
fake Windows Defender


Original Message
Name: santiago1
Date: January 21, 2008 at 15:55:16 Pacific
Subject: fake Windows Defender
OS: windows xp home edition
CPU/Ram: AMD Athlon Xp 2000 1.67 G
Comment:

I have had a bunch of spyware recently and I have been getting rid of it little by little, but I can't get rid of this fake WD I have. Help! It's like an icon in the bottom right corner and it says my computer is being attacked by spyware, and it's making my computer lag.




Response Number 1
Name: jabuck
Date: January 21, 2008 at 19:02:30 Pacific
Reply:

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



Response Number 2
Name: plrpro
Date: January 21, 2008 at 19:25:07 Pacific
Reply:

Here is a spyware removal guide that might help out as well. Be sure to post your hijack log here.

http://www.windowvistarepair.com/ar...



Response Number 3
Name: santiago1
Date: January 22, 2008 at 21:01:22 Pacific
Reply:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:18 PM, on 1/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\wdu27.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\wdu27 .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [Windows Defender] C:\DOCUME~1\Owner\LOCALS~1\Temp\wdc24.exe
O4 - HKLM\..\Run: [Windows Defender Adds] C:\DOCUME~1\Owner\LOCALS~1\Temp\wda25.exe
O4 - HKLM\..\Run: [Windows Defender Monitor] C:\WINDOWS\wdm26.exe
O4 - HKLM\..\Run: [Windows Defender Updater] C:\WINDOWS\wdu27.exe
O4 - HKCU\..\Run: [Windows Defender] C:\DOCUME~1\Owner\LOCALS~1\Temp\wdc28.exe
O4 - HKCU\..\Run: [Windows Defender Adds] C:\DOCUME~1\Owner\LOCALS~1\Temp\wda29.exe
O4 - HKCU\..\Run: [Windows Defender Monitor] C:\WINDOWS\wdm26.exe
O4 - HKCU\..\Run: [Windows Defender Updater] C:\WINDOWS\wdu27.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4283 bytes



Response Number 4
Name: jabuck
Date: January 23, 2008 at 03:44:18 Pacific
Reply:

Go to this link:

Disable Realtime Protection

Follow their directions to disable any realtime protection that you have as it will interfere with the fix by reinstalling the corrupt files.

Run Hijack This, close all windows and browsers except Hijack This, place a check to the left of the following items and press "fix checked":

O4 - HKLM\..\Run: [Windows Defender] C:\DOCUME~1\Owner\LOCALS~1\Temp\wdc24.exe


O4 - HKLM\..\Run: [Windows Defender Adds] C:\DOCUME~1\Owner\LOCALS~1\Temp\wda25.exe


O4 - HKLM\..\Run: [Windows Defender Monitor] C:\WINDOWS\wdm26.exe


O4 - HKLM\..\Run: [Windows Defender Updater] C:\WINDOWS\wdu27.exe


O4 - HKCU\..\Run: [Windows Defender] C:\DOCUME~1\Owner\LOCALS~1\Temp\wdc28.exe


O4 - HKCU\..\Run: [Windows Defender Adds] C:\DOCUME~1\Owner\LOCALS~1\Temp\wda29.exe

O4 - HKCU\..\Run: [Windows Defender Monitor] C:\WINDOWS\wdm26.exe

O4 - HKCU\..\Run: [Windows Defender Updater] C:\WINDOWS\wdu27.exe

Exit Hijack This.

Set up the computer to view hidden files:
To show hidden files do the following:
Click Start > My Computer
On the Tools menu, click Folder Options.
Click the View tab.
Uncheck Hide file extensions for known file types.
Uncheck Hide protected operating system files.
Under the Hidden files folder, locate and check Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply > OK.

Navigate to and delete these files if found:


C:\WINDOWS\wdu27.exe
C:\WINDOWS\wdu28.exe
C:\WINDOWS\wdu29.exe
C:\WINDOWS\wdu24.exe
C:\WINDOWS\wdu25.exe

Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.

Download ATF Cleaner from this link:
ATF Cleaner
Next, please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Please run the BitDefender online scan from this link:
Bitdefender Online Scanner

You will need to allow an ActiveX install for the scan to run.
Leave the scanning options at default and press "click here to scan"
When finished scanning, click on "click here to export the scan report"
Save it to your desktop, at "file name" type in "bdscan" then click save.
Post a log in your reply.


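The check applied by eye to the O4 lines in Response 4, as an added example that is not part of the original thread: it parses a HijackThis log, flags autoruns that borrow the "Windows Defender" name but point outside the real install directory or into a Temp folder, and flags running processes with a space before the extension (the `wdu27 .exe` pattern in the log). The function names are hypothetical, the Defender directory is an assumption taken from the `MsMpEng.exe` path in the posted log, and the sample is constructed from lines of that log plus one constructed genuine entry.

```python
import re

# Constructed sample in HijackThis v2 log format. Most lines are copied from
# the log posted in this thread; the last O4 line (a genuine Defender autorun)
# is constructed for contrast.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\wdu27.exe
C:\WINDOWS\wdu27 .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKLM\..\Run: [Windows Defender] C:\DOCUME~1\Owner\LOCALS~1\Temp\wdc24.exe
O4 - HKLM\..\Run: [Windows Defender Updater] C:\WINDOWS\wdu27.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
"""

# Assumption: the real Defender lives where the thread's log shows MsMpEng.exe.
# 8.3 short paths are not resolved offline, so a short form of this directory
# would be flagged and need manual review.
DEFENDER_DIR = "c:\\program files\\windows defender\\"

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
EXE_RE = re.compile(r"(.+?\.(?:exe|com|scr|bat|cmd|pif))(?:\s|$)", re.I)


def target_path(command):
    """Extract the executable path from a Run value, quoted or unquoted."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = EXE_RE.match(command)
    return m.group(1) if m else command


def parse_hijackthis(text):
    """Return (running process paths, O4 autorun entries) from a log."""
    processes, autoruns, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False  # a blank line ends the process section
            continue
        m = O4_RE.match(line)
        if m:
            autoruns.append({
                "hive": m.group("hive"),
                "name": m.group("name"),
                "path": target_path(m.group("cmd")),
            })
    return processes, autoruns


def flag_autoruns(autoruns):
    """Flag entries that borrow the Defender name or launch from Temp."""
    findings = []
    for entry in autoruns:
        path = entry["path"].lower()
        reasons = []
        if "windows defender" in entry["name"].lower() and not path.startswith(DEFENDER_DIR):
            reasons.append("name-impersonation")
        if "temp" in path.split("\\")[:-1]:
            reasons.append("runs-from-temp")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


def flag_processes(processes):
    """Flag images whose file name has whitespace just before the extension."""
    flagged = []
    for path in processes:
        filename = path.rsplit("\\", 1)[-1]
        stem = filename.rsplit(".", 1)[0]
        if stem != stem.rstrip():
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    procs, runs = parse_hijackthis(SAMPLE_LOG)
    for f in flag_autoruns(runs):
        print(f["hive"], f["name"], "->", f["path"], f["reasons"])
    for p in flag_processes(procs):
        print("odd process name:", repr(p))
```

A flagged line is a candidate for review, not a verdict; as Response 1 says, most of what HijackThis lists is harmless or required.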

Response Number 5
Name: santiago1
Date: January 23, 2008 at 20:13:00 Pacific
Reply:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:42 PM, on 1/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\wdc24.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\wdc24 .exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [Windows Defender] C:\DOCUME~1\Owner\LOCALS~1\Temp\wdc1A.exe
O4 - HKLM\..\Run: [Windows Defender Adds] C:\DOCUME~1\Owner\LOCALS~1\Temp\wda1B.exe
O4 - HKLM\..\Run: [Windows Defender Monitor] C:\WINDOWS\wdm1C.exe
O4 - HKLM\..\Run: [Windows Defender Updater] C:\WINDOWS\wdu1D.exe
O4 - HKCU\..\Run: [Windows Defender] C:\DOCUME~1\Owner\LOCALS~1\Temp\wdc1E.exe
O4 - HKCU\..\Run: [Windows Defender Adds] C:\DOCUME~1\Owner\LOCALS~1\Temp\wda1F.exe
O4 - HKCU\..\Run: [Windows Defender Monitor] C:\WINDOWS\wdm20.exe
O4 - HKCU\..\Run: [Windows Defender Updater] C:\WINDOWS\wdu21.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4059 bytes




Response Number 6
Name: santiago1
Date: January 23, 2008 at 20:22:31 Pacific
Reply:

I think my TeaTimer is blocking them or blocking my original WD.



Response Number 7
Name: jabuck
Date: January 24, 2008 at 03:30:45 Pacific
Reply:

You must turn TeaTimer off; in response #4, click the Realtime Protection link for directions on how to turn it off.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.



Response Number 8
Name: laurieg
Date: January 24, 2008 at 17:33:41 Pacific
Reply:

Can you help me? I have seen the threads where you've cleaned up the exact same symptoms I'm having. I just posted my most current SmitFraudFix report and HiJackThis report on a thread titled "Yellow triangle w Exclamation Mark".
Thank you so much!



Response Number 9
Name: santiago1
Date: January 24, 2008 at 20:45:15 Pacific
Reply:

ComboFix 08-01-23.1C - Owner 2008-01-24 20:12:18.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.691 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\DOCUME~1\Owner\LOCALS~1\Temp\wda1B.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\wdc1A.exe
C:\Documents and Settings\amparo.baby.!\Application Data\FunWebProducts
C:\Documents and Settings\amparo.baby.!\Application Data\FunWebProducts\Data\amparo.baby.!\avatar.dat
C:\Documents and Settings\amparo.baby.!\Application Data\FunWebProducts\Data\amparo.baby.!\zwinky.dat
C:\Documents and Settings\Owner\Application Data\antivirus.exe
C:\Documents and Settings\Owner\Application Data\trant.exe
C:\Documents and Settings\Owner\Local Settings\Temp\wda1D .exe
C:\Documents and Settings\Owner\Local Settings\Temp\wda1D.exe
C:\Documents and Settings\Owner\Local Settings\Temp\wda22 .exe
C:\Documents and Settings\Owner\Local Settings\Temp\wda22.exe
C:\Documents and Settings\Owner\Local Settings\Temp\wda25 .exe
C:\Documents and Settings\Owner\Local Settings\Temp\wda25.exe
C:\Documents and Settings\Owner\Local Settings\Temp\wda29 .exe
C:\Documents and Settings\Owner\Local Settings\Temp\wda29.exe
C:\Documents and Settings\Owner\Local Settings\Temp\wdc21 .exe
C:\Documents and Settings\Owner\Local Settings\Temp\wdc21.exe
C:\Documents and Settings\Owner\Local Settings\Temp\wdc24 .exe
C:\Documents and Settings\Owner\Local Settings\Temp\wdc24.exe
C:\Documents and Settings\Owner\Local Settings\Temp\wdc28 .exe
C:\Documents and Settings\Owner\Local Settings\Temp\wdc28.exe
C:\Documents and Settings\Owner\My Documents\ICROSO~1
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\pos3BD.tmp
C:\pos3BE.tmp
C:\pos3BF.tmp
C:\pos3C.tmp
C:\pos3C0.tmp
C:\pos3C1.tmp
C:\pos3C2.tmp
C:\pos3C3.tmp
C:\pos3C4.tmp
C:\pos3C5.tmp
C:\pos3C6.tmp
C:\pos3C7.tmp
C:\pos3C8.tmp
C:\pos3C9.tmp
C:\pos3CA.tmp
C:\pos3CB.tmp
C:\pos3CC.tmp
C:\pos3CD.tmp
C:\pos3CE.tmp
C:\pos3CF.tmp
C:\pos3D.tmp
C:\pos3D0.tmp
C:\pos3D1.tmp
C:\pos3D2.tmp
C:\pos3D3.tmp
C:\pos3D4.tmp
C:\pos3D5.tmp
C:\pos3D6.tmp
C:\pos3D7.tmp
C:\pos3D8.tmp
C:\pos3D9.tmp
C:\pos3DA.tmp
C:\pos3DB.tmp
C:\pos3DC.tmp
C:\pos3DD.tmp
C:\pos3DE.tmp
C:\pos3DF.tmp
C:\pos3E.tmp
C:\pos3E0.tmp
C:\pos3E1.tmp
C:\pos3E2.tmp
C:\pos3E3.tmp
C:\pos3E4.tmp
C:\pos3E5.tmp
C:\pos3E6.tmp
C:\pos3E7.tmp
C:\pos3E8.tmp
C:\pos3E9.tmp
C:\pos3EA.tmp
C:\pos3EB.tmp
C:\pos3EC.tmp
C:\pos3ED.tmp
C:\pos3EE.tmp
C:\pos3EF.tmp
C:\pos3F.tmp
C:\pos3F0.tmp
C:\pos3F1.tmp
C:\pos3F2.tmp
C:\pos3F3.tmp
C:\pos3F4.tmp
C:\pos3F5.tmp
C:\pos3F6.tmp
C:\pos3F7.tmp
C:\pos3F8.tmp
C:\pos3F9.tmp
C:\pos3FA.tmp
C:\pos3FB.tmp
C:\pos3FC.tmp
C:\pos3FD.tmp
C:\pos3FE.tmp
C:\pos3FF.tmp
C:\pos40.tmp
C:\pos400.tmp
C:\pos41.tmp
C:\pos42.tmp
C:\pos43.tmp
C:\pos44.tmp
C:\pos45.tmp
C:\pos46.tmp
C:\pos47.tmp
C:\pos48.tmp
C:\pos49.tmp
C:\pos4A.tmp
C:\pos4B.tmp
C:\pos4C.tmp
C:\pos4D.tmp
C:\pos4E.tmp
C:\pos4F.tmp
C:\pos50.tmp
C:\pos51.tmp
C:\pos52.tmp
C:\pos53.tmp
C:\pos54.tmp
C:\pos55.tmp
C:\pos56.tmp
C:\pos57.tmp
C:\pos58.tmp
C:\pos59.tmp
C:\pos5B.tmp
C:\pos5C.tmp
C:\pos5D.tmp
C:\pos5E.tmp
C:\pos5F.tmp
C:\pos60.tmp
C:\pos61.tmp
C:\pos62.tmp
C:\pos63.tmp
C:\pos64.tmp
C:\pos65.tmp
C:\pos66.tmp
C:\pos67.tmp
C:\pos68.tmp
C:\pos69.tmp
C:\pos6A.tmp
C:\pos6B.tmp
C:\pos6C.tmp
C:\pos6D.tmp
C:\pos6E.tmp
C:\pos6F.tmp
C:\pos70.tmp
C:\pos71.tmp
C:\pos72.tmp
C:\pos73.tmp
C:\pos74.tmp
C:\pos75.tmp
C:\pos76.tmp
C:\pos77.tmp
C:\pos78.tmp
C:\pos79.tmp
C:\pos7A.tmp
C:\pos7B.tmp
C:\pos7C.tmp
C:\pos7D.tmp
C:\pos7E.tmp
C:\pos7F.tmp
C:\pos80.tmp
C:\pos81.tmp
C:\pos82.tmp
C:\pos83.tmp
C:\pos84.tmp
C:\pos85.tmp
C:\pos86.tmp
C:\pos87.tmp
C:\pos88.tmp
C:\pos89.tmp
C:\pos8A.tmp
C:\pos8B.tmp
C:\pos8C.tmp
C:\pos8D.tmp
C:\pos8E.tmp
C:\pos8F.tmp
C:\pos90.tmp
C:\pos91.tmp
C:\pos92.tmp
C:\pos93.tmp
C:\pos94.tmp
C:\pos95.tmp
C:\pos96.tmp
C:\pos97.tmp
C:\pos98.tmp
C:\pos99.tmp
C:\pos9A.tmp
C:\pos9B.tmp
C:\pos9C.tmp
C:\pos9D.tmp
C:\pos9E.tmp
C:\pos9F.tmp
C:\posA0.tmp
C:\posA1.tmp
C:\posA2.tmp
C:\posA3.tmp
C:\posA4.tmp
C:\posA5.tmp
C:\posA6.tmp
C:\posA7.tmp
C:\posA8.tmp
C:\posA9.tmp
C:\posAA.tmp
C:\posAB.tmp
C:\posAC.tmp
C:\posAD.tmp
C:\posAE.tmp
C:\posAF.tmp
C:\posB.tmp
C:\posB0.tmp
C:\posB1.tmp
C:\posB2.tmp
C:\posB3.tmp
C:\posB4.tmp
C:\posB5.tmp
C:\posB6.tmp
C:\posB7.tmp
C:\posB8.tmp
C:\posB9.tmp
C:\posBA.tmp
C:\posBB.tmp
C:\posBC.tmp
C:\posBD.tmp
C:\posBE.tmp
C:\posBF.tmp
C:\posC0.tmp
C:\posC1.tmp
C:\posC2.tmp
C:\posC3.tmp
C:\posC4.tmp
C:\posC5.tmp
C:\posC6.tmp
C:\posC7.tmp
C:\posC8.tmp
C:\posC9.tmp
C:\posCA.tmp
C:\posCB.tmp
C:\posCC.tmp
C:\posCD.tmp
C:\posCE.tmp
C:\posCF.tmp
C:\posD.tmp
C:\posD0.tmp
C:\posD1.tmp
C:\posD2.tmp
C:\posD3.tmp
C:\posD4.tmp
C:\posD5.tmp
C:\posD6.tmp
C:\posD7.tmp
C:\posD8.tmp
C:\posD9.tmp
C:\posDA.tmp
C:\posDB.tmp
C:\posDC.tmp
C:\posDD.tmp
C:\posDE.tmp
C:\posDF.tmp
C:\posE.tmp
C:\posE0.tmp
C:\posE1.tmp
C:\posE2.tmp
C:\posE3.tmp
C:\posE4.tmp
C:\posE5.tmp
C:\posE6.tmp
C:\posE7.tmp
C:\posE8.tmp
C:\posE9.tmp
C:\posEA.tmp
C:\posEB.tmp
C:\posEC.tmp
C:\posED.tmp
C:\posEE.tmp
C:\posEF.tmp
C:\posF.tmp
C:\posF0.tmp
C:\posF1.tmp
C:\posF2.tmp
C:\posF3.tmp
C:\posF4.tmp
C:\posF5.tmp
C:\posF6.tmp
C:\posF7.tmp
C:\posF8.tmp
C:\posF9.tmp
C:\posFA.tmp
C:\posFB.tmp
C:\posFC.tmp
C:\posFD.tmp
C:\posFE.tmp
C:\posFF.tmp
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\AIM6\aim6 .exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon .exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched .exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray .exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\Windows Defender\MSASCui .exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\Downloaded Program Files\xpreload.ocx
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
C:\WINDOWS\racle~1
C:\WINDOWS\SMINST\RECGUARD .EXE
C:\WINDOWS\SMINST\RECGUARD.EXE
C:\WINDOWS\system32\[u]0[/u]00080.exe
C:\WINDOWS\system32\crosof~1
C:\WINDOWS\system32\crosof~1\??crosoft\
C:\WINDOWS\system32\e9
C:\WINDOWS\system32\e9\farstadcom2.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\p2
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\RCX1A.tmp
C:\WINDOWS\system32\RCX1E.tmp
C:\WINDOWS\system32\rtutv.ini
C:\WINDOWS\system32\rtutv.ini2
C:\WINDOWS\system32\t8
C:\WINDOWS\system32\vtutr.dll
C:\WINDOWS\system32\vtutr.exe
C:\WINDOWS\system32\wcpsvsu32.exe
C:\WINDOWS\system32\z0
C:\WINDOWS\system32\z0\vetzcomz22.exe
C:\WINDOWS\ulksystem33.exe
C:\WINDOWS\wdm1C .exe
C:\WINDOWS\wdm1C.exe
C:\WINDOWS\wdm23 .exe
C:\WINDOWS\wdm23.exe
C:\WINDOWS\wdm24 .exe
C:\WINDOWS\wdm24.exe
C:\WINDOWS\wdm25 .exe
C:\WINDOWS\wdm25.exe
C:\WINDOWS\wdm26 .exe
C:\WINDOWS\wdm26.exe
C:\WINDOWS\wdm28 .exe
C:\WINDOWS\wdm28.exe
C:\WINDOWS\wdm29 .exe
C:\WINDOWS\wdm29.exe
C:\WINDOWS\wdm2A .exe
C:\WINDOWS\wdm2A.exe
C:\WINDOWS\wdmD .exe
C:\WINDOWS\wdmD.exe
C:\WINDOWS\wdu1D .exe
C:\WINDOWS\wdu1D.exe
C:\WINDOWS\wdu21 .exe
C:\WINDOWS\wdu21.exe
C:\WINDOWS\wdu24 .exe
C:\WINDOWS\wdu24.exe
C:\WINDOWS\wdu25 .exe
C:\WINDOWS\wdu25.exe
C:\WINDOWS\wdu26 .exe
C:\WINDOWS\wdu26.exe
C:\WINDOWS\wdu27 .exe
C:\WINDOWS\wdu27.exe
C:\WINDOWS\wdu29 .exe
C:\WINDOWS\wdu29.exe
C:\WINDOWS\wdu2A .exe
C:\WINDOWS\wdu2A.exe
C:\WINDOWS\wdu2B .exe
C:\WINDOWS\wdu2B.exe
C:\WINDOWS\wduE .exe
C:\WINDOWS\wduE.exe
D:\Autorun.inf

[code]


C:\Documents and Settings\Owner\Local Settings\Temp\wda1D .exe ---> QooBox
C:\Documents and Settings\Owner\Local Settings\Temp\wda22 .exe ---> QooBox
C:\Documents and Settings\Owner\Local Settings\Temp\wda25 .exe ---> QooBox
C:\Documents and Settings\Owner\Local Settings\Temp\wda29 .exe ---> QooBox
C:\Documents and Settings\Owner\Local Settings\Temp\wdc21 .exe ---> QooBox
C:\Documents and Settings\Owner\Local Settings\Temp\wdc24 .exe ---> QooBox
C:\Documents and Settings\Owner\Local Settings\Temp\wdc28 .exe ---> QooBox
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe ---> QooBox
C:\Program Files\AIM6\aim6 .exe ---> QooBox
C:\Program Files\Common Files\Real\Update_OB\realsched .exe ---> QooBox
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon .exe ---> QooBox
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe ---> QooBox
C:\Program Files\iTunes\iTunesHelper .exe ---> QooBox
C:\Program Files\Java\jre1.5.0_11\bin\jusched .exe ---> QooBox
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe ---> QooBox
C:\Program Files\Messenger\msmsgs .exe ---> QooBox
C:\Program Files\QuickTime\QTTask .exe ---> QooBox
C:\Program Files\QuickTime\QTTask .exe ---> QTTask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe ---> QooBox
C:\Program Files\VERITAS Software\Update Manager\sgtray .exe ---> QooBox
C:\Program Files\Windows Defender\MSASCui .exe ---> QooBox
C:\WINDOWS\wdm1C .exe ---> QooBox
C:\WINDOWS\wdm23 .exe ---> QooBox
C:\WINDOWS\wdm24 .exe ---> QooBox
C:\WINDOWS\wdm25 .exe ---> QooBox
C:\WINDOWS\wdm26 .exe ---> QooBox
C:\WINDOWS\wdm28 .exe ---> QooBox
C:\WINDOWS\wdm29 .exe ---> QooBox
C:\WINDOWS\wdm2A .exe ---> QooBox
C:\WINDOWS\wdmD .exe ---> QooBox
C:\WINDOWS\wdu1D .exe ---> QooBox
C:\WINDOWS\wdu21 .exe ---> QooBox
C:\WINDOWS\wdu24 .exe ---> QooBox
C:\WINDOWS\wdu25 .exe ---> QooBox
C:\WINDOWS\wdu26 .exe ---> QooBox
C:\WINDOWS\wdu27 .exe ---> QooBox
C:\WINDOWS\wdu29 .exe ---> QooBox
C:\WINDOWS\wdu2A .exe ---> QooBox
C:\WINDOWS\wdu2B .exe ---> QooBox
C:\WINDOWS\wduE .exe ---> QooBox
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe ---> QooBox
C:\WINDOWS\SMINST\RECGUARD .EXE ---> QooBox
[/code]
.
.
((((((((((((((((((((((((( Files Created from 2007-12-25 to 2008-01-25 )))))))))))))))))))))))))))))))
.

2008-01-24 20:06 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-22 22:56 . 2008-01-10 00:00 188,672 --a------ C:\WINDOWS\system32\drivers\truecrypt.sys
2008-01-22 22:55 . 2008-01-22 22:56 <DIR> d-------- C:\Program Files\TrueCrypt
2008-01-21 15:39 . 2008-01-22 00:56 13,824 --a------ C:\WINDOWS\wdu23 .exe
2008-01-21 15:39 . 2008-01-22 00:56 13,824 --a------ C:\WINDOWS\wdu1F .exe
2008-01-21 15:39 . 2008-01-22 00:56 13,824 --a------ C:\WINDOWS\wdm22 .exe
2008-01-21 15:39 . 2008-01-22 00:56 13,824 --a------ C:\WINDOWS\wdm1E .exe
2008-01-21 14:23 . 2008-01-21 14:23 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-21 13:33 . 2008-01-24 20:26 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-21 12:19 . 2006-08-21 01:14 128,896 --a--c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-01-21 12:19 . 2006-08-21 01:14 23,040 --a--c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-01-21 12:19 . 2006-08-21 04:21 16,896 --a--c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-01-21 11:55 . 2007-07-09 05:09 584,192 --a--c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-20 20:08 . 2008-01-24 20:26 <DIR> d-------- C:\Program Files\iTunes
2008-01-20 20:05 . 2008-01-20 20:05 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-18 09:40 . 2008-01-21 14:04 <DIR> d-------- C:\Program Files\MSECACHE
2008-01-17 23:30 . 2008-01-17 23:30 <DIR> d-------- C:\VundoFix Backups
2008-01-17 23:19 . 2008-01-17 23:19 13,824 --a------ C:\WINDOWS\wdu69A3 .exe
2008-01-17 23:19 . 2008-01-17 23:19 13,824 --a------ C:\WINDOWS\wdm69A2 .exe
2008-01-17 23:19 . 2008-01-17 23:18 13,824 --a------ C:\WINDOWS\wdm14B0.exe
2008-01-17 23:18 . 2008-01-17 23:18 13,824 --a------ C:\WINDOWS\wdu68F1 .exe
2008-01-17 23:18 . 2008-01-17 23:18 13,824 --a------ C:\WINDOWS\wdm67DC .exe
2008-01-17 21:06 . 2008-01-17 21:06 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-01-17 20:51 . 2004-08-03 23:56 148,480 --a------ C:\WINDOWS\system32\wscui.cpl
2008-01-17 20:51 . 2004-08-03 23:56 129,536 --a------ C:\WINDOWS\system32\xmlprov.dll
2008-01-17 20:51 . 2004-08-03 23:56 108,032 --a------ C:\WINDOWS\system32\wshbth.dll
2008-01-17 20:51 . 2004-08-03 23:56 81,408 --a------ C:\WINDOWS\system32\wscsvc.dll
2008-01-17 20:51 . 2004-08-03 23:56 50,176 --a------ C:\WINDOWS\system32\xmlprovi.dll
2008-01-17 20:51 . 2004-08-03 23:56 13,824 --a------ C:\WINDOWS\system32\wscntfy.exe
2008-01-17 20:49 . 2004-08-03 23:56 1,737,856 --a------ C:\WINDOWS\system32\mtxparhd.dll
2008-01-17 20:48 . 2004-08-03 21:41 1,041,536 --a------ C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-01-17 20:47 . 2004-08-03 23:56 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2008-01-17 20:03 . 2008-01-17 21:37 13,824 --a------ C:\WINDOWS\wdm20 .exe
2008-01-17 19:47 . 2008-01-17 19:47 13,824 --a------ C:\WINDOWS\wdu8 .exe
2008-01-17 19:47 . 2008-01-17 19:47 13,824 --a------ C:\WINDOWS\wdu4 .exe
2008-01-17 19:47 . 2008-01-17 19:47 13,824 --a------ C:\WINDOWS\wdm7 .exe
2008-01-17 19:47 . 2008-01-17 19:47 13,824 --a------ C:\WINDOWS\wdm3 .exe
2008-01-17 19:28 . 2004-08-03 23:56 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2008-01-17 19:28 . 2004-08-03 23:56 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2008-01-17 19:28 . 2004-08-03 23:56 265,728 --a------ C:\WINDOWS\system32\h323.tsp
2008-01-17 18:08 . 2008-01-17 18:08 13,824 --a------ C:\WINDOWS\wdu2E1B .exe
2008-01-17 18:07 . 2008-01-17 18:07 13,824 --a------ C:\WINDOWS\wdm2C1C .exe
2008-01-17 08:08 . 2008-01-17 08:08 13,824 --a------ C:\WINDOWS\wdu28C2 .exe
2008-01-17 08:07 . 2008-01-17 08:07 13,824 --a------ C:\WINDOWS\wdu259E .exe
2008-01-17 08:07 . 2008-01-17 08:07 13,824 --a------ C:\WINDOWS\wdm28A9 .exe
2008-01-17 08:07 . 2008-01-17 08:07 13,824 --a------ C:\WINDOWS\wdm249C .exe
2008-01-17 00:10 . 2005-08-31 17:41 19,968 --a------ C:\WINDOWS\system32\linkinfo.dll
2008-01-17 00:07 . 2005-07-25 20:39 1,285,120 --a------ C:\WINDOWS\system32\ole32.dll
2008-01-17 00:07 . 2005-07-25 20:39 1,267,200 --a------ C:\WINDOWS\system32\comsvcs.dll
2008-01-17 00:07 . 2005-07-25 20:39 625,152 --a------ C:\WINDOWS\system32\catsrvut.dll
2008-01-17 00:07 . 2005-07-25 20:39 498,688 --a------ C:\WINDOWS\system32\clbcatq.dll
2008-01-17 00:07 . 2005-07-25 20:39 397,824 --a------ C:\WINDOWS\system32\rpcss.dll
2008-01-17 00:07 . 2005-07-25 20:39 243,200 --a------ C:\WINDOWS\system32\es.dll
2008-01-17 00:07 . 2005-07-25 20:39 225,792 --a------ C:\WINDOWS\system32\catsrv.dll
2008-01-17 00:07 . 2005-07-25 20:39 74,752 --a------ C:\WINDOWS\system32\olecli32.dll
2008-01-17 00:07 . 2005-07-25 20:39 60,416 --a------ C:\WINDOWS\system32\colbact.dll
2008-01-17 00:04 . 2005-10-20 14:20 1,082,368 --a------ C:\WINDOWS\system32\esent.dll
2008-01-17 00:04 . 2006-01-03 19:35 68,096 --a------ C:\WINDOWS\system32\webclnt.dll
2008-01-17 00:02 . 2005-08-22 10:29 197,632 --a------ C:\WINDOWS\system32\netman.dll
2008-01-17 00:02 . 2005-08-22 19:35 123,392 --a------ C:\WINDOWS\system32\umpnpmgr.dll
2008-01-16 23:57 . 2008-01-16 23:57 13,824 --a------ C:\WINDOWS\wdu61C3 .exe
2008-01-16 23:57 . 2008-01-16 23:57 13,824 --a------ C:\WINDOWS\wdu61BF .exe
2008-01-16 23:57 . 2008-01-16 23:57 13,824 --a------ C:\WINDOWS\wdm61C2 .exe
2008-01-16 23:57 . 2008-01-16 23:57 13,824 --a------ C:\WINDOWS\wdm61BE .exe
2008-01-16 23:49 . 2004-08-03 23:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2008-01-16 23:49 . 2004-08-03 23:56 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-01-16 23:43 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-16 23:43 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-16 23:43 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-16 23:43 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-16 18:59 . 2008-01-16 20:23 7,168 --a------ C:\WINDOWS\system32\windows_old
2008-01-16 18:01 . 2008-01-16 18:01 169 --a------ C:\WINDOWS\mktbrws.ses
2008-01-16 15:26 . 2008-01-16 15:26 13,824 --a------ C:\WINDOWS\wdu20E3 .exe
2008-01-16 15:25 . 2008-01-16 15:25 13,824 --a------ C:\WINDOWS\wdm20A8 .exe
2008-01-16 07:53 . 2008-01-16 07:53 13,824 --a------ C:\WINDOWS\wdu3598 .exe
2008-01-16 07:52 . 2008-01-16 07:52 13,824 --a------ C:\WINDOWS\wdm34D3 .exe
2008-01-16 07:36 . 2008-01-16 07:36 13,824 --a------ C:\WINDOWS\wdm5009 .exe
2008-01-16 00:11 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-15 22:59 . 2005-08-03 01:47 424,960 --a------ C:\WINDOWS\WRServices.dll
2008-01-15 14:00 . 2008-01-15 14:00 337,408 --a------ C:\WINDOWS\system32\RCX132F.tmp
2008-01-14 19:08 . 2008-01-15 23:54 1,057,156 --ahs---- C:\WINDOWS\system32\dktkbryx.ini
2008-01-14 18:52 . 2008-01-14 18:52 <DIR> d-------- C:\Program Files\Thomson
2008-01-13 20:03 . 2008-01-13 20:03 337,408 --a------ C:\WINDOWS\system32\RCX1B42.tmp
2008-01-12 19:58 . 2008-01-21 11:13 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-12 18:48 . 2008-01-12 18:48 18,432 --a------ C:\WINDOWS\9an22wcv.exe
2008-01-12 15:58 . 2008-01-22 00:06 <DIR> d--hs---- C:\WINDOWS\THVjeSBTZWdvdmlh
2008-01-12 15:58 . 2008-01-21 14:39 <DIR> d-------- C:\WINDOWS\system32\edcA01
2008-01-12 15:58 . 2008-01-12 18:32 378,368 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2008-01-12 15:58 . 2007-12-11 13:14 151,552 --a------ C:\WINDOWS\system32\rushqhaa.exe
2008-01-12 15:58 . 2007-12-11 13:14 151,552 --a------ C:\WINDOWS\system32\bkmoopob.exe
2008-01-12 15:58 . 2008-01-12 15:58 86,016 --a------ C:\WINDOWS\system32\drivers\MSPCLOCKK.sys
2008-01-11 00:01 . 2008-01-15 23:53 114,688 --a------ C:\WINDOWS\system32\hkcmd .exe
2008-01-11 00:01 . 2008-01-15 23:53 81,920 --a------ C:\WINDOWS\system32\ps2 .exe
2008-01-11 00:01 . 2008-01-15 23:53 52,736 --a------ C:\WINDOWS\system\hpsysdrv .exe
2008-01-11 00:01 . 2008-01-16 00:30 182 --a------ C:\WINDOWS\system\hpsysdrv .DAT
2008-01-10 22:55 . 2004-08-03 22:15 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2008-01-10 22:55 . 2004-08-03 22:07 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2008-01-10 22:55 . 2004-08-03 23:56 23,552 --a------ C:\WINDOWS\system32\wdmaud.drv
2008-01-10 22:50 . 2008-01-10 22:50 3,878 -rahs---- C:\WINDOWS\system32\drivers\HP_D7218M-ABA 554E_YC_Pavi_QMX311S_E31NAheBLU4_4_IKM266-8235_S_V_BAM37310_T030304_WXH1_L409_M1024_J40_7AMD_8Athlon XP 2000+_91.66_1_N10EC8139_P_Z11C1044E_K_A_U11063038_G10DE0322_OCyberDrv CW088D CD-R RW;JLMS XJ-HD166S_D.MRK
2008-01-10 20:22 . 2008-01-13 11:28 18,432 --a------ C:\WINDOWS\avp .exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-25 04:32 --------- d-----w C:\Program Files\QuickTime
2008-01-21 22:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-21 04:09 --------- d-----w C:\Program Files\iPod
2008-01-16 08:08 --------- d-----w C:\Program Files\Java
2008-01-15 22:27 --------- d-----w C:\Program Files\World of Warcraft
2008-01-11 07:07 84,028 ----a-w C:\WINDOWS\system32\drivers\AFS2K.SYS
2008-01-11 07:07 --------- d-----w C:\Program Files\Hewlett-Packard
2008-01-11 07:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-11 06:50 3,878 --sha-r C:\WINDOWS\system32\drivers\HP_D7218M-ABA 554E_YC_Pavi_QMX311S_E31NAheBLU4_4_IKM266-8235_S_V_BAM37310_T030304_WXH1_L409_M1024_J40_7AMD_8Athlon XP 2000+_91.66_1_N10EC8139_P_Z11C1044E_K_A_U11063038_G10DE0322_OCyberDrv CW088D CD-R RW;JLMS XJ-HD166S_D.MRK
2008-01-10 03:03 --------- d-----w C:\Program Files\Viewpoint
2007-12-18 04:56 14,848 ----a-w C:\sysqdyt.exe
2007-12-04 22:30 --------- d-----w C:\Program Files\LimeWire1
2007-07-14 09:35 10,240 --sha-w C:\Program Files\Thumbs.db
2007-03-25 00:05 8 --sh--r C:\WINDOWS\system32\194796A85A.sys
.
[code]


----a-w 13,824 2008-01-22 08:56:34 C:\Documents and Settings\Owner\Local Settings\Temp\wda21 .exe
----a-w 13,824 2008-01-22 08:56:33 C:\Documents and Settings\Owner\Local Settings\Temp\wdc1C .exe
----a-w 13,824 2008-01-22 08:56:34 C:\Documents and Settings\Owner\Local Settings\Temp\wdc20 .exe
----a-w 18,432 2008-01-13 19:28:00 C:\WINDOWS\avp .exe
----a-w 13,824 2008-01-22 08:56:34 C:\WINDOWS\wdm1E .exe
----a-w 13,824 2008-01-18 05:37:02 C:\WINDOWS\wdm20 .exe
----a-w 13,824 2008-01-16 23:25:55 C:\WINDOWS\wdm20A8 .exe
----a-w 13,824 2008-01-22 08:56:35 C:\WINDOWS\wdm22 .exe
----a-w 13,824 2008-01-17 16:07:32 C:\WINDOWS\wdm249C .exe
----a-w 13,824 2008-01-17 16:07:50 C:\WINDOWS\wdm28A9 .exe
----a-w 13,824 2008-01-18 02:07:52 C:\WINDOWS\wdm2C1C .exe
----a-w 13,824 2008-01-18 03:47:34 C:\WINDOWS\wdm3 .exe
----a-w 13,824 2008-01-16 15:52:52 C:\WINDOWS\wdm34D3 .exe
----a-w 13,824 2008-01-16 15:36:25 C:\WINDOWS\wdm5009 .exe
----a-w 13,824 2008-01-17 07:57:02 C:\WINDOWS\wdm61BE .exe
----a-w 13,824 2008-01-17 07:57:07 C:\WINDOWS\wdm61C2 .exe
----a-w 13,824 2008-01-18 07:18:54 C:\WINDOWS\wdm67DC .exe
----a-w 13,824 2008-01-18 07:19:04 C:\WINDOWS\wdm69A2 .exe
----a-w 13,824 2008-01-18 03:47:36 C:\WINDOWS\wdm7 .exe
----a-w 13,824 2008-01-22 08:56:34 C:\WINDOWS\wdu1F .exe
----a-w 13,824 2008-01-16 23:26:02 C:\WINDOWS\wdu20E3 .exe
----a-w 13,824 2008-01-22 08:56:35 C:\WINDOWS\wdu23 .exe
----a-w 13,824 2008-01-17 16:07:35 C:\WINDOWS\wdu259E .exe
----a-w 13,824 2008-01-17 16:08:00 C:\WINDOWS\wdu28C2 .exe
----a-w 13,824 2008-01-18 02:08:06 C:\WINDOWS\wdu2E1B .exe
----a-w 13,824 2008-01-16 15:53:04 C:\WINDOWS\wdu3598 .exe
----a-w 13,824 2008-01-18 03:47:34 C:\WINDOWS\wdu4 .exe
----a-w 13,824 2008-01-17 07:57:03 C:\WINDOWS\wdu61BF .exe
----a-w 13,824 2008-01-17 07:57:07 C:\WINDOWS\wdu61C3 .exe
----a-w 13,824 2008-01-18 07:18:54 C:\WINDOWS\wdu68F1 .exe
----a-w 13,824 2008-01-18 07:19:05 C:\WINDOWS\wdu69A3 .exe
----a-w 13,824 2008-01-18 03:47:37 C:\WINDOWS\wdu8 .exe
----a-w 52,736 2008-01-16 07:53:08 C:\WINDOWS\system\hpsysdrv .exe
----a-w 114,688 2008-01-16 07:53:09 C:\WINDOWS\system32\hkcmd .exe
----a-w 81,920 2008-01-16 07:53:31 C:\WINDOWS\system32\ps2 .exe
[/code]


-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2e4a6d0d-2c6c-4172-a378-a16cd84ce181}]
C:\WINDOWS\System32\agpkxqtb.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender Monitor"="C:\WINDOWS\wdm20.exe" [ ]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
backup=C:\WINDOWS\pss\autorun.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\80508746]
C:\WINDOWS\System32\nkjayfbm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6 .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTBar]
C:\hp\bin\autotbar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlockTracker]
c:\hp\bin\BlockTracker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
--a------ 2002-10-15 19:00 1818624 C:\WINDOWS\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\System32\vtutr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-10-06 15:16 5058560 C:\WINDOWS\System32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-10-06 15:16 741376 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Printer]
C:\WINDOWS\System32\printer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
C:\WINDOWS\System32\spoolvs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zero Knowledge Freedom]
--a------ 2008-01-10 23:30 357888 C:\Program Files\Zero Knowledge\Freedom\AutoStarterR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"svcWRSSSDK"=2 (0x2)
"NVSvc"=2 (0x2)
"iPod Service"=3 (0x3)
"DomainService"=2 (0x2)
"aawservice"=2 (0x2)
"MSControlService"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)


.
Contents of the 'Scheduled Tasks' folder
"2007-12-17 14:45:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-25 04:36:25 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-25 04:41:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 20:33:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Defender Monitor = C:\WINDOWS\wdm20.exe???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-24 20:41:38 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-01-25 04:41:34
.
2008-01-24 23:27:40 --- E O F ---



Response Number 10
Name: jabuck
Date: January 25, 2008 at 15:35:48 Pacific
Reply:

Go to this link:

Disable Realtime Protection

Follow their directions to disable any realtime protection that you have as it will interfere with the fix by reinstalling the corrupt files.

Go to start> control panel> administrative tools> services> scroll down to "DomainService " and double click it. Click the blue drop down arrow to the far right of "startup type"> click disable> apply> ok.

Exit administrative tools.

Please download Atribune's VundoFix.exe from the following site to your desktop:

Vundofix.exe

Double-click VundoFix.exe to run it.

Click the Scan for Vundo button.

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files,
click "yes".

Once you click yes, your desktop will go blank as it starts removing
Vundo.

When completed, it will prompt that it will reboot your computer,
click "ok".

Run Vundo again.

Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\wdu23 .exe
C:\WINDOWS\wdu1F .exe
C:\WINDOWS\wdm22 .exe
C:\WINDOWS\wdm1E .exe
C:\WINDOWS\wdu69A3 .exe
C:\WINDOWS\wdm69A2 .exe
C:\WINDOWS\wdm14B0.exe
C:\WINDOWS\wdu68F1 .exe
C:\WINDOWS\wdm67DC .exe
C:\WINDOWS\wdm20 .exe
C:\WINDOWS\wdu8 .exe
C:\WINDOWS\wdu4 .exe
C:\WINDOWS\wdm7 .exe
C:\WINDOWS\wdm3 .exe
C:\WINDOWS\wdu2E1B .exe
C:\WINDOWS\wdm2C1C .exe
C:\WINDOWS\wdu28C2 .exe
C:\WINDOWS\wdu259E .exe
C:\WINDOWS\wdm28A9 .exe
C:\WINDOWS\wdm249C .exe
C:\WINDOWS\wdu61C3 .exe
C:\WINDOWS\wdu61BF .exe
C:\WINDOWS\wdm61C2 .exe
C:\WINDOWS\wdm61BE .exe
C:\WINDOWS\wdu20E3 .exe
C:\WINDOWS\wdm20A8 .exe
C:\WINDOWS\wdu3598 .exe
C:\WINDOWS\wdm34D3 .exe
C:\WINDOWS\wdm5009 .exe
C:\WINDOWS\system32\RCX132F.tmp
C:\WINDOWS\system32\dktkbryx.ini
C:\WINDOWS\system32\RCX1B42.tmp
C:\WINDOWS\9an22wcv.exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\system32\rushqhaa.exe
C:\WINDOWS\system32\bkmoopob.exe
C:\WINDOWS\avp .exe
C:\sysqdyt.exe
C:\WINDOWS\system32\194796A85A.sys
C:\WINDOWS\System32\vtutr.exe
C:\WINDOWS\System32\agpkxqtb.dll

RenV::
C:\WINDOWS\system\hpsysdrv .exe
C:\WINDOWS\system32\hkcmd .exe
C:\WINDOWS\system32\ps2 .exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig
C:\WINDOWS\SMINST\RECGUARD .EXE
C:\Program Files\AIM6\aim6 .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon .exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\VERITAS Software\Update Manager\sgtray .exe
C:\Program Files\Windows Defender\MSASCui .exe

Folder::
C:\WINDOWS\THVjeSBTZWdvdmlh
C:\WINDOWS\system32\edcA01

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2e4a6d0d-2c6c-4172-a378-a16cd84ce181}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\80508746]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DomainService"=-
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop). If ComboFix does not auto start, click "run".

Post the new ComboFix log please.



Response Number 11
Name: santiago1
Date: January 26, 2008 at 12:49:59 Pacific
Reply:

I didn't have DomainService under services from the administrative tools, so I did everything you told me without doing that step.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

ComboFix 08-01-23.1C - Owner 2008-01-26 12:30:09.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.686 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE
C:\sysqdyt.exe
C:\WINDOWS\9an22wcv.exe
C:\WINDOWS\avp .exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\system32\194796A85A.sys
C:\WINDOWS\System32\agpkxqtb.dll
C:\WINDOWS\system32\bkmoopob.exe
C:\WINDOWS\system32\dktkbryx.ini
C:\WINDOWS\system32\RCX132F.tmp
C:\WINDOWS\system32\RCX1B42.tmp
C:\WINDOWS\system32\rushqhaa.exe
C:\WINDOWS\System32\vtutr.exe
C:\WINDOWS\wdm14B0.exe
C:\WINDOWS\wdm1E .exe
C:\WINDOWS\wdm20 .exe
C:\WINDOWS\wdm20A8 .exe
C:\WINDOWS\wdm22 .exe
C:\WINDOWS\wdm249C .exe
C:\WINDOWS\wdm28A9 .exe
C:\WINDOWS\wdm2C1C .exe
C:\WINDOWS\wdm3 .exe
C:\WINDOWS\wdm34D3 .exe
C:\WINDOWS\wdm5009 .exe
C:\WINDOWS\wdm61BE .exe
C:\WINDOWS\wdm61C2 .exe
C:\WINDOWS\wdm67DC .exe
C:\WINDOWS\wdm69A2 .exe
C:\WINDOWS\wdm7 .exe
C:\WINDOWS\wdu1F .exe
C:\WINDOWS\wdu20E3 .exe
C:\WINDOWS\wdu23 .exe
C:\WINDOWS\wdu259E .exe
C:\WINDOWS\wdu28C2 .exe
C:\WINDOWS\wdu2E1B .exe
C:\WINDOWS\wdu3598 .exe
C:\WINDOWS\wdu4 .exe
C:\WINDOWS\wdu61BF .exe
C:\WINDOWS\wdu61C3 .exe
C:\WINDOWS\wdu68F1 .exe
C:\WINDOWS\wdu69A3 .exe
C:\WINDOWS\wdu8 .exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\sysqdyt.exe
C:\WINDOWS\9an22wcv.exe
C:\WINDOWS\avp .exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\system32\194796A85A.sys
C:\WINDOWS\system32\bkmoopob.exe
C:\WINDOWS\system32\dktkbryx.ini
C:\WINDOWS\system32\edcA01
C:\WINDOWS\system32\RCX132F.tmp
C:\WINDOWS\system32\RCX1B42.tmp
C:\WINDOWS\system32\rushqhaa.exe
C:\WINDOWS\THVjeSBTZWdvdmlh
C:\WINDOWS\wdm14B0.exe
C:\WINDOWS\wdm1E .exe
C:\WINDOWS\wdm20 .exe
C:\WINDOWS\wdm20A8 .exe
C:\WINDOWS\wdm22 .exe
C:\WINDOWS\wdm249C .exe
C:\WINDOWS\wdm28A9 .exe
C:\WINDOWS\wdm2C1C .exe
C:\WINDOWS\wdm3 .exe
C:\WINDOWS\wdm34D3 .exe
C:\WINDOWS\wdm5009 .exe
C:\WINDOWS\wdm61BE .exe
C:\WINDOWS\wdm61C2 .exe
C:\WINDOWS\wdm67DC .exe
C:\WINDOWS\wdm69A2 .exe
C:\WINDOWS\wdm7 .exe
C:\WINDOWS\wdu1F .exe
C:\WINDOWS\wdu20E3 .exe
C:\WINDOWS\wdu23 .exe
C:\WINDOWS\wdu259E .exe
C:\WINDOWS\wdu28C2 .exe
C:\WINDOWS\wdu2E1B .exe
C:\WINDOWS\wdu3598 .exe
C:\WINDOWS\wdu4 .exe
C:\WINDOWS\wdu61BF .exe
C:\WINDOWS\wdu61C3 .exe
C:\WINDOWS\wdu68F1 .exe
C:\WINDOWS\wdu69A3 .exe
C:\WINDOWS\wdu8 .exe

.
((((((((((((((((((((((((( Files Created from 2007-12-26 to 2008-01-26 )))))))))))))))))))))))))))))))
.

2008-01-25 18:13 . 2008-01-25 18:13 <DIR> d-------- C:\Program Files\LimeWire
2008-01-25 14:30 . 2008-01-26 11:02 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-25 14:30 . 2008-01-25 14:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-24 20:06 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-22 22:56 . 2008-01-10 00:00 188,672 --a------ C:\WINDOWS\system32\drivers\truecrypt.sys
2008-01-22 22:55 . 2008-01-22 22:56 <DIR> d-------- C:\Program Files\TrueCrypt
2008-01-21 14:23 . 2008-01-21 14:23 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-21 13:33 . 2008-01-24 20:26 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-21 12:19 . 2006-08-21 01:14 128,896 --a--c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-01-21 12:19 . 2006-08-21 01:14 23,040 --a--c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-01-21 12:19 . 2006-08-21 04:21 16,896 --a--c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-01-21 11:55 . 2007-07-09 05:09 584,192 --a--c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-20 20:08 . 2008-01-25 14:30 <DIR> d-------- C:\Program Files\iTunes
2008-01-20 20:05 . 2008-01-20 20:05 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-18 09:40 . 2008-01-21 14:04 <DIR> d-------- C:\Program Files\MSECACHE
2008-01-17 23:30 . 2008-01-26 11:30 <DIR> d-------- C:\VundoFix Backups
2008-01-17 21:06 . 2008-01-17 21:06 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-01-17 20:51 . 2004-08-03 23:56 148,480 --a------ C:\WINDOWS\system32\wscui.cpl
2008-01-17 20:51 . 2004-08-03 23:56 129,536 --a------ C:\WINDOWS\system32\xmlprov.dll
2008-01-17 20:51 . 2004-08-03 23:56 108,032 --a------ C:\WINDOWS\system32\wshbth.dll
2008-01-17 20:51 . 2004-08-03 23:56 81,408 --a------ C:\WINDOWS\system32\wscsvc.dll
2008-01-17 20:51 . 2004-08-03 23:56 50,176 --a------ C:\WINDOWS\system32\xmlprovi.dll
2008-01-17 20:51 . 2004-08-03 23:56 13,824 --a------ C:\WINDOWS\system32\wscntfy.exe
2008-01-17 20:49 . 2004-08-03 23:56 1,737,856 --a------ C:\WINDOWS\system32\mtxparhd.dll
2008-01-17 20:48 . 2004-08-03 21:41 1,041,536 --a------ C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-01-17 20:47 . 2004-08-03 23:56 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2008-01-17 19:28 . 2004-08-03 23:56 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2008-01-17 19:28 . 2004-08-03 23:56 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2008-01-17 19:28 . 2004-08-03 23:56 265,728 --a------ C:\WINDOWS\system32\h323.tsp
2008-01-17 00:10 . 2005-08-31 17:41 19,968 --a------ C:\WINDOWS\system32\linkinfo.dll
2008-01-17 00:07 . 2005-07-25 20:39 1,285,120 --a------ C:\WINDOWS\system32\ole32.dll
2008-01-17 00:07 . 2005-07-25 20:39 1,267,200 --a------ C:\WINDOWS\system32\comsvcs.dll
2008-01-17 00:07 . 2005-07-25 20:39 625,152 --a------ C:\WINDOWS\system32\catsrvut.dll
2008-01-17 00:07 . 2005-07-25 20:39 498,688 --a------ C:\WINDOWS\system32\clbcatq.dll
2008-01-17 00:07 . 2005-07-25 20:39 397,824 --a------ C:\WINDOWS\system32\rpcss.dll
2008-01-17 00:07 . 2005-07-25 20:39 243,200 --a------ C:\WINDOWS\system32\es.dll
2008-01-17 00:07 . 2005-07-25 20:39 225,792 --a------ C:\WINDOWS\system32\catsrv.dll
2008-01-17 00:07 . 2005-07-25 20:39 74,752 --a------ C:\WINDOWS\system32\olecli32.dll
2008-01-17 00:07 . 2005-07-25 20:39 60,416 --a------ C:\WINDOWS\system32\colbact.dll
2008-01-17 00:04 . 2005-10-20 14:20 1,082,368 --a------ C:\WINDOWS\system32\esent.dll
2008-01-17 00:04 . 2006-01-03 19:35 68,096 --a------ C:\WINDOWS\system32\webclnt.dll
2008-01-17 00:02 . 2005-08-22 10:29 197,632 --a------ C:\WINDOWS\system32\netman.dll
2008-01-17 00:02 . 2005-08-22 19:35 123,392 --a------ C:\WINDOWS\system32\umpnpmgr.dll
2008-01-16 23:49 . 2004-08-03 23:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2008-01-16 23:49 . 2004-08-03 23:56 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-01-16 23:43 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-16 23:43 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-16 23:43 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-16 23:43 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-16 18:59 . 2008-01-16 20:23 7,168 --a------ C:\WINDOWS\system32\windows_old
2008-01-16 18:01 . 2008-01-16 18:01 169 --a------ C:\WINDOWS\mktbrws.ses
2008-01-16 00:11 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-15 22:59 . 2005-08-03 01:47 424,960 --a------ C:\WINDOWS\WRServices.dll
2008-01-14 18:52 . 2008-01-14 18:52 <DIR> d-------- C:\Program Files\Thomson
2008-01-12 19:58 . 2008-01-21 11:13 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-12 15:58 . 2008-01-12 15:58 86,016 --a------ C:\WINDOWS\system32\drivers\MSPCLOCKK.sys
2008-01-11 00:01 . 2008-01-15 23:53 114,688 --a------ C:\WINDOWS\system32\hkcmd.exe
2008-01-11 00:01 . 2008-01-15 23:53 81,920 --a------ C:\WINDOWS\system32\ps2.exe
2008-01-11 00:01 . 2008-01-15 23:53 52,736 --a------ C:\WINDOWS\system\hpsysdrv.exe
2008-01-11 00:01 . 2008-01-16 00:30 182 --a------ C:\WINDOWS\system\hpsysdrv .DAT
2008-01-10 22:55 . 2004-08-03 22:15 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2008-01-10 22:55 . 2004-08-03 22:07 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2008-01-10 22:55 . 2004-08-03 23:56 23,552 --a------ C:\WINDOWS\system32\wdmaud.drv
2008-01-10 22:50 . 2008-01-10 22:50 3,878 -rahs---- C:\WINDOWS\system32\drivers\HP_D7218M-ABA 554E_YC_Pavi_QMX311S_E31NAheBLU4_4_IKM266-8235_S_V_BAM37310_T030304_WXH1_L409_M1024_J40_7AMD_8Athlon XP 2000+_91.66_1_N10EC8139_P_Z11C1044E_K_A_U11063038_G10DE0322_OCyberDrv CW088D CD-R RW;JLMS XJ-HD166S_D.MRK
2008-01-10 18:19 . 2008-01-10 18:19 19,456 --a------ C:\WINDOWS\system32\drivers\gmgtlmka.dat
2008-01-10 18:17 . 2002-08-29 04:00 84,480 --a------ C:\WINDOWS\system32\cryptne.dll
2008-01-10 18:15 . 2008-01-10 18:15 54,764 --a------ C:\WINDOWS\system32\dxdss.sys
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-09 19:02 . 2008-01-24 20:26 <DIR> d-------- C:\Program Files\AIM6
2007-12-31 14:04 . 2008-01-10 13:16 231,424 --a------ C:\WINDOWS\mapisrv32.dll
2007-12-31 14:04 . 2008-01-10 13:16 10,240 --a------ C:\WINDOWS\jtcres32.dll
2007-12-31 14:04 . 2008-01-10 19:17 3 --a------ C:\WINDOWS\gtiplus.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-26 02:02 82,380 ----a-w C:\WINDOWS\system32\drivers\AFS2K.SYS
2008-01-25 06:41 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-25 04:32 --------- d-----w C:\Program Files\QuickTime
2008-01-21 22:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-21 04:09 --------- d-----w C:\Program Files\iPod
2008-01-16 08:08 --------- d-----w C:\Program Files\Java
2008-01-15 22:27 --------- d-----w C:\Program Files\World of Warcraft
2008-01-11 16:33 485,376 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe.tmp
2008-01-11 07:07 --------- d-----w C:\Program Files\Hewlett-Packard
2008-01-11 07:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-11 06:50 3,878 --sha-r C:\WINDOWS\system32\drivers\HP_D7218M-ABA 554E_YC_Pavi_QMX311S_E31NAheBLU4_4_IKM266-8235_S_V_BAM37310_T030304_WXH1_L409_M1024_J40_7AMD_8Athlon XP 2000+_91.66_1_N10EC8139_P_Z11C1044E_K_A_U11063038_G10DE0322_OCyberDrv CW088D CD-R RW;JLMS XJ-HD166S_D.MRK
2008-01-10 03:03 --------- d-----w C:\Program Files\Viewpoint
2007-12-04 22:30 --------- d-----w C:\Program Files\LimeWire1
2007-07-14 09:35 10,240 --sha-w C:\Program Files\Thumbs.db
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender Monitor"="C:\WINDOWS\wdm20.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 10:42 69632]

C:\Documents and Settings\amparo\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-01-10 10:08:24 147456]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 12:05:56 65588]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
backup=C:\WINDOWS\pss\autorun.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6 .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTBar]
C:\hp\bin\autotbar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlockTracker]
c:\hp\bin\BlockTracker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
--a------ 2002-10-15 19:00 1818624 C:\WINDOWS\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
--a------ 2002-06-17 16:11 69632 c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2008-01-15 23:53 114688 C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 2008-01-15 23:53 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\System32\vtutr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-10-06 15:16 5058560 C:\WINDOWS\System32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-10-06 15:16 741376 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Printer]
C:\WINDOWS\System32\printer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2008-01-15 23:53 81920 C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-04-17 10:42 69632 c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
C:\WINDOWS\System32\spoolvs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zero Knowledge Freedom]
--a------ 2008-01-10 23:30 357888 C:\Program Files\Zero Knowledge\Freedom\AutoStarterR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"svcWRSSSDK"=2 (0x2)
"NVSvc"=2 (0x2)
"iPod Service"=3 (0x3)
"aawservice"=2 (0x2)
"MSControlService"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)


.
Contents of the 'Scheduled Tasks' folder
"2007-12-17 14:45:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-26 19:24:30 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-26 20:36:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-26 12:35:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Defender Monitor = C:\WINDOWS\wdm20.exe???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-01-26 12:37:33
ComboFix-quarantined-files.txt 2008-01-26 20:36:42
.
2008-01-24 23:27:40 --- E O F ---
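
A cross-check a helper could run on the script and log above, as an added example that is not part of the original thread and is not ComboFix code: it parses the `Name::` sections of a CFScript and reports which `File::` and `Folder::` paths the log does not list under "Other Deletions". The function names and the shortened sample script and log are constructed for illustration, and reading a missing path as "not confirmed deleted" is an assumption about the log layout.

```python
import re

DIRECTIVE = re.compile(r"^([A-Za-z]+)::\s*$")   # e.g. "File::", "RenV::"
BANNER = re.compile(r"^\(+\s*(.*?)\s*\)+$")     # e.g. "(((( Other Deletions ))))"

# Constructed, shortened excerpts of the script and log posted in this thread.
SAMPLE_SCRIPT = r"""
File::
C:\WINDOWS\wdm20 .exe
C:\sysqdyt.exe
C:\WINDOWS\System32\vtutr.exe
C:\WINDOWS\System32\agpkxqtb.dll

Folder::
C:\WINDOWS\system32\edcA01

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\80508746]
"""

SAMPLE_LOG = r"""
((((((((((((((((((((( Other Deletions )))))))))))))))))))))
.
C:\sysqdyt.exe
C:\WINDOWS\system32\edcA01
C:\WINDOWS\wdm20 .exe
.
(((((((((( Files Created from 2007-12-26 to 2008-01-26 ))))))))))
.
2008-01-17 23:30 . 2008-01-26 11:30 <DIR> d-------- C:\VundoFix Backups
"""

def parse_cfscript(text):
    """Group script lines under their 'Name::' directive, in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = DIRECTIVE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
        elif current is None:
            # The helper's instruction: a directive must be the first line.
            raise ValueError("text before first directive: %r" % line)
        else:
            sections[current].append(line)
    return sections

def log_section(log_text, title):
    """Return the entries listed under one '((( title )))' banner."""
    entries, inside = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        match = BANNER.match(line)
        if match:
            inside = match.group(1) == title
        elif inside and line and line != ".":
            entries.append(line)
    return entries

def norm(path):
    """Windows paths compare case-insensitively; collapse stray spacing too."""
    return re.sub(r"\s+", " ", path.strip()).lower()

def unconfirmed_targets(script_text, log_text):
    """Paths the script asked to remove that the log does not report deleted."""
    script = parse_cfscript(script_text)
    requested = script.get("File", []) + script.get("Folder", [])
    deleted = {norm(p) for p in log_section(log_text, "Other Deletions")}
    return [p for p in requested if norm(p) not in deleted]

if __name__ == "__main__":
    for path in unconfirmed_targets(SAMPLE_SCRIPT, SAMPLE_LOG):
        print("not confirmed deleted:", path)
```

Against the full script and log in this thread, the same comparison leaves C:\WINDOWS\System32\vtutr.exe and C:\WINDOWS\System32\agpkxqtb.dll unconfirmed; every other File:: and Folder:: path appears under "Other Deletions".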



Response Number 12
Name: jabuck
Date: January 26, 2008 at 13:16:46 Pacific
Reply:

Open Notepad and copy/paste everything between the X's into it and make sure "Registry::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Folder::
C:\Qoobox

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop). If ComboFix does not auto start, click "run".

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Download ATF Cleaner from this link:
ATF Cleaner

Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Please run the BitDefender online scan at this link:
Bitdefender Online Scanner

You will need to allow an ActiveX install for the scan to run.
Leave the scanning options at default and press "click here to scan".
When finished scanning, click on "click here to export the scan report".
Save it to your desktop; at "file name" type in "bdscan", then click save.
Post a log in your reply.

