Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan Downloader.xs, not desktop and no toolbar [RESOLVED]


  • This topic is locked This topic is locked

#16
medt

medt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 77 posts
Okay I am getting ready to do what you said. I just got back home late and could not get to it this morning. Will post back when I am done.
  • 0

Advertisements


#17
medt

medt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 77 posts
Ok here is the log. I did a download of Windows XP Professional as that is what I have on the system Service Pack 2. Just let me know what to do next. THANKS again.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
  • 0

#18
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Ntf4.tmp
C:\Ntf3.tmp
C:\WINDOWS\123messenger.per
C:\WINDOWS\system32\shdocpe.dll
C:\WINDOWS\system32\ntnut32.exe
C:\WINDOWS\apphelp32.dll
Folder::
C:\Program Files\Viewpoint
Driver::
Viewpoint Manager Service


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#19
medt

medt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 77 posts
Here it is. THANKS

ComboFix 08-04-08.10 - Owner 2008-04-10 21:13:17.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Ntf3.tmp
C:\Ntf4.tmp
C:\WINDOWS\123messenger.per
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\system32\ntnut32.exe
C:\WINDOWS\system32\shdocpe.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Ntf3.tmp
C:\Ntf4.tmp
C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Common\VistaBoot.sdll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\AxMetaStream.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\ClassIDs.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\ComponentMgr_0305001C.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\ComponentRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\AOLArt.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\AOLShell.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\Cursors.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\DataTracking.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\GifReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\LensFlares.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\ObjectMovie.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\ServiceComponent.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VectorView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VETScriptInterpreter.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPAudio.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPExtras.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPSpeech.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPVideo.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPVideo2.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\WaveletReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\ZoomView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\DownLoadHist.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\HostRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MetaStreamConfig.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MetaStreamID.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MTSDownloadSites.txt
C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.xpt
C:\Program Files\Viewpoint\Viewpoint Manager\CPtask.xml
C:\Program Files\Viewpoint\Viewpoint Manager\VETScriptInterpreter.dll
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCP.cpl
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\s.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_header_av.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_header_cp.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_header_up.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_inner_bg.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_inner_bottom.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab_bg.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab1_off.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab1_on.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab2_off.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab2_on.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vwpt_logo.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\options.ini
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\viewpoint.ico
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\vmctrl.html
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPexe.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrCore.dll
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream_0305000D.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentMgr_0305000D.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Cursors.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\DataTracking.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VectorView.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMgr.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPSpeech.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo2.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\WaveletReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\DownLoadHist.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\HostRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamConfig.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.xpt
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\UpdateVersionList_v2.mtx
C:\WINDOWS\123messenger.per
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\system32\ntnut32.exe
C:\WINDOWS\system32\shdocpe.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))
.

2008-04-10 21:23 . 2008-04-10 21:23 67 --a------ C:\Ntf4.tmp
2008-04-10 21:23 . 2008-04-10 21:23 67 --a------ C:\Ntf3.tmp
2008-04-09 11:58 . 2008-04-09 11:58 <DIR> d-------- C:\Deckard
2008-04-09 09:48 . 2001-08-23 01:00 68,608 --a--c--- C:\WINDOWS\system32\dllcache\plugin.ocx
2008-04-08 16:54 . 2008-04-08 16:54 67 --a------ C:\Ntf2.tmp
2008-04-08 16:54 . 2008-04-08 16:54 67 --a------ C:\Ntf1.tmp
2008-04-08 16:50 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-04-08 16:50 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-04-08 15:25 . 2008-04-08 15:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-04-08 13:05 . 2008-04-10 04:00 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-04-08 13:04 . 2008-04-08 13:04 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-08 13:04 . 2008-04-08 13:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-08 09:50 . 2008-04-08 09:50 <DIR> d-------- C:\Program Files\CCleaner
2008-04-08 08:10 . 2008-04-08 08:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-07 11:10 . 2008-04-07 11:11 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-07 00:46 . 2008-04-07 00:46 3,428 --a------ C:\WINDOWS\system32\OEMINFO.PNF
2008-04-06 18:38 . 2008-04-08 15:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-06 17:17 . 2007-03-29 08:56 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-04-06 17:17 . 2007-03-29 08:56 7,168 --------- C:\WINDOWS\system32\bitsprx4.dll
2008-04-06 10:24 . 2008-04-06 10:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-04-05 22:46 . 2008-04-06 10:18 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-04-05 22:46 . 2008-04-05 22:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-05 15:05 . 2001-08-23 01:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-04 21:59 . 2008-04-04 21:59 3,262 --a------ C:\WINDOWS\favicon.ico
2008-04-04 16:32 . 2008-04-04 16:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-04 16:32 . 2008-04-04 16:32 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-28 16:09 . 2007-03-08 00:20 49,920 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-03-28 16:09 . 2007-03-08 00:20 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-03-28 16:08 . 2008-03-28 16:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-03-28 16:05 . 2007-05-02 06:03 267,864 -ra------ C:\WINDOWS\system32\hpzids01.dll
2008-03-28 16:04 . 2007-03-15 15:32 118,272 --a------ C:\WINDOWS\system32\hpz3l5ha.dll
2008-03-28 16:03 . 2007-03-08 00:20 21,568 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-03-28 15:56 . 2007-05-02 04:56 954,368 -ra------ C:\WINDOWS\system32\hpotiop5.dll
2008-03-28 15:56 . 2007-05-02 05:01 675,840 -ra------ C:\WINDOWS\system32\hpowiax5.dll
2008-03-28 15:56 . 2007-03-08 00:20 364,544 -ra------ C:\WINDOWS\system32\hppldcoi.dll
2008-03-28 15:56 . 2007-03-08 00:20 309,760 -ra------ C:\WINDOWS\system32\difxapi.dll
2008-03-28 15:56 . 2007-05-02 05:00 303,104 -ra------ C:\WINDOWS\system32\hpovst12.dll
2008-03-28 15:46 . 2004-08-04 02:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-28 15:46 . 2004-08-04 02:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-20 13:35 . 2008-03-20 13:37 <DIR> d-------- C:\Program Files\Emdat
2008-03-19 18:55 . 2008-03-19 18:55 <DIR> d-------- C:\Program Files\eScription
2008-03-19 18:53 . 2008-03-19 18:53 <DIR> d-------- C:\EditScriptMSILogs
2008-03-19 18:51 . 2008-03-19 18:51 <DIR> d-------- C:\Documents and Settings\Owner\Logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-09 03:11 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-07 15:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-03 13:53 --------- d-----w C:\Program Files\QLEDR05
2008-04-02 00:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\Canon
2008-03-31 09:16 --------- d-----w C:\Program Files\AIM6
2008-03-31 09:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-31 09:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-31 09:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-03-20 21:43 --------- d-----w C:\Documents and Settings\Owner\Application Data\Internet Explorer
2008-03-20 21:34 --------- d-----w C:\Program Files\GoldPocket
2008-03-07 02:14 --------- d-----w C:\Program Files\Java
2008-02-29 18:20 92,464 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-02-24 15:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\MotiveSysIDs
2008-02-24 15:53 --------- d-----w C:\Program Files\Common Files\Motive
2008-02-24 15:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2008-02-23 13:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\yoclient
2008-02-15 21:19 --------- d-----w C:\Program Files\Common Files\Adobe
2006-06-12 14:44 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2003-08-31 19:33 32 --sha-w C:\WINDOWS\{567E7211-6D64-4C22-A829-C17F03F58257}.dat
2003-08-28 12:32 32 --sha-w C:\WINDOWS\{DD873066-2B14-49AB-86D8-F895ABD1AF85}.dat
2003-08-28 12:32 32 --sha-w C:\WINDOWS\system32\{5CE9ABEA-F241-4815-91A6-306832FBAEA5}.dat
2003-08-31 19:33 32 --sha-w C:\WINDOWS\system32\{AF9B2B6F-5424-49AB-8D25-94F7D34E018B}.dat
.

((((((((((((((((((((((((((((( [email protected]_15.21.27.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2002-10-29 22:05:00 8,822 ----a-w C:\WINDOWS\mozver.dat
+ 2008-04-10 00:45:13 9,438 ----a-w C:\WINDOWS\mozver.dat
- 2008-04-09 14:24:07 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-11 01:21:49 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-09 14:24:07 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-11 01:21:49 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-09 14:24:07 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-11 01:21:49 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-25 00:21:00 2,889,088 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
+ 2008-03-25 00:21:00 218,496 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
- 2008-04-09 14:24:26 32,768 ----a-w C:\WINDOWS\Temp\Cookies\index.dat
+ 2008-04-11 01:22:03 32,768 ----a-w C:\WINDOWS\Temp\Cookies\index.dat
- 2008-04-09 14:24:26 32,768 ----a-w C:\WINDOWS\Temp\History\History.IE5\index.dat
+ 2008-04-11 01:22:03 32,768 ----a-w C:\WINDOWS\Temp\History\History.IE5\index.dat
- 2008-04-09 14:24:26 65,536 ----a-w C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-11 01:22:03 65,536 ----a-w C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-11 01:23:59 16,384 ----atw C:\WINDOWS\Temp\usgthrsvc\Perflib_Perfdata_758.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2002-10-01 03:39 548933 C:\WINDOWS\system32\nview.dll]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 11:38 49152]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 09:03 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 08:59 126976]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"NvCplDaemon"="NvQTwk" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-15 00:43 286720]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-08 13:04 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-08 13:04 219136]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2005-01-14 19:35:56 45056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp instant support.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Webshots.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 03:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.2]
--a------ 2006-07-14 16:36 107008 C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 14:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-15 00:43 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistrySmart]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

S2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-07 23:19:14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-10 10:00:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 21:22:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\clbcfg.dat 1665 bytes
C:\WINDOWS\system32\clbdll.dll 40960 bytes executable
C:\WINDOWS\system32\clbdll.old 40960 bytes executable
C:\WINDOWS\system32\drivers\clbdriver.sys 7168 bytes executable

scan completed successfully
hidden files: 7

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\system32\SearchIndexer.exe
.
**************************************************************************
.
Completion time: 2008-04-10 21:34:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-11 01:34:02
ComboFix2.txt 2008-04-09 19:22:22
Pre-Run: 85,275,357,184 bytes free
Post-Run: 85,265,080,320 bytes free
.
2008-04-09 03:35:15 --- E O F ---





HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:48 PM, on 4/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.emdat.com (HKLM)
O15 - Trusted Zone: *.mytranscriptions.com (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://echat.bellsou...oad/tgctlcm.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {245338C3-BCA3-4A2C-A7B7-53345999A8E8} - https://www.transcen...bs/wspellam.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellso...aller_4-2-1.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com...OnlineGames.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://games.king.co...l/kingcomie.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://www.wildtange...smmp/wtinst.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1163622349703
O16 - DPF: {AFABF0F0-C13E-4AB2-A1A5-8A8101D38155} (BTClientWorkstation.BeyondTXTClient) - http://workportal.tr...ndTXTClient.CAB
O16 - DPF: {BEB82CC6-09F3-43EA-BEB1-97188E21035D} (FootPedalCtl Class) - http://philicast1.mt...d/footpedal.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - http://a.download.to...0.18/ttinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://tcimt.webex....ort/ieatgpc.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) -
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LWWLicenseService - WoltersKluwerLWW - C:\Program Files\Common Files\WoltersKluwerLWW Shared\Service\LWWLicenseService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 7632 bytes
  • 0

#20
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
You are welcome :)

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Ntf3.tmp
    C:\Ntf4.tmp
    C:\Ntf2.tmp
    C:\Ntf1.tmp
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Viewpoint Manager Service
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
========================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.
  • 0

#21
medt

medt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 77 posts
Here is the notepad results: I did have to reboot. I am doing the malwarebytes now and will post in a minute.

File move failed. C:\Ntf3.tmp scheduled to be moved on reboot.
File move failed. C:\Ntf4.tmp scheduled to be moved on reboot.
C:\Ntf2.tmp moved successfully.
C:\Ntf1.tmp moved successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Viewpoint Manager Service >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Viewpoint Manager Service\\ deleted successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04112008_095924

Files moved on Reboot...
File C:\Ntf3.tmp not found!
File C:\Ntf4.tmp not found!
  • 0

#22
medt

medt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 77 posts
Okay I posted above the notepad part, but the Malware would not launch it says: The MSI must be launched through setup. Then it says in a window behind that Norton 360, not sure what that means, but it will not run for me. THAKNS
  • 0

#23
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download SUPERAntiSpyware Home Edition (free version).
–Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Scan for Alternate Data streams
  • Terminate memory threats before quarantining.
  • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.

Then run Superantispyware.
  • Double click on the icon to start Superantispyware.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
1. To retrieve the removal information for me please do the following:
2. After reboot, double-click the SUPERAntispyware icon on your desktop.
3. Click Preferences. Click the Statistics/Logs tab.
4. Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
5. It will open in your default text editor (such as Notepad/Wordpad).
6. Please highlight everything in the notepad, then right-click and choose copy.
7. Click close and close again to exit the program.
Save the log information. If needed (still infected) paste this info along with your HijackThis log.
  • 0

#24
medt

medt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 77 posts
Hi, the only thing I cannot seem to access is http://192.168.1.254/ and it is my WireSpeed Dual Connect through BellSouth when I need to access the internet when something is wrong for them to have me check certain things. Everything else seems to be working fine again. THANKS again and just let me know if there is anything else I need to do!!

Here is a copy from notepad of the SuperAntiSpyware Found:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/11/2008 at 01:04 PM

Application Version : 4.0.1154

Core Rules Database Version : 3436
Trace Rules Database Version: 1428

Scan type : Complete Scan
Total Scan Time : 02:26:45

Memory items scanned : 433
Memory threats detected : 0
Registry items scanned : 6326
Registry threats detected : 0
File items scanned : 162278
File threats detected : 215

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Trojan.Fake-Drop/Gen
C:\DECKARD\SYSTEM SCANNER\BACKUP\WINDOWS\TEMP\SALM.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1788\A0225832.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1788\A0225833.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1788\A0225834.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1788\A0225835.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1789\A0228859.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1789\A0228860.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1789\A0228872.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1789\A0228873.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1789\A0229875.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1789\A0229876.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1790\A0231950.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1790\A0231951.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1790\A0231952.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1790\A0231953.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1790\A0231954.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1790\A0231955.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1790\A0231956.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1790\A0231957.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1790\A0231958.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1790\A0231959.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1790\A0231960.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1790\A0231961.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1790\A0231962.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1790\A0231963.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1790\A0231964.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1790\A0231965.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1790\A0231966.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1790\A0231967.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1790\A0231968.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1790\A0231969.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234208.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234209.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234210.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234211.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234212.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234213.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234214.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234215.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234216.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234217.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234218.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234219.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234220.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234221.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234222.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234223.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234487.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234488.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234489.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234490.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234491.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234492.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234493.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234494.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234495.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234496.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234497.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234498.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234499.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234500.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234501.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234502.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234519.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234521.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234522.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234523.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234524.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234538.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234539.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234545.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234549.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234550.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234551.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234553.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234554.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234555.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234556.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234557.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234558.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234559.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234560.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234575.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234576.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234577.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234578.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234579.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234581.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234582.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234583.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234584.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234585.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234586.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234587.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234588.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234589.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234590.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234591.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234592.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234593.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1796\A0234594.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1797\A0234688.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1797\A0234689.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1797\A0234690.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1797\A0234691.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1797\A0234692.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1797\A0234693.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1797\A0234694.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1797\A0234695.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1797\A0234696.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1797\A0234697.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1797\A0234700.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1797\A0234701.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1797\A0234702.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1797\A0234703.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1797\A0234704.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1797\A0234705.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1797\A0234706.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1797\A0234708.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1797\A0234709.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1797\A0234710.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1797\A0234711.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1797\A0234712.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1797\A0234713.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1797\A0234714.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1797\A0234715.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1798\A0234829.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1798\A0234832.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1798\A0234833.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1798\A0234834.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1798\A0234835.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234845.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234847.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234848.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234849.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234850.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234851.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234852.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234854.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234855.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234856.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234857.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234858.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234859.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234885.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234886.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234887.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234888.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234889.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234891.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234892.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234910.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234911.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234912.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234914.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234915.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234916.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234917.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234918.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234919.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234920.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234921.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234922.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234923.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234924.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1802\A0239503.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1802\A0239504.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1802\A0239509.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1802\A0239510.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1802\A0239511.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1802\A0239512.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1802\A0239513.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1804\A0239862.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1804\A0239863.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1804\A0239864.DLL
C:\WINDOWS\ASFERROR32.DLL
C:\WINDOWS\ASYCFILT32.DLL
C:\WINDOWS\ATHPRXY32.DLL
C:\WINDOWS\ATI2DVAA32.DLL
C:\WINDOWS\ATI2DVAG32.DLL
C:\WINDOWS\AUDIOSRV32.DLL
C:\WINDOWS\AUTODISC32.DLL
C:\WINDOWS\AVIFILE32.DLL
C:\WINDOWS\AVISYNTHEX32.DLL
C:\WINDOWS\AVIWRAP32.DLL
C:\WINDOWS\BROWSERAD.DLL
C:\WINDOWS\CHANGEURL_30.DLL
C:\WINDOWS\MSA64CHK.DLL
C:\WINDOWS\MSAPASRC.DLL
C:\WINDOWS\NTNUT.EXE
C:\WINDOWS\SHDOCPE.DLL
C:\WINDOWS\SHDOCPL.DLL
C:\WINDOWS\SYSTEM32\MSNSA32.DLL
C:\WINDOWS\WINSB.DLL

Trojan.Vundo-Variant/F
C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\OFFICE\PACKNGO.DLL
C:\INSTALLFILES\O9PRMCD01\PFILES\MSOFFICE\OFFICE\PACKNGO.DLL
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\PACKNGO.DLL

Adware.AdSponsor/ISM
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1788\A0225846.EXE


Here is the Hijackthis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:38:42 PM, on 4/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.emdat.com (HKLM)
O15 - Trusted Zone: *.mytranscriptions.com (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://echat.bellsou...oad/tgctlcm.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {245338C3-BCA3-4A2C-A7B7-53345999A8E8} - https://www.transcen...bs/wspellam.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellso...aller_4-2-1.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com...OnlineGames.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://games.king.co...l/kingcomie.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://www.wildtange...smmp/wtinst.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1163622349703
O16 - DPF: {AFABF0F0-C13E-4AB2-A1A5-8A8101D38155} (BTClientWorkstation.BeyondTXTClient) - http://workportal.tr...ndTXTClient.CAB
O16 - DPF: {BEB82CC6-09F3-43EA-BEB1-97188E21035D} (FootPedalCtl Class) - http://philicast1.mt...d/footpedal.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - http://a.download.to...0.18/ttinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://tcimt.webex....ort/ieatgpc.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LWWLicenseService - WoltersKluwerLWW - C:\Program Files\Common Files\WoltersKluwerLWW Shared\Service\LWWLicenseService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 7877 bytes

  • 0

#25
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
===============================================================
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as an html document button:
  • Save the file to your desktop.
  • Attach that information in your next post.

  • 0

Advertisements


#26
medt

medt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 77 posts
Just a note, I do not see my DVD drive or Disc Rewritable drives. I tried to put a DVD in to play it and I cannot get it to play nor do I see the drives on my computer. THANKS
  • 0

#27
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Ok thanks for letting me know.
We will fix that issue after the computer is fully clean.

Go ahead with the scanner and we will go from there.
  • 0

#28
medt

medt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 77 posts
Okay here is the Kaspersky report and thanks again:

KASPERSKY ONLINE SCANNER REPORT
Saturday, April 12, 2008 7:43:37 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/04/2008
Kaspersky Anti-Virus database records: 698660
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
Scan Statistics
Total number of scanned objects 175931
Number of viruses found 7
Number of infected objects 12
Number of suspicious objects 4
Duration of the scan process 03:44:55

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5867e8d6ece99866e8354904d212f4c2_d701c011-ca47-41f4-96e9-81a3ca9d620e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6585605870967704418f3277905d01ab_d701c011-ca47-41f4-96e9-81a3ca9d620e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.3.Crwl Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.3.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010014.ci Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010014.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010014.wsb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy3.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip/updatetc.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zango2.zip/zango.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zango2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\inm922gq.default\cert8.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\inm922gq.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\inm922gq.default\history.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\inm922gq.default\key3.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\inm922gq.default\parent.lock Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\inm922gq.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\inm922gq.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-11-2008( 13-36-10 ).LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\inm922gq.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\inm922gq.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\inm922gq.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\inm922gq.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_6bc.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Ntf1.tmp Object is locked skipped
C:\Ntf2.tmp Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1778\A0222130.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1778\A0222131.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1778\A0222132.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1778\A0222134.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1778\A0222135.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1778\A0222139.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1788\A0225837.exe Object is locked skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1798\A0234837.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1798\A0234837.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1798\A0234837.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234913.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234913.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1799\A0234913.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1805\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{44D5D61B-6BF5-4DB7-AC72-F8EA5AA909CD}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Tasks\SCHEDLGU.TXT Object is locked skipped
C:\WINDOWS\Temp\Cookies\index.dat Object is locked skipped
C:\WINDOWS\Temp\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\Temp\usgthrsvc\Perflib_Perfdata_1ec.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1805\change.log Object is locked skipped
Scan process completed.
  • 0

#29
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please submit the following files to one of these online file scanners.
(All you have to do is copy and paste them in one at a time)

C:\Ntf1.tmp
C:\Ntf2.tmp


Jotti File Scan
VirusTotal File Scan

This will produce a report after the scan is complete, please copy and paste those results in your next post.
  • 0

#30
medt

medt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 77 posts
Here it is and thanks!

File Ntf1.tmp received on 04.12.2008 14:08:24 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/32 (0%)
Loading server information...
Your file is queued in position: 2.
Estimated start time is between 40 and 57 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.4.12.0 2008.04.11 -
AntiVir 7.6.0.85 2008.04.11 -
Authentium 4.93.8 2008.04.11 -
Avast 4.8.1169.0 2008.04.12 -
AVG 7.5.0.516 2008.04.11 -
BitDefender 7.2 2008.04.12 -
CAT-QuickHeal 9.50 2008.04.12 -
ClamAV 0.92.1 2008.04.12 -
DrWeb 4.44.0.09170 2008.04.12 -
eSafe 7.0.15.0 2008.04.09 -
eTrust-Vet 31.3.5692 2008.04.11 -
Ewido 4.0 2008.04.12 -
F-Prot 4.4.2.54 2008.04.11 -
F-Secure 6.70.13260.0 2008.04.11 -
FileAdvisor 1 2008.04.12 -
Fortinet 3.14.0.0 2008.04.12 -
Ikarus T3.1.1.26.0 2008.04.12 -
Kaspersky 7.0.0.125 2008.04.12 -
McAfee 5272 2008.04.11 -
Microsoft 1.3408 2008.04.12 -
NOD32v2 3020 2008.04.11 -
Norman 5.80.02 2008.04.12 -
Panda 9.0.0.4 2008.04.12 -
Prevx1 V2 2008.04.12 -
Rising 20.39.52.00 2008.04.12 -
Sophos 4.28.0 2008.04.12 -
Sunbelt 3.0.1041.0 2008.04.12 -
Symantec 10 2008.04.12 -
TheHacker 6.2.92.275 2008.04.12 -
VBA32 3.12.6.4 2008.04.06 -
VirusBuster 4.3.26:9 2008.04.11 -
Webwasher-Gateway 6.6.2 2008.04.11 -
Additional information
File size: 7764 bytes
MD5...: 00e4d901830e797ec552e366ee892726
SHA1..: 0e000365b37fabc24eb4a7afe7829d5f8d9b20ac
SHA256: 8cb19d8c883529a8ca64ece0515adf1b6337fa7d29948dc5fbdda096c259bbce
SHA512: 36acb0b1faebe81312467b5145884daa19f671561a70660b03e61e0db8726a66
1c443b73a6879c4713c5791a93bea89f48782ab31048847faed831bee2308957
PEiD..: -
PEInfo: -



File ntf2.tmp received on 04.12.2008 14:11:55 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/32 (0%)
Loading server information...
Your file is queued in position: 2.
Estimated start time is between 40 and 57 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.4.12.0 2008.04.11 -
AntiVir 7.6.0.85 2008.04.11 -
Authentium 4.93.8 2008.04.11 -
Avast 4.8.1169.0 2008.04.12 -
AVG 7.5.0.516 2008.04.11 -
BitDefender 7.2 2008.04.12 -
CAT-QuickHeal 9.50 2008.04.12 -
ClamAV 0.92.1 2008.04.12 -
DrWeb 4.44.0.09170 2008.04.12 -
eSafe 7.0.15.0 2008.04.09 -
eTrust-Vet 31.3.5692 2008.04.11 -
Ewido 4.0 2008.04.12 -
F-Prot 4.4.2.54 2008.04.11 -
F-Secure 6.70.13260.0 2008.04.11 -
FileAdvisor 1 2008.04.12 -
Fortinet 3.14.0.0 2008.04.12 -
Ikarus T3.1.1.26.0 2008.04.12 -
Kaspersky 7.0.0.125 2008.04.12 -
McAfee 5272 2008.04.11 -
Microsoft 1.3408 2008.04.12 -
NOD32v2 3020 2008.04.11 -
Norman 5.80.02 2008.04.12 -
Panda 9.0.0.4 2008.04.12 -
Prevx1 V2 2008.04.12 -
Rising 20.39.52.00 2008.04.12 -
Sophos 4.28.0 2008.04.12 -
Sunbelt 3.0.1041.0 2008.04.12 -
Symantec 10 2008.04.12 -
TheHacker 6.2.92.275 2008.04.12 -
VBA32 3.12.6.4 2008.04.06 -
VirusBuster 4.3.26:9 2008.04.11 -
Webwasher-Gateway 6.6.2 2008.04.11 -
Additional information
File size: 67 bytes
MD5...: e3bee6a882abc9faa25ef59d935334d9
SHA1..: 146adefeb939f1dadf9a373843355f7e728107ba
SHA256: f7299b09b22ddf643f30947672a5e96ba03a03b4d1a744d3005d369a161496f2
SHA512: 9434183bb4fe4d56a0790da45aeec182d467d5a5344543cb2618f72c55a5cd48
ca85e5c71b1b06b42f7fd15e03df06890234f088a4d8c0a4245e1499798e421d
PEiD..: -
PEInfo: -
Bit9 info: http://fileadvisor.b...25ef59d935334d9
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP