Geeks to Go
Error messages on reboot


#1 wacky (Member, 18 posts)

Guys, getting quite a few error messages on bootup in Windows XP Pro. Also the bootup is quite a bit slower than before. Main messages are:

1. NT_Kernel_Error
2. bhookpl.dll not a valid windows image
3. drvviz.dll missing

Here is my HijackThis log. Any help would be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:05:01, on 30/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Program Files\VMware\VMware Workstation\vmware.exe
C:\Program Files\VMware\VMware Workstation\bin\vmware-vmx.exe
C:\WINDOWS\system32\javaw.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytalktalk.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\WINDOWS\system32\sstqq.exe
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvviz.dll,startup
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [940b73f4] rundll32.exe "C:\WINDOWS\system32\hcdfwsqt.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Bandook] C:\WINDOWS\system32\msdll.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://desktop.lse.ac.uk/msrdp.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\uunjsdyp.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 6504 bytes
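As an added example (not part of any post in this thread), the following Python script applies the kind of triage a malware helper does by eye to the HijackThis log above: it parses the F3, O4 and O23 line formats, flags entries on structural signals (a win.ini load= hook, rundll32 loading a DLL straight from system32, a hex-string entry name, a service with no owner or a missing binary) and ties entries back to the startup errors the poster reported. The sample lines are copied from the log above; the heuristics, the function names and the small allowlist are this example's own assumptions, not anything HijackThis itself does.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Constructed subset of the HijackThis log posted above (lines copied verbatim from it).
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\sstqq.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvviz.dll,startup
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [940b73f4] rundll32.exe "C:\WINDOWS\system32\hcdfwsqt.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Bandook] C:\WINDOWS\system32\msdll.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\uunjsdyp.exe (file missing)
"""
# Startup errors the poster reported, used to tie log entries back to symptoms.
REPORTED_ERRORS = ("bhookpl.dll not a valid windows image", "drvviz.dll missing")
# Assumed allowlist: Windows components that legitimately autostart straight from system32.
KNOWN_SYSTEM_AUTOSTARTS = {"ctfmon.exe"}
BARE_SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

O4_RE = re.compile(r"^(?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
F3_RE = re.compile(r"^REG:win\.ini: (?P<key>load|run)=(?P<cmd>.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll)", re.I)  # first .exe/.dll path in a command

@dataclass
class Finding:
    code: str      # HijackThis section code (F3, O4, O23)
    name: str      # win.ini key, Run-key value name or service name
    target: str    # binary the entry points at, "" when none could be parsed
    reasons: list = field(default_factory=list)

def first_path(cmd):
    m = PATH_RE.search(cmd)
    return m.group(0) if m else ""

def in_bare_system_dir(path):
    """True when the file sits directly in the Windows or system32 directory, not a vendor folder."""
    return ntpath.dirname(path).lower() in BARE_SYSTEM_DIRS

def check_f3(body):
    m = F3_RE.match(body)
    if not m:
        return None
    return m.group("key"), first_path(m.group("cmd")), [
        "win.ini load=/run= autostart hook (pre-registry mechanism modern software does not use)"]

def check_o4(body):
    m = O4_RE.match(body)
    if not m:
        return None
    name, cmd = m.group("name"), m.group("cmd")
    target, reasons = first_path(cmd), []
    if cmd.lower().startswith("rundll32") and in_bare_system_dir(target):
        reasons.append("rundll32 loads a DLL straight out of a system directory")
    if re.fullmatch(r"[0-9a-f]{6,}", name):
        reasons.append("entry name is a bare hex string")
    if in_bare_system_dir(target) and ntpath.basename(target).lower() not in KNOWN_SYSTEM_AUTOSTARTS:
        reasons.append("binary sits directly in a system directory with no vendor folder")
    return name, target, reasons

def check_o23(body):
    m = O23_RE.match(body)
    if not m:
        return None
    reasons = []
    if "(file missing)" in m.group("path"):
        reasons.append("service binary is missing from disk")
    if m.group("owner") == "Unknown owner":
        reasons.append("service has no registered owner")
    return m.group("name"), first_path(m.group("path")), reasons

CHECKS = {"F3": check_f3, "O4": check_o4, "O23": check_o23}

def triage(log_text, reported_errors=REPORTED_ERRORS):
    """Return the entries worth a closer look, each with the reasons it was flagged."""
    reported_files = {tok.lower() for err in reported_errors
                      for tok in err.split() if tok.lower().endswith(".dll")}
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if " - " not in line:
            continue
        code, body = line.split(" - ", 1)
        result = CHECKS[code](body) if code in CHECKS else None
        if result is None:
            continue
        name, target, reasons = result
        base = ntpath.basename(target).lower()
        if base in reported_files:
            reasons.append(f"explains a startup error the user reported: {base}")
        if reasons:
            findings.append(Finding(code, name, target, reasons))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.code, f"[{f.name}]", f.target or "(no path)", "::", "; ".join(f.reasons))
```

The location and naming checks are triage prompts, not verdicts: they put the right entries at the top of the list for a human to confirm, which is what the helper in the next post does with a ComboFix run.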

#2 loophole (Malware Expert, Retired Staff, 9,798 posts)

Hi :)

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

#3 wacky (Topic Starter, Member, 18 posts)

Thanks loophole.

Here's the log from Combofix:

ComboFix 08-01-31.1 - waqar 2008-01-30 22:04:01.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1538 [GMT 0:00]
Running from: C:\Documents and Settings\waqar\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\sstqq.dll
C:\Documents and Settings\waqar\My Documents\pos11AC.tmp
C:\Documents and Settings\waqar\My Documents\posFB8.tmp
C:\Documents and Settings\waqar\My Documents\posFB9.tmp
C:\Documents and Settings\waqar\My Documents\posFBA.tmp
C:\Documents and Settings\waqar\My Documents\posFBB.tmp
C:\Documents and Settings\waqar\My Documents\posFBC.tmp
C:\Documents and Settings\waqar\My Documents\posFBD.tmp
C:\Documents and Settings\waqar\My Documents\posFBE.tmp
C:\Documents and Settings\waqar\My Documents\posFBF.tmp
C:\Documents and Settings\waqar\My Documents\posFC0.tmp
C:\Documents and Settings\waqar\My Documents\posFC1.tmp
C:\Documents and Settings\waqar\My Documents\posFC2.tmp
C:\Documents and Settings\waqar\My Documents\posFC3.tmp
C:\Documents and Settings\waqar\My Documents\posFC4.tmp
C:\Documents and Settings\waqar\My Documents\posFC5.tmp
C:\Documents and Settings\waqar\My Documents\posFC6.tmp
C:\Documents and Settings\waqar\My Documents\posFC7.tmp
C:\Documents and Settings\waqar\My Documents\posFC8.tmp
C:\Documents and Settings\waqar\My Documents\posFC9.tmp
C:\Documents and Settings\waqar\My Documents\posFCA.tmp
C:\Documents and Settings\waqar\My Documents\posFCB.tmp
C:\Documents and Settings\waqar\My Documents\posFCC.tmp
C:\Documents and Settings\waqar\My Documents\posFCD.tmp
C:\Documents and Settings\waqar\My Documents\posFCE.tmp
C:\Documents and Settings\waqar\My Documents\posFCF.tmp
C:\Documents and Settings\waqar\My Documents\posFD0.tmp
C:\Documents and Settings\waqar\My Documents\posFD1.tmp
C:\Documents and Settings\waqar\My Documents\posFD2.tmp
C:\Documents and Settings\waqar\My Documents\posFD3.tmp
C:\Documents and Settings\waqar\My Documents\posFD4.tmp
C:\Documents and Settings\waqar\My Documents\posFD5.tmp
C:\Documents and Settings\waqar\My Documents\posFD6.tmp
C:\Documents and Settings\waqar\My Documents\posFD7.tmp
C:\Documents and Settings\waqar\My Documents\posFD8.tmp
C:\Documents and Settings\waqar\My Documents\posFD9.tmp
C:\Documents and Settings\waqar\My Documents\posFDA.tmp
C:\Documents and Settings\waqar\My Documents\posFDB.tmp
C:\Documents and Settings\waqar\My Documents\posFDC.tmp
C:\Documents and Settings\waqar\My Documents\posFDD.tmp
C:\Documents and Settings\waqar\My Documents\posFDE.tmp
C:\Documents and Settings\waqar\My Documents\posFDF.tmp
C:\Documents and Settings\waqar\My Documents\posFE0.tmp
C:\Documents and Settings\waqar\My Documents\posFE1.tmp
C:\Documents and Settings\waqar\My Documents\posFE2.tmp
C:\Documents and Settings\waqar\My Documents\posFE3.tmp
C:\Documents and Settings\waqar\My Documents\posFE4.tmp
C:\Documents and Settings\waqar\My Documents\posFE5.tmp
C:\Documents and Settings\waqar\My Documents\posFE6.tmp
C:\Documents and Settings\waqar\My Documents\posFE7.tmp
C:\Documents and Settings\waqar\My Documents\posFE8.tmp
C:\Documents and Settings\waqar\My Documents\posFE9.tmp
C:\Documents and Settings\waqar\My Documents\posFEA.tmp
C:\Documents and Settings\waqar\My Documents\posFEB.tmp
C:\Documents and Settings\waqar\My Documents\posFEC.tmp
C:\Documents and Settings\waqar\My Documents\posFED.tmp
C:\Documents and Settings\waqar\My Documents\posFEE.tmp
C:\Documents and Settings\waqar\My Documents\posFEF.tmp
C:\Documents and Settings\waqar\My Documents\posFF0.tmp
C:\Documents and Settings\waqar\My Documents\posFF1.tmp
C:\Documents and Settings\waqar\My Documents\posFF2.tmp
C:\Documents and Settings\waqar\My Documents\posFF3.tmp
C:\Documents and Settings\waqar\My Documents\posFF4.tmp
C:\Documents and Settings\waqar\My Documents\posFF5.tmp
C:\Documents and Settings\waqar\My Documents\posFF6.tmp
C:\Documents and Settings\waqar\My Documents\posFF7.tmp
C:\Documents and Settings\waqar\My Documents\posFF8.tmp
C:\Documents and Settings\waqar\My Documents\posFF9.tmp
C:\Documents and Settings\waqar\My Documents\posFFA.tmp
C:\Documents and Settings\waqar\My Documents\posFFB.tmp
C:\Documents and Settings\waqar\My Documents\posFFC.tmp
C:\Documents and Settings\waqar\My Documents\posFFD.tmp
C:\Documents and Settings\waqar\My Documents\posFFE.tmp
C:\Documents and Settings\waqar\My Documents\posFFF.tmp
C:\posBBF.tmp
C:\posDB3.tmp
C:\posDB4.tmp
C:\posDB5.tmp
C:\posDB6.tmp
C:\posDB7.tmp
C:\posDB8.tmp
C:\posDB9.tmp
C:\posDBA.tmp
C:\posDBB.tmp
C:\posDBC.tmp
C:\posDBD.tmp
C:\posDBE.tmp
C:\posDBF.tmp
C:\posDC0.tmp
C:\posDC1.tmp
C:\posDC2.tmp
C:\posDC3.tmp
C:\posDC4.tmp
C:\posDC5.tmp
C:\posDC6.tmp
C:\posDC7.tmp
C:\posDC8.tmp
C:\posDC9.tmp
C:\posDCA.tmp
C:\posDCB.tmp
C:\posDCC.tmp
C:\posDCD.tmp
C:\posDCE.tmp
C:\posDCF.tmp
C:\posDD0.tmp
C:\posDD1.tmp
C:\posDD2.tmp
C:\posDD3.tmp
C:\posDD4.tmp
C:\posDD5.tmp
C:\posDD6.tmp
C:\posDD7.tmp
C:\posDD8.tmp
C:\posDD9.tmp
C:\posDDA.tmp
C:\posDDB.tmp
C:\posDDC.tmp
C:\posDDD.tmp
C:\posDDE.tmp
C:\posDDF.tmp
C:\posDE0.tmp
C:\posDE1.tmp
C:\posDE2.tmp
C:\posDE3.tmp
C:\posDE4.tmp
C:\posDE5.tmp
C:\posDE6.tmp
C:\posDE7.tmp
C:\posDE8.tmp
C:\posDE9.tmp
C:\posDEA.tmp
C:\posDEB.tmp
C:\posDEC.tmp
C:\posDED.tmp
C:\posDEE.tmp
C:\posDEF.tmp
C:\posDF0.tmp
C:\posDF1.tmp
C:\posDF2.tmp
C:\posDF3.tmp
C:\posDF4.tmp
C:\posDF5.tmp
C:\posDF6.tmp
C:\posDF7.tmp
C:\posDF8.tmp
C:\posDF9.tmp
C:\posDFA.tmp
C:\posDFB.tmp
C:\posDFC.tmp
C:\posDFD.tmp
C:\posDFE.tmp
C:\posDFF.tmp
C:\posE00.tmp
C:\posE01.tmp
C:\posE02.tmp
C:\posE03.tmp
C:\posE04.tmp
C:\posE05.tmp
C:\posE06.tmp
C:\posE07.tmp
C:\posE08.tmp
C:\posE09.tmp
C:\posE0A.tmp
C:\posE0B.tmp
C:\posE0C.tmp
C:\posE0D.tmp
C:\posE0E.tmp
C:\posE0F.tmp
C:\posE10.tmp
C:\posE11.tmp
C:\posE12.tmp
C:\posE13.tmp
C:\posE14.tmp
C:\posE15.tmp
C:\posE16.tmp
C:\posE17.tmp
C:\posE18.tmp
C:\posE19.tmp
C:\posE1A.tmp
C:\posE1B.tmp
C:\posE1C.tmp
C:\posE1D.tmp
C:\posE1E.tmp
C:\posE1F.tmp
C:\posE20.tmp
C:\posE21.tmp
C:\posE22.tmp
C:\posE23.tmp
C:\posE24.tmp
C:\posE25.tmp
C:\posE26.tmp
C:\posE27.tmp
C:\posE28.tmp
C:\posE29.tmp
C:\posE2A.tmp
C:\posE2B.tmp
C:\posE2C.tmp
C:\posE2D.tmp
C:\posE2E.tmp
C:\posE2F.tmp
C:\posE30.tmp
C:\posE31.tmp
C:\posE32.tmp
C:\posE33.tmp
C:\posE34.tmp
C:\posE35.tmp
C:\posE36.tmp
C:\posE37.tmp
C:\posE38.tmp
C:\posE39.tmp
C:\posE3A.tmp
C:\posE3B.tmp
C:\posE3C.tmp
C:\posE3D.tmp
C:\posE3E.tmp
C:\posE3F.tmp
C:\posE40.tmp
C:\posE41.tmp
C:\posE42.tmp
C:\posE43.tmp
C:\posE44.tmp
C:\posE45.tmp
C:\posE46.tmp
C:\posE47.tmp
C:\posE48.tmp
C:\posE49.tmp
C:\posE4A.tmp
C:\posE4B.tmp
C:\posE4C.tmp
C:\posE4D.tmp
C:\posE4E.tmp
C:\posE4F.tmp
C:\posE50.tmp
C:\posE51.tmp
C:\posE52.tmp
C:\posE53.tmp
C:\posE54.tmp
C:\posE55.tmp
C:\posE56.tmp
C:\posE57.tmp
C:\posE58.tmp
C:\posE59.tmp
C:\posE5A.tmp
C:\posE5B.tmp
C:\posE5C.tmp
C:\posE5D.tmp
C:\posE5E.tmp
C:\posE5F.tmp
C:\posE60.tmp
C:\posE61.tmp
C:\posE62.tmp
C:\posE63.tmp
C:\posE64.tmp
C:\posE65.tmp
C:\posE66.tmp
C:\posE67.tmp
C:\posE68.tmp
C:\posE69.tmp
C:\posE6A.tmp
C:\posE6B.tmp
C:\posE6C.tmp
C:\posE6D.tmp
C:\posE6E.tmp
C:\posE6F.tmp
C:\posE70.tmp
C:\posE71.tmp
C:\posE72.tmp
C:\posE73.tmp
C:\posE74.tmp
C:\posE75.tmp
C:\posE76.tmp
C:\posE77.tmp
C:\posE78.tmp
C:\posE79.tmp
C:\posE7A.tmp
C:\posE7B.tmp
C:\posE7C.tmp
C:\posE7D.tmp
C:\posE7E.tmp
C:\posE7F.tmp
C:\posE80.tmp
C:\posE81.tmp
C:\posE82.tmp
C:\posE83.tmp
C:\posE84.tmp
C:\posE85.tmp
C:\posE86.tmp
C:\posE87.tmp
C:\posE88.tmp
C:\posE89.tmp
C:\posE8A.tmp
C:\posE8B.tmp
C:\posE8C.tmp
C:\posE8D.tmp
C:\posE8E.tmp
C:\posE8F.tmp
C:\posE90.tmp
C:\posE91.tmp
C:\posE92.tmp
C:\posE93.tmp
C:\posE94.tmp
C:\posE95.tmp
C:\posE96.tmp
C:\posE97.tmp
C:\posE98.tmp
C:\posE99.tmp
C:\posE9A.tmp
C:\posE9B.tmp
C:\posE9C.tmp
C:\posE9D.tmp
C:\posE9E.tmp
C:\posE9F.tmp
C:\posEA0.tmp
C:\posEA1.tmp
C:\posEA2.tmp
C:\posEA3.tmp
C:\posEA4.tmp
C:\posEA5.tmp
C:\posEA6.tmp
C:\posEA7.tmp
C:\posEA8.tmp
C:\posEA9.tmp
C:\posEAA.tmp
C:\posEAB.tmp
C:\posEAC.tmp
C:\posEAD.tmp
C:\posEAE.tmp
C:\posEAF.tmp
C:\posEB0.tmp
C:\posEB1.tmp
C:\posEB2.tmp
C:\posEB3.tmp
C:\posEB4.tmp
C:\posEB5.tmp
C:\posEB6.tmp
C:\posEB7.tmp
C:\posEB8.tmp
C:\posEB9.tmp
C:\posEBA.tmp
C:\posEBB.tmp
C:\posEBC.tmp
C:\posEBD.tmp
C:\posEBE.tmp
C:\posEBF.tmp
C:\posEC0.tmp
C:\posEC1.tmp
C:\posEC2.tmp
C:\posEC3.tmp
C:\posEC4.tmp
C:\posEC5.tmp
C:\posEC6.tmp
C:\posEC7.tmp
C:\posEC8.tmp
C:\posEC9.tmp
C:\posECA.tmp
C:\posECB.tmp
C:\posECC.tmp
C:\posECD.tmp
C:\posECE.tmp
C:\posECF.tmp
C:\posED0.tmp
C:\posED1.tmp
C:\posED2.tmp
C:\posED3.tmp
C:\posED4.tmp
C:\posED5.tmp
C:\posED6.tmp
C:\posED7.tmp
C:\posED8.tmp
C:\posED9.tmp
C:\posEDA.tmp
C:\posEDB.tmp
C:\posEDC.tmp
C:\posEDD.tmp
C:\posEDE.tmp
C:\posEDF.tmp
C:\posEE0.tmp
C:\posEE1.tmp
C:\posEE2.tmp
C:\posEE3.tmp
C:\posEE4.tmp
C:\posEE5.tmp
C:\posEE6.tmp
C:\posEE7.tmp
C:\posEE8.tmp
C:\posEE9.tmp
C:\posEEA.tmp
C:\posEEB.tmp
C:\posEEC.tmp
C:\posEED.tmp
C:\posEEE.tmp
C:\posEEF.tmp
C:\posEF0.tmp
C:\posEF1.tmp
C:\posEF2.tmp
C:\posEF3.tmp
C:\posEF4.tmp
C:\posEF5.tmp
C:\posEF6.tmp
C:\posEF7.tmp
C:\posEF8.tmp
C:\posEF9.tmp
C:\posEFA.tmp
C:\posEFB.tmp
C:\posEFC.tmp
C:\posEFD.tmp
C:\posEFE.tmp
C:\posEFF.tmp
C:\posF00.tmp
C:\posF01.tmp
C:\posF02.tmp
C:\posF03.tmp
C:\posF04.tmp
C:\posF05.tmp
C:\posF06.tmp
C:\posF07.tmp
C:\posF08.tmp
C:\posF09.tmp
C:\posF0A.tmp
C:\posF0B.tmp
C:\posF0C.tmp
C:\posF0D.tmp
C:\posF0E.tmp
C:\posF0F.tmp
C:\posF10.tmp
C:\posF11.tmp
C:\posF12.tmp
C:\posF13.tmp
C:\posF14.tmp
C:\posF15.tmp
C:\posF16.tmp
C:\posF17.tmp
C:\posF18.tmp
C:\posF19.tmp
C:\posF1A.tmp
C:\posF1B.tmp
C:\posF1C.tmp
C:\posF1D.tmp
C:\posF1E.tmp
C:\posF1F.tmp
C:\posF20.tmp
C:\posF21.tmp
C:\posF22.tmp
C:\posF23.tmp
C:\posF24.tmp
C:\posF25.tmp
C:\posF26.tmp
C:\posF27.tmp
C:\posF28.tmp
C:\posF29.tmp
C:\posF2A.tmp
C:\posF2B.tmp
C:\posF2C.tmp
C:\posF2D.tmp
C:\posF2E.tmp
C:\posF2F.tmp
C:\posF30.tmp
C:\posF31.tmp
C:\posF32.tmp
C:\posF33.tmp
C:\posF34.tmp
C:\posF35.tmp
C:\posF36.tmp
C:\posF37.tmp
C:\posF38.tmp
C:\posF39.tmp
C:\posF3A.tmp
C:\posF3B.tmp
C:\posF3C.tmp
C:\posF3D.tmp
C:\posF3E.tmp
C:\posF3F.tmp
C:\posF40.tmp
C:\posF41.tmp
C:\posF42.tmp
C:\posF43.tmp
C:\posF44.tmp
C:\posF45.tmp
C:\posF46.tmp
C:\posF47.tmp
C:\posF48.tmp
C:\posF49.tmp
C:\posF4A.tmp
C:\posF4B.tmp
C:\posF4C.tmp
C:\posF4D.tmp
C:\posF4E.tmp
C:\posF4F.tmp
C:\posF50.tmp
C:\posF51.tmp
C:\posF52.tmp
C:\posF53.tmp
C:\posF54.tmp
C:\posF55.tmp
C:\posF56.tmp
C:\posF57.tmp
C:\posF58.tmp
C:\posF59.tmp
C:\posF5A.tmp
C:\posF5B.tmp
C:\posF5C.tmp
C:\posF5D.tmp
C:\posF5E.tmp
C:\posF5F.tmp
C:\posF60.tmp
C:\posF61.tmp
C:\posF62.tmp
C:\posF63.tmp
C:\posF64.tmp
C:\posF65.tmp
C:\posF66.tmp
C:\posF67.tmp
C:\posF68.tmp
C:\posF69.tmp
C:\posF6A.tmp
C:\posF6B.tmp
C:\posF6C.tmp
C:\posF6D.tmp
C:\posF6E.tmp
C:\posF6F.tmp
C:\posF70.tmp
C:\posF71.tmp
C:\posF72.tmp
C:\posF73.tmp
C:\posF74.tmp
C:\posF75.tmp
C:\posF76.tmp
C:\posF77.tmp
C:\posF78.tmp
C:\posF79.tmp
C:\posF7A.tmp
C:\posF7B.tmp
C:\posF7C.tmp
C:\posF7D.tmp
C:\posF7E.tmp
C:\posF7F.tmp
C:\posF80.tmp
C:\posF81.tmp
C:\posF82.tmp
C:\posF83.tmp
C:\posF84.tmp
C:\posF85.tmp
C:\posF86.tmp
C:\posF87.tmp
C:\posF88.tmp
C:\posF89.tmp
C:\posF8A.tmp
C:\posF8B.tmp
C:\posF8C.tmp
C:\posF8D.tmp
C:\posF8E.tmp
C:\posF8F.tmp
C:\posF90.tmp
C:\posF91.tmp
C:\posF92.tmp
C:\posF93.tmp
C:\posF94.tmp
C:\posF95.tmp
C:\posF96.tmp
C:\posF97.tmp
C:\posF98.tmp
C:\posF99.tmp
C:\posF9A.tmp
C:\posF9B.tmp
C:\posF9C.tmp
C:\posF9D.tmp
C:\posF9E.tmp
C:\posF9F.tmp
C:\posFA0.tmp
C:\posFA1.tmp
C:\posFA2.tmp
C:\posFA3.tmp
C:\posFA4.tmp
C:\posFA5.tmp
C:\WINDOWS\bhookpl.dll
C:\WINDOWS\system32\bhmaxokg.dll
C:\WINDOWS\system32\bhmaxokg.dll . . . . failed to delete
C:\WINDOWS\system32\bhmaxokg.dllbox
C:\WINDOWS\system32\bswvlptu.dll
C:\WINDOWS\system32\eheehrwp.ini
C:\WINDOWS\system32\hcdfwsqt.dll
C:\WINDOWS\system32\mbfklsyc.dll
C:\WINDOWS\system32\msdll.exe
C:\WINDOWS\system32\ptajxgtx.exe
C:\WINDOWS\system32\pwrheehe.dll
C:\WINDOWS\system32\qqtss.ini
C:\WINDOWS\system32\qqtss.ini2
C:\WINDOWS\system32\sstqq.dll
C:\WINDOWS\system32\sstqq.exe
C:\WINDOWS\system32\tqswfdch.ini
C:\WINDOWS\system32\vehqookn.dll
C:\WINDOWS\system32\winghy32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
.

2008-01-31 22:10 . 2008-01-31 22:10 14,033 --a------ C:\posED.tmp
2008-01-31 22:06 . 2008-01-31 22:08 14,033 --a------ C:\pos4BD.tmp
2008-01-31 22:05 . 2008-01-31 22:08 14,033 --a------ C:\pos3FD.tmp
2008-01-30 18:04 . 2008-01-30 18:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-30 16:43 . 2008-01-30 16:43 <DIR> d-------- C:\Program Files\WinSCP
2008-01-28 21:29 . 2008-01-29 14:37 154,112 --a------ C:\WINDOWS\system32\msdll .exe
2008-01-28 20:41 . 2008-01-28 20:41 <DIR> d-------- C:\Documents and Settings\waqar\Application Data\Grisoft
2008-01-28 20:41 . 2008-01-28 20:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-28 20:41 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-27 22:52 . 2008-01-31 22:08 163,904 --------- C:\WINDOWS\system32\bhmaxokg.dll
2008-01-23 21:20 . 2007-10-08 09:26 150,064 --a------ C:\WINDOWS\system32\vmnat.exe
2008-01-23 21:20 . 2007-10-08 09:26 121,392 --a------ C:\WINDOWS\system32\vmnetdhcp.exe
2008-01-23 21:20 . 2007-10-08 09:26 50,992 -ra------ C:\WINDOWS\system32\vmnetbridge.dll
2008-01-23 21:20 . 2007-10-08 09:26 28,592 -ra------ C:\WINDOWS\system32\drivers\vmnetbridge.sys
2008-01-23 21:20 . 2007-10-08 09:27 25,008 --a------ C:\WINDOWS\system32\drivers\vmnetuserif.sys
2008-01-23 21:20 . 2007-10-08 09:26 17,712 -ra------ C:\WINDOWS\system32\drivers\vmnet.sys
2008-01-23 21:20 . 2007-10-08 09:26 16,816 -ra------ C:\WINDOWS\system32\drivers\vmnetadapter.sys
2008-01-23 21:19 . 2008-01-23 21:19 <DIR> d-------- C:\Program Files\Common Files\VMware
2008-01-23 21:19 . 2007-10-08 09:27 436,784 --a------ C:\WINDOWS\system32\vnetlib.dll
2008-01-23 21:19 . 2007-10-08 09:27 20,912 --a------ C:\WINDOWS\system32\drivers\VMkbd.sys
2008-01-21 23:27 . 2007-10-08 09:26 13,104 -ra------ C:\WINDOWS\system32\vnetinst.dll
2008-01-20 18:31 . 2008-01-28 20:39 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-20 18:30 . 2008-01-20 18:30 <DIR> d--hs---- C:\FOUND.002
2008-01-20 18:22 . 2008-01-20 18:22 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-20 18:22 . 2008-01-20 18:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-20 17:40 . 2008-01-20 17:40 <DIR> d-------- C:\Documents and Settings\waqar\Application Data\PrevxCSI
2008-01-20 17:40 . 2008-01-20 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-20 17:37 . 2008-01-28 20:39 118,784 --a------ C:\WINDOWS\system32\igfxpers .exe
2008-01-20 17:37 . 2008-01-28 20:39 94,208 --a------ C:\WINDOWS\system32\igfxtray .exe
2008-01-20 17:37 . 2008-01-28 20:39 77,824 --a------ C:\WINDOWS\system32\hkcmd .exe
2008-01-16 19:46 . 2008-01-28 20:31 4,196 --a------ C:\WINDOWS\schost
2008-01-16 18:54 . 2008-01-28 19:02 48,128 --a------ C:\WINDOWS\schost.exe
2008-01-16 18:54 . 2008-01-28 19:02 48,128 --a------ C:\Documents and Settings\waqar\special.exe
2008-01-13 22:10 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\drivers\hidserv.dll
2008-01-13 22:10 . 2007-08-31 11:58 18,856 --a------ C:\WINDOWS\system32\drivers\nuidfltr.sys
2008-01-13 22:10 . 2008-01-13 22:10 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-01-13 22:09 . 2008-01-13 22:09 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-13 22:09 . 2008-01-13 22:09 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2008-01-09 18:05 . 2008-01-09 18:05 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-03 22:13 . 2007-10-08 09:26 30,768 -ra------ C:\WINDOWS\system32\drivers\vmusb.sys
2007-12-30 17:08 . 2007-12-30 17:08 <DIR> d-------- C:\Program Files\Jin
2007-12-30 17:08 . 2007-12-30 17:08 <DIR> d-------- C:\Documents and Settings\waqar\.jin
2007-12-24 12:34 . 2007-12-24 12:34 <DIR> d-------- C:\Documents and Settings\yusuf\Application Data\Talkback
2007-12-16 21:51 . 2007-12-16 21:51 <DIR> d-------- C:\Program Files\Nvu
2007-12-16 21:51 . 2007-12-16 21:51 <DIR> d-------- C:\Documents and Settings\waqar\Application Data\Nvu
2007-12-16 17:27 . 2007-12-16 17:27 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-12-16 17:27 . 2007-12-16 17:27 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-12-14 19:01 . 2007-12-14 19:01 <DIR> d-------- C:\Program Files\uTorrent
2007-12-14 19:01 . 2007-12-14 19:01 <DIR> d-------- C:\Documents and Settings\waqar\Application Data\uTorrent
2007-12-14 11:32 . 2007-12-14 11:32 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2007-12-08 10:44 . 2007-12-08 10:44 <DIR> d-------- C:\Documents and Settings\waqar\Application Data\Talkback
2007-12-07 22:10 . 2007-12-07 22:10 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 1
2007-12-04 11:05 . 2007-12-04 11:05 <DIR> d-------- C:\Documents and Settings\Ayesha\Application Data\VMware
2007-12-03 18:52 . 2007-12-03 18:52 <DIR> d-------- C:\Documents and Settings\yusuf\Application Data\VMware
2007-12-02 23:07 . 2007-12-02 23:07 <DIR> d-------- C:\Program Files\7-Zip
2007-12-02 19:59 . 2007-12-02 19:59 <DIR> d-------- C:\Program Files\VMware
2007-12-02 19:59 . 2008-01-23 21:19 1,024 --a------ C:\.rnd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-14 07:26 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 10:16 3,058,688 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 17:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 17:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:36 8,454,656 ------w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-20 17:52 90,786 ----a-w C:\WINDOWS\wubi-uninstall.exe
2007-10-11 06:13 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2007-10-11 06:13 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-10-11 06:13 659,456 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-11 06:13 615,424 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-11 06:13 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-11 06:13 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-11 06:13 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-10-11 06:13 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-11 06:13 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-10-11 06:13 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-10-11 06:13 251,392 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-10-11 06:13 205,312 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-11 06:13 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-11 06:13 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-10-11 06:13 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-11 06:13 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-10-11 06:13 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-10-11 06:13 1,023,488 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-10-10 11:16 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-10-08 08:07 219,696 ----a-w C:\WINDOWS\system32\vmnc.dll
2007-05-23 19:16 92,064 ----a-w C:\Documents and Settings\waqar\mqdmmdm.sys
2007-05-23 19:16 9,232 ----a-w C:\Documents and Settings\waqar\mqdmmdfl.sys
2007-05-23 19:16 79,328 ----a-w C:\Documents and Settings\waqar\mqdmserd.sys
2007-05-23 19:16 66,656 ----a-w C:\Documents and Settings\waqar\mqdmbus.sys
2007-05-23 19:16 6,208 ----a-w C:\Documents and Settings\waqar\mqdmcmnt.sys
2007-05-23 19:16 5,936 ----a-w C:\Documents and Settings\waqar\mqdmwhnt.sys
2007-05-23 19:16 4,048 ----a-w C:\Documents and Settings\waqar\mqdmcr.sys
2007-05-23 19:16 25,600 ----a-w C:\Documents and Settings\waqar\usbsermptxp.sys
2007-05-23 19:16 22,768 ----a-w C:\Documents and Settings\waqar\usbsermpt.sys
.

#4
wacky

    Member

  • Topic Starter
  • 18 posts
My last reply somehow missed the HijackThis log. Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:16:24, on 31/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytalktalk.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\bhmaxokg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvviz.dll,startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://desktop.lse.ac.uk/msrdp.cab
O20 - Winlogon Notify: bhmaxokg - C:\WINDOWS\SYSTEM32\bhmaxokg.dll
O20 - Winlogon Notify: tuvvutu - tuvvutu.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 6944 bytes

#5
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi,

The combo log was cut off

Open notepad and copy/paste the text in RED below into it:

File::
C:\posED.tmp
C:\pos4BD.tmp
C:\pos3FD.tmp
C:\WINDOWS\schost.exe
C:\WINDOWS\SYSTEM32\bhmaxokg.dll
Folder::
C:\WINDOWS\schost


Save this as CFScript.txt, in the same location as ComboFix.exe (desktop)

Posted Image


Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt. Please post it and a new Hijack log.
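The HijackThis log in post #4 and the CFScript that loophole asks for in post #5 are two halves of one workflow: pick out the entries that do not belong, then hand ComboFix a list of paths. The script below is an added example for this thread, not part of the original posts and not code from the HijackThis or ComboFix authors. It runs a few responder heuristics over log lines shaped like the ones posted (a constructed sample, not the full logs) and drafts the File::/Folder:: sections in the format loophole shows. The heuristics (whitespace before the extension as in "msdll .exe", random-looking 8-letter names like bhmaxokg.dll, names one edit away from a core system process like schost vs svchost, BHOs registered with no name, Run entries that load a DLL through rundll32, Winlogon Notify packages) and the SYSTEM_STEMS list are my assumptions about what to flag, not rules from either tool.

```python
"""Triage HijackThis / ComboFix log lines and draft a CFScript.
Added example for this thread, not code from the HijackThis or ComboFix
authors; the heuristics are assumptions about what a responder flags."""
import re

# Stems of core Windows XP processes. A name one edit away from one of these
# ("schost" vs svchost, "ctfmon " vs ctfmon) is treated as a lookalike.
SYSTEM_STEMS = {"svchost", "lsass", "ctfmon", "explorer", "winlogon",
                "services", "smss", "spoolsv", "csrss"}
# ComboFix "Files Created" line: two timestamps, size or <DIR>, attributes, path.
CF_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size><DIR>|[\d,]+)\s+\S+\s+(?P<path>.+)$")
HJT_LINE = re.compile(r"^(?P<sec>O\d+) - (?P<rest>.*)$")

# Constructed sample shaped like the posted logs; the <DIR> line is made up for illustration.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\bhmaxokg.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvviz.dll,startup
O20 - Winlogon Notify: bhmaxokg - C:\WINDOWS\SYSTEM32\bhmaxokg.dll
O20 - Winlogon Notify: tuvvutu - tuvvutu.dll (file missing)
2008-01-23 21:20 . 2007-10-08 09:26 150,064 --a------ C:\WINDOWS\system32\vmnat.exe
2008-01-28 21:29 . 2008-01-29 14:37 154,112 --a------ C:\WINDOWS\system32\msdll .exe
2008-01-20 18:31 . 2008-01-28 20:39 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-16 19:46 . 2008-01-28 20:31 <DIR> d-------- C:\WINDOWS\schost
2008-01-16 18:54 . 2008-01-28 19:02 48,128 --a------ C:\WINDOWS\schost.exe
"""

def edit_distance(a, b):
    """Levenshtein distance for the lookalike-name check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_name(path):
    """Reasons the file name itself looks wrong; empty list means nothing odd."""
    base = path.rsplit("\\", 1)[-1]
    stem, _, ext = base.rpartition(".") if "." in base else (base, "", "")
    reasons = []
    if re.search(r"\s\.[A-Za-z0-9]+$", base):
        reasons.append("whitespace before extension, lookalike of " + base.replace(" ", ""))
    if re.fullmatch(r"[a-z]{8}", stem) and ext.lower() in {"dll", "exe", "ini"}:
        reasons.append("random-looking 8-letter name")
    near = [s for s in SYSTEM_STEMS if stem.lower() != s and edit_distance(stem.lower(), s) == 1]
    if near:
        reasons.append("one edit away from system process name " + near[0])
    return reasons

def triage(log_text):
    """Return the entries worth a second look, each with its reasons."""
    findings = []
    def flag(path, reasons, is_dir=False, on_disk=True):
        if reasons:
            findings.append({"path": path, "is_dir": is_dir, "on_disk": on_disk, "reasons": reasons})
    for line in log_text.splitlines():
        m = CF_LINE.match(line)
        if m:
            flag(m.group("path"), assess_name(m.group("path")), is_dir=m.group("size") == "<DIR>")
            continue
        m = HJT_LINE.match(line)
        if not m:
            continue
        sec, rest = m.group("sec"), m.group("rest")
        if sec == "O2":                                   # BHO: name - {CLSID} - dll
            parts = rest.split(" - ")
            reasons = assess_name(parts[-1])
            if parts[0].endswith("(no name)"):
                reasons.append("BHO registered without a name")
            flag(parts[-1], reasons)
        elif sec == "O4" and "rundll32" in rest.lower():  # Run key loading a DLL
            dll = rest.split("] ", 1)[1].split(None, 1)[1].split(",")[0]
            flag(dll, assess_name(dll) + ["Run entry loads a DLL through rundll32"])
        elif sec == "O20":                                # Winlogon Notify: name - dll
            target = rest.split(" - ", 1)[1]
            missing = target.endswith("(file missing)")
            dll = target.replace("(file missing)", "").strip()
            reasons = assess_name(dll) + ["Winlogon Notify package, loaded by winlogon.exe at logon"]
            if missing:
                reasons.append("registered DLL is absent (orphaned entry)")
            flag(dll, reasons, on_disk=not missing)
    return findings

def draft_cfscript(findings):
    """Draft File::/Folder:: sections in the format shown in this thread."""
    files, folders, seen = [], [], set()
    for f in findings:
        if f["on_disk"] and f["path"].lower() not in seen:
            seen.add(f["path"].lower())
            (folders if f["is_dir"] else files).append(f["path"])
    return "\n".join((["File::"] + files if files else []) + (["Folder::"] + folders if folders else []))

if __name__ == "__main__":
    print(draft_cfscript(triage(SAMPLE_LOG)))
```

Treat the draft as a checklist for a human, not something to drop onto ComboFix unread: the 8-letter rule will hit legitimate files sooner or later, and the orphaned Run and Winlogon Notify registrations that point at a missing DLL need their registry entries removed, which a File:: list does not do.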

#6
wacky

    Member

  • Topic Starter
  • 18 posts
loophole, as ever, thanks for your help. Here is the new log from ComboFix after following your instructions above:

ComboFix 08-01-31.1 - waqar 2008-02-01 16:22:16.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1593 [GMT 0:00]
Running from: C:\Documents and Settings\waqar\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\waqar\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\pos3FD.tmp
C:\pos4BD.tmp
C:\posED.tmp
C:\WINDOWS\schost.exe
C:\WINDOWS\SYSTEM32\bhmaxokg.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\schost.exe
C:\WINDOWS\schost\
C:\WINDOWS\system32\bhmaxokg.dllbox

.
((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.

2008-01-30 18:04 . 2008-01-30 18:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-30 16:43 . 2008-01-30 16:43 <DIR> d-------- C:\Program Files\WinSCP
2008-01-28 21:29 . 2008-01-29 14:37 154,112 --a------ C:\WINDOWS\system32\msdll .exe
2008-01-28 20:41 . 2008-01-28 20:41 <DIR> d-------- C:\Documents and Settings\waqar\Application Data\Grisoft
2008-01-28 20:41 . 2008-01-28 20:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-28 20:41 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-23 21:20 . 2007-10-08 09:26 150,064 --a------ C:\WINDOWS\system32\vmnat.exe
2008-01-23 21:20 . 2007-10-08 09:26 121,392 --a------ C:\WINDOWS\system32\vmnetdhcp.exe
2008-01-23 21:20 . 2007-10-08 09:26 50,992 -ra------ C:\WINDOWS\system32\vmnetbridge.dll
2008-01-23 21:20 . 2007-10-08 09:26 28,592 -ra------ C:\WINDOWS\system32\drivers\vmnetbridge.sys
2008-01-23 21:20 . 2007-10-08 09:27 25,008 --a------ C:\WINDOWS\system32\drivers\vmnetuserif.sys
2008-01-23 21:20 . 2007-10-08 09:26 17,712 -ra------ C:\WINDOWS\system32\drivers\vmnet.sys
2008-01-23 21:20 . 2007-10-08 09:26 16,816 -ra------ C:\WINDOWS\system32\drivers\vmnetadapter.sys
2008-01-23 21:19 . 2008-01-23 21:19 <DIR> d-------- C:\Program Files\Common Files\VMware
2008-01-23 21:19 . 2007-10-08 09:27 436,784 --a------ C:\WINDOWS\system32\vnetlib.dll
2008-01-23 21:19 . 2007-10-08 09:27 20,912 --a------ C:\WINDOWS\system32\drivers\VMkbd.sys
2008-01-21 23:27 . 2007-10-08 09:26 13,104 -ra------ C:\WINDOWS\system32\vnetinst.dll
2008-01-20 18:31 . 2008-01-28 20:39 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-20 18:30 . 2008-01-20 18:30 <DIR> d--hs---- C:\FOUND.002
2008-01-20 18:22 . 2008-01-20 18:22 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-20 18:22 . 2008-01-20 18:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-20 17:40 . 2008-01-20 17:40 <DIR> d-------- C:\Documents and Settings\waqar\Application Data\PrevxCSI
2008-01-20 17:40 . 2008-01-20 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-20 17:37 . 2008-01-28 20:39 118,784 --a------ C:\WINDOWS\system32\igfxpers .exe
2008-01-20 17:37 . 2008-01-28 20:39 94,208 --a------ C:\WINDOWS\system32\igfxtray .exe
2008-01-20 17:37 . 2008-01-28 20:39 77,824 --a------ C:\WINDOWS\system32\hkcmd .exe
2008-01-16 19:46 . 2008-01-28 20:31 4,196 --a------ C:\WINDOWS\schost
2008-01-16 18:54 . 2008-01-28 19:02 48,128 --a------ C:\Documents and Settings\waqar\special.exe
2008-01-13 22:10 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\drivers\hidserv.dll
2008-01-13 22:10 . 2007-08-31 11:58 18,856 --a------ C:\WINDOWS\system32\drivers\nuidfltr.sys
2008-01-13 22:10 . 2008-01-13 22:10 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-01-13 22:09 . 2008-01-13 22:09 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-13 22:09 . 2008-01-13 22:09 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2008-01-09 18:05 . 2008-01-09 18:05 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-03 22:13 . 2007-10-08 09:26 30,768 -ra------ C:\WINDOWS\system32\drivers\vmusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-30 17:08 --------- d-----w C:\Program Files\Jin
2007-12-24 12:34 --------- d-----w C:\Documents and Settings\yusuf\Application Data\Talkback
2007-12-16 21:51 --------- d-----w C:\Program Files\Nvu
2007-12-16 21:51 --------- d-----w C:\Documents and Settings\waqar\Application Data\Nvu
2007-12-16 17:27 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-12-16 17:27 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-12-14 19:01 --------- d-----w C:\Program Files\uTorrent
2007-12-14 19:01 --------- d-----w C:\Documents and Settings\waqar\Application Data\uTorrent
2007-12-14 11:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-08 10:44 --------- d-----w C:\Documents and Settings\waqar\Application Data\Talkback
2007-12-07 22:10 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 1
2007-12-04 11:05 --------- d-----w C:\Documents and Settings\Ayesha\Application Data\VMware
2007-12-03 18:52 --------- d-----w C:\Documents and Settings\yusuf\Application Data\VMware
2007-12-02 23:07 --------- d-----w C:\Program Files\7-Zip
2007-12-02 19:59 --------- d-----w C:\Program Files\VMware
2007-11-14 07:26 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-05-23 19:16 92,064 ----a-w C:\Documents and Settings\waqar\mqdmmdm.sys
2007-05-23 19:16 9,232 ----a-w C:\Documents and Settings\waqar\mqdmmdfl.sys
2007-05-23 19:16 79,328 ----a-w C:\Documents and Settings\waqar\mqdmserd.sys
2007-05-23 19:16 66,656 ----a-w C:\Documents and Settings\waqar\mqdmbus.sys
2007-05-23 19:16 6,208 ----a-w C:\Documents and Settings\waqar\mqdmcmnt.sys
2007-05-23 19:16 5,936 ----a-w C:\Documents and Settings\waqar\mqdmwhnt.sys
2007-05-23 19:16 4,048 ----a-w C:\Documents and Settings\waqar\mqdmcr.sys
2007-05-23 19:16 25,600 ----a-w C:\Documents and Settings\waqar\usbsermptxp.sys
2007-05-23 19:16 22,768 ----a-w C:\Documents and Settings\waqar\usbsermpt.sys
.
<pre>
----a-w		   154,112 2008-01-29 14:37:52  C:\WINDOWS\system32\msdll .exe
----a-w			94,208 2008-01-28 20:39:26  C:\WINDOWS\system32\igfxtray .exe
----a-w			77,824 2008-01-28 20:39:32  C:\WINDOWS\system32\hkcmd .exe
----a-w		   118,784 2008-01-28 20:39:32  C:\WINDOWS\system32\igfxpers .exe
----a-w			15,360 2008-01-28 20:39:58  C:\WINDOWS\system32\ctfmon .exe
----a-w		   180,269 2008-01-28 20:39:40  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w		   153,136 2008-01-28 20:39:36  C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w		   152,872 2008-01-28 20:40:04  C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
----a-w		 1,694,208 2008-01-28 20:40:04  C:\Program Files\Messenger\msmsgs .exe
----a-w			32,768 2008-01-28 20:39:36  C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
----a-w		   366,400 2008-01-28 20:39:46  C:\Program Files\Picasa2\PicasaMediaDetector .exe
----a-w		   479,232 2008-01-28 20:39:50  C:\Program Files\Google\Gmail Notifier\gnotify .exe
----a-w		   132,496 2008-01-28 20:39:38  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w		   576,320 2008-01-28 20:39:42  C:\Program Files\Microsoft IntelliType Pro\itype .exe
----a-w			57,344 2008-01-28 20:39:44  C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
----a-w			39,792 2008-01-28 20:39:44  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w		 5,674,352 2008-01-27 13:44:00  C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w		   192,512 2008-01-28 20:39:48  C:\Program Files\TalkTalk\bin\sprtcmd .exe
----a-w		 3,256,320 2008-01-27 13:44:00  C:\Program Files\Veoh Networks\Veoh\VeohClient .exe
----a-w		 1,460,560 2008-01-27 13:44:02  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w		   267,064 2008-01-28 20:39:50  C:\Program Files\iTunes\iTunesHelper .exe
----a-w			72,240 2008-01-28 20:39:56  C:\Program Files\VMware\VMware Workstation\vmware-tray .exe
----a-w			55,856 2008-01-28 20:39:58  C:\Program Files\VMware\VMware Workstation\hqtray .exe
----a-w		 1,037,736 2008-01-28 20:44:50  C:\Program Files\Microsoft IntelliPoint\ipoint .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 19:49 16269312 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [ ]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [ ]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [ ]
"MSDrive"="C:\WINDOWS\system32\drvviz.dll" [ ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bhmaxokg]
bhmaxokg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvvutu]
tuvvutu.dll

R2 vstor2-ws60;Vstor2 WS60 Virtual Storage Driver;C:\Program Files\VMware\VMware Workstation\vstor2-ws60.sys [2007-08-07 12:33]
R3 vmkbd;VMware kbd;C:\WINDOWS\system32\drivers\VMkbd.sys [2007-10-08 09:27]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 14:31]
S3 ufad-ws60;VMware Agent Service;"C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Workstation\\" []


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9311B8A8-0FD7-F849-5B42-67BBB89472F7}]
C:\WINDOWS\schost.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-11-28 08:44:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 16:23:13
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-01 16:23:25
ComboFix-quarantined-files.txt 2008-02-01 16:23:26
ComboFix2.txt 2008-01-31 22:12:34
.
2008-01-20 17:13:29 --- E O F ---
  • 0

#7
wacky (Member, Topic Starter, 18 posts)
loophole, here is the latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:28:54, on 01/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytalktalk.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvviz.dll,startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1606980848-1592454029-839522115-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'yusuf')
O4 - HKUS\S-1-5-21-1606980848-1592454029-839522115-1004\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide (User 'yusuf')
O4 - HKUS\S-1-5-21-1606980848-1592454029-839522115-1004\..\Run: [] (User 'yusuf')
O4 - HKUS\S-1-5-21-1606980848-1592454029-839522115-1004\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User 'yusuf')
O4 - HKUS\S-1-5-21-1606980848-1592454029-839522115-1004\..\Run: [Bandook] C:\WINDOWS\system32\msdll.exe (User 'yusuf')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://desktop.lse.ac.uk/msrdp.cab
O20 - Winlogon Notify: bhmaxokg - bhmaxokg.dll (file missing)
O20 - Winlogon Notify: tuvvutu - tuvvutu.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 7551 bytes
  • 0

#8
loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi,

Let's see how this goes. A lot of legitimate files have been affected. They should be restored if all goes well here.

Delete the CFScript you currently have. We are going to make a new one.

Open notepad and copy/paste the text in RED below into it:


RENV::
C:\WINDOWS\system32\msdll .exe
C:\WINDOWS\system32\igfxtray .exe
C:\WINDOWS\system32\hkcmd .exe
C:\WINDOWS\system32\igfxpers .exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
C:\Program Files\Picasa2\PicasaMediaDetector .exe
C:\Program Files\Google\Gmail Notifier\gnotify .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Microsoft IntelliType Pro\itype .exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\MSN Messenger\msnmsgr .exe
C:\Program Files\TalkTalk\bin\sprtcmd .exe
C:\Program Files\Veoh Networks\Veoh\VeohClient .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\VMware\VMware Workstation\vmware-tray .exe
C:\Program Files\VMware\VMware Workstation\hqtray .exe
C:\Program Files\Microsoft IntelliPoint\ipoint .exe
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bhmaxokg]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvvutu]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSDrive"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9311B8A8-0FD7-F849-5B42-67BBB89472F7}]


Save this as CFScript.txt, in the same location as ComboFix.exe (desktop)


Drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt with a new Hijack log.
  • 0
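As an added example (this is not loophole's script, nor any ComboFix or HijackThis tooling): the RENV:: list in the post above is exactly the set of files the ComboFix `<pre>` block shows with a space inserted before the extension ("msdll .exe", "ctfmon .exe", ...), and the two Registry:: deletions under winlogon\notify correspond to the O20 entries HijackThis reported as "(file missing)". The Python below parses constructed sample lines in those two formats and rebuilds those two parts of the script. The CFScript directive syntax (RENV::, Registry::, and a leading "-" to delete a key) is taken from the post; the sample log lines are constructed to match the page's format; the MSDrive, BHO and Active Setup deletions in the real script are not derived here.

```python
import re
from typing import List, NamedTuple

# ComboFix lists the files it flagged inside a <pre> block, one per line:
#   <attributes> <size> <date> <time>  <full path>
# Constructed sample lines, shaped like the listing in the log above.
SAMPLE_PRE_LISTING = """\
----a-w       154,112 2008-01-29 14:37:52  C:\\WINDOWS\\system32\\msdll .exe
----a-w        15,360 2008-01-28 20:39:58  C:\\WINDOWS\\system32\\ctfmon .exe
----a-w     1,460,560 2008-01-27 13:44:02  C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer .exe
----a-w       721,920 2007-11-07 09:26:00  C:\\WINDOWS\\system32\\lsasrv.dll
"""

# Constructed sample HijackThis O20 lines (same shape as the log above).
SAMPLE_HJT_LINES = """\
O20 - Winlogon Notify: bhmaxokg - bhmaxokg.dll (file missing)
O20 - Winlogon Notify: tuvvutu - tuvvutu.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\\WINDOWS\\system32\\igfxdev.dll
"""


class FileEntry(NamedTuple):
    attrs: str
    size: int
    mtime: str
    path: str


_PRE_LINE = re.compile(
    r"^(?P<attrs>[-a-z]+)\s+(?P<size>[\d,]+)\s+"
    r"(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>.+?)\s*$"
)


def parse_pre_listing(text: str) -> List[FileEntry]:
    """Parse the <pre> file listing; lines that do not fit the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = _PRE_LINE.match(line)
        if m:
            size = int(m["size"].replace(",", ""))
            entries.append(FileEntry(m["attrs"], size, m["mtime"], m["path"]))
    return entries


# Whitespace directly before the final extension, e.g. "msdll .exe".
_SPACED_EXT = re.compile(r"\s+(\.[A-Za-z0-9]+)$")


def is_space_renamed(path: str) -> bool:
    """True when the file name (not the directory) has whitespace just before its extension."""
    name = path.rsplit("\\", 1)[-1]
    return _SPACED_EXT.search(name) is not None


def restored_name(path: str) -> str:
    """The original name a RENV:: entry restores ("msdll .exe" -> "msdll.exe")."""
    return _SPACED_EXT.sub(r"\1", path)


WINLOGON_NOTIFY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"
_O20_MISSING = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - .*\(file missing\)\s*$")


def missing_notify_keys(hjt_text: str) -> List[str]:
    """Subkey names of Winlogon Notify entries whose DLL HijackThis could not find."""
    keys = []
    for line in hjt_text.splitlines():
        m = _O20_MISSING.match(line)
        if m:
            keys.append(m["key"])
    return keys


def build_cfscript(pre_listing: str, hjt_text: str) -> str:
    """Assemble the RENV:: and Registry:: sections from the two log excerpts."""
    renamed = [e.path for e in parse_pre_listing(pre_listing) if is_space_renamed(e.path)]
    lines = ["RENV::", *renamed, "Registry::"]
    lines += [f"[-{WINLOGON_NOTIFY}\\{k}]" for k in missing_notify_keys(hjt_text)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_PRE_LISTING, SAMPLE_HJT_LINES), end="")
```

The name check deliberately looks only at the basename, so a directory such as "Spybot - Search & Destroy" does not trigger it while "TeaTimer .exe" inside it does. Note that restoring a name says nothing about the file's contents: the log shows these files were modified on 2008-01-27/28, so after the rename they still deserve a scan before being trusted.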

#9
wacky (Member, Topic Starter, 18 posts)
loophole, thanks again. Here is the logfile from ComboFix:

ComboFix 08-01-31.1 - waqar 2008-02-01 17:33:31.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1603 [GMT 0:00]
Running from: C:\Documents and Settings\waqar\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\waqar\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.

2008-01-30 18:04 . 2008-01-30 18:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-30 16:43 . 2008-01-30 16:43 <DIR> d-------- C:\Program Files\WinSCP
2008-01-28 21:29 . 2008-01-29 14:37 154,112 --a------ C:\WINDOWS\system32\msdll .exe
2008-01-28 20:41 . 2008-01-28 20:41 <DIR> d-------- C:\Documents and Settings\waqar\Application Data\Grisoft
2008-01-28 20:41 . 2008-01-28 20:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-28 20:41 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-23 21:20 . 2007-10-08 09:26 150,064 --a------ C:\WINDOWS\system32\vmnat.exe
2008-01-23 21:20 . 2007-10-08 09:26 121,392 --a------ C:\WINDOWS\system32\vmnetdhcp.exe
2008-01-23 21:20 . 2007-10-08 09:26 50,992 -ra------ C:\WINDOWS\system32\vmnetbridge.dll
2008-01-23 21:20 . 2007-10-08 09:26 28,592 -ra------ C:\WINDOWS\system32\drivers\vmnetbridge.sys
2008-01-23 21:20 . 2007-10-08 09:27 25,008 --a------ C:\WINDOWS\system32\drivers\vmnetuserif.sys
2008-01-23 21:20 . 2007-10-08 09:26 17,712 -ra------ C:\WINDOWS\system32\drivers\vmnet.sys
2008-01-23 21:20 . 2007-10-08 09:26 16,816 -ra------ C:\WINDOWS\system32\drivers\vmnetadapter.sys
2008-01-23 21:19 . 2008-01-23 21:19 <DIR> d-------- C:\Program Files\Common Files\VMware
2008-01-23 21:19 . 2007-10-08 09:27 436,784 --a------ C:\WINDOWS\system32\vnetlib.dll
2008-01-23 21:19 . 2007-10-08 09:27 20,912 --a------ C:\WINDOWS\system32\drivers\VMkbd.sys
2008-01-21 23:27 . 2007-10-08 09:26 13,104 -ra------ C:\WINDOWS\system32\vnetinst.dll
2008-01-20 18:31 . 2008-01-28 20:39 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-20 18:30 . 2008-01-20 18:30 <DIR> d--hs---- C:\FOUND.002
2008-01-20 18:22 . 2008-01-20 18:22 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-20 18:22 . 2008-01-20 18:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-20 17:40 . 2008-01-20 17:40 <DIR> d-------- C:\Documents and Settings\waqar\Application Data\PrevxCSI
2008-01-20 17:40 . 2008-01-20 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-20 17:37 . 2008-01-28 20:39 118,784 --a------ C:\WINDOWS\system32\igfxpers .exe
2008-01-20 17:37 . 2008-01-28 20:39 94,208 --a------ C:\WINDOWS\system32\igfxtray .exe
2008-01-20 17:37 . 2008-01-28 20:39 77,824 --a------ C:\WINDOWS\system32\hkcmd .exe
2008-01-16 19:46 . 2008-01-28 20:31 4,196 --a------ C:\WINDOWS\schost
2008-01-16 18:54 . 2008-01-28 19:02 48,128 --a------ C:\Documents and Settings\waqar\special.exe
2008-01-13 22:10 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\drivers\hidserv.dll
2008-01-13 22:10 . 2007-08-31 11:58 18,856 --a------ C:\WINDOWS\system32\drivers\nuidfltr.sys
2008-01-13 22:10 . 2008-01-13 22:10 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-01-13 22:09 . 2008-01-13 22:09 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-13 22:09 . 2008-01-13 22:09 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2008-01-09 18:05 . 2008-01-09 18:05 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-03 22:13 . 2007-10-08 09:26 30,768 -ra------ C:\WINDOWS\system32\drivers\vmusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-30 17:08 --------- d-----w C:\Program Files\Jin
2007-12-24 12:34 --------- d-----w C:\Documents and Settings\yusuf\Application Data\Talkback
2007-12-16 21:51 --------- d-----w C:\Program Files\Nvu
2007-12-16 21:51 --------- d-----w C:\Documents and Settings\waqar\Application Data\Nvu
2007-12-16 17:27 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-12-16 17:27 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-12-14 19:01 --------- d-----w C:\Program Files\uTorrent
2007-12-14 19:01 --------- d-----w C:\Documents and Settings\waqar\Application Data\uTorrent
2007-12-14 11:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-08 10:44 --------- d-----w C:\Documents and Settings\waqar\Application Data\Talkback
2007-12-07 22:10 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 1
2007-12-04 11:05 --------- d-----w C:\Documents and Settings\Ayesha\Application Data\VMware
2007-12-03 18:52 --------- d-----w C:\Documents and Settings\yusuf\Application Data\VMware
2007-12-02 23:07 --------- d-----w C:\Program Files\7-Zip
2007-12-02 19:59 --------- d-----w C:\Program Files\VMware
2007-11-14 07:26 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-05-23 19:16 92,064 ----a-w C:\Documents and Settings\waqar\mqdmmdm.sys
2007-05-23 19:16 9,232 ----a-w C:\Documents and Settings\waqar\mqdmmdfl.sys
2007-05-23 19:16 79,328 ----a-w C:\Documents and Settings\waqar\mqdmserd.sys
2007-05-23 19:16 66,656 ----a-w C:\Documents and Settings\waqar\mqdmbus.sys
2007-05-23 19:16 6,208 ----a-w C:\Documents and Settings\waqar\mqdmcmnt.sys
2007-05-23 19:16 5,936 ----a-w C:\Documents and Settings\waqar\mqdmwhnt.sys
2007-05-23 19:16 4,048 ----a-w C:\Documents and Settings\waqar\mqdmcr.sys
2007-05-23 19:16 25,600 ----a-w C:\Documents and Settings\waqar\usbsermptxp.sys
2007-05-23 19:16 22,768 ----a-w C:\Documents and Settings\waqar\usbsermpt.sys
.
<pre>
----a-w		   154,112 2008-01-29 14:37:52  C:\WINDOWS\system32\msdll .exe
----a-w			94,208 2008-01-28 20:39:26  C:\WINDOWS\system32\igfxtray .exe
----a-w			77,824 2008-01-28 20:39:32  C:\WINDOWS\system32\hkcmd .exe
----a-w		   118,784 2008-01-28 20:39:32  C:\WINDOWS\system32\igfxpers .exe
----a-w			15,360 2008-01-28 20:39:58  C:\WINDOWS\system32\ctfmon .exe
----a-w		   180,269 2008-01-28 20:39:40  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w		   153,136 2008-01-28 20:39:36  C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w		   152,872 2008-01-28 20:40:04  C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
----a-w		 1,694,208 2008-01-28 20:40:04  C:\Program Files\Messenger\msmsgs .exe
----a-w			32,768 2008-01-28 20:39:36  C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
----a-w		   366,400 2008-01-28 20:39:46  C:\Program Files\Picasa2\PicasaMediaDetector .exe
----a-w		   479,232 2008-01-28 20:39:50  C:\Program Files\Google\Gmail Notifier\gnotify .exe
----a-w		   132,496 2008-01-28 20:39:38  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w		   576,320 2008-01-28 20:39:42  C:\Program Files\Microsoft IntelliType Pro\itype .exe
----a-w			57,344 2008-01-28 20:39:44  C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
----a-w			39,792 2008-01-28 20:39:44  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w		 5,674,352 2008-01-27 13:44:00  C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w		   192,512 2008-01-28 20:39:48  C:\Program Files\TalkTalk\bin\sprtcmd .exe
----a-w		 3,256,320 2008-01-27 13:44:00  C:\Program Files\Veoh Networks\Veoh\VeohClient .exe
----a-w		 1,460,560 2008-01-27 13:44:02  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w		   267,064 2008-01-28 20:39:50  C:\Program Files\iTunes\iTunesHelper .exe
----a-w			72,240 2008-01-28 20:39:56  C:\Program Files\VMware\VMware Workstation\vmware-tray .exe
----a-w			55,856 2008-01-28 20:39:58  C:\Program Files\VMware\VMware Workstation\hqtray .exe
----a-w		 1,037,736 2008-01-28 20:44:50  C:\Program Files\Microsoft IntelliPoint\ipoint .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 19:49 16269312 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [ ]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [ ]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [ ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

R2 vstor2-ws60;Vstor2 WS60 Virtual Storage Driver;C:\Program Files\VMware\VMware Workstation\vstor2-ws60.sys [2007-08-07 12:33]
R3 vmkbd;VMware kbd;C:\WINDOWS\system32\drivers\VMkbd.sys [2007-10-08 09:27]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 14:31]
S3 ufad-ws60;VMware Agent Service;"C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Workstation\\" []

.
Contents of the 'Scheduled Tasks' folder
"2007-11-28 08:44:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 17:33:50
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-01 17:34:02
ComboFix-quarantined-files.txt 2008-02-01 17:34:02
ComboFix3.txt 2008-01-31 22:12:34
ComboFix2.txt 2008-02-01 16:23:28
.
2008-01-20 17:13:29 --- E O F ---
  • 0

#10
wacky (Member, Topic Starter, 18 posts)
Here's the latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:38:49, on 01/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytalktalk.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1606980848-1592454029-839522115-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'yusuf')
O4 - HKUS\S-1-5-21-1606980848-1592454029-839522115-1004\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide (User 'yusuf')
O4 - HKUS\S-1-5-21-1606980848-1592454029-839522115-1004\..\Run: [] (User 'yusuf')
O4 - HKUS\S-1-5-21-1606980848-1592454029-839522115-1004\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User 'yusuf')
O4 - HKUS\S-1-5-21-1606980848-1592454029-839522115-1004\..\Run: [Bandook] C:\WINDOWS\system32\msdll.exe (User 'yusuf')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://desktop.lse.ac.uk/msrdp.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 7305 bytes
  • 0

#11
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi again

Grr... Didn't work. Let's try one other method; if it doesn't work we will have to do it manually.

Download RenV to your desktop.

Double click RenV.exe to run it.

A text will open with some info; just close it. Next, drag and drop that new text file onto RenV.exe.

Please rescan with ComboFix and post the log.
  • 0

#12
wacky

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
loophole, thanks again for your efforts. I followed your instructions above and here's the log from ComboFix:

ComboFix 08-01-31.1 - waqar 2008-02-01 22:20:48.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1548 [GMT 0:00]
Running from: C:\Documents and Settings\waqar\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\msdll.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.

2008-02-01 22:19 . 2008-01-28 20:39 118,784 --a------ C:\WINDOWS\system32\igfxpers.exe
2008-02-01 22:19 . 2008-01-28 20:39 94,208 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-02-01 22:19 . 2008-01-28 20:39 77,824 --a------ C:\WINDOWS\system32\hkcmd.exe
2008-01-30 18:04 . 2008-01-30 18:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-30 16:43 . 2008-01-30 16:43 <DIR> d-------- C:\Program Files\WinSCP
2008-01-28 20:41 . 2008-01-28 20:41 <DIR> d-------- C:\Documents and Settings\waqar\Application Data\Grisoft
2008-01-28 20:41 . 2008-01-28 20:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-28 20:41 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-23 21:20 . 2007-10-08 09:26 150,064 --a------ C:\WINDOWS\system32\vmnat.exe
2008-01-23 21:20 . 2007-10-08 09:26 121,392 --a------ C:\WINDOWS\system32\vmnetdhcp.exe
2008-01-23 21:20 . 2007-10-08 09:26 50,992 -ra------ C:\WINDOWS\system32\vmnetbridge.dll
2008-01-23 21:20 . 2007-10-08 09:26 28,592 -ra------ C:\WINDOWS\system32\drivers\vmnetbridge.sys
2008-01-23 21:20 . 2007-10-08 09:27 25,008 --a------ C:\WINDOWS\system32\drivers\vmnetuserif.sys
2008-01-23 21:20 . 2007-10-08 09:26 17,712 -ra------ C:\WINDOWS\system32\drivers\vmnet.sys
2008-01-23 21:20 . 2007-10-08 09:26 16,816 -ra------ C:\WINDOWS\system32\drivers\vmnetadapter.sys
2008-01-23 21:19 . 2008-01-23 21:19 <DIR> d-------- C:\Program Files\Common Files\VMware
2008-01-23 21:19 . 2007-10-08 09:27 436,784 --a------ C:\WINDOWS\system32\vnetlib.dll
2008-01-23 21:19 . 2007-10-08 09:27 20,912 --a------ C:\WINDOWS\system32\drivers\VMkbd.sys
2008-01-21 23:27 . 2007-10-08 09:26 13,104 -ra------ C:\WINDOWS\system32\vnetinst.dll
2008-01-20 18:31 . 2008-01-28 20:39 15,360 --------- C:\WINDOWS\system32\ctfmon .exe
2008-01-20 18:30 . 2008-01-20 18:30 <DIR> d--hs---- C:\FOUND.002
2008-01-20 18:22 . 2008-01-20 18:22 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-20 18:22 . 2008-01-20 18:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-20 17:40 . 2008-01-20 17:40 <DIR> d-------- C:\Documents and Settings\waqar\Application Data\PrevxCSI
2008-01-20 17:40 . 2008-01-20 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-16 19:46 . 2008-01-28 20:31 4,196 --a------ C:\WINDOWS\schost
2008-01-16 18:54 . 2008-01-28 19:02 48,128 --a------ C:\Documents and Settings\waqar\special.exe
2008-01-13 22:10 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\drivers\hidserv.dll
2008-01-13 22:10 . 2007-08-31 11:58 18,856 --a------ C:\WINDOWS\system32\drivers\nuidfltr.sys
2008-01-13 22:10 . 2008-01-13 22:10 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-01-13 22:09 . 2008-01-13 22:09 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-13 22:09 . 2008-01-13 22:09 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2008-01-09 18:05 . 2008-01-09 18:05 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-03 22:13 . 2007-10-08 09:26 30,768 -ra------ C:\WINDOWS\system32\drivers\vmusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-30 17:08 --------- d-----w C:\Program Files\Jin
2007-12-24 12:34 --------- d-----w C:\Documents and Settings\yusuf\Application Data\Talkback
2007-12-16 21:51 --------- d-----w C:\Program Files\Nvu
2007-12-16 21:51 --------- d-----w C:\Documents and Settings\waqar\Application Data\Nvu
2007-12-16 17:27 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-12-16 17:27 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-12-14 19:01 --------- d-----w C:\Program Files\uTorrent
2007-12-14 19:01 --------- d-----w C:\Documents and Settings\waqar\Application Data\uTorrent
2007-12-14 11:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-08 10:44 --------- d-----w C:\Documents and Settings\waqar\Application Data\Talkback
2007-12-07 22:10 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 1
2007-12-04 11:05 --------- d-----w C:\Documents and Settings\Ayesha\Application Data\VMware
2007-12-03 18:52 --------- d-----w C:\Documents and Settings\yusuf\Application Data\VMware
2007-12-02 23:07 --------- d-----w C:\Program Files\7-Zip
2007-12-02 19:59 --------- d-----w C:\Program Files\VMware
2007-11-14 07:26 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-05-23 19:16 92,064 ----a-w C:\Documents and Settings\waqar\mqdmmdm.sys
2007-05-23 19:16 9,232 ----a-w C:\Documents and Settings\waqar\mqdmmdfl.sys
2007-05-23 19:16 79,328 ----a-w C:\Documents and Settings\waqar\mqdmserd.sys
2007-05-23 19:16 66,656 ----a-w C:\Documents and Settings\waqar\mqdmbus.sys
2007-05-23 19:16 6,208 ----a-w C:\Documents and Settings\waqar\mqdmcmnt.sys
2007-05-23 19:16 5,936 ----a-w C:\Documents and Settings\waqar\mqdmwhnt.sys
2007-05-23 19:16 4,048 ----a-w C:\Documents and Settings\waqar\mqdmcr.sys
2007-05-23 19:16 25,600 ----a-w C:\Documents and Settings\waqar\usbsermptxp.sys
2007-05-23 19:16 22,768 ----a-w C:\Documents and Settings\waqar\usbsermpt.sys
.
<pre>
------w			15,360 2008-01-28 20:39:58  C:\WINDOWS\system32\ctfmon .exe
------w		 5,674,352 2008-01-27 13:44:00  C:\Program Files\MSN Messenger\msnmsgr .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-28 20:40 1694208]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-28 20:40 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 19:49 16269312 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-01-28 20:39 153136]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-01-28 20:39 366400]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2008-01-28 20:39 479232]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

R2 vstor2-ws60;Vstor2 WS60 Virtual Storage Driver;C:\Program Files\VMware\VMware Workstation\vstor2-ws60.sys [2007-08-07 12:33]
R3 vmkbd;VMware kbd;C:\WINDOWS\system32\drivers\VMkbd.sys [2007-10-08 09:27]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 14:31]
S3 ufad-ws60;VMware Agent Service;"C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Workstation\\" []

.
Contents of the 'Scheduled Tasks' folder
"2007-11-28 08:44:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 22:21:08
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-01 22:21:22
ComboFix-quarantined-files.txt 2008-02-01 22:21:22
ComboFix4.txt 2008-01-31 22:12:34
ComboFix3.txt 2008-02-01 16:23:28
ComboFix2.txt 2008-02-01 17:34:04
.
2008-01-20 17:13:29 --- E O F ---
  • 0