0586 4908 iAimFP2 - ok
15:23:12.0632 4908 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
15:23:12.0632 4908 iAimFP3 - ok
15:23:12.0648 4908 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
15:23:12.0648 4908 iAimFP4 - ok
15:23:12.0679 4908 iAimFP5 (0308aef61941e4af478fa1a0f83812f5) C:\WINDOWS\system32\DRIVERS\wADV07nt.sys
15:23:12.0679 4908 iAimFP5 - ok
15:23:12.0726 4908 iAimFP6 (714038a8aa5de08e12062202cd7eaeb5) C:\WINDOWS\system32\DRIVERS\wADV08nt.sys
15:23:12.0726 4908 iAimFP6 - ok
15:23:12.0773 4908 iAimFP7 (7bb3aa595e4507a788de1cdc63f4c8c4) C:\WINDOWS\system32\DRIVERS\wADV09nt.sys
15:23:12.0773 4908 iAimFP7 - ok
15:23:12.0820 4908 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
15:23:12.0836 4908 iAimTV0 - ok
15:23:12.0867 4908 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
15:23:12.0882 4908 iAimTV1 - ok
15:23:12.0929 4908 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
15:23:12.0929 4908 iAimTV3 - ok
15:23:12.0961 4908 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
15:23:12.0961 4908 iAimTV4 - ok
15:23:12.0992 4908 iAimTV5 (791cc45de6e50445be72e8ad6401ff45) C:\WINDOWS\system32\DRIVERS\wATV10nt.sys
15:23:12.0992 4908 iAimTV5 - ok
15:23:13.0054 4908 iAimTV6 (352fa0e98bc461ce1ce5d41f64db558d) C:\WINDOWS\system32\DRIVERS\wATV06nt.sys
15:23:13.0054 4908 iAimTV6 - ok
15:23:13.0336 4908 ialm (48846b31be5a4fa662ccfde7a1ba86b9) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
15:23:14.0070 4908 ialm - ok
15:23:14.0211 4908 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
15:23:14.0226 4908 Imapi - ok
15:23:14.0304 4908 ini910u - ok
15:23:14.0492 4908 IntcAzAudAddService (744a7507d7a69a2a54638b8e5b630c0b) C:\WINDOWS\system32\drivers\RtkHDAud.sys
15:23:14.0648 4908 IntcAzAudAddService - ok
15:23:14.0742 4908 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
15:23:14.0742 4908 IntelIde - ok
15:23:14.0789 4908 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
15:23:14.0804 4908 intelppm - ok
15:23:14.0851 4908 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
15:23:14.0851 4908 Ip6Fw - ok
15:23:14.0914 4908 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
15:23:14.0914 4908 IpFilterDriver - ok
15:23:14.0945 4908 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
15:23:14.0961 4908 IpInIp - ok
15:23:15.0023 4908 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
15:23:15.0039 4908 IpNat - ok
15:23:15.0054 4908 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
15:23:15.0070 4908 IPSec - ok
15:23:15.0086 4908 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
15:23:15.0101 4908 IRENUM - ok
15:23:15.0132 4908 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
15:23:15.0132 4908 isapnp - ok
15:23:15.0211 4908 KAPFA (f0c4a6d81d30866aaf8cfa983d9d13d7) C:\WINDOWS\system32\drivers\KAPFA.SYS
15:23:15.0211 4908 KAPFA - ok
15:23:15.0289 4908 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
15:23:15.0289 4908 Kbdclass - ok
15:23:15.0351 4908 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
15:23:15.0351 4908 kbdhid - ok
15:23:15.0398 4908 kl1 (ce3958f58547454884e97bda78cd7040) c:\WINDOWS\system32\drivers\kl1.sys
15:23:15.0398 4908 kl1 - ok
15:23:15.0429 4908 klbg (53eedab3f0511321ac3ae8bc968b158c) C:\WINDOWS\system32\drivers\klbg.sys
15:23:15.0429 4908 klbg - ok
15:23:15.0461 4908 KLIF (439c778700fce23f2852535d6fa5996d) C:\WINDOWS\system32\DRIVERS\klif.sys
15:23:15.0476 4908 KLIF - ok
15:23:15.0507 4908 klim5 (fbdc2034b58d2135d25fe99eb8b747c3) C:\WINDOWS\system32\DRIVERS\klim5.sys
15:23:15.0507 4908 klim5 - ok
15:23:15.0554 4908 klmouflt (1f351c4ba53bfe58a1ca5fcdd11e1f81) C:\WINDOWS\system32\DRIVERS\klmouflt.sys
15:23:15.0554 4908 klmouflt - ok
15:23:15.0617 4908 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
15:23:15.0617 4908 kmixer - ok
15:23:15.0695 4908 KSecDD (1be7cc2535d760ae4d481576eb789f24) C:\WINDOWS\system32\drivers\KSecDD.sys
15:23:15.0695 4908 KSecDD - ok
15:23:15.0742 4908 lbrtfdc - ok
15:23:15.0820 4908 MBAMProtector (69a6268d7f81e53d568ab4e7e991caf3) C:\WINDOWS\system32\drivers\mbam.sys
15:23:15.0820 4908 MBAMProtector - ok
15:23:15.0898 4908 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
15:23:15.0898 4908 mnmdd - ok
15:23:15.0945 4908 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
15:23:15.0945 4908 Modem - ok
15:23:15.0976 4908 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
15:23:15.0992 4908 Mouclass - ok
15:23:16.0054 4908 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
15:23:16.0054 4908 mouhid - ok
15:23:16.0070 4908 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
15:23:16.0086 4908 MountMgr - ok
15:23:16.0086 4908 mraid35x - ok
15:23:16.0132 4908 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
15:23:16.0132 4908 MRxDAV - ok
15:23:16.0211 4908 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
15:23:16.0226 4908 MRxSmb - ok
15:23:16.0289 4908 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
15:23:16.0304 4908 Msfs - ok
15:23:16.0336 4908 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
15:23:16.0336 4908 MSKSSRV - ok
15:23:16.0382 4908 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
15:23:16.0382 4908 MSPCLOCK - ok
15:23:16.0398 4908 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
15:23:16.0398 4908 MSPQM - ok
15:23:16.0429 4908 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
15:23:16.0445 4908 mssmbios - ok
15:23:16.0476 4908 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
15:23:16.0492 4908 Mup - ok
15:23:16.0523 4908 NDIS (83f1b9dd1bc1f8d0a4a00f1b34dde5ef) C:\WINDOWS\system32\drivers\NDIS.sys
15:23:16.0523 4908 NDIS - ok
15:23:16.0554 4908 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
15:23:16.0570 4908 NdisTapi - ok
15:23:16.0586 4908 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
15:23:16.0586 4908 Ndisuio - ok
15:23:16.0632 4908 NdisWan (ad317f5ea88992e92de6e6b957db280b) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
15:23:16.0632 4908 NdisWan - ok
15:23:16.0695 4908 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
15:23:16.0695 4908 NDProxy - ok
15:23:16.0726 4908 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
15:23:16.0726 4908 NetBIOS - ok
15:23:16.0757 4908 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
15:23:16.0773 4908 NetBT - ok
15:23:16.0836 4908 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
15:23:16.0851 4908 Npfs - ok
15:23:16.0914 4908 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
15:23:16.0929 4908 Ntfs - ok
15:23:16.0976 4908 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
15:23:16.0992 4908 Null - ok
15:23:17.0039 4908 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
15:23:17.0039 4908 NwlnkFlt - ok
15:23:17.0086 4908 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
15:23:17.0101 4908 NwlnkFwd - ok
15:23:17.0148 4908 P3 (3e16eff2a6fed2d8d7f5a66dfe65d183) C:\WINDOWS\system32\DRIVERS\p3.sys
15:23:17.0148 4908 P3 - ok
15:23:17.0211 4908 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
15:23:17.0226 4908 Parport - ok
15:23:17.0273 4908 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
15:23:17.0273 4908 PartMgr - ok
15:23:17.0304 4908 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
15:23:17.0304 4908 ParVdm - ok
15:23:17.0367 4908 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
15:23:17.0367 4908 PCI - ok
15:23:17.0382 4908 PCIDump - ok
15:23:17.0414 4908 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
15:23:17.0429 4908 PCIIde - ok
15:23:17.0461 4908 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
15:23:17.0461 4908 Pcmcia - ok
15:23:17.0507 4908 PDCOMP - ok
15:23:17.0523 4908 PDFRAME - ok
15:23:17.0554 4908 PDRELI - ok
15:23:17.0570 4908 PDRFRAME - ok
15:23:17.0617 4908 perc2 - ok
15:23:17.0632 4908 perc2hib - ok
15:23:17.0679 4908 pgqvmw - ok
15:23:17.0742 4908 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
15:23:17.0757 4908 PptpMiniport - ok
15:23:17.0804 4908 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
15:23:17.0804 4908 PSched - ok
15:23:17.0836 4908 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
15:23:17.0836 4908 Ptilink - ok
15:23:17.0882 4908 ql1080 - ok
15:23:17.0929 4908 Ql10wnt - ok
15:23:17.0976 4908 ql12160 - ok
15:23:18.0023 4908 ql1240 - ok
15:23:18.0086 4908 ql1280 - ok
15:23:18.0132 4908 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
15:23:18.0132 4908 RasAcd - ok
15:23:18.0211 4908 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
15:23:18.0211 4908 Rasl2tp - ok
15:23:18.0226 4908 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
15:23:18.0242 4908 RasPppoe - ok
15:23:18.0257 4908 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
15:23:18.0257 4908 Raspti - ok
15:23:18.0304 4908 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
15:23:18.0320 4908 Rdbss - ok
15:23:18.0336 4908 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
15:23:18.0351 4908 RDPCDD - ok
15:23:18.0382 4908 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
15:23:18.0398 4908 rdpdr - ok
15:23:18.0476 4908 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
15:23:18.0476 4908 RDPWD - ok
15:23:18.0539 4908 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
15:23:18.0554 4908 redbook - ok
15:23:18.0695 4908 rt2870 (0a7293edc2537652a4914018a7589f14) C:\WINDOWS\system32\DRIVERS\rt2870.sys
15:23:18.0742 4908 rt2870 - ok
15:23:18.0804 4908 Scutum50 (f34c06d1c706a6d9433570b087a18b02) C:\WINDOWS\system32\Drivers\Scutum50.sys
15:23:18.0804 4908 Scutum50 - ok
15:23:18.0851 4908 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
15:23:18.0851 4908 Secdrv - ok
15:23:18.0914 4908 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
15:23:18.0914 4908 serenum - ok
15:23:18.0961 4908 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
15:23:18.0961 4908 Serial - ok
15:23:19.0007 4908 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
15:23:19.0023 4908 Sfloppy - ok
15:23:19.0070 4908 Simbad - ok
15:23:19.0117 4908 Sparrow - ok
15:23:19.0164 4908 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
15:23:19.0179 4908 splitter - ok
15:23:19.0242 4908 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
15:23:19.0242 4908 sr - ok
15:23:19.0304 4908 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
15:23:19.0320 4908 Srv - ok
15:23:19.0367 4908 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
15:23:19.0367 4908 swenum - ok
15:23:19.0382 4908 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
15:23:19.0398 4908 swmidi - ok
15:23:19.0429 4908 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
15:23:19.0445 4908 symc810 - ok
15:23:19.0476 4908 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
15:23:19.0476 4908 symc8xx - ok
15:23:19.0492 4908 Symmpi (f2b7e8416f508368ac6730e2ae1c614f) C:\WINDOWS\system32\DRIVERS\symmpi.sys
15:23:19.0507 4908 Symmpi - ok
15:23:19.0523 4908 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
15:23:19.0523 4908 sym_hi - ok
15:23:19.0570 4908 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
15:23:19.0586 4908 sym_u3 - ok
15:23:19.0617 4908 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
15:23:19.0617 4908 sysaudio - ok
15:23:19.0711 4908 Tcpip (744e57c99232201ae98c49168b918f48) C:\WINDOWS\system32\DRIVERS\tcpip.sys
15:23:19.0726 4908 Tcpip - ok
15:23:19.0757 4908 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
15:23:19.0773 4908 TDPIPE - ok
15:23:19.0789 4908 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
15:23:19.0789 4908 TDTCP - ok
15:23:19.0820 4908 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
15:23:19.0820 4908 TermDD - ok
15:23:19.0882 4908 TosIde - ok
15:23:19.0961 4908 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
15:23:19.0961 4908 Udfs - ok
15:23:19.0992 4908 ultra - ok
15:23:20.0070 4908 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
15:23:20.0070 4908 usbccgp - ok
15:23:20.0148 4908 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
15:23:20.0148 4908 usbehci - ok
15:23:20.0195 4908 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
15:23:20.0195 4908 usbhub - ok
15:23:20.0273 4908 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
15:23:20.0289 4908 usbprint - ok
15:23:20.0351 4908 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
15:23:20.0351 4908 USBSTOR - ok
15:23:20.0382 4908 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
15:23:20.0398 4908 usbuhci - ok
15:23:20.0414 4908 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
15:23:20.0429 4908 VgaSave - ok
15:23:20.0476 4908 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys
15:23:20.0476 4908 ViaIde - ok
15:23:20.0523 4908 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
15:23:20.0523 4908 VolSnap - ok
15:23:20.0586 4908 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
15:23:20.0601 4908 Wanarp - ok
15:23:20.0617 4908 WDICA - ok
15:23:20.0679 4908 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
15:23:20.0695 4908 wdmaud - ok
15:23:20.0836 4908 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
15:23:20.0851 4908 WmiAcpi - ok
15:23:20.0929 4908 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
15:23:20.0929 4908 WS2IFSL - ok
15:23:21.0007 4908 MBR (0x1B8) (6f9a1d528242bc09104b85e0becf5554) \Device\Harddisk0\DR0
15:23:21.0023 4908 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.a ) - infected
15:23:21.0023 4908 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.a (0)
15:23:21.0039 4908 Boot (0x1200) (7a356643eb18b56d3ce0f4d12ea0e783) \Device\Harddisk0\DR0\Partition0
15:23:21.0039 4908 \Device\Harddisk0\DR0\Partition0 - ok
15:23:21.0070 4908 Boot (0x1200) (75baf0278dcba656a5668c303e6a6f0b) \Device\Harddisk0\DR0\Partition1
15:23:21.0070 4908 \Device\Harddisk0\DR0\Partition1 - ok
15:23:21.0070 4908 ============================================================
15:23:21.0070 4908 Scan finished
15:23:21.0070 4908 ============================================================
15:23:21.0086 4840 Detected object count: 1
15:23:21.0086 4840 Actual detected object count: 1
15:23:38.0898 4840 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.a ) - will be cured on reboot
15:23:38.0898 4840 \Device\Harddisk0\DR0 - ok
15:23:38.0898 4840 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.a ) - User select action: Cure
15:23:42.0273 4520 Deinitialize success

#11 gringo_pr

Malware Response Team

Posted 10 January 2012 - 06:45 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 radish158

  • Topic Starter
  • Members

Posted 11 January 2012 - 10:48 AM

No problems encountered thus far.

ComboFix 12-01-10.02 - Administrator 01/11/2012 10:28:31.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.310 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
((((((((((((((((((((((((( Files Created from 2011-12-11 to 2012-01-11 )))))))))))))))))))))))))))))))
.
.
2011-12-29 17:32 . 2011-12-29 17:32 -------- d-----w- C:\$AVG
2011-12-29 17:01 . 2011-12-29 17:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG2012
2011-12-29 16:53 . 2011-12-29 16:53 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-12-29 16:49 . 2012-01-11 14:10 -------- d-----w- c:\windows\system32\drivers\AVG
2011-12-29 16:49 . 2011-12-29 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2011-12-29 16:47 . 2011-12-29 16:47 -------- d-----w- c:\program files\AVG
2011-12-29 16:34 . 2012-01-11 14:10 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-12-15 14:36 . 2011-12-15 18:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Dropbox
2011-12-15 14:28 . 2011-12-15 14:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-19 13:38 . 2011-10-19 13:37 3496848 ----a-w- C:\ccsetup311.exe
2011-10-18 18:10 . 2011-10-18 18:16 684297 ----a-w- C:\unhide.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-09_23.17.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-11 08:18 . 2012-01-11 08:18 16384 c:\windows\Temp\Perflib_Perfdata_864.dat
+ 2012-01-11 08:01 . 2009-05-26 11:40 26488 c:\windows\$hf_mig$\KB979683\update\spcustom.dll
+ 2011-10-26 14:45 . 2010-03-05 14:54 16896 c:\windows\$hf_mig$\KB979683\update\mpsyschk.dll
+ 2012-01-11 08:01 . 2009-05-26 11:40 17272 c:\windows\$hf_mig$\KB979683\spmsg.dll
+ 2012-01-11 08:01 . 2009-05-26 11:40 382840 c:\windows\$hf_mig$\KB979683\update\updspapi.dll
+ 2012-01-11 08:01 . 2009-05-26 11:40 755576 c:\windows\$hf_mig$\KB979683\update\update.exe
+ 2012-01-11 08:01 . 2009-05-26 11:40 231288 c:\windows\$hf_mig$\KB979683\spuninst.exe
+ 2006-02-28 10:00 . 2010-02-16 17:35 2143744 c:\windows\system32\ntoskrnl.exe
+ 2006-02-28 10:00 . 2010-02-16 16:57 2021888 c:\windows\system32\ntkrnlpa.exe
+ 2009-10-15 01:08 . 2010-02-16 17:37 2186880 c:\windows\system32\dllcache\ntoskrnl.exe
+ 2009-10-15 01:08 . 2010-02-16 16:57 2021888 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2009-10-15 01:08 . 2010-02-17 15:57 2063744 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2009-10-15 01:08 . 2010-02-16 17:35 2143744 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2009-09-21 19:59 . 2010-02-16 17:37 2186880 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2009-09-21 19:59 . 2010-02-16 16:57 2021888 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2009-09-21 19:59 . 2010-02-17 15:57 2063744 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2009-09-21 19:59 . 2010-02-16 17:35 2143744 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2011-10-26 14:45 . 2010-02-16 12:52 2190080 c:\windows\$hf_mig$\KB979683\SP3QFE\ntoskrnl.exe
+ 2011-10-26 14:45 . 2010-02-16 12:12 2024448 c:\windows\$hf_mig$\KB979683\SP3QFE\ntkrpamp.exe
+ 2011-10-26 14:45 . 2010-02-16 12:12 2066944 c:\windows\$hf_mig$\KB979683\SP3QFE\ntkrnlpa.exe
+ 2011-10-26 14:45 . 2010-02-16 12:50 2146304 c:\windows\$hf_mig$\KB979683\SP3QFE\ntkrnlmp.exe
+ 2010-02-17 13:10 . 2010-02-17 13:10 2189952 c:\windows\$hf_mig$\KB979683\SP3GDR\ntoskrnl.exe
+ 2011-10-26 14:45 . 2010-02-16 13:25 2024448 c:\windows\$hf_mig$\KB979683\SP3GDR\ntkrpamp.exe
+ 2011-10-26 14:45 . 2010-02-16 13:25 2066816 c:\windows\$hf_mig$\KB979683\SP3GDR\ntkrnlpa.exe
+ 2011-10-26 14:45 . 2010-02-16 14:08 2146304 c:\windows\$hf_mig$\KB979683\SP3GDR\ntkrnlmp.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CherryKeyMan"="c:\program files\HP\POS_Keyboard\KeyMan\KeyMan.exe" [2008-05-14 237620]
"CDIMSRClient"="c:\program files\HP\POS_Keyboard\CDI\cdimsrclient.exe" [2007-08-23 53303]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2008-04-07 318488]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-21 525824]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-31 761856]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-07-10 872448]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-14 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-14 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-14 137752]
"KASHGGGRPN08879996955609"="c:\program files\Kaseya\Agent\KaUsrTsk.exe" [2011-01-26 380928]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2010-06-18 377600]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-12-03 2415456]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
POS.lnk - c:\program files\Microsoft Retail Management System\Store Operations\SOPOSUSER.exe [2009-6-23 8038304]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Ralink Wireless Utility.lnk - c:\program files\Ralink\Common\RaUI.exe [2011-11-21 11474272]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KAGGGRPN08879996955609]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\GGPlusTemp\\kf51751.exe"=
"c:\\GGPlusTemp\\kf58611.exe"=
"c:\\GGPlusTemp\\KRlyCCon.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 1:14 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 6:30 AM 32592]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 8:18 PM 36880]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 6:23 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 1:14 AM 295248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]
R2 KAGGGRPN08879996955609;Kaseya Agent;c:\program files\Kaseya\Agent\AgentMon.exe [3/30/2010 1:29 PM 835584]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/18/2011 10:37 AM 366152]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [9/21/2009 3:09 PM 576024]
R2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\Scutum50.sys [11/21/2011 5:17 PM 19072]
R3 Cherry Device Interface;Cherry Device Interface;c:\program files\HP\POS_Keyboard\CDI\cdi.exe [6/4/2008 5:57 PM 585774]
R3 elomoufiltr;ELO TouchSystems-SRV2;c:\windows\system32\drivers\elofiltr.sys [5/12/2010 11:34 AM 53248]
R3 EloUsb;ELO TouchSystems-SRV;c:\windows\system32\drivers\EloUsb.Sys [5/12/2010 11:34 AM 92032]
R3 HP_USB;HP_USB.Sys;c:\windows\system32\drivers\HP_USB.sys [9/21/2009 2:39 PM 19584]
R3 KAPFA;KAPFA;c:\windows\system32\drivers\KaPFA.sys [3/30/2010 1:29 PM 17920]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 1:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 6:39 PM 19472]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/18/2011 10:37 AM 22216]
S0 pgqvmw;pgqvmw;c:\windows\system32\drivers\ycmuvxc.sys --> c:\windows\system32\drivers\ycmuvxc.sys [?]
S3 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25 AM 4433248]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 1:14 AM 134608]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 1:14 AM 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [10/4/2011 6:21 AM 16720]
S3 Ch2kPS2;Cherry PS/2 Keyboard Driver (CDI);c:\windows\system32\drivers\Ch2kPS2.sys [6/26/2007 4:38 PM 130560]
S3 RaMediaServer;RaMediaServer;c:\program files\Ralink\Common\RaMediaServer.exe [11/21/2011 5:17 PM 619872]
S4 POSPerformanceCounters;Point Of Service Performance Counters;c:\program files\Microsoft Point Of Service\Microsoft.PointOfService.Service.exe [2/29/2008 8:25 PM 42056]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-319598781-1850958345-3917305692-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-15 14:28]
.
2012-01-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-319598781-1850958345-3917305692-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-15 14:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.237.161.12 71.250.0.12
DPF: {4D0A481A-7155-498C-84D8-9CB84DEA237E} - hxxp://red12.dyndns.org:81/DVROcxEx.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-11 10:40
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(4724)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2012-01-11 10:44:53
ComboFix-quarantined-files.txt 2012-01-11 15:44
ComboFix2.txt 2012-01-09 23:33
.
Pre-Run: 48,280,588,288 bytes free
Post-Run: 48,265,740,288 bytes free
.
- - End Of File - - 9F252E1CED20AEE05D1472E4A5402D1C

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:40 PM

Posted 11 January 2012 - 10:54 AM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

1. Click on Start
2. Then go to Settings
3. After that you need Control Panel
4. Look for the icon Add/Remove Programs
Click on the following programs:

Java™ 6 Update 7

and click on Remove



Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#14 radish158

  • Topic Starter
  • Members

Posted 12 January 2012 - 08:34 AM

Here are the new logs:

Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.12.02

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 7.0.5730.13
Administrator :: RADISH_POS1 [administrator]

Protection: Enabled

1/12/2012 8:23:42 AM
mbam-log-2012-01-12 (08-23-42).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 160289
Time elapsed: 6 minute(s), 53 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


----

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:32:06 AM, on 1/12/2012
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
c:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\WINDOWS\system32\EloSrvce.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\Ralink\Common\RaRegistry.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\EloDkMon.exe
C:\WINDOWS\system32\EloTTray.exe
C:\Program Files\HP\POS_Keyboard\KeyMan\KeyMan.exe
C:\Program Files\HP\POS_Keyboard\CDI\cdimsrclient.exe
C:\Program Files\HP\POS_Keyboard\CDI\cdi.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Ralink\Common\RaUI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - c:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - c:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [CherryKeyMan] "C:\Program Files\HP\POS_Keyboard\KeyMan\KeyMan.exe"
O4 - HKLM\..\Run: [CDIMSRClient] "C:\Program Files\HP\POS_Keyboard\CDI\cdimsrclient.exe"
O4 - HKLM\..\Run: [PDF Complete] C:\Program Files\PDF Complete\pdfsty.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [KASHGGGRPN08879996955609] "C:\Program Files\Kaseya\Agent\KaUsrTsk.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [AVP] "c:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe"
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - Startup: POS.lnk = C:\Program Files\Microsoft Retail Management System\Store Operations\SOPOSUSER.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\Ralink\Common\RaUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4D0A481A-7155-498C-84D8-9CB84DEA237E} (DVROcxEx Control) - http://red12.dyndns.org:81/DVROcxEx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1270055138468
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - https://ggplus.gggroup.net/inc/kaxRemote.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - c:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
O23 - Service: Cherry Device Interface - Cherry, Auerbach Germany, www.cherry.de - C:\Program Files\HP\POS_Keyboard\CDI\cdi.exe
O23 - Service: EloSystemService - Elo Touchsystems - C:\WINDOWS\system32\EloSrvce.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kaseya Agent (KAGGGRPN08879996955609) - Kaseya International Limited - C:\Program Files\Kaseya\Agent\AgentMon.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: Ralink Registry Writer (RalinkRegistryWriter) - Ralink Technology, Corp. - C:\Program Files\Ralink\Common\RaRegistry.exe
O23 - Service: RaMediaServer - Unknown owner - C:\Program Files\Ralink\Common\RaMediaServer.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 8425 bytes

#15 gringo_pr

Malware Response Team

Posted 12 January 2012 - 01:30 PM

Greetings

These logs are looking very good; we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to; you can click on their icons (or start them from the Control Panel) and start each program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    • O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
    • O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    • O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not.
    Just copy the name between the brackets and paste it into the search space:
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. Vista and Win 7: right-click on the IE shortcut and run as admin.

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard and paste the results here in this topic
  • You may also find it here: C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic.

Gringo