Tom's Guide | Tom's Hardware | Tom's Games

Computing.Net > Forums > Security and Virus > fake Windows Defender

Computer Problems? Computing.Net has over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to start participating now! Also, be sure to check out the New User Guide.

fake Windows Defender

Reply to Message Icon

Name: santiago1
Date: January 21, 2008 at 15:55:16 Pacific
OS: windows xp home edition
CPU/Ram: AMD Athlon Xp 2000 1.67 G
Comment:

i have had a bunch of spyware recently and i been getting rid of it little by little but i cant get rid of this fake WD i have, help! its like an icon on the bottom right corner and it says my computer is being attack by spyware and its making my computer lag



Sponsored Link
Ads by Google

Response Number 1
Name: jabuck
Date: January 21, 2008 at 19:02:30 Pacific
Reply:

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5.Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.


0

Response Number 2
Name: plrpro
Date: January 21, 2008 at 19:25:07 Pacific
Reply:

Here is a spyware removal guide that might help out as well. Be sure and post your high jack log here.

http://www.windowvistarepair.com/ar...


0

Response Number 3
Name: santiago1
Date: January 22, 2008 at 21:01:22 Pacific
Reply:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:18 PM, on 1/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\wdu27.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\wdu27 .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [Windows Defender] C:\DOCUME~1\Owner\LOCALS~1\Temp\wdc24.exe
O4 - HKLM\..\Run: [Windows Defender Adds] C:\DOCUME~1\Owner\LOCALS~1\Temp\wda25.exe
O4 - HKLM\..\Run: [Windows Defender Monitor] C:\WINDOWS\wdm26.exe
O4 - HKLM\..\Run: [Windows Defender Updater] C:\WINDOWS\wdu27.exe
O4 - HKCU\..\Run: [Windows Defender] C:\DOCUME~1\Owner\LOCALS~1\Temp\wdc28.exe
O4 - HKCU\..\Run: [Windows Defender Adds] C:\DOCUME~1\Owner\LOCALS~1\Temp\wda29.exe
O4 - HKCU\..\Run: [Windows Defender Monitor] C:\WINDOWS\wdm26.exe
O4 - HKCU\..\Run: [Windows Defender Updater] C:\WINDOWS\wdu27.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4283 bytes


0

Response Number 4
Name: jabuck
Date: January 23, 2008 at 03:44:18 Pacific
Reply:

Go to the this link:

Disable Realtime Protection

Follow their directions to disable any realtime protection that you have as it will interfere with the fix by reinstalling the corrupt files.

Run Hijack This, close all windows and browsers except Hijack This, place a check to the left of the following items and press "fix checked":

O4 - HKLM\..\Run: [Windows Defender] C:\DOCUME~1\Owner\LOCALS~1\Temp\wdc24.exe


O4 - HKLM\..\Run: [Windows Defender Adds] C:\DOCUME~1\Owner\LOCALS~1\Temp\wda25.exe


O4 - HKLM\..\Run: [Windows Defender Monitor] C:\WINDOWS\wdm26.exe


O4 - HKLM\..\Run: [Windows Defender Updater] C:\WINDOWS\wdu27.exe


O4 - HKCU\..\Run: [Windows Defender] C:\DOCUME~1\Owner\LOCALS~1\Temp\wdc28.exe


O4 - HKCU\..\Run: [Windows Defender Adds] C:\DOCUME~1\Owner\LOCALS~1\Temp\wda29.exe

O4 - HKCU\..\Run: [Windows Defender Monitor] C:\WINDOWS\wdm26.exe

O4 - HKCU\..\Run: [Windows Defender Updater] C:\WINDOWS\wdu27.exe

Exit Hijack This.

Set up the computer to view hidden files:
To show hidden files do the following:
Click Start > My Computer
On the Tools menu, click Folder Options.
Click the View tab.
Uncheck Hide file extensions for known file types.
Uncheck Hide protected operating system files.
Under the Hidden files folder, locate and check Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply > OK.

Navigate to and delete these files if found:


C:\WINDOWS\wdu27.exe
C:\WINDOWS\wdu28.exe
C:\WINDOWS\wdu29.exe
C:\WINDOWS\wdu24.exe
C:\WINDOWS\wdu25.exe

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Download ATF Cleaner from this link:
ATF Cleaner
Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Please run the BitDefender online scan this link:
Bitdefender Online Scanner

You will need to allow an active x install for the scan to run.
Leave the scanning options at default and press "click here to scan"
When finished scanning, click on "click here to export the scan report"
Save it to your desktop, at "file name" type in "bdscan" then click save.
Post a log in your reply.


0

Response Number 5
Name: santiago1
Date: January 23, 2008 at 20:13:00 Pacific
Reply:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:42 PM, on 1/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\wdc24.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\wdc24 .exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [Windows Defender] C:\DOCUME~1\Owner\LOCALS~1\Temp\wdc1A.exe
O4 - HKLM\..\Run: [Windows Defender Adds] C:\DOCUME~1\Owner\LOCALS~1\Temp\wda1B.exe
O4 - HKLM\..\Run: [Windows Defender Monitor] C:\WINDOWS\wdm1C.exe
O4 - HKLM\..\Run: [Windows Defender Updater] C:\WINDOWS\wdu1D.exe
O4 - HKCU\..\Run: [Windows Defender] C:\DOCUME~1\Owner\LOCALS~1\Temp\wdc1E.exe
O4 - HKCU\..\Run: [Windows Defender Adds] C:\DOCUME~1\Owner\LOCALS~1\Temp\wda1F.exe
O4 - HKCU\..\Run: [Windows Defender Monitor] C:\WINDOWS\wdm20.exe
O4 - HKCU\..\Run: [Windows Defender Updater] C:\WINDOWS\wdu21.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4059 bytes


0

Related Posts

See More



Response Number 6
Name: santiago1
Date: January 23, 2008 at 20:22:31 Pacific
Reply:

i think my teatimer is blocking them or bloking my original WD


0

Response Number 7
Name: jabuck
Date: January 24, 2008 at 03:30:45 Pacific
Reply:

You must turn tea timer off, in response #4 click the Realtime Protection link for directions on how to turn it off.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.


0

Response Number 8
Name: laurieg
Date: January 24, 2008 at 17:33:41 Pacific
Reply:

Can you help me? I have seen the threads where you've cleaned up the exact same syptoms I'm having. I just posted my most current SmitFraudFix report and HiJackThis report on a thread titled "Yellow triangle w Exlamation Mark.
Thank you so much!


0

Response Number 9
Name: santiago1
Date: January 24, 2008 at 20:45:15 Pacific
Reply:

ComboFix 08-01-23.1C - Owner 2008-01-24 20:12:18.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.691 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\DOCUME~1\Owner\LOCALS~1\Temp\wda1B.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\wdc1A.exe
C:\Documents and Settings\amparo.baby.!\Application Data\FunWebProducts
C:\Documents and Settings\amparo.baby.!\Application Data\FunWebProducts\Data\amparo.baby.!\avatar.dat
C:\Documents and Settings\amparo.baby.!\Application Data\FunWebProducts\Data\amparo.baby.!\zwinky.dat
C:\Documents and Settings\Owner\Application Data\antivirus.exe
C:\Documents and Settings\Owner\Application Data\trant.exe
C:\Documents and Settings\Owner\Local Settings\Temp\wda1D .exe
C:\Documents and Settings\Owner\Local Settings\Temp\wda1D.exe
C:\Documents and Settings\Owner\Local Settings\Temp\wda22 .exe
C:\Documents and Settings\Owner\Local Settings\Temp\wda22.exe
C:\Documents and Settings\Owner\Local Settings\Temp\wda25 .exe
C:\Documents and Settings\Owner\Local Settings\Temp\wda25.exe
C:\Documents and Settings\Owner\Local Settings\Temp\wda29 .exe
C:\Documents and Settings\Owner\Local Settings\Temp\wda29.exe
C:\Documents and Settings\Owner\Local Settings\Temp\wdc21 .exe
C:\Documents and Settings\Owner\Local Settings\Temp\wdc21.exe
C:\Documents and Settings\Owner\Local Settings\Temp\wdc24 .exe
C:\Documents and Settings\Owner\Local Settings\Temp\wdc24.exe
C:\Documents and Settings\Owner\Local Settings\Temp\wdc28 .exe
C:\Documents and Settings\Owner\Local Settings\Temp\wdc28.exe
C:\Documents and Settings\Owner\My Documents\ICROSO~1
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\pos10.tmp
C:\pos100.tmp
C:\pos101.tmp
C:\pos102.tmp
C:\pos1025.tmp
C:\pos1026.tmp
C:\pos1027.tmp
C:\pos1028.tmp
C:\pos1029.tmp
C:\pos102A.tmp
C:\pos102B.tmp
C:\pos102C.tmp
C:\pos102D.tmp
C:\pos102E.tmp
C:\pos102F.tmp
C:\pos103.tmp
C:\pos1030.tmp
C:\pos1031.tmp
C:\pos1032.tmp
C:\pos1033.tmp
C:\pos1034.tmp
C:\pos1035.tmp
C:\pos1036.tmp
C:\pos1037.tmp
C:\pos1038.tmp
C:\pos1039.tmp
C:\pos103A.tmp
C:\pos103B.tmp
C:\pos103D.tmp
C:\pos103E.tmp
C:\pos103F.tmp
C:\pos104.tmp
C:\pos1040.tmp
C:\pos1041.tmp
C:\pos1042.tmp
C:\pos1043.tmp
C:\pos1044.tmp
C:\pos1045.tmp
C:\pos1046.tmp
C:\pos1047.tmp
C:\pos1048.tmp
C:\pos1049.tmp
C:\pos104A.tmp
C:\pos104B.tmp
C:\pos104C.tmp
C:\pos104D.tmp
C:\pos104E.tmp
C:\pos104F.tmp
C:\pos105.tmp
C:\pos1050.tmp
C:\pos1051.tmp
C:\pos1052.tmp
C:\pos1053.tmp
C:\pos1054.tmp
C:\pos1055.tmp
C:\pos1056.tmp
C:\pos1057.tmp
C:\pos1058.tmp
C:\pos1059.tmp
C:\pos105A.tmp
C:\pos105B.tmp
C:\pos105C.tmp
C:\pos105D.tmp
C:\pos105E.tmp
C:\pos105F.tmp
C:\pos106.tmp
C:\pos1060.tmp
C:\pos1061.tmp
C:\pos1062.tmp
C:\pos1063.tmp
C:\pos1064.tmp
C:\pos1065.tmp
C:\pos1066.tmp
C:\pos1067.tmp
C:\pos1068.tmp
C:\pos1069.tmp
C:\pos106A.tmp
C:\pos106B.tmp
C:\pos106C.tmp
C:\pos106D.tmp
C:\pos106E.tmp
C:\pos106F.tmp
C:\pos107.tmp
C:\pos1070.tmp
C:\pos1071.tmp
C:\pos1072.tmp
C:\pos1073.tmp
C:\pos1074.tmp
C:\pos1075.tmp
C:\pos1076.tmp
C:\pos1077.tmp
C:\pos1078.tmp
C:\pos1079.tmp
C:\pos107A.tmp
C:\pos107B.tmp
C:\pos107C.tmp
C:\pos107D.tmp
C:\pos107E.tmp
C:\pos107F.tmp
C:\pos108.tmp
C:\pos1080.tmp
C:\pos1081.tmp
C:\pos1082.tmp
C:\pos1083.tmp
C:\pos1084.tmp
C:\pos1085.tmp
C:\pos1086.tmp
C:\pos1087.tmp
C:\pos1088.tmp
C:\pos1089.tmp
C:\pos108A.tmp
C:\pos108B.tmp
C:\pos108C.tmp
C:\pos108D.tmp
C:\pos108E.tmp
C:\pos108F.tmp
C:\pos109.tmp
C:\pos1090.tmp
C:\pos1091.tmp
C:\pos1092.tmp
C:\pos1093.tmp
C:\pos1094.tmp
C:\pos1095.tmp
C:\pos1096.tmp
C:\pos1097.tmp
C:\pos1098.tmp
C:\pos1099.tmp
C:\pos109A.tmp
C:\pos109B.tmp
C:\pos109C.tmp
C:\pos109D.tmp
C:\pos109E.tmp
C:\pos109F.tmp
C:\pos10A.tmp
C:\pos10A0.tmp
C:\pos10A1.tmp
C:\pos10A3.tmp
C:\pos10A4.tmp
C:\pos10A5.tmp
C:\pos10A6.tmp
C:\pos10A7.tmp
C:\pos10A8.tmp
C:\pos10A9.tmp
C:\pos10AA.tmp
C:\pos10AB.tmp
C:\pos10AC.tmp
C:\pos10AD.tmp
C:\pos10AE.tmp
C:\pos10AF.tmp
C:\pos10B.tmp
C:\pos10B0.tmp
C:\pos10B1.tmp
C:\pos10B2.tmp
C:\pos10B3.tmp
C:\pos10B4.tmp
C:\pos10B5.tmp
C:\pos10B6.tmp
C:\pos10B7.tmp
C:\pos10B8.tmp
C:\pos10B9.tmp
C:\pos10BA.tmp
C:\pos10BB.tmp
C:\pos10BC.tmp
C:\pos10BD.tmp
C:\pos10BE.tmp
C:\pos10BF.tmp
C:\pos10C.tmp
C:\pos10C1.tmp
C:\pos10C2.tmp
C:\pos10C3.tmp
C:\pos10C4.tmp
C:\pos10C8.tmp
C:\pos10C9.tmp
C:\pos10CA.tmp
C:\pos10CB.tmp
C:\pos10CC.tmp
C:\pos10CD.tmp
C:\pos10CE.tmp
C:\pos10CF.tmp
C:\pos10D.tmp
C:\pos10D0.tmp
C:\pos10D1.tmp
C:\pos10D2.tmp
C:\pos10D3.tmp
C:\pos10D4.tmp
C:\pos10D5.tmp
C:\pos10D6.tmp
C:\pos10D7.tmp
C:\pos10D8.tmp
C:\pos10D9.tmp
C:\pos10DA.tmp
C:\pos10DB.tmp
C:\pos10DC.tmp
C:\pos10DD.tmp
C:\pos10DE.tmp
C:\pos10DF.tmp
C:\pos10E.tmp
C:\pos10E0.tmp
C:\pos10E1.tmp
C:\pos10E2.tmp
C:\pos10E3.tmp
C:\pos10E4.tmp
C:\pos10E5.tmp
C:\pos10E6.tmp
C:\pos10E7.tmp
C:\pos10E9.tmp
C:\pos10EA.tmp
C:\pos10EB.tmp
C:\pos10EC.tmp
C:\pos10ED.tmp
C:\pos10EE.tmp
C:\pos10EF.tmp
C:\pos10F.tmp
C:\pos10F0.tmp
C:\pos10F1.tmp
C:\pos10F2.tmp
C:\pos10F3.tmp
C:\pos10F4.tmp
C:\pos10F5.tmp
C:\pos10F6.tmp
C:\pos10F7.tmp
C:\pos10F8.tmp
C:\pos10F9.tmp
C:\pos10FA.tmp
C:\pos10FB.tmp
C:\pos10FC.tmp
C:\pos10FD.tmp
C:\pos10FE.tmp
C:\pos10FF.tmp
C:\pos11.tmp
C:\pos110.tmp
C:\pos1100.tmp
C:\pos1101.tmp
C:\pos1102.tmp
C:\pos1103.tmp
C:\pos1104.tmp
C:\pos1105.tmp
C:\pos1106.tmp
C:\pos1107.tmp
C:\pos1108.tmp
C:\pos1109.tmp
C:\pos110A.tmp
C:\pos110B.tmp
C:\pos110C.tmp
C:\pos110D.tmp
C:\pos110E.tmp
C:\pos110F.tmp
C:\pos111.tmp
C:\pos1110.tmp
C:\pos1111.tmp
C:\pos1112.tmp
C:\pos1113.tmp
C:\pos1114.tmp
C:\pos1115.tmp
C:\pos1116.tmp
C:\pos1117.tmp
C:\pos1118.tmp
C:\pos1119.tmp
C:\pos111A.tmp
C:\pos111B.tmp
C:\pos111C.tmp
C:\pos111D.tmp
C:\pos111E.tmp
C:\pos111F.tmp
C:\pos112.tmp
C:\pos1120.tmp
C:\pos1121.tmp
C:\pos1122.tmp
C:\pos1123.tmp
C:\pos1124.tmp
C:\pos1125.tmp
C:\pos1126.tmp
C:\pos1127.tmp
C:\pos1128.tmp
C:\pos1129.tmp
C:\pos112A.tmp
C:\pos112B.tmp
C:\pos112C.tmp
C:\pos112D.tmp
C:\pos112E.tmp
C:\pos112F.tmp
C:\pos113.tmp
C:\pos1130.tmp
C:\pos1131.tmp
C:\pos1132.tmp
C:\pos1133.tmp
C:\pos1134.tmp
C:\pos1135.tmp
C:\pos1136.tmp
C:\pos1137.tmp
C:\pos1138.tmp
C:\pos1139.tmp
C:\pos113A.tmp
C:\pos113B.tmp
C:\pos113C.tmp
C:\pos113D.tmp
C:\pos113E.tmp
C:\pos113F.tmp
C:\pos114.tmp
C:\pos1140.tmp
C:\pos1141.tmp
C:\pos1142.tmp
C:\pos1143.tmp
C:\pos1144.tmp
C:\pos1145.tmp
C:\pos1146.tmp
C:\pos1147.tmp
C:\pos1148.tmp
C:\pos1149.tmp
C:\pos114A.tmp
C:\pos114B.tmp
C:\pos114C.tmp
C:\pos114D.tmp
C:\pos114E.tmp
C:\pos114F.tmp
C:\pos115.tmp
C:\pos1150.tmp
C:\pos1151.tmp
C:\pos1152.tmp
C:\pos1153.tmp
C:\pos1154.tmp
C:\pos1155.tmp
C:\pos1156.tmp
C:\pos1157.tmp
C:\pos1158.tmp
C:\pos1159.tmp
C:\pos115A.tmp
C:\pos115B.tmp
C:\pos115C.tmp
C:\pos115D.tmp
C:\pos115E.tmp
C:\pos115F.tmp
C:\pos116.tmp
C:\pos1160.tmp
C:\pos1161.tmp
C:\pos1162.tmp
C:\pos1163.tmp
C:\pos1164.tmp
C:\pos1165.tmp
C:\pos1166.tmp
C:\pos1167.tmp
C:\pos1168.tmp
C:\pos1169.tmp
C:\pos116A.tmp
C:\pos116B.tmp
C:\pos116C.tmp
C:\pos116D.tmp
C:\pos116E.tmp
C:\pos116F.tmp
C:\pos117.tmp
C:\pos1170.tmp
C:\pos1171.tmp
C:\pos1172.tmp
C:\pos1173.tmp
C:\pos1174.tmp
C:\pos1175.tmp
C:\pos1176.tmp
C:\pos1177.tmp
C:\pos1178.tmp
C:\pos1179.tmp
C:\pos117A.tmp
C:\pos117B.tmp
C:\pos117C.tmp
C:\pos117D.tmp
C:\pos117E.tmp
C:\pos117F.tmp
C:\pos118.tmp
C:\pos1180.tmp
C:\pos1181.tmp
C:\pos1182.tmp
C:\pos1183.tmp
C:\pos1184.tmp
C:\pos1185.tmp
C:\pos1186.tmp
C:\pos1187.tmp
C:\pos1188.tmp
C:\pos1189.tmp
C:\pos118A.tmp
C:\pos118B.tmp
C:\pos118C.tmp
C:\pos118D.tmp
C:\pos118E.tmp
C:\pos118F.tmp
C:\pos119.tmp
C:\pos1190.tmp
C:\pos1191.tmp
C:\pos1192.tmp
C:\pos1193.tmp
C:\pos1194.tmp
C:\pos1195.tmp
C:\pos1196.tmp
C:\pos1197.tmp
C:\pos1198.tmp
C:\pos1199.tmp
C:\pos119A.tmp
C:\pos119B.tmp
C:\pos119C.tmp
C:\pos119D.tmp
C:\pos119E.tmp
C:\pos119F.tmp
C:\pos11A.tmp
C:\pos11A0.tmp
C:\pos11A1.tmp
C:\pos11A2.tmp
C:\pos11A3.tmp
C:\pos11A4.tmp
C:\pos11A5.tmp
C:\pos11A6.tmp
C:\pos11A7.tmp
C:\pos11A8.tmp
C:\pos11A9.tmp
C:\pos11AA.tmp
C:\pos11AB.tmp
C:\pos11AC.tmp
C:\pos11AD.tmp
C:\pos11AE.tmp
C:\pos11AF.tmp
C:\pos11B.tmp
C:\pos11B0.tmp
C:\pos11B1.tmp
C:\pos11B2.tmp
C:\pos11B3.tmp
C:\pos11B4.tmp
C:\pos11B5.tmp
C:\pos11B6.tmp
C:\pos11B7.tmp
C:\pos11B8.tmp
C:\pos11B9.tmp
C:\pos11BA.tmp
C:\pos11BB.tmp
C:\pos11BC.tmp
C:\pos11BD.tmp
C:\pos11BE.tmp
C:\pos11BF.tmp
C:\pos11C.tmp
C:\pos11C0.tmp
C:\pos11C1.tmp
C:\pos11C2.tmp
C:\pos11C3.tmp
C:\pos11C4.tmp
C:\pos11C5.tmp
C:\pos11C6.tmp
C:\pos11C7.tmp
C:\pos11C8.tmp
C:\pos11C9.tmp
C:\pos11CA.tmp
C:\pos11CB.tmp
C:\pos11CC.tmp
C:\pos11CD.tmp
C:\pos11CE.tmp
C:\pos11CF.tmp
C:\pos11D.tmp
C:\pos11D0.tmp
C:\pos11D1.tmp
C:\pos11D2.tmp
C:\pos11D3.tmp
C:\pos11D4.tmp
C:\pos11D5.tmp
C:\pos11D6.tmp
C:\pos11D7.tmp
C:\pos11D8.tmp
C:\pos11D9.tmp
C:\pos11DA.tmp
C:\pos11DB.tmp
C:\pos11DC.tmp
C:\pos11DD.tmp
C:\pos11DE.tmp
C:\pos11DF.tmp
C:\pos11E.tmp
C:\pos11E0.tmp
C:\pos11E1.tmp
C:\pos11E2.tmp
C:\pos11E3.tmp
C:\pos11E4.tmp
C:\pos11E5.tmp
C:\pos11E6.tmp
C:\pos11E7.tmp
C:\pos11E8.tmp
C:\pos11E9.tmp
C:\pos11EA.tmp
C:\pos11EB.tmp
C:\pos11EC.tmp
C:\pos11ED.tmp
C:\pos11EE.tmp
C:\pos11EF.tmp
C:\pos11F.tmp
C:\pos11F0.tmp
C:\pos11F1.tmp
C:\pos11F2.tmp
C:\pos11F3.tmp
C:\pos11F4.tmp
C:\pos11F5.tmp
C:\pos11F6.tmp
C:\pos11F7.tmp
C:\pos11F8.tmp
C:\pos11F9.tmp
C:\pos11FA.tmp
C:\pos11FB.tmp
C:\pos11FC.tmp
C:\pos11FD.tmp
C:\pos11FE.tmp
C:\pos11FF.tmp
C:\pos12.tmp
C:\pos120.tmp
C:\pos1200.tmp
C:\pos1201.tmp
C:\pos1202.tmp
C:\pos1203.tmp
C:\pos1204.tmp
C:\pos1205.tmp
C:\pos1206.tmp
C:\pos1207.tmp
C:\pos1208.tmp
C:\pos1209.tmp
C:\pos120A.tmp
C:\pos120B.tmp
C:\pos120C.tmp
C:\pos120D.tmp
C:\pos120E.tmp
C:\pos120F.tmp
C:\pos121.tmp
C:\pos1210.tmp
C:\pos1211.tmp
C:\pos1212.tmp
C:\pos1213.tmp
C:\pos1214.tmp
C:\pos1215.tmp
C:\pos1216.tmp
C:\pos1217.tmp
C:\pos1218.tmp
C:\pos1219.tmp
C:\pos121A.tmp
C:\pos121B.tmp
C:\pos121C.tmp
C:\pos121D.tmp
C:\pos121E.tmp
C:\pos121F.tmp
C:\pos122.tmp
C:\pos123.tmp
C:\pos124.tmp
C:\pos125.tmp
C:\pos126.tmp
C:\pos127.tmp
C:\pos128.tmp
C:\pos129.tmp
C:\pos12A.tmp
C:\pos12B.tmp
C:\pos12C.tmp
C:\pos12D.tmp
C:\pos12E.tmp
C:\pos12F.tmp
C:\pos13.tmp
C:\pos130.tmp
C:\pos131.tmp
C:\pos132.tmp
C:\pos133.tmp
C:\pos134.tmp
C:\pos135.tmp
C:\pos136.tmp
C:\pos137.tmp
C:\pos138.tmp
C:\pos139.tmp
C:\pos13A.tmp
C:\pos13B.tmp
C:\pos13C.tmp
C:\pos13D.tmp
C:\pos13E.tmp
C:\pos13F.tmp
C:\pos14.tmp
C:\pos140.tmp
C:\pos141.tmp
C:\pos142.tmp
C:\pos143.tmp
C:\pos144.tmp
C:\pos145.tmp
C:\pos146.tmp
C:\pos147.tmp
C:\pos148.tmp
C:\pos149.tmp
C:\pos14A.tmp
C:\pos14B.tmp
C:\pos14C.tmp
C:\pos14D.tmp
C:\pos14E.tmp
C:\pos14F.tmp
C:\pos15.tmp
C:\pos150.tmp
C:\pos151.tmp
C:\pos152.tmp
C:\pos153.tmp
C:\pos154.tmp
C:\pos155.tmp
C:\pos156.tmp
C:\pos157.tmp
C:\pos158.tmp
C:\pos159.tmp
C:\pos15A.tmp
C:\pos15B.tmp
C:\pos15C.tmp
C:\pos15D.tmp
C:\pos15E.tmp
C:\pos15F.tmp
C:\pos16.tmp
C:\pos160.tmp
C:\pos161.tmp
C:\pos162.tmp
C:\pos163.tmp
C:\pos164.tmp
C:\pos165.tmp
C:\pos166.tmp
C:\pos167.tmp
C:\pos168.tmp
C:\pos169.tmp
C:\pos16A.tmp
C:\pos16B.tmp
C:\pos16C.tmp
C:\pos16D.tmp
C:\pos16E.tmp
C:\pos16F.tmp
C:\pos17.tmp
C:\pos170.tmp
C:\pos171.tmp
C:\pos172.tmp
C:\pos173.tmp
C:\pos174.tmp
C:\pos175.tmp
C:\pos176.tmp
C:\pos177.tmp
C:\pos178.tmp
C:\pos179.tmp
C:\pos17A.tmp
C:\pos17B.tmp
C:\pos17C.tmp
C:\pos17D.tmp
C:\pos17E.tmp
C:\pos17F.tmp
C:\pos18.tmp
C:\pos180.tmp
C:\pos181.tmp
C:\pos182.tmp
C:\pos183.tmp
C:\pos184.tmp
C:\pos185.tmp
C:\pos186.tmp
C:\pos187.tmp
C:\pos188.tmp
C:\pos189.tmp
C:\pos18A.tmp
C:\pos18B.tmp
C:\pos18C.tmp
C:\pos18D.tmp
C:\pos18E.tmp
C:\pos18F.tmp
C:\pos19.tmp
C:\pos190.tmp
C:\pos191.tmp
C:\pos192.tmp
C:\pos193.tmp
C:\pos194.tmp
C:\pos195.tmp
C:\pos196.tmp
C:\pos197.tmp
C:\pos198.tmp
C:\pos199.tmp
C:\pos19A.tmp
C:\pos19B.tmp
C:\pos19C.tmp
C:\pos19D.tmp
C:\pos19E.tmp
C:\pos19F.tmp
C:\pos1A.tmp
C:\pos1A0.tmp
C:\pos1A1.tmp
C:\pos1A2.tmp
C:\pos1A3.tmp
C:\pos1A4.tmp
C:\pos1A5.tmp
C:\pos1A6.tmp
C:\pos1A7.tmp
C:\pos1A8.tmp
C:\pos1A9.tmp
C:\pos1AA.tmp
C:\pos1AB.tmp
C:\pos1AC.tmp
C:\pos1AD.tmp
C:\pos1AE.tmp
C:\pos1AF.tmp
C:\pos1B.tmp
C:\pos1B0.tmp
C:\pos1B1.tmp
C:\pos1B2.tmp
C:\pos1B3.tmp
C:\pos1B4.tmp
C:\pos1B5.tmp
C:\pos1B6.tmp
C:\pos1B7.tmp
C:\pos1B8.tmp
C:\pos1B9.tmp
C:\pos1BA.tmp
C:\pos1BB.tmp
C:\pos1BC.tmp
C:\pos1BD.tmp
C:\pos1BE.tmp
C:\pos1BF.tmp
C:\pos1C.tmp
C:\pos1C0.tmp
C:\pos1C1.tmp
C:\pos1C2.tmp
C:\pos1C3.tmp
C:\pos1C4.tmp
C:\pos1C5.tmp
C:\pos1C6.tmp
C:\pos1C7.tmp
C:\pos1C8.tmp
C:\pos1C9.tmp
C:\pos1CA.tmp
C:\pos1CB.tmp
C:\pos1CC.tmp
C:\pos1CD.tmp
C:\pos1CE.tmp
C:\pos1CF.tmp
C:\pos1D.tmp
C:\pos1D0.tmp
C:\pos1D1.tmp
C:\pos1D2.tmp
C:\pos1D3.tmp
C:\pos1D4.tmp
C:\pos1D5.tmp
C:\pos1D6.tmp
C:\pos1D7.tmp
C:\pos1D8.tmp
C:\pos1D9.tmp
C:\pos1DA.tmp
C:\pos1DB.tmp
C:\pos1DC.tmp
C:\pos1DD.tmp
C:\pos1DE.tmp
C:\pos1DF.tmp
C:\pos1E.tmp
C:\pos1E0.tmp
C:\pos1E1.tmp
C:\pos1E2.tmp
C:\pos1E3.tmp
C:\pos1E4.tmp
C:\pos1E5.tmp
C:\pos1E6.tmp
C:\pos1E7.tmp
C:\pos1E8.tmp
C:\pos1E9.tmp
C:\pos1EA.tmp
C:\pos1EB.tmp
C:\pos1EC.tmp
C:\pos1ED.tmp
C:\pos1EE.tmp
C:\pos1EF.tmp
C:\pos1F.tmp
C:\pos1F0.tmp
C:\pos1F1.tmp
C:\pos1F2.tmp
C:\pos1F3.tmp
C:\pos1F4.tmp
C:\pos1F5.tmp
C:\pos1F6.tmp
C:\pos1F7.tmp
C:\pos1F8.tmp
C:\pos1F9.tmp
C:\pos1FA.tmp
C:\pos1FB.tmp
C:\pos1FC.tmp
C:\pos1FD.tmp
C:\pos1FE.tmp
C:\pos1FF.tmp
C:\pos20.tmp
C:\pos200.tmp
C:\pos201.tmp
C:\pos202.tmp
C:\pos203.tmp
C:\pos204.tmp
C:\pos205.tmp
C:\pos206.tmp
C:\pos207.tmp
C:\pos208.tmp
C:\pos209.tmp
C:\pos20A.tmp
C:\pos20B.tmp
C:\pos20C.tmp
C:\pos20D.tmp
C:\pos20E.tmp
C:\pos20F.tmp
C:\pos21.tmp
C:\pos210.tmp
C:\pos211.tmp
C:\pos212.tmp
C:\pos213.tmp
C:\pos214.tmp
C:\pos215.tmp
C:\pos216.tmp
C:\pos217.tmp
C:\pos218.tmp
C:\pos219.tmp
C:\pos21A.tmp
C:\pos21B.tmp
C:\pos21C.tmp
C:\pos21D.tmp
C:\pos21E.tmp
C:\pos21F.tmp
C:\pos22.tmp
C:\pos221.tmp
C:\pos224.tmp
C:\pos225.tmp
C:\pos226.tmp
C:\pos227.tmp
C:\pos228.tmp
C:\pos22A.tmp
C:\pos22B.tmp
C:\pos22C.tmp
C:\pos22D.tmp
C:\pos22E.tmp
C:\pos22F.tmp
C:\pos23.tmp
C:\pos230.tmp
C:\pos231.tmp
C:\pos232.tmp
C:\pos233.tmp
C:\pos234.tmp
C:\pos235.tmp
C:\pos236.tmp
C:\pos237.tmp
C:\pos238.tmp
C:\pos23B.tmp
C:\pos23C.tmp
C:\pos23D.tmp
C:\pos23F.tmp
C:\pos24.tmp
C:\pos240.tmp
C:\pos241.tmp
C:\pos242.tmp
C:\pos245.tmp
C:\pos246.tmp
C:\pos247.tmp
C:\pos248.tmp
C:\pos249.tmp
C:\pos24A.tmp
C:\pos24B.tmp
C:\pos24C.tmp
C:\pos24E.tmp
C:\pos24F.tmp
C:\pos25.tmp
C:\pos250.tmp
C:\pos251.tmp
C:\pos252.tmp
C:\pos253.tmp
C:\pos255.tmp
C:\pos256.tmp
C:\pos257.tmp
C:\pos258.tmp
C:\pos259.tmp
C:\pos25A.tmp
C:\pos25B.tmp
C:\pos25C.tmp
C:\pos25D.tmp
C:\pos25E.tmp
C:\pos25F.tmp
C:\pos26.tmp
C:\pos260.tmp
C:\pos261.tmp
C:\pos262.tmp
C:\pos263.tmp
C:\pos264.tmp
C:\pos265.tmp
C:\pos266.tmp
C:\pos267.tmp
C:\pos268.tmp
C:\pos269.tmp
C:\pos26A.tmp
C:\pos26B.tmp
C:\pos26C.tmp
C:\pos26D.tmp
C:\pos26E.tmp
C:\pos26F.tmp
C:\pos27.tmp
C:\pos270.tmp
C:\pos271.tmp
C:\pos272.tmp
C:\pos273.tmp
C:\pos274.tmp
C:\pos275.tmp
C:\pos276.tmp
C:\pos277.tmp
C:\pos278.tmp
C:\pos279.tmp
C:\pos27A.tmp
C:\pos27B.tmp
C:\pos27C.tmp
C:\pos27D.tmp
C:\pos27E.tmp
C:\pos27F.tmp
C:\pos280.tmp
C:\pos281.tmp
C:\pos282.tmp
C:\pos283.tmp
C:\pos284.tmp
C:\pos285.tmp
C:\pos286.tmp
C:\pos287.tmp
C:\pos288.tmp
C:\pos289.tmp
C:\pos28A.tmp
C:\pos28B.tmp
C:\pos28C.tmp
C:\pos28D.tmp
C:\pos28E.tmp
C:\pos28F.tmp
C:\pos29.tmp
C:\pos290.tmp
C:\pos291.tmp
C:\pos292.tmp
C:\pos293.tmp
C:\pos294.tmp
C:\pos295.tmp
C:\pos296.tmp
C:\pos297.tmp
C:\pos298.tmp
C:\pos299.tmp
C:\pos29A.tmp
C:\pos29B.tmp
C:\pos29C.tmp
C:\pos29D.tmp
C:\pos29E.tmp
C:\pos29F.tmp
C:\pos2A.tmp
C:\pos2A0.tmp
C:\pos2A1.tmp
C:\pos2A2.tmp
C:\pos2A3.tmp
C:\pos2A4.tmp
C:\pos2A5.tmp
C:\pos2A6.tmp
C:\pos2A7.tmp
C:\pos2A8.tmp
C:\pos2A9.tmp
C:\pos2AA.tmp
C:\pos2AB.tmp
C:\pos2AC.tmp
C:\pos2AD.tmp
C:\pos2AE.tmp
C:\pos2AF.tmp
C:\pos2B.tmp
C:\pos2B0.tmp
C:\pos2B1.tmp
C:\pos2B2.tmp
C:\pos2B3.tmp
C:\pos2B4.tmp
C:\pos2B5.tmp
C:\pos2B6.tmp
C:\pos2B7.tmp
C:\pos2B8.tmp
C:\pos2B9.tmp
C:\pos2BA.tmp
C:\pos2BB.tmp
C:\pos2BC.tmp
C:\pos2BD.tmp
C:\pos2BE.tmp
C:\pos2BF.tmp
C:\pos2C.tmp
C:\pos2C0.tmp
C:\pos2C1.tmp
C:\pos2C2.tmp
C:\pos2C3.tmp
C:\pos2C4.tmp
C:\pos2C5.tmp
C:\pos2C6.tmp
C:\pos2C7.tmp
C:\pos2C8.tmp
C:\pos2C9.tmp
C:\pos2CA.tmp
C:\pos2CB.tmp
C:\pos2CC.tmp
C:\pos2CD.tmp
C:\pos2CE.tmp
C:\pos2CF.tmp
C:\pos2D.tmp
C:\pos2D0.tmp
C:\pos2D1.tmp
C:\pos2D2.tmp
C:\pos2D3.tmp
C:\pos2D4.tmp
C:\pos2D5.tmp
C:\pos2D6.tmp
C:\pos2D7.tmp
C:\pos2D8.tmp
C:\pos2D9.tmp
C:\pos2DA.tmp
C:\pos2DB.tmp
C:\pos2DC.tmp
C:\pos2DD.tmp
C:\pos2DE.tmp
C:\pos2DF.tmp
C:\pos2E.tmp
C:\pos2E0.tmp
C:\pos2E1.tmp
C:\pos2E2.tmp
C:\pos2E3.tmp
C:\pos2E4.tmp
C:\pos2E5.tmp
C:\pos2E6.tmp
C:\pos2E7.tmp
C:\pos2E8.tmp
C:\pos2E9.tmp
C:\pos2EA.tmp
C:\pos2EB.tmp
C:\pos2EC.tmp
C:\pos2ED.tmp
C:\pos2EE.tmp
C:\pos2EF.tmp
C:\pos2F.tmp
C:\pos2F0.tmp
C:\pos2F1.tmp
C:\pos2F2.tmp
C:\pos2F3.tmp
C:\pos2F4.tmp
C:\pos2F5.tmp
C:\pos2F6.tmp
C:\pos2F7.tmp
C:\pos2F8.tmp
C:\pos2F9.tmp
C:\pos2FA.tmp
C:\pos2FB.tmp
C:\pos2FC.tmp
C:\pos2FD.tmp
C:\pos2FE.tmp
C:\pos2FF.tmp
C:\pos30.tmp
C:\pos300.tmp
C:\pos301.tmp
C:\pos302.tmp
C:\pos303.tmp
C:\pos304.tmp
C:\pos305.tmp
C:\pos306.tmp
C:\pos307.tmp
C:\pos308.tmp
C:\pos309.tmp
C:\pos30A.tmp
C:\pos30B.tmp
C:\pos30C.tmp
C:\pos30D.tmp
C:\pos30E.tmp
C:\pos30F.tmp
C:\pos31.tmp
C:\pos310.tmp
C:\pos311.tmp
C:\pos312.tmp
C:\pos313.tmp
C:\pos314.tmp
C:\pos315.tmp
C:\pos316.tmp
C:\pos317.tmp
C:\pos318.tmp
C:\pos319.tmp
C:\pos31A.tmp
C:\pos31B.tmp
C:\pos31C.tmp
C:\pos31D.tmp
C:\pos31E.tmp
C:\pos31F.tmp
C:\pos32.tmp
C:\pos320.tmp
C:\pos321.tmp
C:\pos322.tmp
C:\pos323.tmp
C:\pos324.tmp
C:\pos325.tmp
C:\pos326.tmp
C:\pos327.tmp
C:\pos328.tmp
C:\pos329.tmp
C:\pos32A.tmp
C:\pos32B.tmp
C:\pos32C.tmp
C:\pos32D.tmp
C:\pos32E.tmp
C:\pos32F.tmp
C:\pos33.tmp
C:\pos330.tmp
C:\pos331.tmp
C:\pos332.tmp
C:\pos333.tmp
C:\pos334.tmp
C:\pos335.tmp
C:\pos336.tmp
C:\pos337.tmp
C:\pos338.tmp
C:\pos339.tmp
C:\pos33A.tmp
C:\pos33B.tmp
C:\pos33C.tmp
C:\pos33D.tmp
C:\pos33E.tmp
C:\pos33F.tmp
C:\pos34.tmp
C:\pos340.tmp
C:\pos341.tmp
C:\pos342.tmp
C:\pos343.tmp
C:\pos344.tmp
C:\pos345.tmp
C:\pos346.tmp
C:\pos347.tmp
C:\pos348.tmp
C:\pos349.tmp
C:\pos34A.tmp
C:\pos34B.tmp
C:\pos34C.tmp
C:\pos34D.tmp
C:\pos34E.tmp
C:\pos34F.tmp
C:\pos35.tmp
C:\pos350.tmp
C:\pos351.tmp
C:\pos352.tmp
C:\pos353.tmp
C:\pos354.tmp
C:\pos355.tmp
C:\pos356.tmp
C:\pos357.tmp
C:\pos358.tmp
C:\pos359.tmp
C:\pos35A.tmp
C:\pos35B.tmp
C:\pos35C.tmp
C:\pos35D.tmp
C:\pos35E.tmp
C:\pos35F.tmp
C:\pos36.tmp
C:\pos360.tmp
C:\pos361.tmp
C:\pos362.tmp
C:\pos363.tmp
C:\pos364.tmp
C:\pos365.tmp
C:\pos366.tmp
C:\pos367.tmp
C:\pos368.tmp
C:\pos369.tmp
C:\pos36A.tmp
C:\pos36B.tmp
C:\pos36C.tmp
C:\pos36D.tmp
C:\pos36E.tmp
C:\pos36F.tmp
C:\pos37.tmp
C:\pos370.tmp
C:\pos371.tmp
C:\pos372.tmp
C:\pos373.tmp
C:\pos374.tmp
C:\pos375.tmp
C:\pos376.tmp
C:\pos377.tmp
C:\pos378.tmp
C:\pos379.tmp
C:\pos37A.tmp
C:\pos37B.tmp
C:\pos37C.tmp
C:\pos37D.tmp
C:\pos37E.tmp
C:\pos37F.tmp
C:\pos38.tmp
C:\pos380.tmp
C:\pos381.tmp
C:\pos382.tmp
C:\pos383.tmp
C:\pos384.tmp
C:\pos385.tmp
C:\pos386.tmp
C:\pos387.tmp
C:\pos388.tmp
C:\pos389.tmp
C:\pos38A.tmp
C:\pos38B.tmp
C:\pos38C.tmp
C:\pos38D.tmp
C:\pos38E.tmp
C:\pos38F.tmp
C:\pos39.tmp
C:\pos390.tmp
C:\pos391.tmp
C:\pos392.tmp
C:\pos393.tmp
C:\pos394.tmp
C:\pos395.tmp
C:\pos396.tmp
C:\pos397.tmp
C:\pos398.tmp
C:\pos399.tmp
C:\pos39A.tmp
C:\pos39B.tmp
C:\pos39C.tmp
C:\pos39D.tmp
C:\pos39E.tmp
C:\pos39F.tmp
C:\pos3A.tmp
C:\pos3A0.tmp
C:\pos3A1.tmp
C:\pos3A2.tmp
C:\pos3A3.tmp
C:\pos3A4.tmp
C:\pos3A5.tmp
C:\pos3A6.tmp
C:\pos3A7.tmp
C:\pos3A8.tmp
C:\pos3A9.tmp
C:\pos3AA.tmp
C:\pos3AB.tmp
C:\pos3AC.tmp
C:\pos3AD.tmp
C:\pos3AE.tmp
C:\pos3AF.tmp
C:\pos3B.tmp
C:\pos3B0.tmp
C:\pos3B1.tmp
C:\pos3B2.tmp
C:\pos3B3.tmp
C:\pos3B4.tmp
C:\pos3B5.tmp
C:\pos3B6.tmp
C:\pos3B7.tmp
C:\pos3B8.tmp
C:\pos3B9.tmp
C:\pos3BA.tmp
C:\pos3BB.tmp
C:\pos3BC.tmp
C:\pos3BD.tmp
C:\pos3BE.tmp
C:\pos3BF.tmp
C:\pos3C.tmp
C:\pos3C0.tmp
C:\pos3C1.tmp
C:\pos3C2.tmp
C:\pos3C3.tmp
C:\pos3C4.tmp
C:\pos3C5.tmp
C:\pos3C6.tmp
C:\pos3C7.tmp
C:\pos3C8.tmp
C:\pos3C9.tmp
C:\pos3CA.tmp
C:\pos3CB.tmp
C:\pos3CC.tmp
C:\pos3CD.tmp
C:\pos3CE.tmp
C:\pos3CF.tmp
C:\pos3D.tmp
C:\pos3D0.tmp
C:\pos3D1.tmp
C:\pos3D2.tmp
C:\pos3D3.tmp
C:\pos3D4.tmp
C:\pos3D5.tmp
C:\pos3D6.tmp
C:\pos3D7.tmp
C:\pos3D8.tmp
C:\pos3D9.tmp
C:\pos3DA.tmp
C:\pos3DB.tmp
C:\pos3DC.tmp
C:\pos3DD.tmp
C:\pos3DE.tmp
C:\pos3DF.tmp
C:\pos3E.tmp
C:\pos3E0.tmp
C:\pos3E1.tmp
C:\pos3E2.tmp
C:\pos3E3.tmp
C:\pos3E4.tmp
C:\pos3E5.tmp
C:\pos3E6.tmp
C:\pos3E7.tmp
C:\pos3E8.tmp
C:\pos3E9.tmp
C:\pos3EA.tmp
C:\pos3EB.tmp
C:\pos3EC.tmp
C:\pos3ED.tmp
C:\pos3EE.tmp
C:\pos3EF.tmp
C:\pos3F.tmp
C:\pos3F0.tmp
C:\pos3F1.tmp
C:\pos3F2.tmp
C:\pos3F3.tmp
C:\pos3F4.tmp
C:\pos3F5.tmp
C:\pos3F6.tmp
C:\pos3F7.tmp
C:\pos3F8.tmp
C:\pos3F9.tmp
C:\pos3FA.tmp
C:\pos3FB.tmp
C:\pos3FC.tmp
C:\pos3FD.tmp
C:\pos3FE.tmp
C:\pos3FF.tmp
C:\pos40.tmp
C:\pos400.tmp
C:\pos41.tmp
C:\pos42.tmp
C:\pos43.tmp
C:\pos44.tmp
C:\pos45.tmp
C:\pos46.tmp
C:\pos47.tmp
C:\pos48.tmp
C:\pos49.tmp
C:\pos4A.tmp
C:\pos4B.tmp
C:\pos4C.tmp
C:\pos4D.tmp
C:\pos4E.tmp
C:\pos4F.tmp
C:\pos50.tmp
C:\pos51.tmp
C:\pos52.tmp
C:\pos53.tmp
C:\pos54.tmp
C:\pos55.tmp
C:\pos56.tmp
C:\pos57.tmp
C:\pos58.tmp
C:\pos59.tmp
C:\pos5B.tmp
C:\pos5C.tmp
C:\pos5D.tmp
C:\pos5E.tmp
C:\pos5F.tmp
C:\pos60.tmp
C:\pos61.tmp
C:\pos62.tmp
C:\pos63.tmp
C:\pos64.tmp
C:\pos65.tmp
C:\pos66.tmp
C:\pos67.tmp
C:\pos68.tmp
C:\pos69.tmp
C:\pos6A.tmp
C:\pos6B.tmp
C:\pos6C.tmp
C:\pos6D.tmp
C:\pos6E.tmp
C:\pos6F.tmp
C:\pos70.tmp
C:\pos71.tmp
C:\pos72.tmp
C:\pos73.tmp
C:\pos74.tmp
C:\pos75.tmp
C:\pos76.tmp
C:\pos77.tmp
C:\pos78.tmp
C:\pos79.tmp
C:\pos7A.tmp
C:\pos7B.tmp
C:\pos7C.tmp
C:\pos7D.tmp
C:\pos7E.tmp
C:\pos7F.tmp
C:\pos80.tmp
C:\pos81.tmp
C:\pos82.tmp
C:\pos83.tmp
C:\pos84.tmp
C:\pos85.tmp
C:\pos86.tmp
C:\pos87.tmp
C:\pos88.tmp
C:\pos89.tmp
C:\pos8A.tmp
C:\pos8B.tmp
C:\pos8C.tmp
C:\pos8D.tmp
C:\pos8E.tmp
C:\pos8F.tmp
C:\pos90.tmp
C:\pos91.tmp
C:\pos92.tmp
C:\pos93.tmp
C:\pos94.tmp
C:\pos95.tmp
C:\pos96.tmp
C:\pos97.tmp
C:\pos98.tmp
C:\pos99.tmp
C:\pos9A.tmp
C:\pos9B.tmp
C:\pos9C.tmp
C:\pos9D.tmp
C:\pos9E.tmp
C:\pos9F.tmp
C:\posA0.tmp
C:\posA1.tmp
C:\posA2.tmp
C:\posA3.tmp
C:\posA4.tmp
C:\posA5.tmp
C:\posA6.tmp
C:\posA7.tmp
C:\posA8.tmp
C:\posA9.tmp
C:\posAA.tmp
C:\posAB.tmp
C:\posAC.tmp
C:\posAD.tmp
C:\posAE.tmp
C:\posAF.tmp
C:\posB.tmp
C:\posB0.tmp
C:\posB1.tmp
C:\posB2.tmp
C:\posB3.tmp
C:\posB4.tmp
C:\posB5.tmp
C:\posB6.tmp
C:\posB7.tmp
C:\posB8.tmp
C:\posB9.tmp
C:\posBA.tmp
C:\posBB.tmp
C:\posBC.tmp
C:\posBD.tmp
C:\posBE.tmp
C:\posBF.tmp
C:\posC0.tmp
C:\posC1.tmp
C:\posC2.tmp
C:\posC3.tmp
C:\posC4.tmp
C:\posC5.tmp
C:\posC6.tmp
C:\posC7.tmp
C:\posC8.tmp
C:\posC9.tmp
C:\posCA.tmp
C:\posCB.tmp
C:\posCC.tmp
C:\posCD.tmp
C:\posCE.tmp
C:\posCF.tmp
C:\posD.tmp
C:\posD0.tmp
C:\posD1.tmp
C:\posD2.tmp
C:\posD3.tmp
C:\posD4.tmp
C:\posD5.tmp
C:\posD6.tmp
C:\posD7.tmp
C:\posD8.tmp
C:\posD9.tmp
C:\posDA.tmp
C:\posDB.tmp
C:\posDC.tmp
C:\posDD.tmp
C:\posDE.tmp
C:\posDF.tmp
C:\posE.tmp
C:\posE0.tmp
C:\posE1.tmp
C:\posE2.tmp
C:\posE3.tmp
C:\posE4.tmp
C:\posE5.tmp
C:\posE6.tmp
C:\posE7.tmp
C:\posE8.tmp
C:\posE9.tmp
C:\posEA.tmp
C:\posEB.tmp
C:\posEC.tmp
C:\posED.tmp
C:\posEE.tmp
C:\posEF.tmp
C:\posF.tmp
C:\posF0.tmp
C:\posF1.tmp
C:\posF2.tmp
C:\posF3.tmp
C:\posF4.tmp
C:\posF5.tmp
C:\posF6.tmp
C:\posF7.tmp
C:\posF8.tmp
C:\posF9.tmp
C:\posFA.tmp
C:\posFB.tmp
C:\posFC.tmp
C:\posFD.tmp
C:\posFE.tmp
C:\posFF.tmp
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\AIM6\aim6 .exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon .exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched .exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray .exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\Windows Defender\MSASCui .exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\Downloaded Program Files\xpreload.ocx
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
C:\WINDOWS\racle~1
C:\WINDOWS\SMINST\RECGUARD .exe
C:\WINDOWS\SMINST\RECGUARD.exe
C:\WINDOWS\system32\[u]0[/u]00080.exe
C:\WINDOWS\system32\crosof~1
C:\WINDOWS\system32\crosof~1\??crosoft\
C:\WINDOWS\system32\e9
C:\WINDOWS\system32\e9\farstadcom2.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\p2
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\RCX1A.tmp
C:\WINDOWS\system32\RCX1E.tmp
C:\WINDOWS\system32\rtutv.ini
C:\WINDOWS\system32\rtutv.ini2
C:\WINDOWS\system32\t8
C:\WINDOWS\system32\vtutr.dll
C:\WINDOWS\system32\vtutr.exe
C:\WINDOWS\system32\wcpsvsu32.exe
C:\WINDOWS\system32\z0
C:\WINDOWS\system32\z0\vetzcomz22.exe
C:\WINDOWS\ulksystem33.exe
C:\WINDOWS\wdm1C .exe
C:\WINDOWS\wdm1C.exe
C:\WINDOWS\wdm23 .exe
C:\WINDOWS\wdm23.exe
C:\WINDOWS\wdm24 .exe
C:\WINDOWS\wdm24.exe
C:\WINDOWS\wdm25 .exe
C:\WINDOWS\wdm25.exe
C:\WINDOWS\wdm26 .exe
C:\WINDOWS\wdm26.exe
C:\WINDOWS\wdm28 .exe
C:\WINDOWS\wdm28.exe
C:\WINDOWS\wdm29 .exe
C:\WINDOWS\wdm29.exe
C:\WINDOWS\wdm2A .exe
C:\WINDOWS\wdm2A.exe
C:\WINDOWS\wdmD .exe
C:\WINDOWS\wdmD.exe
C:\WINDOWS\wdu1D .exe
C:\WINDOWS\wdu1D.exe
C:\WINDOWS\wdu21 .exe
C:\WINDOWS\wdu21.exe
C:\WINDOWS\wdu24 .exe
C:\WINDOWS\wdu24.exe
C:\WINDOWS\wdu25 .exe
C:\WINDOWS\wdu25.exe
C:\WINDOWS\wdu26 .exe
C:\WINDOWS\wdu26.exe
C:\WINDOWS\wdu27 .exe
C:\WINDOWS\wdu27.exe
C:\WINDOWS\wdu29 .exe
C:\WINDOWS\wdu29.exe
C:\WINDOWS\wdu2A .exe
C:\WINDOWS\wdu2A.exe
C:\WINDOWS\wdu2B .exe
C:\WINDOWS\wdu2B.exe
C:\WINDOWS\wduE .exe
C:\WINDOWS\wduE.exe
D:\Autorun.inf

[code] 


C:\Documents and Settings\Owner\Local Settings\Temp\wda1D .exe ---> QooBox
C:\Documents and Settings\Owner\Local Settings\Temp\wda22 .exe ---> QooBox
C:\Documents and Settings\Owner\Local Settings\Temp\wda25 .exe ---> QooBox
C:\Documents and Settings\Owner\Local Settings\Temp\wda29 .exe ---> QooBox
C:\Documents and Settings\Owner\Local Settings\Temp\wdc21 .exe ---> QooBox
C:\Documents and Settings\Owner\Local Settings\Temp\wdc24 .exe ---> QooBox
C:\Documents and Settings\Owner\Local Settings\Temp\wdc28 .exe ---> QooBox
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe ---> QooBox
C:\Program Files\AIM6\aim6 .exe ---> QooBox
C:\Program Files\Common Files\Real\Update_OB\realsched .exe ---> QooBox
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon .exe ---> QooBox
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe ---> QooBox
C:\Program Files\iTunes\iTunesHelper .exe ---> QooBox
C:\Program Files\Java\jre1.5.0_11\bin\jusched .exe ---> QooBox
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe ---> QooBox
C:\Program Files\Messenger\msmsgs .exe ---> QooBox
C:\Program Files\QuickTime\QTTask          .exe ---> QooBox
C:\Program Files\QuickTime\QTTask   .exe ---> QTTask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe ---> QooBox
C:\Program Files\VERITAS Software\Update Manager\sgtray .exe ---> QooBox
C:\Program Files\Windows Defender\MSASCui .exe ---> QooBox
C:\WINDOWS\wdm1C .exe ---> QooBox
C:\WINDOWS\wdm23 .exe ---> QooBox
C:\WINDOWS\wdm24 .exe ---> QooBox
C:\WINDOWS\wdm25 .exe ---> QooBox
C:\WINDOWS\wdm26 .exe ---> QooBox
C:\WINDOWS\wdm28 .exe ---> QooBox
C:\WINDOWS\wdm29 .exe ---> QooBox
C:\WINDOWS\wdm2A .exe ---> QooBox
C:\WINDOWS\wdmD .exe ---> QooBox
C:\WINDOWS\wdu1D .exe ---> QooBox
C:\WINDOWS\wdu21 .exe ---> QooBox
C:\WINDOWS\wdu24 .exe ---> QooBox
C:\WINDOWS\wdu25 .exe ---> QooBox
C:\WINDOWS\wdu26 .exe ---> QooBox
C:\WINDOWS\wdu27 .exe ---> QooBox
C:\WINDOWS\wdu29 .exe ---> QooBox
C:\WINDOWS\wdu2A .exe ---> QooBox
C:\WINDOWS\wdu2B .exe ---> QooBox
C:\WINDOWS\wduE .exe ---> QooBox
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe ---> QooBox
C:\WINDOWS\SMINST\RECGUARD .exe ---> QooBox
[/code]
.
.
((((((((((((((((((((((((( Files Created from 2007-12-25 to 2008-01-25 )))))))))))))))))))))))))))))))
.

2008-01-24 20:06 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-22 22:56 . 2008-01-10 00:00 188,672 --a------ C:\WINDOWS\system32\drivers\truecrypt.sys
2008-01-22 22:55 . 2008-01-22 22:56 <DIR> d-------- C:\Program Files\TrueCrypt
2008-01-21 15:39 . 2008-01-22 00:56 13,824 --a------ C:\WINDOWS\wdu23 .exe
2008-01-21 15:39 . 2008-01-22 00:56 13,824 --a------ C:\WINDOWS\wdu1F .exe
2008-01-21 15:39 . 2008-01-22 00:56 13,824 --a------ C:\WINDOWS\wdm22 .exe
2008-01-21 15:39 . 2008-01-22 00:56 13,824 --a------ C:\WINDOWS\wdm1E .exe
2008-01-21 14:23 . 2008-01-21 14:23 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-21 13:33 . 2008-01-24 20:26 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-21 12:19 . 2006-08-21 01:14 128,896 --a--c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-01-21 12:19 . 2006-08-21 01:14 23,040 --a--c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-01-21 12:19 . 2006-08-21 04:21 16,896 --a--c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-01-21 11:55 . 2007-07-09 05:09 584,192 --a--c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-20 20:08 . 2008-01-24 20:26 <DIR> d-------- C:\Program Files\iTunes
2008-01-20 20:05 . 2008-01-20 20:05 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-18 09:40 . 2008-01-21 14:04 <DIR> d-------- C:\Program Files\MSECACHE
2008-01-17 23:30 . 2008-01-17 23:30 <DIR> d-------- C:\VundoFix Backups
2008-01-17 23:19 . 2008-01-17 23:19 13,824 --a------ C:\WINDOWS\wdu69A3 .exe
2008-01-17 23:19 . 2008-01-17 23:19 13,824 --a------ C:\WINDOWS\wdm69A2 .exe
2008-01-17 23:19 . 2008-01-17 23:18 13,824 --a------ C:\WINDOWS\wdm14B0.exe
2008-01-17 23:18 . 2008-01-17 23:18 13,824 --a------ C:\WINDOWS\wdu68F1 .exe
2008-01-17 23:18 . 2008-01-17 23:18 13,824 --a------ C:\WINDOWS\wdm67DC .exe
2008-01-17 21:06 . 2008-01-17 21:06 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-01-17 20:51 . 2004-08-03 23:56 148,480 --a------ C:\WINDOWS\system32\wscui.cpl
2008-01-17 20:51 . 2004-08-03 23:56 129,536 --a------ C:\WINDOWS\system32\xmlprov.dll
2008-01-17 20:51 . 2004-08-03 23:56 108,032 --a------ C:\WINDOWS\system32\wshbth.dll
2008-01-17 20:51 . 2004-08-03 23:56 81,408 --a------ C:\WINDOWS\system32\wscsvc.dll
2008-01-17 20:51 . 2004-08-03 23:56 50,176 --a------ C:\WINDOWS\system32\xmlprovi.dll
2008-01-17 20:51 . 2004-08-03 23:56 13,824 --a------ C:\WINDOWS\system32\wscntfy.exe
2008-01-17 20:49 . 2004-08-03 23:56 1,737,856 --a------ C:\WINDOWS\system32\mtxparhd.dll
2008-01-17 20:48 . 2004-08-03 21:41 1,041,536 --a------ C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-01-17 20:47 . 2004-08-03 23:56 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2008-01-17 20:03 . 2008-01-17 21:37 13,824 --a------ C:\WINDOWS\wdm20 .exe
2008-01-17 19:47 . 2008-01-17 19:47 13,824 --a------ C:\WINDOWS\wdu8 .exe
2008-01-17 19:47 . 2008-01-17 19:47 13,824 --a------ C:\WINDOWS\wdu4 .exe
2008-01-17 19:47 . 2008-01-17 19:47 13,824 --a------ C:\WINDOWS\wdm7 .exe
2008-01-17 19:47 . 2008-01-17 19:47 13,824 --a------ C:\WINDOWS\wdm3 .exe
2008-01-17 19:28 . 2004-08-03 23:56 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2008-01-17 19:28 . 2004-08-03 23:56 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2008-01-17 19:28 . 2004-08-03 23:56 265,728 --a------ C:\WINDOWS\system32\h323.tsp
2008-01-17 18:08 . 2008-01-17 18:08 13,824 --a------ C:\WINDOWS\wdu2E1B .exe
2008-01-17 18:07 . 2008-01-17 18:07 13,824 --a------ C:\WINDOWS\wdm2C1C .exe
2008-01-17 08:08 . 2008-01-17 08:08 13,824 --a------ C:\WINDOWS\wdu28C2 .exe
2008-01-17 08:07 . 2008-01-17 08:07 13,824 --a------ C:\WINDOWS\wdu259E .exe
2008-01-17 08:07 . 2008-01-17 08:07 13,824 --a------ C:\WINDOWS\wdm28A9 .exe
2008-01-17 08:07 . 2008-01-17 08:07 13,824 --a------ C:\WINDOWS\wdm249C .exe
2008-01-17 00:10 . 2005-08-31 17:41 19,968 --a------ C:\WINDOWS\system32\linkinfo.dll
2008-01-17 00:07 . 2005-07-25 20:39 1,285,120 --a------ C:\WINDOWS\system32\ole32.dll
2008-01-17 00:07 . 2005-07-25 20:39 1,267,200 --a------ C:\WINDOWS\system32\comsvcs.dll
2008-01-17 00:07 . 2005-07-25 20:39 625,152 --a------ C:\WINDOWS\system32\catsrvut.dll
2008-01-17 00:07 . 2005-07-25 20:39 498,688 --a------ C:\WINDOWS\system32\clbcatq.dll
2008-01-17 00:07 . 2005-07-25 20:39 397,824 --a------ C:\WINDOWS\system32\rpcss.dll
2008-01-17 00:07 . 2005-07-25 20:39 243,200 --a------ C:\WINDOWS\system32\es.dll
2008-01-17 00:07 . 2005-07-25 20:39 225,792 --a------ C:\WINDOWS\system32\catsrv.dll
2008-01-17 00:07 . 2005-07-25 20:39 74,752 --a------ C:\WINDOWS\system32\olecli32.dll
2008-01-17 00:07 . 2005-07-25 20:39 60,416 --a------ C:\WINDOWS\system32\colbact.dll
2008-01-17 00:04 . 2005-10-20 14:20 1,082,368 --a------ C:\WINDOWS\system32\esent.dll
2008-01-17 00:04 . 2006-01-03 19:35 68,096 --a------ C:\WINDOWS\system32\webclnt.dll
2008-01-17 00:02 . 2005-08-22 10:29 197,632 --a------ C:\WINDOWS\system32\netman.dll
2008-01-17 00:02 . 2005-08-22 19:35 123,392 --a------ C:\WINDOWS\system32\umpnpmgr.dll
2008-01-16 23:57 . 2008-01-16 23:57 13,824 --a------ C:\WINDOWS\wdu61C3 .exe
2008-01-16 23:57 . 2008-01-16 23:57 13,824 --a------ C:\WINDOWS\wdu61BF .exe
2008-01-16 23:57 . 2008-01-16 23:57 13,824 --a------ C:\WINDOWS\wdm61C2 .exe
2008-01-16 23:57 . 2008-01-16 23:57 13,824 --a------ C:\WINDOWS\wdm61BE .exe
2008-01-16 23:49 . 2004-08-03 23:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2008-01-16 23:49 . 2004-08-03 23:56 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-01-16 23:43 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-16 23:43 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-16 23:43 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-16 23:43 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-16 18:59 . 2008-01-16 20:23 7,168 --a------ C:\WINDOWS\system32\windows_old
2008-01-16 18:01 . 2008-01-16 18:01 169 --a------ C:\WINDOWS\mktbrws.ses
2008-01-16 15:26 . 2008-01-16 15:26 13,824 --a------ C:\WINDOWS\wdu20E3 .exe
2008-01-16 15:25 . 2008-01-16 15:25 13,824 --a------ C:\WINDOWS\wdm20A8 .exe
2008-01-16 07:53 . 2008-01-16 07:53 13,824 --a------ C:\WINDOWS\wdu3598 .exe
2008-01-16 07:52 . 2008-01-16 07:52 13,824 --a------ C:\WINDOWS\wdm34D3 .exe
2008-01-16 07:36 . 2008-01-16 07:36 13,824 --a------ C:\WINDOWS\wdm5009 .exe
2008-01-16 00:11 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-15 22:59 . 2005-08-03 01:47 424,960 --a------ C:\WINDOWS\WRServices.dll
2008-01-15 14:00 . 2008-01-15 14:00 337,408 --a------ C:\WINDOWS\system32\RCX132F.tmp
2008-01-14 19:08 . 2008-01-15 23:54 1,057,156 --ahs---- C:\WINDOWS\system32\dktkbryx.ini
2008-01-14 18:52 . 2008-01-14 18:52 <DIR> d-------- C:\Program Files\Thomson
2008-01-13 20:03 . 2008-01-13 20:03 337,408 --a------ C:\WINDOWS\system32\RCX1B42.tmp
2008-01-12 19:58 . 2008-01-21 11:13 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-12 18:48 . 2008-01-12 18:48 18,432 --a------ C:\WINDOWS\9an22wcv.exe
2008-01-12 15:58 . 2008-01-22 00:06 <DIR> d--hs---- C:\WINDOWS\THVjeSBTZWdvdmlh
2008-01-12 15:58 . 2008-01-21 14:39 <DIR> d-------- C:\WINDOWS\system32\edcA01
2008-01-12 15:58 . 2008-01-12 18:32 378,368 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2008-01-12 15:58 . 2007-12-11 13:14 151,552 --a------ C:\WINDOWS\system32\rushqhaa.exe
2008-01-12 15:58 . 2007-12-11 13:14 151,552 --a------ C:\WINDOWS\system32\bkmoopob.exe
2008-01-12 15:58 . 2008-01-12 15:58 86,016 --a------ C:\WINDOWS\system32\drivers\MSPCLOCKK.sys
2008-01-11 00:01 . 2008-01-15 23:53 114,688 --a------ C:\WINDOWS\system32\hkcmd .exe
2008-01-11 00:01 . 2008-01-15 23:53 81,920 --a------ C:\WINDOWS\system32\ps2 .exe
2008-01-11 00:01 . 2008-01-15 23:53 52,736 --a------ C:\WINDOWS\system\hpsysdrv .exe
2008-01-11 00:01 . 2008-01-16 00:30 182 --a------ C:\WINDOWS\system\hpsysdrv .DAT
2008-01-10 22:55 . 2004-08-03 22:15 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2008-01-10 22:55 . 2004-08-03 22:07 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2008-01-10 22:55 . 2004-08-03 23:56 23,552 --a------ C:\WINDOWS\system32\wdmaud.drv
2008-01-10 22:50 . 2008-01-10 22:50 3,878 -rahs---- C:\WINDOWS\system32\drivers\HP_D7218M-ABA 554E_YC_Pavi_QMX311S_E31NAheBLU4_4_IKM266-8235_S_V_BAM37310_T030304_WXH1_L409_M1024_J40_7AMD_8Athlon XP 2000+_91.66_1_N10EC8139_P_Z11C1044E_K_A_U11063038_G10DE0322_OCyberDrv CW088D CD-R RW;JLMS XJ-HD166S_D.MRK
2008-01-10 20:22 . 2008-01-13 11:28 18,432 --a------ C:\WINDOWS\avp .exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-25 04:32 --------- d-----w C:\Program Files\QuickTime
2008-01-21 22:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-21 04:09 --------- d-----w C:\Program Files\iPod
2008-01-16 08:08 --------- d-----w C:\Program Files\Java
2008-01-15 22:27 --------- d-----w C:\Program Files\World of Warcraft
2008-01-11 07:07 84,028 ----a-w C:\WINDOWS\system32\drivers\AFS2K.SYS
2008-01-11 07:07 --------- d-----w C:\Program Files\Hewlett-Packard
2008-01-11 07:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-11 06:50 3,878 --sha-r C:\WINDOWS\system32\drivers\HP_D7218M-ABA 554E_YC_Pavi_QMX311S_E31NAheBLU4_4_IKM266-8235_S_V_BAM37310_T030304_WXH1_L409_M1024_J40_7AMD_8Athlon XP 2000+_91.66_1_N10EC8139_P_Z11C1044E_K_A_U11063038_G10DE0322_OCyberDrv CW088D CD-R RW;JLMS XJ-HD166S_D.MRK
2008-01-10 03:03 --------- d-----w C:\Program Files\Viewpoint
2007-12-18 04:56 14,848 ----a-w C:\sysqdyt.exe
2007-12-04 22:30 --------- d-----w C:\Program Files\LimeWire1
2007-07-14 09:35 10,240 --sha-w C:\Program Files\Thumbs.db
2007-03-25 00:05 8 --sh--r C:\WINDOWS\system32\194796A85A.sys
.
[code]


----a-w            13,824 2008-01-22 08:56:34  C:\Documents and Settings\Owner\Local Settings\Temp\wda21 .exe
----a-w            13,824 2008-01-22 08:56:33  C:\Documents and Settings\Owner\Local Settings\Temp\wdc1C .exe
----a-w            13,824 2008-01-22 08:56:34  C:\Documents and Settings\Owner\Local Settings\Temp\wdc20 .exe
----a-w            18,432 2008-01-13 19:28:00  C:\WINDOWS\avp .exe
----a-w            13,824 2008-01-22 08:56:34  C:\WINDOWS\wdm1E .exe
----a-w            13,824 2008-01-18 05:37:02  C:\WINDOWS\wdm20 .exe
----a-w            13,824 2008-01-16 23:25:55  C:\WINDOWS\wdm20A8 .exe
----a-w            13,824 2008-01-22 08:56:35  C:\WINDOWS\wdm22 .exe
----a-w            13,824 2008-01-17 16:07:32  C:\WINDOWS\wdm249C .exe
----a-w            13,824 2008-01-17 16:07:50  C:\WINDOWS\wdm28A9 .exe
----a-w            13,824 2008-01-18 02:07:52  C:\WINDOWS\wdm2C1C .exe
----a-w            13,824 2008-01-18 03:47:34  C:\WINDOWS\wdm3 .exe
----a-w            13,824 2008-01-16 15:52:52  C:\WINDOWS\wdm34D3 .exe
----a-w            13,824 2008-01-16 15:36:25  C:\WINDOWS\wdm5009 .exe
----a-w            13,824 2008-01-17 07:57:02  C:\WINDOWS\wdm61BE .exe
----a-w            13,824 2008-01-17 07:57:07  C:\WINDOWS\wdm61C2 .exe
----a-w            13,824 2008-01-18 07:18:54  C:\WINDOWS\wdm67DC .exe
----a-w            13,824 2008-01-18 07:19:04  C:\WINDOWS\wdm69A2 .exe
----a-w            13,824 2008-01-18 03:47:36  C:\WINDOWS\wdm7 .exe
----a-w            13,824 2008-01-22 08:56:34  C:\WINDOWS\wdu1F .exe
----a-w            13,824 2008-01-16 23:26:02  C:\WINDOWS\wdu20E3 .exe
----a-w            13,824 2008-01-22 08:56:35  C:\WINDOWS\wdu23 .exe
----a-w            13,824 2008-01-17 16:07:35  C:\WINDOWS\wdu259E .exe
----a-w            13,824 2008-01-17 16:08:00  C:\WINDOWS\wdu28C2 .exe
----a-w            13,824 2008-01-18 02:08:06  C:\WINDOWS\wdu2E1B .exe
----a-w            13,824 2008-01-16 15:53:04  C:\WINDOWS\wdu3598 .exe
----a-w            13,824 2008-01-18 03:47:34  C:\WINDOWS\wdu4 .exe
----a-w            13,824 2008-01-17 07:57:03  C:\WINDOWS\wdu61BF .exe
----a-w            13,824 2008-01-17 07:57:07  C:\WINDOWS\wdu61C3 .exe
----a-w            13,824 2008-01-18 07:18:54  C:\WINDOWS\wdu68F1 .exe
----a-w            13,824 2008-01-18 07:19:05  C:\WINDOWS\wdu69A3 .exe
----a-w            13,824 2008-01-18 03:47:37  C:\WINDOWS\wdu8 .exe
----a-w            52,736 2008-01-16 07:53:08  C:\WINDOWS\system\hpsysdrv .exe
----a-w           114,688 2008-01-16 07:53:09  C:\WINDOWS\system32\hkcmd .exe
----a-w            81,920 2008-01-16 07:53:31  C:\WINDOWS\system32\ps2 .exe
[/code]


-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2e4a6d0d-2c6c-4172-a378-a16cd84ce181}]
C:\WINDOWS\System32\agpkxqtb.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender Monitor"="C:\WINDOWS\wdm20.exe" [ ]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
backup=C:\WINDOWS\pss\autorun.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\80508746]
C:\WINDOWS\System32\nkjayfbm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6 .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTBar]
C:\hp\bin\autotbar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlockTracker]
c:\hp\bin\BlockTracker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
--a------ 2002-10-15 19:00 1818624 C:\WINDOWS\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\System32\vtutr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-10-06 15:16 5058560 C:\WINDOWS\System32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-10-06 15:16 741376 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Printer]
C:\WINDOWS\System32\printer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
C:\WINDOWS\System32\spoolvs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zero Knowledge Freedom]
--a------ 2008-01-10 23:30 357888 C:\Program Files\Zero Knowledge\Freedom\AutoStarterR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"svcWRSSSDK"=2 (0x2)
"NVSvc"=2 (0x2)
"iPod Service"=3 (0x3)
"DomainService"=2 (0x2)
"aawservice"=2 (0x2)
"MSControlService"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)


.
Contents of the 'Scheduled Tasks' folder
"2007-12-17 14:45:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-25 04:36:25 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-25 04:41:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 20:33:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Defender Monitor = C:\WINDOWS\wdm20.exe???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-24 20:41:38 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-01-25 04:41:34
.
2008-01-24 23:27:40 --- E O F ---


0

Response Number 10
Name: jabuck
Date: January 25, 2008 at 15:35:48 Pacific
Reply:

Go to the this link:

Disable Realtime Protection

Follow their directions to disable any realtime protection that you have as it will interfere with the fix by reinstalling the corrupt files.

Go to start> control panel> administrative tools> services> scroll down to "DomainService " and double click it. Click the blue drop down arrow to the far right of "startup type"> click disable> apply> ok.

Exit administrative tools.

Please download Atribune's VundoFix.exe from the followinf site to your desktop:

Vundofix.exe

Double-click VundoFix.exe to run it.

Click the Scan for Vundo button.

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files,
click "yes".

Once you click yes, your desktop will go blank as it starts removing
Vundo.

When completed, it will prompt that it will reboot your computer,
click "ok".

Run Vundo again.

Open Notepad and copy/paste everything between the X"s into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\wdu23 .exe
C:\WINDOWS\wdu1F .exe
C:\WINDOWS\wdm22 .exe
C:\WINDOWS\wdm1E .exe
C:\WINDOWS\wdu69A3 .exe
C:\WINDOWS\wdm69A2 .exe
C:\WINDOWS\wdm14B0.exe
C:\WINDOWS\wdu68F1 .exe
C:\WINDOWS\wdm67DC .exe
C:\WINDOWS\wdm20 .exe
C:\WINDOWS\wdu8 .exe
C:\WINDOWS\wdu4 .exe
C:\WINDOWS\wdm7 .exe
C:\WINDOWS\wdm3 .exe
C:\WINDOWS\wdu2E1B .exe
C:\WINDOWS\wdm2C1C .exe
C:\WINDOWS\wdu28C2 .exe
C:\WINDOWS\wdu259E .exe
C:\WINDOWS\wdm28A9 .exe
C:\WINDOWS\wdm249C .exe
C:\WINDOWS\wdu61C3 .exe
C:\WINDOWS\wdu61BF .exe
C:\WINDOWS\wdm61C2 .exe
C:\WINDOWS\wdm61BE .exe
C:\WINDOWS\wdu20E3 .exe
C:\WINDOWS\wdm20A8 .exe
C:\WINDOWS\wdu3598 .exe
C:\WINDOWS\wdm34D3 .exe
C:\WINDOWS\wdm5009 .exe
C:\WINDOWS\system32\RCX132F.tmp
C:\WINDOWS\system32\dktkbryx.ini
C:\WINDOWS\system32\RCX1B42.tmp
C:\WINDOWS\9an22wcv.exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\system32\rushqhaa.exe
C:\WINDOWS\system32\bkmoopob.exe
C:\WINDOWS\avp .exe
C:\sysqdyt.exe
C:\WINDOWS\system32\194796A85A.sys
C:\WINDOWS\System32\vtutr.exe
C:\WINDOWS\System32\agpkxqtb.dll

RenV::
C:\WINDOWS\system\hpsysdrv .exe
C:\WINDOWS\system32\hkcmd .exe
C:\WINDOWS\system32\ps2 .exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig
C:\WINDOWS\SMINST\RECGUARD .exe
C:\Program Files\AIM6\aim6 .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon .exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\VERITAS Software\Update Manager\sgtray .exe
C:\Program Files\Windows Defender\MSASCui .exe

Folder::
C:\WINDOWS\THVjeSBTZWdvdmlh
C:\WINDOWS\system32\edcA01

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2e4a6d0d-2c6c-4172-a378-a16cd84ce181}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\80508746]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DomainService"=-
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run".

Post the new Compofix log please.


0

Response Number 11
Name: santiago1
Date: January 26, 2008 at 12:49:59 Pacific
Reply:

i didnt have DomainService under services from the administrative tools so i did everything you told me without doing that step

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

ComboFix 08-01-23.1C - Owner 2008-01-26 12:30:09.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.686 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE
C:\sysqdyt.exe
C:\WINDOWS\9an22wcv.exe
C:\WINDOWS\avp .exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\system32\194796A85A.sys
C:\WINDOWS\System32\agpkxqtb.dll
C:\WINDOWS\system32\bkmoopob.exe
C:\WINDOWS\system32\dktkbryx.ini
C:\WINDOWS\system32\RCX132F.tmp
C:\WINDOWS\system32\RCX1B42.tmp
C:\WINDOWS\system32\rushqhaa.exe
C:\WINDOWS\System32\vtutr.exe
C:\WINDOWS\wdm14B0.exe
C:\WINDOWS\wdm1E .exe
C:\WINDOWS\wdm20 .exe
C:\WINDOWS\wdm20A8 .exe
C:\WINDOWS\wdm22 .exe
C:\WINDOWS\wdm249C .exe
C:\WINDOWS\wdm28A9 .exe
C:\WINDOWS\wdm2C1C .exe
C:\WINDOWS\wdm3 .exe
C:\WINDOWS\wdm34D3 .exe
C:\WINDOWS\wdm5009 .exe
C:\WINDOWS\wdm61BE .exe
C:\WINDOWS\wdm61C2 .exe
C:\WINDOWS\wdm67DC .exe
C:\WINDOWS\wdm69A2 .exe
C:\WINDOWS\wdm7 .exe
C:\WINDOWS\wdu1F .exe
C:\WINDOWS\wdu20E3 .exe
C:\WINDOWS\wdu23 .exe
C:\WINDOWS\wdu259E .exe
C:\WINDOWS\wdu28C2 .exe
C:\WINDOWS\wdu2E1B .exe
C:\WINDOWS\wdu3598 .exe
C:\WINDOWS\wdu4 .exe
C:\WINDOWS\wdu61BF .exe
C:\WINDOWS\wdu61C3 .exe
C:\WINDOWS\wdu68F1 .exe
C:\WINDOWS\wdu69A3 .exe
C:\WINDOWS\wdu8 .exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\sysqdyt.exe
C:\WINDOWS\9an22wcv.exe
C:\WINDOWS\avp .exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\system32\194796A85A.sys
C:\WINDOWS\system32\bkmoopob.exe
C:\WINDOWS\system32\dktkbryx.ini
C:\WINDOWS\system32\edcA01
C:\WINDOWS\system32\RCX132F.tmp
C:\WINDOWS\system32\RCX1B42.tmp
C:\WINDOWS\system32\rushqhaa.exe
C:\WINDOWS\THVjeSBTZWdvdmlh
C:\WINDOWS\wdm14B0.exe
C:\WINDOWS\wdm1E .exe
C:\WINDOWS\wdm20 .exe
C:\WINDOWS\wdm20A8 .exe
C:\WINDOWS\wdm22 .exe
C:\WINDOWS\wdm249C .exe
C:\WINDOWS\wdm28A9 .exe
C:\WINDOWS\wdm2C1C .exe
C:\WINDOWS\wdm3 .exe
C:\WINDOWS\wdm34D3 .exe
C:\WINDOWS\wdm5009 .exe
C:\WINDOWS\wdm61BE .exe
C:\WINDOWS\wdm61C2 .exe
C:\WINDOWS\wdm67DC .exe
C:\WINDOWS\wdm69A2 .exe
C:\WINDOWS\wdm7 .exe
C:\WINDOWS\wdu1F .exe
C:\WINDOWS\wdu20E3 .exe
C:\WINDOWS\wdu23 .exe
C:\WINDOWS\wdu259E .exe
C:\WINDOWS\wdu28C2 .exe
C:\WINDOWS\wdu2E1B .exe
C:\WINDOWS\wdu3598 .exe
C:\WINDOWS\wdu4 .exe
C:\WINDOWS\wdu61BF .exe
C:\WINDOWS\wdu61C3 .exe
C:\WINDOWS\wdu68F1 .exe
C:\WINDOWS\wdu69A3 .exe
C:\WINDOWS\wdu8 .exe

.
((((((((((((((((((((((((( Files Created from 2007-12-26 to 2008-01-26 )))))))))))))))))))))))))))))))
.

2008-01-25 18:13 . 2008-01-25 18:13 <DIR> d-------- C:\Program Files\LimeWire
2008-01-25 14:30 . 2008-01-26 11:02 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-25 14:30 . 2008-01-25 14:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-24 20:06 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-22 22:56 . 2008-01-10 00:00 188,672 --a------ C:\WINDOWS\system32\drivers\truecrypt.sys
2008-01-22 22:55 . 2008-01-22 22:56 <DIR> d-------- C:\Program Files\TrueCrypt
2008-01-21 14:23 . 2008-01-21 14:23 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-21 13:33 . 2008-01-24 20:26 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-21 12:19 . 2006-08-21 01:14 128,896 --a--c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-01-21 12:19 . 2006-08-21 01:14 23,040 --a--c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-01-21 12:19 . 2006-08-21 04:21 16,896 --a--c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-01-21 11:55 . 2007-07-09 05:09 584,192 --a--c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-20 20:08 . 2008-01-25 14:30 <DIR> d-------- C:\Program Files\iTunes
2008-01-20 20:05 . 2008-01-20 20:05 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-18 09:40 . 2008-01-21 14:04 <DIR> d-------- C:\Program Files\MSECACHE
2008-01-17 23:30 . 2008-01-26 11:30 <DIR> d-------- C:\VundoFix Backups
2008-01-17 21:06 . 2008-01-17 21:06 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-01-17 20:51 . 2004-08-03 23:56 148,480 --a------ C:\WINDOWS\system32\wscui.cpl
2008-01-17 20:51 . 2004-08-03 23:56 129,536 --a------ C:\WINDOWS\system32\xmlprov.dll
2008-01-17 20:51 . 2004-08-03 23:56 108,032 --a------ C:\WINDOWS\system32\wshbth.dll
2008-01-17 20:51 . 2004-08-03 23:56 81,408 --a------ C:\WINDOWS\system32\wscsvc.dll
2008-01-17 20:51 . 2004-08-03 23:56 50,176 --a------ C:\WINDOWS\system32\xmlprovi.dll
2008-01-17 20:51 . 2004-08-03 23:56 13,824 --a------ C:\WINDOWS\system32\wscntfy.exe
2008-01-17 20:49 . 2004-08-03 23:56 1,737,856 --a------ C:\WINDOWS\system32\mtxparhd.dll
2008-01-17 20:48 . 2004-08-03 21:41 1,041,536 --a------ C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-01-17 20:47 . 2004-08-03 23:56 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2008-01-17 19:28 . 2004-08-03 23:56 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2008-01-17 19:28 . 2004-08-03 23:56 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2008-01-17 19:28 . 2004-08-03 23:56 265,728 --a------ C:\WINDOWS\system32\h323.tsp
2008-01-17 00:10 . 2005-08-31 17:41 19,968 --a------ C:\WINDOWS\system32\linkinfo.dll
2008-01-17 00:07 . 2005-07-25 20:39 1,285,120 --a------ C:\WINDOWS\system32\ole32.dll
2008-01-17 00:07 . 2005-07-25 20:39 1,267,200 --a------ C:\WINDOWS\system32\comsvcs.dll
2008-01-17 00:07 . 2005-07-25 20:39 625,152 --a------ C:\WINDOWS\system32\catsrvut.dll
2008-01-17 00:07 . 2005-07-25 20:39 498,688 --a------ C:\WINDOWS\system32\clbcatq.dll
2008-01-17 00:07 . 2005-07-25 20:39 397,824 --a------ C:\WINDOWS\system32\rpcss.dll
2008-01-17 00:07 . 2005-07-25 20:39 243,200 --a------ C:\WINDOWS\system32\es.dll
2008-01-17 00:07 . 2005-07-25 20:39 225,792 --a------ C:\WINDOWS\system32\catsrv.dll
2008-01-17 00:07 . 2005-07-25 20:39 74,752 --a------ C:\WINDOWS\system32\olecli32.dll
2008-01-17 00:07 . 2005-07-25 20:39 60,416 --a------ C:\WINDOWS\system32\colbact.dll
2008-01-17 00:04 . 2005-10-20 14:20 1,082,368 --a------ C:\WINDOWS\system32\esent.dll
2008-01-17 00:04 . 2006-01-03 19:35 68,096 --a------ C:\WINDOWS\system32\webclnt.dll
2008-01-17 00:02 . 2005-08-22 10:29 197,632 --a------ C:\WINDOWS\system32\netman.dll
2008-01-17 00:02 . 2005-08-22 19:35 123,392 --a------ C:\WINDOWS\system32\umpnpmgr.dll
2008-01-16 23:49 . 2004-08-03 23:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2008-01-16 23:49 . 2004-08-03 23:56 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-01-16 23:43 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-16 23:43 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-16 23:43 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-16 23:43 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-16 18:59 . 2008-01-16 20:23 7,168 --a------ C:\WINDOWS\system32\windows_old
2008-01-16 18:01 . 2008-01-16 18:01 169 --a------ C:\WINDOWS\mktbrws.ses
2008-01-16 00:11 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-15 22:59 . 2005-08-03 01:47 424,960 --a------ C:\WINDOWS\WRServices.dll
2008-01-14 18:52 . 2008-01-14 18:52 <DIR> d-------- C:\Program Files\Thomson
2008-01-12 19:58 . 2008-01-21 11:13 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-12 15:58 . 2008-01-12 15:58 86,016 --a------ C:\WINDOWS\system32\drivers\MSPCLOCKK.sys
2008-01-11 00:01 . 2008-01-15 23:53 114,688 --a------ C:\WINDOWS\system32\hkcmd.exe
2008-01-11 00:01 . 2008-01-15 23:53 81,920 --a------ C:\WINDOWS\system32\ps2.exe
2008-01-11 00:01 . 2008-01-15 23:53 52,736 --a------ C:\WINDOWS\system\hpsysdrv.exe
2008-01-11 00:01 . 2008-01-16 00:30 182 --a------ C:\WINDOWS\system\hpsysdrv .DAT
2008-01-10 22:55 . 2004-08-03 22:15 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2008-01-10 22:55 . 2004-08-03 22:07 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2008-01-10 22:55 . 2004-08-03 23:56 23,552 --a------ C:\WINDOWS\system32\wdmaud.drv
2008-01-10 22:50 . 2008-01-10 22:50 3,878 -rahs---- C:\WINDOWS\system32\drivers\HP_D7218M-ABA 554E_YC_Pavi_QMX311S_E31NAheBLU4_4_IKM266-8235_S_V_BAM37310_T030304_WXH1_L409_M1024_J40_7AMD_8Athlon XP 2000+_91.66_1_N10EC8139_P_Z11C1044E_K_A_U11063038_G10DE0322_OCyberDrv CW088D CD-R RW;JLMS XJ-HD166S_D.MRK
2008-01-10 18:19 . 2008-01-10 18:19 19,456 --a------ C:\WINDOWS\system32\drivers\gmgtlmka.dat
2008-01-10 18:17 . 2002-08-29 04:00 84,480 --a------ C:\WINDOWS\system32\cryptne.dll
2008-01-10 18:15 . 2008-01-10 18:15 54,764 --a------ C:\WINDOWS\system32\dxdss.sys
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-09 19:02 . 2008-01-24 20:26 <DIR> d-------- C:\Program Files\AIM6
2007-12-31 14:04 . 2008-01-10 13:16 231,424 --a------ C:\WINDOWS\mapisrv32.dll
2007-12-31 14:04 . 2008-01-10 13:16 10,240 --a------ C:\WINDOWS\jtcres32.dll
2007-12-31 14:04 . 2008-01-10 19:17 3 --a------ C:\WINDOWS\gtiplus.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-26 02:02 82,380 ----a-w C:\WINDOWS\system32\drivers\AFS2K.SYS
2008-01-25 06:41 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-25 04:32 --------- d-----w C:\Program Files\QuickTime
2008-01-21 22:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-21 04:09 --------- d-----w C:\Program Files\iPod
2008-01-16 08:08 --------- d-----w C:\Program Files\Java
2008-01-15 22:27 --------- d-----w C:\Program Files\World of Warcraft
2008-01-11 16:33 485,376 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe.tmp
2008-01-11 07:07 --------- d-----w C:\Program Files\Hewlett-Packard
2008-01-11 07:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-11 06:50 3,878 --sha-r C:\WINDOWS\system32\drivers\HP_D7218M-ABA 554E_YC_Pavi_QMX311S_E31NAheBLU4_4_IKM266-8235_S_V_BAM37310_T030304_WXH1_L409_M1024_J40_7AMD_8Athlon XP 2000+_91.66_1_N10EC8139_P_Z11C1044E_K_A_U11063038_G10DE0322_OCyberDrv CW088D CD-R RW;JLMS XJ-HD166S_D.MRK
2008-01-10 03:03 --------- d-----w C:\Program Files\Viewpoint
2007-12-04 22:30 --------- d-----w C:\Program Files\LimeWire1
2007-07-14 09:35 10,240 --sha-w C:\Program Files\Thumbs.db
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender Monitor"="C:\WINDOWS\wdm20.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 10:42 69632]

C:\Documents and Settings\amparo\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-01-10 10:08:24 147456]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.exe [1999-02-17 12:05:56 65588]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
backup=C:\WINDOWS\pss\autorun.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6 .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTBar]
C:\hp\bin\autotbar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlockTracker]
c:\hp\bin\BlockTracker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
--a------ 2002-10-15 19:00 1818624 C:\WINDOWS\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
--a------ 2002-06-17 16:11 69632 c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2008-01-15 23:53 114688 C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 2008-01-15 23:53 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\System32\vtutr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-10-06 15:16 5058560 C:\WINDOWS\System32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-10-06 15:16 741376 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Printer]
C:\WINDOWS\System32\printer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2008-01-15 23:53 81920 C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-04-17 10:42 69632 c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
C:\WINDOWS\System32\spoolvs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zero Knowledge Freedom]
--a------ 2008-01-10 23:30 357888 C:\Program Files\Zero Knowledge\Freedom\AutoStarterR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"svcWRSSSDK"=2 (0x2)
"NVSvc"=2 (0x2)
"iPod Service"=3 (0x3)
"aawservice"=2 (0x2)
"MSControlService"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)


.
Contents of the 'Scheduled Tasks' folder
"2007-12-17 14:45:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-26 19:24:30 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-26 20:36:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-26 12:35:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Defender Monitor = C:\WINDOWS\wdm20.exe???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-01-26 12:37:33
ComboFix-quarantined-files.txt 2008-01-26 20:36:42
.
2008-01-24 23:27:40 --- E O F ---


0

Response Number 12
Name: jabuck
Date: January 26, 2008 at 13:16:46 Pacific
Reply:

Open Notepad and copy/paste everything between the X"s into it and make sure "Registry::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Folder::
C:\Qoobox

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run".

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Download ATF Cleaner from this link:
ATF Cleaner

Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Please run the BitDefender online scan this link:
Bitdefender Online Scanner

You will need to allow an active x install for the scan to run.
Leave the scanning options at default and press "click here to scan"
When finished scanning, click on "click here to export the scan report"
Save it to your desktop, at "file name" type in "bdscan" then click save.
Post a log in your reply.


0

Response Number 13
Name: desolation row
Date: January 26, 2008 at 15:44:11 Pacific
Reply:

If someone can help me it would be so appreciated. I have the same spyware/virus on me computer. Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:43:15 PM, on 1/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Vongo\VongoService.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Documents and Settings\User\Desktop\Brian\HiJackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?T...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?T...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: elfwgps - {2B17973C-27AE-45AD-BDFF-C143F7DCB542} - C:\WINDOWS\elfwgps.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.exe /AUTORUN
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activeg...
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/...
O21 - SSODL: aswmklt - {A61047D0-32E3-470E-9166-D1F5EEDA731D} - C:\WINDOWS\aswmklt.dll
O21 - SSODL: bqxomdo - {CAE08121-6719-4DB5-B93E-A9BC48CC3E1C} - C:\WINDOWS\bqxomdo.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O24 - Desktop Component 1: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 13342 bytes


0

Response Number 14
Name: jabuck
Date: January 26, 2008 at 18:43:01 Pacific
Reply:

desolation row, please start your own thread, we would not be able to find you if we wanted to respond to your post. And this just clutters this posters thread making it more difficult to help.

Also you are not allowed to post logs on the forum with being requested to so, just state your problem or the moderator will delete the post.


0

Response Number 15
Name: santiago1
Date: January 28, 2008 at 21:25:07 Pacific
Reply:

i cant get a log on the scan of bitdefender


0

Response Number 16
Name: jabuck
Date: January 29, 2008 at 16:12:09 Pacific
Reply:

Try this online scanner.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE YO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Base
Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.


0

Response Number 17
Name: santiago1
Date: January 30, 2008 at 13:25:32 Pacific
Reply:

i ran the scan but i couldnt even paste log it cuz the log is too large :-(


0

Response Number 18
Name: jabuck
Date: January 30, 2008 at 19:45:57 Pacific
Reply:

You can paste the log in two post, but I see a few more bad files that need to be removed so lets remove them first.

Make sure that Spybot's "Teatimer" is turned off.

Open Notepad and copy/paste everything between the X"s into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe.tmp
C:\WINDOWS\elfwgps.dll
C:\WINDOWS\aswmklt.dll
C:\WINDOWS\bqxomdo.dll
C:\WINDOWS\mktbrws.ses
C:\WINDOWS\mapisrv32.dll
C:\WINDOWS\jtcres32.dll
C:\WINDOWS\gtiplus.ini

Driver::
elfwgps
aswmklt
bqxomdo

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSControlService"=-

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run".

Post a new Combofix log.


0

Response Number 19
Name: santiago1
Date: February 2, 2008 at 15:51:11 Pacific
Reply:

even if i post the log with to message it stills crashes the log is like 25.9 mb


0

Response Number 20
Name: jabuck
Date: February 3, 2008 at 15:55:56 Pacific
Reply:

Download SDFix to your desktop from the following link:

SDFix.exe.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.


Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.


Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.


Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt.

Run AFT cleaner then try to post a new Combofix log.


0

Sponsored Link
Ads by Google
Reply to Message Icon



Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.


Go to Security and Virus Forum Home


Sponsored links
Ads by Google


Results for: fake Windows Defender
Windows Defender virus? www.computing.net/answers/security/windows-defender-virus/27925.html

Windows Defender vs Spybot S & D ? www.computing.net/answers/security/windows-defender-vs-spybot-s-amp-d-/21877.html

Windows Defender not defending www.computing.net/answers/security/windows-defender-not-defending/20422.html