Win32:Trojan-Gen started with Virus Response Lab 2009 [RESOLVED]
cjlee
post Oct 30 2008, 09:21 AM
Post #1


Member
Posts: 16
OS: Win XP



It all started with my computer getting infected with the Virus Response Lab 2009 (very tough) malware. I downloaded Malwarebytes, but it was a very tough battle getting rid of the pop-ups. Somehow I managed to get rid of the pop-ups, but I noticed a drastic slowdown of the computer, and IE won't work. Luckily, I had downloaded Chrome, and that's what I'm using now. I also noticed YouTube videos not playing normally, nor any kind of AVI or MPEG files playing correctly.

I run Avast daily, and I'm always getting the WIN32:Trojan-GEN virus popping up. Somehow it has now attacked my ability to update my Avast. I followed the instructions in the "must read this before..." thread, and I installed ATF Cleaner, SysRestorePoint, ERUNT and HijackThis; I already had Malwarebytes and Avast. I was not able to update Windows, because Chrome is not an authorized browser for that page, and I can't use IE. Any help to clean up my computer is extremely appreciated. I'm not the most tech savvy, but I'll do my best to learn and supply anyone who can help me with the details they'll need to help.

I will post the HijackThis log below. I'm running Win XP, version 2002, Service Pack 3.

Thank you for your time and gracious help. CJ

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42:17 PM, on 10/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\spupdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\medctrro.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\PROGRA~1\PicoZip\PicoZipTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\joe schmo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Neuston Media Centre\app\Neuston-server.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\joe schmo\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\joe schmo\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\joe schmo\My Documents\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://windiwsfsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windiwsfsearch.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://windiwsfsearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windiwsfsearch.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://windiwsfsearch.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://windiwsfsearch.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8383
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O1 - Hosts: 82.98.86.165 kurany.com
O1 - Hosts: 82.98.86.169 uebzud.com.cn
O1 - Hosts: 82.98.86.161 mmqwp.ca
O1 - Hosts: 82.98.86.163 tahko.org
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {3B7AAEB1-9F3D-4491-9C06-C7165CA8D058} - C:\Program Files\Applications\iebt.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: VirRLWarningBHO Class - {A81EBFD7-0FA3-41ec-B60D-6DAE78B4D31A} - C:\Program Files\VirRL2009\VirRLWarning.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: VResLabWarningBHO Class - {B494E7BB-1E33-4922-A947-F74EFF4E714F} - C:\Program Files\VResLab\VResLabWarning.dll (file missing)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {BE1A344F-9FF5-4024-949B-52205E6DB2D0} - C:\Program Files\Applications\iebt.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MacDrive7.0.4TimeOutPatch] C:\Program Files\Mediafour\MacDrive 7\TimeOutPatch.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] "C:\Program Files\PeerGuardian2\pg2.exe"
O4 - HKCU\..\Run: [PicoZip] C:\PROGRA~1\PicoZip\PicoZipTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\joe schmo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [(NVSvc) ] "C:\Program Files\Java\bin\dsound.exe" /set
O4 - HKCU\..\Run: [VirRL2009] "C:\Program Files\VirRL2009\VirRL2009.exe"
O4 - HKCU\..\Run: [VResLab] "C:\Program Files\VResLab\VResLab.exe"
O4 - HKCU\..\Run: [wblogon] C:\WINDOWS\system32\algg.exe
O4 - HKLM\..\Policies\Explorer\Run: [smile] C:\Program Files\Applications\wcs.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Applications\iebtm.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Neuston Media Centre.lnk = C:\Program Files\Neuston Media Centre\app\Neuston-server.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.onlyiesettings.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.onlyiesettings.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_6.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142563237093
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5520D8BA-4570-4B80-A44F-2B2D7737BE8E}: NameServer = 218.186.1.38,202.156.1.58
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 12562 bytes

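As an added example (not code from the thread, from HijackThis or from any tool used here), a small Python triager that applies to lines of the log above the checks a helper does by eye: IE search/start URLs moved off Microsoft's defaults, a proxy pointed at loopback, hosts entries that pin names to non-loopback addresses, nameless BHOs whose DLL is missing, and autoruns under Policies\Explorer\Run. The expected-host allowlist and the rule wording are my assumptions; the sample lines are copied from the log in the first post.

```python
"""Parse HijackThis (v2.0.2) log lines and flag entries worth a closer look.

Added example for the thread above; it is not part of HijackThis or any
tool the thread uses. The rules are triage heuristics, not a verdict.
"""
import re
from urllib.parse import urlsplit

# Hosts that IE start/search entries point at by default on XP
# (assumption: only Microsoft's own redirector is treated as expected).
EXPECTED_IE_HOSTS = {"go.microsoft.com", "www.microsoft.com"}

# Constructed subset of the HijackThis log posted above (same lines, fewer).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8383
O1 - Hosts: 82.98.86.165 kurany.com
O2 - BHO: (no name) - {3B7AAEB1-9F3D-4491-9C06-C7165CA8D058} - C:\Program Files\Applications\iebt.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [VirRL2009] "C:\Program Files\VirRL2009\VirRL2009.exe"
O4 - HKLM\..\Policies\Explorer\Run: [smile] C:\Program Files\Applications\wcs.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

# Every HijackThis entry line starts with its section code, e.g. "R1 - ..."
LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")


def parse(log):
    """Yield (kind, body) for every HijackThis entry line in the log."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def flag(kind, body):
    """Return a reason string if the entry matches a triage rule, else None."""
    if kind in ("R0", "R1") and " = " in body:
        key, _, value = body.partition(" = ")
        # Checked first: the proxy value also starts with "http=" and would
        # otherwise fall into the URL rule below.
        if key.endswith("ProxyServer") and ("127.0.0.1" in value or "localhost" in value):
            return "IE proxy points at loopback: browser traffic passes through a local program"
        if value.startswith("http") and _host(value) not in EXPECTED_IE_HOSTS:
            return f"IE search/start URL changed to {_host(value)}"
    elif kind == "O1" and body.startswith("Hosts: "):
        ip, _, name = body[len("Hosts: "):].partition(" ")
        if not ip.startswith("127."):
            return f"hosts file pins {name} to {ip}"
    elif kind == "O2" and body.endswith("(file missing)") and "(no name)" in body:
        return "nameless BHO whose DLL is gone: leftover of a removed add-on"
    elif kind == "O4" and r"\Policies\Explorer\Run" in body:
        return "autorun via Policies\\Explorer\\Run, a key rarely used by legitimate software"
    return None


def triage(log):
    """Return [(kind, body, reason)] for flagged entries, in log order."""
    out = []
    for kind, body in parse(log):
        reason = flag(kind, body)
        if reason:
            out.append((kind, body, reason))
    return out


if __name__ == "__main__":
    for kind, body, reason in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n      {body}")
```

Entries the rules do not catch (the VirRL2009 and VResLab autoruns, for instance) still need the eyeball pass the helpers in this thread do; the script only shortens that pass.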
Rorschach112
post Oct 30 2008, 09:30 AM
Post #2


GeekU Teacher
Posts: 21,867
From: Dublin
OS: XP



Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Please download SmitfraudFix (by S!Ri) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.



Disable resident protections (Antivirus...); you'll re-enable them after the scan

Download Lop S&D here

Double-click Lop S&D.exe
Choose the language, then choose Option 1 (Search)
Wait until the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)

cjlee
post Oct 30 2008, 09:50 AM
Post #3


Member
Posts: 16
OS: Win XP



Hi, I started to download SmitfraudFix, but Avast picked up a virus from the download, file name: http://siri.urz.free.fr/Fix/SmitfraudFix.e...92;IEDFix.C.exe

What do you recommend?
Rorschach112
post Oct 30 2008, 09:52 AM
Post #4


GeekU Teacher
Posts: 21,867
From: Dublin
OS: XP



Ignore it and continue
cjlee
post Oct 30 2008, 10:36 AM
Post #5


Member
Posts: 16
OS: Win XP



Here is the SmitfraudFix Report:

SmitFraudFix v2.368

Scan done at 0:21:33.89, Fri 10/31/2008
Run from C:\Documents and Settings\joe schmo\My Documents\Downloads\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost
82.98.86.165 kurany.com
82.98.86.169 uebzud.com.cn
82.98.86.161 mmqwp.ca
82.98.86.163 tahko.org

127.0.0.1 LOANPAYKA.com

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix

AntiXPVSTFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{5520D8BA-4570-4B80-A44F-2B2D7737BE8E}: DhcpNameServer=202.156.1.48 218.186.1.88 202.156.1.38
HKLM\SYSTEM\CCS\Services\Tcpip\..\{5520D8BA-4570-4B80-A44F-2B2D7737BE8E}: NameServer=218.186.1.38,202.156.1.58
HKLM\SYSTEM\CCS\Services\Tcpip\..\{A33211DF-AC8E-467A-8A10-9C08C4791F11}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{5520D8BA-4570-4B80-A44F-2B2D7737BE8E}: DhcpNameServer=202.156.1.48 218.186.1.88 202.156.1.38
HKLM\SYSTEM\CS3\Services\Tcpip\..\{5520D8BA-4570-4B80-A44F-2B2D7737BE8E}: NameServer=218.186.1.38,202.156.1.58
HKLM\SYSTEM\CS3\Services\Tcpip\..\{A33211DF-AC8E-467A-8A10-9C08C4791F11}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=202.156.1.48 218.186.1.88 202.156.1.38
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=202.156.1.48 218.186.1.88 202.156.1.38


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

cjlee
post Oct 30 2008, 10:43 AM
Post #6


Member
Posts: 16
OS: Win XP



And here is the Lop S&D report:


--------------------\\ Lop S&D 4.2.4-8 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3
X86-based PC ( Multiprocessor Free : Intel® Pentium® 4 CPU 2.80GHz )
BIOS : BIOS Date: 12/12/03 19:29:54 Ver: 08.00.09
USER : joe schmo ( Administrator )
BOOT : Normal boot
Antivirus : avast! antivirus 4.8.1229 [VPS 081030-0] 4.8.1229 (Not Activated)
A:\ (USB)
C:\ (Local Disk) - NTFS - Total:76 Go (Free:45 Go)
D:\ (CD or DVD)
E:\ (Local Disk) - NTFS - Total:233 Go (Free:61 Go)
F:\ (USB)

"C:\Lop SD" ( MAJ : 27-10-2008|09:15 )
Option : [1] ( Fri 10/31/2008| 0:39 )

--------------------\\ Listing folders in APPLIC~1

[10/09/2008|13:56] C:\DOCUME~1\ALLUSE~1\APPLIC~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[10/05/2008|11:19] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe
[10/04/2007|07:47] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
[02/07/2008|09:28] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
[09/30/2006|08:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Creative
[03/28/2006|09:19] C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
[02/17/2008|19:45] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
[07/21/2007|18:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\HP
[06/15/2008|14:35] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
[10/19/2008|13:11] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes
[02/03/2008|13:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft
[06/03/2007|10:04] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Mozilla
[03/28/2006|09:02] C:\DOCUME~1\ALLUSE~1\APPLIC~1\muvee Technologies
[09/22/2008|20:39] C:\DOCUME~1\ALLUSE~1\APPLIC~1\NCH Swift Sound
[10/04/2008|12:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\NOS
[05/30/2008|19:47] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype
[03/18/2006|16:35] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
[07/14/2008|21:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
[10/27/2008|08:05] C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
[03/18/2006|16:42] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
[11/30/2007|16:45] C:\DOCUME~1\ALLUSE~1\APPLIC~1\WLInstaller

[03/17/2006|09:32] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Microsoft

[06/29/2006|21:15] C:\DOCUME~1\JOESCH~1\APPLIC~1\.ABC
[10/13/2008|15:42] C:\DOCUME~1\JOESCH~1\APPLIC~1\Adobe
[02/07/2008|09:28] C:\DOCUME~1\JOESCH~1\APPLIC~1\Apple Computer
[07/08/2006|15:22] C:\DOCUME~1\JOESCH~1\APPLIC~1\ArcSoft
[10/17/2008|00:01] C:\DOCUME~1\JOESCH~1\APPLIC~1\Azureus
[10/13/2008|15:42] C:\DOCUME~1\JOESCH~1\APPLIC~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[08/28/2006|16:29] C:\DOCUME~1\JOESCH~1\APPLIC~1\Common Files
[03/27/2006|16:25] C:\DOCUME~1\JOESCH~1\APPLIC~1\Creative
[10/07/2006|08:23] C:\DOCUME~1\JOESCH~1\APPLIC~1\DivX
[07/16/2008|08:05] C:\DOCUME~1\JOESCH~1\APPLIC~1\ErrorKiller
[02/18/2008|22:30] C:\DOCUME~1\JOESCH~1\APPLIC~1\Google
[03/17/2006|16:52] C:\DOCUME~1\JOESCH~1\APPLIC~1\Help
[12/11/2007|10:47] C:\DOCUME~1\JOESCH~1\APPLIC~1\HP
[03/17/2006|09:41] C:\DOCUME~1\JOESCH~1\APPLIC~1\Identities
[10/05/2008|11:52] C:\DOCUME~1\JOESCH~1\APPLIC~1\Image Zone Express
[03/19/2006|07:59] C:\DOCUME~1\JOESCH~1\APPLIC~1\InterTrust
[03/19/2006|08:26] C:\DOCUME~1\JOESCH~1\APPLIC~1\Lavasoft
[12/06/2007|16:51] C:\DOCUME~1\JOESCH~1\APPLIC~1\LG Electronics
[03/27/2006|09:08] C:\DOCUME~1\JOESCH~1\APPLIC~1\Macromedia
[10/19/2008|13:11] C:\DOCUME~1\JOESCH~1\APPLIC~1\Malwarebytes
[01/06/2008|20:10] C:\DOCUME~1\JOESCH~1\APPLIC~1\Microsoft
[06/03/2007|10:05] C:\DOCUME~1\JOESCH~1\APPLIC~1\Mozilla
[09/22/2008|20:38] C:\DOCUME~1\JOESCH~1\APPLIC~1\NCH Swift Sound
[05/30/2008|19:47] C:\DOCUME~1\JOESCH~1\APPLIC~1\Skype
[05/25/2008|00:02] C:\DOCUME~1\JOESCH~1\APPLIC~1\skypePM
[03/18/2006|08:39] C:\DOCUME~1\JOESCH~1\APPLIC~1\Sun
[03/19/2006|08:49] C:\DOCUME~1\JOESCH~1\APPLIC~1\Symantec
[06/03/2007|10:05] C:\DOCUME~1\JOESCH~1\APPLIC~1\Talkback
[03/31/2006|07:23] C:\DOCUME~1\JOESCH~1\APPLIC~1\VERITAS

[03/11/2008|11:33] C:\DOCUME~1\LOCALS~1\APPLIC~1\Adobe
[03/11/2008|11:33] C:\DOCUME~1\LOCALS~1\APPLIC~1\Macromedia
[02/05/2008|13:13] C:\DOCUME~1\LOCALS~1\APPLIC~1\Microsoft
[03/22/2007|08:59] C:\DOCUME~1\LOCALS~1\APPLIC~1\Symantec

[03/17/2006|09:32] C:\DOCUME~1\NETWOR~1\APPLIC~1\Microsoft
[03/19/2006|09:41] C:\DOCUME~1\NETWOR~1\APPLIC~1\Symantec

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[10/30/2008 18:25][--a------] C:\WINDOWS\tasks\GoogleUpdateTaskUser.job
[10/30/2008 08:33][--a------] C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[10/30/2008 23:21][--a------] C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
[10/31/2008 00:34][--ah-----] C:\WINDOWS\tasks\SA.DAT
[08/04/2004 20:00][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[03/17/2006|16:03] C:\Program Files\123 Free Solitaire
[10/31/2006|09:11] C:\Program Files\Activision
[10/05/2008|11:18] C:\Program Files\Adobe
[10/13/2006|07:59] C:\Program Files\Ahead
[08/26/2006|09:57] C:\Program Files\AivX
[07/14/2008|22:02] C:\Program Files\Alwil Software
[08/27/2008|16:52] C:\Program Files\Apple Software Update
[08/31/2006|09:52] C:\Program Files\ArcSoft
[07/31/2008|13:59] C:\Program Files\Azureus
[09/15/2008|18:45] C:\Program Files\B4Playing
[09/11/2008|09:21] C:\Program Files\Bonjour
[09/17/2008|20:30] C:\Program Files\CASHFLOW
[07/07/2007|11:38] C:\Program Files\CDisplay
[10/04/2008|18:33] C:\Program Files\Common Files
[04/02/2006|09:38] C:\Program Files\ComPlus Applications
[03/19/2006|08:12] C:\Program Files\Creative
[03/28/2006|09:19] C:\Program Files\CyberLink
[08/01/2008|09:30] C:\Program Files\DivX
[03/17/2006|16:52] C:\Program Files\Double Solitaire
[10/30/2008|22:24] C:\Program Files\ERUNT
[08/26/2006|10:16] C:\Program Files\ffdshow
[02/17/2008|19:45] C:\Program Files\Google
[08/30/2008|18:20] C:\Program Files\Hewlett-Packard
[07/21/2007|18:58] C:\Program Files\HP
[03/28/2006|09:22] C:\Program Files\HP DVD
[12/07/2007|16:30] C:\Program Files\InstallShield Installation Information
[10/29/2008|23:51] C:\Program Files\Internet Explorer
[10/09/2008|13:55] C:\Program Files\iPod
[07/28/2007|09:01] C:\Program Files\Ipswitch
[10/09/2008|13:56] C:\Program Files\iTunes
[10/19/2008|12:28] C:\Program Files\Java
[06/15/2008|14:34] C:\Program Files\Lavasoft
[12/06/2007|16:47] C:\Program Files\LG Electronics
[12/06/2007|16:45] C:\Program Files\LG PC Suite
[10/05/2007|07:49] C:\Program Files\MagicISO
[10/19/2008|13:11] C:\Program Files\Malwarebytes' Anti-Malware
[12/03/2007|15:24] C:\Program Files\Mediafour
[10/21/2008|23:21] C:\Program Files\Messenger
[03/17/2006|10:11] C:\Program Files\Microsoft ActiveSync
[05/10/2007|03:04] C:\Program Files\Microsoft CAPICOM 2.1.0.2
[03/17/2006|09:32] C:\Program Files\microsoft frontpage
[03/17/2006|10:06] C:\Program Files\Microsoft Office
[11/30/2007|17:07] C:\Program Files\Microsoft SQL Server Compact Edition
[03/17/2006|10:12] C:\Program Files\Microsoft.NET
[09/17/2008|16:58] C:\Program Files\Movie Maker
[06/05/2007|07:33] C:\Program Files\Mozilla Firefox
[03/17/2006|09:22] C:\Program Files\MSN
[03/17/2006|09:23] C:\Program Files\MSN Gaming Zone
[11/18/2006|03:04] C:\Program Files\MSXML 4.0
[03/28/2006|09:02] C:\Program Files\muvee autoProducer DVD Edition - HPC
[09/22/2008|23:00] C:\Program Files\NCH Software
[09/22/2008|20:39] C:\Program Files\NCH Swift Sound
[09/17/2008|16:54] C:\Program Files\NetMeeting
[02/05/2008|22:40] C:\Program Files\Neuston Media Centre
[07/15/2008|17:43] C:\Program Files\Norton AntiVirus
[10/04/2008|12:30] C:\Program Files\NOS
[03/17/2006|10:19] C:\Program Files\OfficeUpdate11
[04/02/2006|09:38] C:\Program Files\Online Services
[09/17/2008|16:54] C:\Program Files\Outlook Express
[05/01/2006|09:08] C:\Program Files\Overland
[09/29/2008|20:26] C:\Program Files\PCFriendly
[10/31/2008|00:39] C:\Program Files\PeerGuardian2
[03/17/2006|10:57] C:\Program Files\PicoZip
[10/19/2008|12:08] C:\Program Files\PokerStars
[03/28/2006|09:20] C:\Program Files\PowerDVD
[09/11/2008|09:19] C:\Program Files\QuickTime
[04/09/2006|08:22] C:\Program Files\RecordNow
[10/27/2008|20:42] C:\Program Files\SDHelper (Spybot - Search & Destroy)
[05/21/2007|08:48] C:\Program Files\SIM editor
[09/01/2008|21:59] C:\Program Files\Simplify Media
[05/30/2008|19:47] C:\Program Files\Skype
[03/28/2006|09:20] C:\Program Files\Sonic
[12/07/2007|16:33] C:\Program Files\Sony Handheld
[03/18/2006|16:59] C:\Program Files\Spider Solitaire
[10/27/2008|20:42] C:\Program Files\Spybot - Search & Destroy
[07/15/2008|17:43] C:\Program Files\Symantec
[10/27/2008|20:42] C:\Program Files\TeaTimer (Spybot - Search & Destroy)
[09/16/2007|13:49] C:\Program Files\Total Training
[08/31/2006|08:59] C:\Program Files\Ulead Systems
[03/17/2006|09:41] C:\Program Files\Uninstall Information
[02/28/2008|03:02] C:\Program Files\Windows Live
[11/30/2007|19:11] C:\Program Files\Windows Live Favorites
[11/30/2007|19:12] C:\Program Files\Windows Live Toolbar
[03/18/2006|16:54] C:\Program Files\Windows Media Connect 2
[09/17/2008|16:54] C:\Program Files\Windows Media Player
[09/17/2008|16:54] C:\Program Files\Windows NT
[03/17/2006|09:30] C:\Program Files\WindowsUpdate
[11/10/2007|15:54] C:\Program Files\WinRAR
[03/17/2006|09:32] C:\Program Files\xerox

--------------------\\ Listing Folders in C:\Program Files\Common Files

[10/05/2008|11:19] C:\Program Files\Common Files\Adobe
[10/04/2008|18:33] C:\Program Files\Common Files\Adobe AIR
[10/13/2006|07:55] C:\Program Files\Common Files\Ahead
[09/11/2008|09:18] C:\Program Files\Common Files\Apple
[03/17/2006|10:05] C:\Program Files\Common Files\DESIGNER
[03/30/2006|09:09] C:\Program Files\Common Files\Hewlett-Packard
[07/21/2007|18:58] C:\Program Files\Common Files\HP
[08/26/2006|09:51] C:\Program Files\Common Files\InstallShield
[03/17/2006|22:32] C:\Program Files\Common Files\Java
[10/17/2008|16:32] C:\Program Files\Common Files\Microsoft Shared
[03/17/2006|09:29] C:\Program Files\Common Files\MSSoap
[03/28/2006|09:02] C:\Program Files\Common Files\muvee Technologies
[03/17/2006|17:06] C:\Program Files\Common Files\ODBC
[03/17/2006|09:29] C:\Program Files\Common Files\Services
[03/17/2006|17:05] C:\Program Files\Common Files\SpeechEngines
[07/15/2008|17:43] C:\Program Files\Common Files\Symantec Shared
[09/17/2008|16:54] C:\Program Files\Common Files\System
[11/30/2007|16:51] C:\Program Files\Common Files\WindowsLiveInstaller

--------------------\\ Process

( 49 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

No Lop folder found !

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-31 00:41:45
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections

--------------------\\ KoobFace !

C:\WINDOWS\bemark2.dat
C:\WINDOWS\fmark2.dat

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\JOESCH~1\My Documents\Drivers\crack
C:\DOCUME~1\JOESCH~1\My Documents\Drivers\crack\common.ini


[F:1555][D:217]-> C:\DOCUME~1\JOESCH~1\LOCALS~1\Temp
[F:2][D:0]-> C:\DOCUME~1\JOESCH~1\Cookies
[F:60][D:40]-> C:\DOCUME~1\JOESCH~1\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - Fri 10/31/2008| 0:43 - Option : [1]

--------------------\\ Scan completed at 0:43:12

Rorschach112
post Oct 30 2008, 10:46 AM
Post #7


GeekU Teacher
Posts: 21,867
From: Dublin
OS: XP



Hello

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
cjlee
post Oct 30 2008, 08:34 PM
Post #8


Member
Posts: 16
OS: Win XP



Here is the ComboFix log:

ComboFix 08-10-30.09 - joe schmo 2008-10-31 7:39:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.116 [GMT 8:00]
Running from: C:\Documents and Settings\joe schmo\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\joe schmo\My Documents\My Documents.url
C:\Documents and Settings\joe schmo\My Documents\My Music\My Music.url
C:\Documents and Settings\joe schmo\My Documents\My Pictures\My Pictures.url
C:\Documents and Settings\joe schmo\My Documents\My Videos\My Video.url
C:\Program Files\internet explorer\keygen.exe
C:\WINDOWS\fmark2.dat
C:\WINDOWS\Install.txt
C:\WINDOWS\system32\Config.ini
C:\WINDOWS\system32\drmgs.sys
C:\WINDOWS\system32\tmp0_107356384211.bk
C:\WINDOWS\system32\tmp0_108206389690.bk
C:\WINDOWS\system32\tmp0_108851456911.bk
C:\WINDOWS\system32\tmp0_119014327981.bk
C:\WINDOWS\system32\tmp0_124999721892.bk
C:\WINDOWS\system32\tmp0_134102863561.bk
C:\WINDOWS\system32\tmp0_13570442863.bk
C:\WINDOWS\system32\tmp0_159677190672.bk
C:\WINDOWS\system32\tmp0_163646247382.bk
C:\WINDOWS\system32\tmp0_172402748866.bk
C:\WINDOWS\system32\tmp0_1947136791.bk
C:\WINDOWS\system32\tmp0_211036465820.bk
C:\WINDOWS\system32\tmp0_231596255247.bk
C:\WINDOWS\system32\tmp0_246817172492.bk
C:\WINDOWS\system32\tmp0_249645675276.bk
C:\WINDOWS\system32\tmp0_253313733940.bk
C:\WINDOWS\system32\tmp0_270556543508.bk
C:\WINDOWS\system32\tmp0_275884391634.bk
C:\WINDOWS\system32\tmp0_28050170384.bk
C:\WINDOWS\system32\tmp0_29137876697.bk
C:\WINDOWS\system32\tmp0_293420184879.bk
C:\WINDOWS\system32\tmp0_299667587787.bk
C:\WINDOWS\system32\tmp0_340374843.bk
C:\WINDOWS\system32\tmp0_350925400929.bk
C:\WINDOWS\system32\tmp0_35418829216.bk
C:\WINDOWS\system32\tmp0_398393753885.bk
C:\WINDOWS\system32\tmp0_40960887250.bk
C:\WINDOWS\system32\tmp0_41078082525.bk
C:\WINDOWS\system32\tmp0_414299374415.bk
C:\WINDOWS\system32\tmp0_416257104848.bk
C:\WINDOWS\system32\tmp0_418582368524.bk
C:\WINDOWS\system32\tmp0_424731109708.bk
C:\WINDOWS\system32\tmp0_474287623380.bk
C:\WINDOWS\system32\tmp0_505914761543.bk
C:\WINDOWS\system32\tmp0_51604744676.bk
C:\WINDOWS\system32\tmp0_516050451159.bk
C:\WINDOWS\system32\tmp0_527047367413.bk
C:\WINDOWS\system32\tmp0_535330649944.bk
C:\WINDOWS\system32\tmp0_535531539989.bk
C:\WINDOWS\system32\tmp0_5374724548.bk
C:\WINDOWS\system32\tmp0_555420740186.bk
C:\WINDOWS\system32\tmp0_563756101519.bk
C:\WINDOWS\system32\tmp0_56383630695.bk
C:\WINDOWS\system32\tmp0_566389613613.bk
C:\WINDOWS\system32\tmp0_56889178248.bk
C:\WINDOWS\system32\tmp0_577662887171.bk
C:\WINDOWS\system32\tmp0_58516841967.bk
C:\WINDOWS\system32\tmp0_607732725856.bk
C:\WINDOWS\system32\tmp0_609172382480.bk
C:\WINDOWS\system32\tmp0_619114777466.bk
C:\WINDOWS\system32\tmp0_6198282405.bk
C:\WINDOWS\system32\tmp0_620231422960.bk
C:\WINDOWS\system32\tmp0_639358638489.bk
C:\WINDOWS\system32\tmp0_654039354014.bk
C:\WINDOWS\system32\tmp0_655619589170.bk
C:\WINDOWS\system32\tmp0_657369861030.bk
C:\WINDOWS\system32\tmp0_659785313063.bk
C:\WINDOWS\system32\tmp0_66489466715.bk
C:\WINDOWS\system32\tmp0_669754622107.bk
C:\WINDOWS\system32\tmp0_686221189804.bk
C:\WINDOWS\system32\tmp0_691648205752.bk
C:\WINDOWS\system32\tmp0_70317782885.bk
C:\WINDOWS\system32\tmp0_703664544420.bk
C:\WINDOWS\system32\tmp0_719295349168.bk
C:\WINDOWS\system32\tmp0_725042173846.bk
C:\WINDOWS\system32\tmp0_735474726809.bk
C:\WINDOWS\system32\tmp0_75381441925.bk
C:\WINDOWS\system32\tmp0_7549597522.bk
C:\WINDOWS\system32\tmp0_755435258723.bk
C:\WINDOWS\system32\tmp0_760061414785.bk
C:\WINDOWS\system32\tmp0_7843468672.bk
C:\WINDOWS\system32\tmp0_80301400964.bk
C:\WINDOWS\system32\tmp0_80946326976.bk
C:\WINDOWS\system32\tmp0_838713737208.bk
C:\WINDOWS\system32\tmp0_854897378963.bk
C:\WINDOWS\system32\tmp0_859261353239.bk
C:\WINDOWS\system32\tmp0_865351302744.bk
C:\WINDOWS\system32\tmp0_870883396210.bk
C:\WINDOWS\system32\tmp0_887509129584.bk
C:\WINDOWS\system32\tmp0_888872124450.bk
C:\WINDOWS\system32\tmp0_9433404571.bk
C:\WINDOWS\system32\tmp1_105287393731.bk
C:\WINDOWS\system32\tmp1_132773120552.bk
C:\WINDOWS\system32\tmp1_14204784507.bk
C:\WINDOWS\system32\tmp1_14675136134.bk
C:\WINDOWS\system32\tmp1_15033870404.bk
C:\WINDOWS\system32\tmp1_158488211021.bk
C:\WINDOWS\system32\tmp1_158900437962.bk
C:\WINDOWS\system32\tmp1_170851697288.bk
C:\WINDOWS\system32\tmp1_1753292344.bk
C:\WINDOWS\system32\tmp1_177202643458.bk
C:\WINDOWS\system32\tmp1_184979737608.bk
C:\WINDOWS\system32\tmp1_207751786273.bk
C:\WINDOWS\system32\tmp1_210231853304.bk
C:\WINDOWS\system32\tmp1_214771723174.bk
C:\WINDOWS\system32\tmp1_216384295668.bk
C:\WINDOWS\system32\tmp1_232073877280.bk
C:\WINDOWS\system32\tmp1_233273183582.bk
C:\WINDOWS\system32\tmp1_23934941189.bk
C:\WINDOWS\system32\tmp1_240478626944.bk
C:\WINDOWS\system32\tmp1_24158913422.bk
C:\WINDOWS\system32\tmp1_246322806075.bk
C:\WINDOWS\system32\tmp1_246922220072.bk
C:\WINDOWS\system32\tmp1_248737474677.bk
C:\WINDOWS\system32\tmp1_27582446132.bk
C:\WINDOWS\system32\tmp1_299285499111.bk
C:\WINDOWS\system32\tmp1_304875192220.bk
C:\WINDOWS\system32\tmp1_3147363342.bk
C:\WINDOWS\system32\tmp1_333647589061.bk
C:\WINDOWS\system32\tmp1_335193754449.bk
C:\WINDOWS\system32\tmp1_337150465929.bk
C:\WINDOWS\system32\tmp1_354269591883.bk
C:\WINDOWS\system32\tmp1_366028286172.bk
C:\WINDOWS\system32\tmp1_366319694396.bk
C:\WINDOWS\system32\tmp1_37196214999.bk
C:\WINDOWS\system32\tmp1_395825555954.bk
C:\WINDOWS\system32\tmp1_419787713389.bk
C:\WINDOWS\system32\tmp1_426231377270.bk
C:\WINDOWS\system32\tmp1_432068580909.bk
C:\WINDOWS\system32\tmp1_452324242393.bk
C:\WINDOWS\system32\tmp1_47880888458.bk
C:\WINDOWS\system32\tmp1_492065759704.bk
C:\WINDOWS\system32\tmp1_50509919630.bk
C:\WINDOWS\system32\tmp1_528589533827.bk
C:\WINDOWS\system32\tmp1_546712551809.bk
C:\WINDOWS\system32\tmp1_551373770396.bk
C:\WINDOWS\system32\tmp1_55978602257.bk
C:\WINDOWS\system32\tmp1_562601419618.bk
C:\WINDOWS\system32\tmp1_584535337354.bk
C:\WINDOWS\system32\tmp1_585099382893.bk
C:\WINDOWS\system32\tmp1_602405539714.bk
C:\WINDOWS\system32\tmp1_622051535864.bk
C:\WINDOWS\system32\tmp1_623442880476.bk
C:\WINDOWS\system32\tmp1_651877193011.bk
C:\WINDOWS\system32\tmp1_67537858963.bk
C:\WINDOWS\system32\tmp1_678606820053.bk
C:\WINDOWS\system32\tmp1_735608361789.bk
C:\WINDOWS\system32\tmp1_766061274073.bk
C:\WINDOWS\system32\tmp1_768866570521.bk
C:\WINDOWS\system32\tmp1_80186612081.bk
C:\WINDOWS\system32\tmp1_819195538309.bk
C:\WINDOWS\system32\tmp1_820689474701.bk
C:\WINDOWS\system32\tmp1_845155414120.bk
C:\WINDOWS\system32\tmp1_861620665981.bk
C:\WINDOWS\system32\tmp1_866589781510.bk
C:\WINDOWS\system32\tmp1_873590251084.bk
C:\WINDOWS\system32\tmp1_878658380599.bk
C:\WINDOWS\system32\tmp1_885298438928.bk
C:\WINDOWS\system32\tmp2_105958364833.bk
C:\WINDOWS\system32\tmp2_208740480328.bk
C:\WINDOWS\system32\tmp2_20879437087.bk
C:\WINDOWS\system32\tmp2_500024719557.bk
C:\WINDOWS\system32\tmp2_634633374130.bk
C:\WINDOWS\system32\tmp2_659555875733.bk
C:\WINDOWS\system32\tmp2_695624820159.bk
C:\WINDOWS\system32\tmp2_77182048552.bk
C:\WINDOWS\system32\tmp2_790097431741.bk
C:\WINDOWS\system32\tmp2_899082627824.bk
C:\WINDOWS\system32\tmp3_111503394423.bk
C:\WINDOWS\system32\tmp3_113319356673.bk
C:\WINDOWS\system32\tmp3_117000275674.bk
C:\WINDOWS\system32\tmp3_125229589745.bk
C:\WINDOWS\system32\tmp3_125290798456.bk
C:\WINDOWS\system32\tmp3_126121714629.bk
C:\WINDOWS\system32\tmp3_134532810431.bk
C:\WINDOWS\system32\tmp3_139242874180.bk
C:\WINDOWS\system32\tmp3_155731847306.bk
C:\WINDOWS\system32\tmp3_166751289691.bk
C:\WINDOWS\system32\tmp3_171395644394.bk
C:\WINDOWS\system32\tmp3_214798388034.bk
C:\WINDOWS\system32\tmp3_21774424111.bk
C:\WINDOWS\system32\tmp3_224296751900.bk
C:\WINDOWS\system32\tmp3_254581857990.bk
C:\WINDOWS\system32\tmp3_256830877300.bk
C:\WINDOWS\system32\tmp3_258703296286.bk
C:\WINDOWS\system32\tmp3_294684285162.bk
C:\WINDOWS\system32\tmp3_335312617482.bk
C:\WINDOWS\system32\tmp3_356376642569.bk
C:\WINDOWS\system32\tmp3_360799632765.bk
C:\WINDOWS\system32\tmp3_3635922762.bk
C:\WINDOWS\system32\tmp3_367783608587.bk
C:\WINDOWS\system32\tmp3_370387268423.bk
C:\WINDOWS\system32\tmp3_373669320881.bk
C:\WINDOWS\system32\tmp3_388518465215.bk
C:\WINDOWS\system32\tmp3_415650706583.bk
C:\WINDOWS\system32\tmp3_420149173929.bk
C:\WINDOWS\system32\tmp3_432509883253.bk
C:\WINDOWS\system32\tmp3_438715579003.bk
C:\WINDOWS\system32\tmp3_452531643694.bk
C:\WINDOWS\system32\tmp3_457422850882.bk
C:\WINDOWS\system32\tmp3_475801792684.bk
C:\WINDOWS\system32\tmp3_481431779202.bk
C:\WINDOWS\system32\tmp3_500993711027.bk
C:\WINDOWS\system32\tmp3_509271533347.bk
C:\WINDOWS\system32\tmp3_516711532469.bk
C:\WINDOWS\system32\tmp3_521123642511.bk
C:\WINDOWS\system32\tmp3_5285794484.bk
C:\WINDOWS\system32\tmp3_54140315857.bk
C:\WINDOWS\system32\tmp3_548251563073.bk
C:\WINDOWS\system32\tmp3_549429770396.bk
C:\WINDOWS\system32\tmp3_558547122214.bk
C:\WINDOWS\system32\tmp3_567684208221.bk
C:\WINDOWS\system32\tmp3_569909834828.bk
C:\WINDOWS\system32\tmp3_58225747729.bk
C:\WINDOWS\system32\tmp3_594631473883.bk
C:\WINDOWS\system32\tmp3_598671757680.bk
C:\WINDOWS\system32\tmp3_612050370842.bk
C:\WINDOWS\system32\tmp3_617373228694.bk
C:\WINDOWS\system32\tmp3_6216392559.bk
C:\WINDOWS\system32\tmp3_632696589420.bk
C:\WINDOWS\system32\tmp3_636218746263.bk
C:\WINDOWS\system32\tmp3_637335721425.bk
C:\WINDOWS\system32\tmp3_6420799840.bk
C:\WINDOWS\system32\tmp3_65584175244.bk
C:\WINDOWS\system32\tmp3_664933501901.bk
C:\WINDOWS\system32\tmp3_666451626749.bk
C:\WINDOWS\system32\tmp3_675772732077.bk
C:\WINDOWS\system32\tmp3_704139458227.bk
C:\WINDOWS\system32\tmp3_70956540340.bk
C:\WINDOWS\system32\tmp3_717272123248.bk
C:\WINDOWS\system32\tmp3_721039320551.bk
C:\WINDOWS\system32\tmp3_732353351916.bk
C:\WINDOWS\system32\tmp3_740123806787.bk
C:\WINDOWS\system32\tmp3_768118230376.bk
C:\WINDOWS\system32\tmp3_771482441120.bk
C:\WINDOWS\system32\tmp3_780780726966.bk
C:\WINDOWS\system32\tmp3_821098163272.bk
C:\WINDOWS\system32\tmp3_849064389651.bk
C:\WINDOWS\system32\tmp3_85191684883.bk
C:\WINDOWS\system32\tmp3_879677189525.bk
C:\WINDOWS\system32\tmp3_880510542087.bk
C:\WINDOWS\system32\tmp3_885222866984.bk
C:\WINDOWS\system32\tmp3_88829431330.bk
C:\WINDOWS\system32\tmp3_893310870027.bk
C:\WINDOWS\system32\tmp4_11569837524.bk
C:\WINDOWS\system32\tmp4_1219983453.bk
C:\WINDOWS\system32\tmp4_12715668292.bk
C:\WINDOWS\system32\tmp4_140056728775.bk
C:\WINDOWS\system32\tmp4_142369563882.bk
C:\WINDOWS\system32\tmp4_1815447558.bk
C:\WINDOWS\system32\tmp4_212272154325.bk
C:\WINDOWS\system32\tmp4_215405298100.bk
C:\WINDOWS\system32\tmp4_219004364279.bk
C:\WINDOWS\system32\tmp4_227195858643.bk
C:\WINDOWS\system32\tmp4_230442199712.bk
C:\WINDOWS\system32\tmp4_2324222915.bk
C:\WINDOWS\system32\tmp4_234711445673.bk
C:\WINDOWS\system32\tmp4_261377553156.bk
C:\WINDOWS\system32\tmp4_2868810332.bk
C:\WINDOWS\system32\tmp4_291023608549.bk
C:\WINDOWS\system32\tmp4_298986724845.bk
C:\WINDOWS\system32\tmp4_326080614407.bk
C:\WINDOWS\system32\tmp4_351728521264.bk
C:\WINDOWS\system32\tmp4_365603449788.bk
C:\WINDOWS\system32\tmp4_37958830762.bk
C:\WINDOWS\system32\tmp4_388360568630.bk
C:\WINDOWS\system32\tmp4_393293692387.bk
C:\WINDOWS\system32\tmp4_402712791403.bk
C:\WINDOWS\system32\tmp4_411567125262.bk
C:\WINDOWS\system32\tmp4_412410191731.bk
C:\WINDOWS\system32\tmp4_435204206471.bk
C:\WINDOWS\system32\tmp4_446383397437.bk
C:\WINDOWS\system32\tmp4_450831103110.bk
C:\WINDOWS\system32\tmp4_455775391945.bk
C:\WINDOWS\system32\tmp4_45938498478.bk
C:\WINDOWS\system32\tmp4_45982523625.bk
C:\WINDOWS\system32\tmp4_470742330014.bk
C:\WINDOWS\system32\tmp4_477672648736.bk
C:\WINDOWS\system32\tmp4_49102407287.bk
C:\WINDOWS\system32\tmp4_497231192690.bk
C:\WINDOWS\system32\tmp4_497304281151.bk
C:\WINDOWS\system32\tmp4_519764212002.bk
C:\WINDOWS\system32\tmp4_52134876329.bk
C:\WINDOWS\system32\tmp4_538845686342.bk
C:\WINDOWS\system32\tmp4_540433376304.bk
C:\WINDOWS\system32\tmp4_555450590944.bk
C:\WINDOWS\system32\tmp4_584502785308.bk
C:\WINDOWS\system32\tmp4_587284586513.bk
C:\WINDOWS\system32\tmp4_612182396635.bk
C:\WINDOWS\system32\tmp4_618287874426.bk
C:\WINDOWS\system32\tmp4_635798774962.bk
C:\WINDOWS\system32\tmp4_644284889599.bk
C:\WINDOWS\system32\tmp4_64710881303.bk
C:\WINDOWS\system32\tmp4_660147682434.bk
C:\WINDOWS\system32\tmp4_671678757041.bk
C:\WINDOWS\system32\tmp4_672038485195.bk
C:\WINDOWS\system32\tmp4_688905796872.bk
C:\WINDOWS\system32\tmp4_701132660851.bk
C:\WINDOWS\system32\tmp4_713313220739.bk
C:\WINDOWS\system32\tmp4_720332819.bk
C:\WINDOWS\system32\tmp4_726596281581.bk
C:\WINDOWS\system32\tmp4_762752676803.bk
C:\WINDOWS\system32\tmp4_77810493544.bk
C:\WINDOWS\system32\tmp4_78795728134.bk
C:\WINDOWS\system32\tmp4_802322447673.bk
C:\WINDOWS\system32\tmp4_806409612873.bk
C:\WINDOWS\system32\tmp4_814973674916.bk
C:\WINDOWS\system32\tmp4_8167434