I have another problem


#1
themoirae (Member, 20 posts)
Hi,
"Buckeye Sam" helped me remove Virtumonde from my system a little while back, but I am having a problem with my laptop still. Every so often it seems as though some mystery program or something starts running on my system- something I cannot find or identify- but something that causes my hard drive to run at maximum. I check on applications running, and only those which I know are running, let's say IE, show up...but I look at CPU, and it is just about off the chart.
I have run, and re-run all the suggested malware removal programs, etc. and nothing out of the ordinary pops up.
When I boot up...there is at the very beginning, an outline of a 'window' that I can barely see. If I were to blink I would miss it. Also, on start-up, I sometimes see, on the start bar, an icon of a 'window', small white box with a blue title bar, that I would also miss if I blinked. I have tried to catch it and right click on it, but cannot. Any suggestions on what might be causing this, how to find out, or where to go from here?


#2
Buckeye_Sam (Malware Expert, 10,019 posts)
Hi themoirae! :tazz:

Let's see if we can find out what's going on.
Please post a hijackthis log.

#3
themoirae (Topic Starter, Member, 20 posts)
Hi Sam,
Here it is:
Logfile of HijackThis v1.99.1
Scan saved at 11:12:15 AM, on 12/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\Real\RealPlayer\starz\starzd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\Dit.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\TiA\Start Menu\Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: MereSurfer Band - {4C12361F-3431-4A69-B0CA-CA788A8F7C12} - C:\Program Files\MereSurfer 2005 Free\MereSurfInstall.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: MereSurfer - {340166BC-786B-401F-96AC-7C8821EFA9CD} - C:\Program Files\MereSurfer 2005 Free\MereSurferF.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [starzd] "C:\Program Files\Real\RealPlayer\starz\starzd.exe" 86400000
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to &banner block list - res://C:\Program Files\MereSurfer 2005 Free\MereSurferF.dll/AddImageBanner.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: http://*.geekstogo.com
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...cm/ICSCM_ca.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol....oach_core_1.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1131841702515
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.a...,20/mcgdmgr.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C08FC2FC-0CBF-4367-8DDB-58B3762455CD}: NameServer = 192.168.0.1
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CFSvcs - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

...and there you have it. I upgraded my Real Player and allowed a Google Tool Bar to be installed, but don't actually have it after all. I see in the log that it appears as if I do..hmmm. Also, I wonder why DVDRam driver appears to be running in this log when I am not at this time using that device. Glad to have you helping me out again, Sam, thanks so much for your time. Ti'A

#4
Buckeye_Sam (Malware Expert, 10,019 posts)
Your log doesn't show me any malware. Let's cut down a little on the unnecessary apps that you have running at startup and then we'll dig a little deeper.

Please fix these lines with Hijackthis.

O4 - HKLM\..\Run: [starzd] "C:\Program Files\Real\RealPlayer\starz\starzd.exe" 86400000
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE



Download WinPFind

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
* if you have trouble getting into Safe mode go here for more info.


Then open c:\WinPFind and double-click on WinPFind.exe.
When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.
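The "fix these lines" step above works on the O4 autostart entries of the HijackThis log posted in this thread. The following Python parser is an added example for readers of this thread; it is not code from the thread, from HijackThis, or from WinPFind. It reads the O4 line formats (registry Run values and Startup-folder shortcuts), recovers the executable from quoted, unquoted and argument-carrying commands (including the unterminated quote on the PadTouch line, which real logs do contain), counts the sections present, lists entries that give only a bare file name, and cross-checks a fix list. The sample log and FIX_LIST are built from lines quoted in this thread; the class and function names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Sample input, constructed from lines of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.com/
O2 - BHO: MereSurfer Band - {4C12361F-3431-4A69-B0CA-CA788A8F7C12} - C:\Program Files\MereSurfer 2005 Free\MereSurfInstall.dll
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [starzd] "C:\Program Files\Real\RealPlayer\starz\starzd.exe" 86400000
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Value names and shortcut names from Buckeye_Sam's "fix these lines" list above.
FIX_LIST = [
    "starzd", "HP Component Manager", "THGuard", "SpybotSD TeaTimer",
    "Microsoft Office OneNote 2003 Quick Launch.lnk", "HP Digital Imaging Monitor.lnk",
]


@dataclass
class Autostart:
    source: str       # "HKLM\..\Run", "HKCU\..\Run", "Startup" or "Global Startup"
    name: str         # registry value name or .lnk file name
    command: str      # command exactly as HijackThis logged it
    executable: str   # executable path or name with quotes and arguments stripped


# O4 registry entries:        O4 - HKLM\..\Run: [Name] command
REG_RE = re.compile(r'^O4 - (?P<src>HK(?:LM|CU)\\\.\.\\Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# O4 startup-folder entries:  O4 - Global Startup: Name.lnk = target
LNK_RE = re.compile(r'^O4 - (?P<src>(?:Global )?Startup): (?P<name>.+?\.lnk) = (?P<cmd>.*)$')
# Unquoted paths may contain spaces, so the executable ends at the first executable extension.
EXE_RE = re.compile(r'(.+?\.(?:exe|dll|com|bat|cmd|scr|pif))(?:\s|$)', re.IGNORECASE)


def executable_of(command: str) -> str:
    """Recover the executable from a logged command line."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        # An unterminated quote occurs in real logs (the PadTouch line above): take the rest.
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def parse_autostarts(log_text: str) -> List[Autostart]:
    """Parse every O4 line into an Autostart record, in log order."""
    entries: List[Autostart] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = REG_RE.match(line) or LNK_RE.match(line)
        if m:
            cmd = m.group("cmd")
            entries.append(Autostart(m.group("src"), m.group("name"), cmd, executable_of(cmd)))
    return entries


def section_counts(log_text: str) -> Dict[str, int]:
    """How many lines each HijackThis section (R0, O2, O4, ...) contributes."""
    counts: Dict[str, int] = {}
    for raw in log_text.splitlines():
        m = re.match(r'^([RFNO]\d+) - ', raw.strip())
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def bare_name_autostarts(entries: Iterable[Autostart]) -> List[Autostart]:
    """Entries that name a file without any directory. Windows resolves these through
    its search path, so the file must be located on disk before the entry can be
    judged; the log line alone does not say which file actually runs."""
    return [e for e in entries if "\\" not in e.executable and ":" not in e.executable]


def entries_named(entries: Iterable[Autostart], names: Iterable[str]) -> List[Autostart]:
    """Cross-check a fix list against the parsed entries (case-insensitive)."""
    wanted = {n.lower() for n in names}
    return [e for e in entries if e.name.lower() in wanted]


if __name__ == "__main__":
    found = parse_autostarts(SAMPLE_LOG)
    print("sections:", section_counts(SAMPLE_LOG))
    for e in found:
        print(f"{e.source:15} {e.name:48} -> {e.executable}")
    print("locate on disk first:", [e.executable for e in bare_name_autostarts(found)])
    print("on the fix list:", [e.name for e in entries_named(found, FIX_LIST)])
```

Run it on a full log and the bare-name entries (000StTHK.exe, Dit.exe and similar in the log above) are the ones a reviewer has to locate on disk before deciding anything, because the value only names a file and not where it lives; everything else can be checked against its full path directly.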

#5
themoirae (Topic Starter, Member, 20 posts)
Sam,
Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 10/30/2005 11:55:06 PM 170053 C:\WINDOWS\tsc.exe
UPX! 3/14/2005 1:38:28 PM 56832 C:\WINDOWS\Unwash6.exe
PECompact2 10/30/2005 11:55:06 PM 16257389 C:\WINDOWS\VPTNFILE.919
qoologic 10/30/2005 11:55:06 PM 16257389 C:\WINDOWS\VPTNFILE.919
SAHAgent 10/30/2005 11:55:06 PM 16257389 C:\WINDOWS\VPTNFILE.919
UPX! 10/30/2005 11:55:06 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 10/30/2005 11:55:06 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 3/31/2003 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
UPX! 2/26/2005 1:01:40 PM 174080 C:\WINDOWS\SYSTEM32\ExMenu.dll
UPX! 2/26/2005 1:01:38 PM 113152 C:\WINDOWS\SYSTEM32\ExPMenu.dll
UPX! 2/26/2005 1:01:40 PM 202240 C:\WINDOWS\SYSTEM32\ExTab.dll
PTech 7/12/2005 6:04:22 PM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 11/2/2005 12:34:18 AM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 11/2/2005 12:34:18 AM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 3/31/2003 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 11/3/2005 12:30:22 AM 726592 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 11/3/2005 12:30:22 AM 726592 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 11/3/2005 12:30:22 AM 726592 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 11/3/2005 12:30:22 AM 726592 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
12/3/2005 12:23:46 PM S 2048 C:\WINDOWS\bootstat.dat
11/12/2005 8:39:34 PM H 0 C:\WINDOWS\inf\oem44.inf
10/13/2005 5:35:36 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\6752e343d22c025be1f290a6267a146d\BIT14.tmp
10/28/2005 4:18:52 PM HS 162263 C:\WINDOWS\system32\oqtwa.bak1
11/4/2005 3:45:56 PM HS 191155 C:\WINDOWS\system32\oqtwa.bak2
11/4/2005 4:17:12 PM HS 190946 C:\WINDOWS\system32\oqtwa.ini
12/3/2005 12:19:04 PM H 35864 C:\WINDOWS\system32\vsconfig.xml
11/22/2005 6:56:02 PM H 4212 C:\WINDOWS\system32\zllictbl.dat
10/5/2005 8:33:38 PM S 12849 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896424.cat
10/4/2005 8:17:40 PM S 21737 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688.cat
12/3/2005 12:23:36 PM H 8192 C:\WINDOWS\system32\config\default.LOG
12/3/2005 12:24:14 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
12/3/2005 12:23:48 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
12/3/2005 12:24:16 PM H 65536 C:\WINDOWS\system32\config\software.LOG
12/3/2005 12:23:54 PM H 1110016 C:\WINDOWS\system32\config\system.LOG
11/9/2005 7:26:08 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
11/9/2005 7:21:10 PM S 688 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5
11/9/2005 7:21:10 PM S 70226 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\F482C95F83F1B59228F1B1E720F2EDF1
11/9/2005 7:21:10 PM S 94 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5
11/9/2005 7:21:10 PM S 128 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\F482C95F83F1B59228F1B1E720F2EDF1
11/9/2005 1:02:52 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\c71f206e-49ff-4640-a10b-3b33a1001931
11/9/2005 1:02:52 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
12/3/2005 12:22:18 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
TOSHIBA Corp. 10/31/2003 2:28:06 PM 520192 C:\WINDOWS\SYSTEM32\HWSETUP.CPL
Intel Corporation 4/7/2003 3:14:30 AM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 11/20/2003 7:41:52 PM 53352 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 7/27/2003 1:05:54 PM 295936 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
9/5/2003 4:36:40 PM 495616 C:\WINDOWS\SYSTEM32\TOSCDSPD.cpl
TOSHIBA Corporation 11/20/2003 12:16:36 AM 1257472 C:\WINDOWS\SYSTEM32\TPwrSave.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Intel Corporation 4/7/2003 3:14:30 AM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0013\DriverFiles\igfxcpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
11/20/2003 6:46:40 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
11/3/2005 7:08:56 PM 772 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Trend Micro Anti-Spyware.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
11/20/2003 10:37:56 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
8/8/2005 8:29:52 PM 6494 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
11/20/2003 6:46:40 PM HS 84 C:\Documents and Settings\TiA\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
11/20/2003 10:37:56 AM HS 62 C:\Documents and Settings\TiA\Application Data\desktop.ini
11/15/2004 1:34:14 AM 0 C:\Documents and Settings\TiA\Application Data\dm.ini

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{8C504614-A455-4CBA-81B4-D279644B8A7D}
= tfaxext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\a2ContMenu
{AB77609F-2178-4E6F-9C4B-44AC179D937A} = C:\PROGRA~1\A-SQUA~1\A2CONT~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4C12361F-3431-4A69-B0CA-CA788A8F7C12}
MereSurfBand Class = C:\Program Files\MereSurfer 2005 Free\MereSurfInstall.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
UberButton Class = C:\Program Files\Yahoo!\Common\yiesrvc.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65D886A2-7CA7-479B-BB95-14D1EFB7946A}
YahooTaggedBM Class = C:\Program Files\Yahoo!\Common\YIeTagBm.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar3.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
{340166BC-786B-401F-96AC-7C8821EFA9CD} = MereSurfer : C:\Program Files\MereSurfer 2005 Free\MereSurferF.dll
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar3.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
ButtonText = Yahoo! Services :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar3.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar3.dll
{340166BC-786B-401F-96AC-7C8821EFA9CD} = MereSurfer : C:\Program Files\MereSurfer 2005 Free\MereSurferF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
00THotkey C:\WINDOWS\System32\00THotkey.exe
000StTHK 000StTHK.exe
HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
AGRSMMSG AGRSMMSG.exe
Apoint C:\Program Files\Apoint2K\Apoint.exe
TouchED C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
TFNF5 TFNF5.exe
PadTouch "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
TPSMain TPSMain.exe
TFncKy TFncKy.exe
Pinger C:\TOSHIBA\IVP\ISM\pinger.exe /run
Dit Dit.exe
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
C-DillaCdaC11BA 2


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 2
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
UPnPMonitor {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\system32\upnpui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 12/3/2005 12:31:54 PM
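
The WinPFind dump above is read by hand for a handful of autostart locations: Run keys, Winlogon Notify packages, Image File Execution Options debuggers and AppInit_DLLs. The Python script below is an added example, not code from the thread or from WinPFind, that parses a dump in this layout and flags the entries a helper would look at first. Its assumptions: the stock Winlogon Notify DLLs are the ones listed in the log above (crypt32.dll, cryptnet.dll, cscdll.dll, wlnotify.dll, sclgntfy.dll), system binaries live under C:\WINDOWS or C:\Program Files, and the sample input is constructed here, copying a few lines from the log and adding invented entries (updsvc, ssqrt, taskmgr.exe debugger, hookme.dll) purely to exercise the checks.

```python
import re
from collections import defaultdict

# Constructed sample in WinPFind's registry-dump layout. The ctfmon, crypt32chain,
# SensLogn and placeholder IFEO lines copy the log above; updsvc, ssqrt, the
# taskmgr.exe Debugger and the AppInit_DLLs value are invented for this example.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
updsvc C:\Documents and Settings\Owner\Local Settings\Temp\updsvc.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqrt
= C:\WINDOWS\system32\ssqrt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
Debugger = C:\WINDOWS\system32\notask.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs C:\WINDOWS\system32\hookme.dll
"""

# Key lines appear either as "[HKEY_...]" or as a bare subkey path.
KEY_RE = re.compile(r"^\[?(HKEY_[A-Z_]+\\.+?)\]?$")
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once|services|servicesonce)?$")

# Assumption: these are the legitimate Notify DLLs, taken from the log above.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}
# The only IFEO subkey expected on a clean system is Microsoft's placeholder.
IFEO_PLACEHOLDER = "your image file name here without a path"
# Assumption: Windows lives on C:; anything started from elsewhere gets a look.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "%systemroot%\\", "%programfiles%\\")


def parse_winpfind_registry(text):
    """Map each registry key in a WinPFind dump to the value lines beneath it."""
    entries = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
        elif current is not None:
            entries[current].append(line)
    return dict(entries)


def find_suspicious(entries):
    """Apply the autostart checks; returns (kind, where, detail) tuples."""
    findings = []
    for key, values in entries.items():
        kl = key.lower()
        leaf = key.rsplit("\\", 1)[-1]
        if "\\winlogon\\notify\\" in kl:
            # Notify DLLs load into winlogon.exe at logon; anything outside the stock set is notable.
            for v in values:
                base = v.lstrip("= ").strip().rsplit("\\", 1)[-1].lower()
                if base and base not in KNOWN_NOTIFY_DLLS:
                    findings.append(("winlogon-notify", leaf, base))
        elif "\\image file execution options\\" in kl:
            # A Debugger value under a real image name redirects every launch of that program.
            if leaf.lower() != IFEO_PLACEHOLDER:
                for v in values:
                    if v.lower().startswith("debugger"):
                        findings.append(("ifeo-debugger", leaf, v.split("=", 1)[-1].strip()))
        elif kl.endswith("\\currentversion\\windows"):
            # AppInit_DLLs is loaded by every process that links user32.dll; it should be empty.
            for v in values:
                if v.lower().startswith("appinit_dlls"):
                    payload = v[len("appinit_dlls"):].strip(" =")
                    if payload:
                        findings.append(("appinit-dlls", leaf, payload))
        elif RUN_KEY_RE.search(kl):
            # Run entries are "name path"; flag programs started from outside the system folders.
            for v in values:
                name, _, cmd = v.partition(" ")
                if cmd and not cmd.lower().startswith(SYSTEM_DIRS):
                    findings.append(("run-outside-system-dirs", name, cmd))
    return findings


def report(findings):
    """One printable line per finding."""
    return [f"{kind:<24} {where}: {detail}" for kind, where, detail in findings]


if __name__ == "__main__":
    for line in report(find_suspicious(parse_winpfind_registry(SAMPLE_LOG))):
        print(line)
```

Run on the constructed sample it reports four findings and stays silent on the stock entries; on a real dump the Run-key check is deliberately coarse (a program under the user profile is a lead, not a verdict), so treat its output as a reading list for the helper rather than a removal list.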

#6 Buckeye_Sam (Malware Expert, 10,019 posts)
Double click on this file.

C:\WINDOWS\system32\oqtwa.ini

It should open up in notepad. Please copy the text that appears and post in your next reply.

#7 themoirae (Topic Starter, Member, 20 posts)
Sam,
I don't know where I am supposed to double click this file to open it. Can you point me in the right direction? Thanks.

#8 Buckeye_Sam (Malware Expert, 10,019 posts)
You just have to navigate to it.

Go to My Computer -> Local Drive(C:) -> Windows -> System32
Then look for oqtwa.ini

#9 themoirae (Topic Starter, Member, 20 posts)
Well, I tried that; it's not there, and Search (Files and Folders) says not found, and I eventually tried to open it through Run. It opened a Notepad file as follows:
pR `    1 1  . 4 b b b O        `fb"13 !2313
!2313
!2313fcfbR13Pb*313dcfb2o6bcfb2313( !2313bcfb23 bcfb23%sc WGP[)\ }Z Bf%2J1U[W# vvVT Tur ^WqT"%Psrt
!2313
!2313gcfb2313 BRXT A'!{wPSVW@64.aH
[about 2,000 further lines of the same unreadable binary content, omitted]

#10 Buckeye_Sam (Malware Expert, 10,019 posts)
Hmmmm....that's not going to be helpful.

Let's have another go at it.

Please make sure that you can View Hidden Files
  • Click Start -> My Computer
  • Select Tools -> Folder options
  • Select the View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.
  • Also make sure that 'Display the contents of system folders' is checked.
  • Make sure "Hide extensions for known file types" is unchecked
  • Make sure "Hide protected operating system files (recommended)" is unchecked
  • For more info on how to show hidden files click here.

Now it should be visible to you if you navigate to the C:\Windows\System32 folder.
Double click on it and see if it opens with readable text this time.
If so, post that text here.


If you still get gibberish, I'd like to have you send it to me via email.
Email it as an attachment to sampson_32 AT hotmail.com
  • 0
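The Folder Options steps above toggle three registry values under the current user's Explorer settings. As an added example (not something posted in this thread, and not part of any tool named here), the following PowerShell checks those values and, if wanted, sets them so hidden files, known extensions and protected operating-system files are all visible; it assumes a modern Windows PowerShell rather than the Windows XP machine in the thread.

```powershell
# Added example (not from the thread): read and set the Explorer "show hidden
# files" options that the Folder Options > View tab writes to the registry.
# Assumes Windows PowerShell 5.1 or later.
$advancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-HiddenFileSettings {
    $p = Get-ItemProperty -Path $advancedKey
    [PSCustomObject]@{
        ShowHiddenFiles      = ($p.Hidden -eq 1)           # 1 = show, 2 = do not show
        ShowFileExtensions   = ($p.HideFileExt -eq 0)      # 0 = extensions visible
        ShowProtectedOSFiles = ($p.ShowSuperHidden -eq 1)  # 1 = protected OS files visible
    }
}

function Set-HiddenFileSettings {
    # Mirror the thread's checklist: show hidden files, show extensions,
    # show protected operating-system files.
    Set-ItemProperty -Path $advancedKey -Name Hidden          -Value 1 -Type DWord
    Set-ItemProperty -Path $advancedKey -Name HideFileExt     -Value 0 -Type DWord
    Set-ItemProperty -Path $advancedKey -Name ShowSuperHidden -Value 1 -Type DWord
    # Explorer reads these values when it starts; restart it so the change applies.
    Stop-Process -Name explorer -Force
}

# Report the current state first; run Set-HiddenFileSettings only if something is off.
Get-HiddenFileSettings
```

Checking the values this way is useful when the dialog appears to accept the change but a file still stays invisible: some malware of that era re-wrote these same keys, so reading them back after a reboot confirms whether the setting actually stuck.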



#11
themoirae

themoirae

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Sam,
I had already tried "show hidden files..." but tried again. This time, at least, I found it in Search, but still got gibberish, so I have emailed the file to you. The letters of this file are the same, I think, as the Virtumond virus, only switched around. Check our previous logs when dealing with that problem to be sure. Be careful; TiA
  • 0

#12
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
I got it, thanks. It's definitely corrupted though.

Go ahead and delete these files.

C:\WINDOWS\system32\oqtwa.bak1
C:\WINDOWS\system32\oqtwa.bak2
C:\WINDOWS\system32\oqtwa.ini
C:\WINDOWS\system32\vsconfig.xml
C:\WINDOWS\system32\zllictbl.dat



Now let's take a look at another log.
Download and Save Blacklight to your desktop:

Double-click blbeta.exe then accept the agreement, leave [X]scan through Windows Explorer checked, click > scan then > next

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"
  • 0
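Before deleting files named in a removal instruction like the one above, it is good practice to record what they were and keep a copy, so the removal can be reviewed if the machine misbehaves afterwards. The following is an added example, not code from this thread or from BlackLight: it hashes each listed path, copies it to a quarantine folder (the folder location is an assumption), then attempts the deletion and reports any file that another process still holds open rather than failing silently. It assumes a modern Windows PowerShell with Get-FileHash.

```powershell
# Added example (not from the thread): document, quarantine and then delete the
# files named in the removal instructions. Quarantine path is an assumption.
$suspect = @(
    'C:\WINDOWS\system32\oqtwa.bak1',
    'C:\WINDOWS\system32\oqtwa.bak2',
    'C:\WINDOWS\system32\oqtwa.ini',
    'C:\WINDOWS\system32\vsconfig.xml',
    'C:\WINDOWS\system32\zllictbl.dat'
)
$quarantine = 'C:\Quarantine'   # assumed location; any folder outside system32 will do
New-Item -ItemType Directory -Path $quarantine -Force | Out-Null

function Remove-SuspectFile {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return "$Path : not present"
    }

    # Record size, timestamp and SHA-256 before touching the file, so the
    # removal can be cross-checked against a scanner report later.
    $info = Get-Item -LiteralPath $Path -Force
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $record = '{0} : {1} bytes, modified {2}, SHA256 {3}' -f $Path, $info.Length, $info.LastWriteTime, $hash

    Copy-Item -LiteralPath $Path -Destination $quarantine -Force

    try {
        Remove-Item -LiteralPath $Path -Force -ErrorAction Stop
        return "$record -> deleted"
    } catch {
        # A file another process holds open (as vsconfig.xml was in this thread)
        # fails here with "being used by another process"; report it and move on.
        return "$record -> NOT deleted: $($_.Exception.Message)"
    }
}

foreach ($path in $suspect) {
    Remove-SuspectFile -Path $path
}
```

The in-use case is the one the original poster hit: Windows reports only that the file is locked, not by whom, so the script leaves such a file in place and records the fact instead of forcing the matter. That is also the safer default, since the thread later notes the locked file may belong to a legitimate product (Zone Alarm) rather than to the infection.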

#13
themoirae

themoirae

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hi Sam,
I couldn't delete vsconfig.xml as I got the message that it was being used; wouldn't it be nice if Windows would tell you what process was using it? I closed everything I could, then brought it up in Search, and still it would not delete. Any suggestions?
Here is the log from BlackLight:
12/05/05 11:51:41 [Info]: BlackLight Engine 1.0.25 initialized
12/05/05 11:51:41 [Info]: OS: 5.1 build 2600 (Service Pack 2)
12/05/05 11:51:41 [Note]: 4019 4
12/05/05 11:51:41 [Note]: 4005 0
12/05/05 11:51:48 [Note]: 4006 0
12/05/05 11:51:48 [Note]: 4011 1500
12/05/05 11:51:49 [Note]: FSRAW library version 1.7.1013
12/05/05 11:54:24 [Note]: 4007 0

  • 0

#14
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Let's leave that file for now. In that location it may be getting used by Zone Alarm.

Please check to see if this folder is present on your computer and let me know.

C:\Windows\Microsoft.Net\Framework\v1.0.3705\


Is there any change in the way your computer is working?

Edited by Buckeye_Sam, 05 December 2005 - 05:39 PM.

  • 0

#15
themoirae

themoirae

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Yes, the folder is present with 4 files. My computer is much, much quieter without any of those super warp CPU surges, thank you! What's next?
  • 0
