
Trouble with Globaladsolutions + Yoog + Trojan Mailfinder


Unread postby thedrevlow » January 16th, 2009, 9:03 pm

Okay, so I've been having problems for about a month and a half. Initially I had some virus that kept opening internet windows to ad pages. After I downloaded PCS Shield Defender and ran that scan a few times, I could block the windows, but I am still constantly getting various trojans, etc. (mostly "trojan mailfinder.win32"). I also have some program that I can't get rid of called "globaladsolutions" and my search bar is stuck on "Yoog Search" no matter how many times I've deleted it.

I'm not exactly a computer extraordinaire. Please help.

Logfile of HijackThis v1.99.1
Scan saved at 6:50:11 PM, on 1/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2009\avp.exe
F:\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cli ... bd=3061015
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cli ... bd=3061015
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {09D84F57-1A2D-41FF-9CC2-8C123641990B} - C:\WINDOWS\system32\xxyVlkhe.dll (file missing)
O2 - BHO: (no name) - {45600EA0-5E2A-4926-AE08-57AA1B256986} - C:\WINDOWS\system32\byXOgddd.dll (file missing)
O2 - BHO: GrandBar IE Helper - {84BA8988-33E1-4c89-A150-BF428E8D3213} - C:\Program Files\GrandPack\GrandPack.dll
O2 - BHO: (no name) - {AB16D62F-1601-4C08-9D43-31A8499CE005} - C:\WINDOWS\system32\pmnoPfFX.dll (file missing)
O2 - BHO: globaladsolution - {db445654-90fe-4b7b-2d31-f612daf56622} - C:\WINDOWS\system32\nsi89.dll
O2 - BHO: {407351a0-9a43-fa9a-14b4-2f05d2f79fee} - {eef97f2d-50f2-4b41-a9af-34a90a153704} - C:\WINDOWS\system32\ijadhi.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\PCSecurityShield\The Shield Deluxe 2009\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\iTunesHelper.exe"
O4 - HKLM\..\Run: [Qdotuxegeqe] rundll32.exe "C:\WINDOWS\Bfatonev.dll",e
O4 - HKLM\..\Run: [Xjijememe] rundll32.exe "C:\WINDOWS\ixeqovuzitohapu.dll",e
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\PCSecurityShield\The Shield Deluxe 2009\SCIEPlgn.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.NCS.COM
O15 - Trusted Zone: *.ncspearson.com
O15 - Trusted Zone: *.pearson.com
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} - http://ependownload.ncspearson.com/auth ... wswaxd.cab
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/acce ... /AcpIR.cab
O20 - AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: The Shield Deluxe 2009 (AVP) - Unknown owner - C:\Program Files\PCSecurityShield\The Shield Deluxe 2009\avp.exe" -r (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
thedrevlow
Active Member
 
Posts: 9
Joined: January 16th, 2009, 11:50 am
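As an added example, not part of this thread and not code from HijackThis or ComboFix, the script below runs a first-pass triage over the kinds of lines that appear in the logs posted above: O2 BHO entries, O4 Run entries, and ComboFix's "FF - user.js" entries. The heuristics are assumptions about what a helper looks at first (a BHO registered with no name or whose file is gone, a Run value that starts rundll32 on a DLL sitting in the Windows root instead of system32, and a search engine forced through Firefox's user.js, which is re-applied on every Firefox start and so overrides whatever the user sets in prefs.js); a hit means "inspect this entry", not "this is malware", and the named globaladsolution BHO in the log is deliberately not caught, which is exactly why a helper reads the whole log rather than a filter's output.

```python
"""Triage helpers for the HijackThis / ComboFix log lines shown in this thread.

Added example, not part of the thread or of either tool. The heuristics are
triage hints (what a helper looks at first), not verdicts.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines copied from the logs posted in this thread (HijackThis O2/O4 entries
# and ComboFix "FF - ..." entries); "hxxp" is ComboFix's defanged "http".
SAMPLE_LINES = r"""
O2 - BHO: (no name) - {09D84F57-1A2D-41FF-9CC2-8C123641990B} - C:\WINDOWS\system32\xxyVlkhe.dll (file missing)
O2 - BHO: GrandBar IE Helper - {84BA8988-33E1-4c89-A150-BF428E8D3213} - C:\Program Files\GrandPack\GrandPack.dll
O2 - BHO: globaladsolution - {db445654-90fe-4b7b-2d31-f612daf56622} - C:\WINDOWS\system32\nsi89.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Qdotuxegeqe] rundll32.exe "C:\WINDOWS\Bfatonev.dll",e
O4 - HKLM\..\Run: [Xjijememe] rundll32.exe "C:\WINDOWS\ixeqovuzitohapu.dll",e
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
FF - user.js: browser.search.defaulturl - hxxp://www10.yoog.com/search.php?q=
""".strip().splitlines()

HJT_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
FF_RE = re.compile(r"^FF - (?P<file>user\.js|prefs\.js): (?P<pref>\S+) - (?P<value>.*)$")

WINDOWS_ROOT = r"C:\WINDOWS"                      # assumption: default XP install path
SEARCH_PREFS = ("keyword.URL", "browser.search.")  # Firefox prefs that steer searches


@dataclass
class Finding:
    section: str   # log section the line came from: O2, O4 or FF
    item: str      # BHO CLSID, Run value name, or Firefox pref name
    target: str    # file or URL the entry points at
    reason: str    # which triage heuristic fired


def rundll32_target(cmd: str) -> Optional[str]:
    """Return the DLL that a 'rundll32.exe <dll>,<entry>' command line would load."""
    parts = cmd.split(None, 1)
    if len(parts) < 2:
        return None
    arg = parts[1]
    if arg.startswith('"'):                 # quoted path: runs up to the closing quote
        end = arg.find('"', 1)
        return arg[1:end] if end > 0 else None
    return arg.split(",", 1)[0]             # unquoted path: ends at the first comma


def triage(lines: List[str]) -> List[Finding]:
    """Apply the triage heuristics to log lines and return the entries worth a look."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        ff = FF_RE.match(line)
        if ff:
            # user.js is re-applied at every Firefox start and overrides prefs.js,
            # so a search engine set there comes back no matter how often it is deleted.
            if ff.group("file") == "user.js" and ff.group("pref").startswith(SEARCH_PREFS):
                findings.append(Finding("FF", ff.group("pref"), ff.group("value"),
                                        "search setting forced through user.js"))
            continue
        hjt = HJT_RE.match(line)
        if not hjt:
            continue
        kind, body = hjt.group("kind"), hjt.group("body")
        if kind == "O2":
            bho = BHO_RE.match(body)
            if not bho:
                continue
            reasons = []
            if bho.group("name") == "(no name)":
                reasons.append("BHO has no name")
            if bho.group("path").endswith("(file missing)"):
                reasons.append("BHO file missing but registration left behind")
            if reasons:
                findings.append(Finding("O2", bho.group("clsid"), bho.group("path"),
                                        "; ".join(reasons)))
        elif kind == "O4":
            run = RUN_RE.match(body)
            if not run or not run.group("cmd").lower().startswith("rundll32"):
                continue
            dll = rundll32_target(run.group("cmd"))
            # System DLLs live under system32; a loader DLL dropped in the Windows root is unusual.
            if dll and ntpath.dirname(dll).upper() == WINDOWS_ROOT.upper():
                findings.append(Finding("O4", run.group("value"), dll,
                                        "rundll32 loads a DLL from the Windows root rather than system32"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.section:3} {f.item:45} {f.reason}")
```

Running it lists five entries: the nameless, file-missing BHO, the two rundll32 Run values (Bfatonev.dll and ixeqovuzitohapu.dll) and the two user.js search settings pointing at yoog.com. Paths are handled with `ntpath` so the script also runs on a non-Windows analysis box.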

Re: Trouble with Globaladsolutions + Yoog + Trojan Mailfinder

Unread postby Bv202 » January 22nd, 2009, 7:09 am

Sorry for the delay.

Welcome to Malware Removal!
My name is Bjorn, known as Bv202 on this forum, and I'll be happy to assist you with all the malware problems you have on your computer.

Before we start fixing your computer, there are a few points you need to know:
  • Please don't start a new topic, but reply on this one.
  • If you don't understand something, please ask!
  • If you find any new problems and/or details, please post them!
  • Please always try to reply within 5 days. If you know you won't be able to reply for any reason, please tell me so we don't close your thread.
  • As I'm still in training here at Malware Removal, all my posts need to be checked by an expert first.

Remember: absence of symptoms does not mean your computer is clean!!
Please reply to this topic until I say your computer is clean.

I'm now researching your log. Once it's done, I'll be back to you.

In the meantime, please do this:
  • Open HijackThis.
  • Look under System tools.
  • Click on the Open Uninstall Manager... button.
  • Click on the Save list... button.
  • It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  • Notepad will open. Please copy and paste the contents of this log in your next reply.
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

Re: Trouble with Globaladsolutions + Yoog + Trojan Mailfinder

Unread postby Bv202 » January 22nd, 2009, 8:12 am

Hi thedrevlow

Download and run Combofix
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

Re: Trouble with Globaladsolutions + Yoog + Trojan Mailfinder

Unread postby thedrevlow » January 23rd, 2009, 8:20 pm

Hey, thank you for the help. So here is the ComboFix log, followed by a fresh HijackThis log:

ComboFix 09-01-21.04 - Drevs 2009-01-23 17:46:18.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.246 [GMT -6:00]
Running from: c:\documents and settings\Drevs\Desktop\ComboFix.exe
AV: The Shield Deluxe 2009 *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\c.cgm
c:\documents and settings\All Users\Application Data\Microsoft\Protect\track.sys
c:\documents and settings\Drevs\Application Data\gadcom
c:\documents and settings\Drevs\Application Data\GetModule
c:\documents and settings\Drevs\Application Data\GetModule\dicik.gz
c:\documents and settings\Drevs\Application Data\GetModule\kwdik.gz
c:\documents and settings\Drevs\Application Data\GetModule\ofadik.gz
c:\documents and settings\Drevs\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\GetModule
c:\program files\GetPack
c:\program files\GrandPack
c:\program files\GrandPack\GrandPack.dll
c:\program files\GrandPack\qdrloader.exe
c:\program files\GrandPack\Uninstall.exe
c:\program files\iCheck
c:\program files\iCheck\Uninstall.exe
c:\program files\Microsoft Common
c:\program files\Mozilla Firefox\components\nsglobaladsolution.dll
c:\windows\IE4 Error Log.txt
c:\windows\system32\a.exe
c:\windows\system32\cont_globaladsolution-remove.exe
c:\windows\system32\cpjnbshy.dll
c:\windows\system32\dddgOXyb.ini
c:\windows\system32\dddgOXyb.ini2
c:\windows\system32\ehklVyxx.ini
c:\windows\system32\ehklVyxx.ini2
c:\windows\system32\fmddzn.dll
c:\windows\system32\ifofqeit.dll
c:\windows\system32\ihwzyf.dll
c:\windows\system32\iwhiepsc.dll
c:\windows\system32\kxytabvu.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\qbqwqorr.dll
c:\windows\system32\qosdspgl.dll
c:\windows\system32\rbolwope.dll
c:\windows\system32\scjqdpgg.dll
c:\windows\system32\tuxfzo.dll
c:\windows\system32\wpv601228549733.cpx
c:\windows\system32\XFfPonmp.ini
c:\windows\system32\XFfPonmp.ini2
c:\windows\system32\zupflf.dll
c:\windows\wiaserviv.log
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-12-23 to 2009-01-23 )))))))))))))))))))))))))))))))
.

2009-01-23 17:12 . 2009-01-23 17:12 <DIR> d-------- c:\program files\uTorrent
2009-01-23 17:12 . 2009-01-23 17:54 <DIR> d-------- c:\documents and settings\Drevs\Application Data\uTorrent
2009-01-16 22:07 . 2009-01-16 22:13 <DIR> d-------- c:\documents and settings\Drevs\Application Data\PeaZip
2009-01-16 20:56 . 2009-01-16 20:57 <DIR> d-------- c:\program files\PeaZip
2009-01-15 23:09 . 2009-01-15 23:09 <DIR> d-------- c:\windows\system32\scripting
2009-01-15 23:09 . 2009-01-15 23:09 <DIR> d-------- c:\windows\system32\en
2009-01-15 23:09 . 2009-01-15 23:09 <DIR> d-------- c:\windows\system32\bits
2009-01-15 23:09 . 2009-01-15 23:09 <DIR> d-------- c:\windows\l2schemas
2009-01-15 23:03 . 2009-01-15 23:03 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-15 22:43 . 2009-01-15 22:43 <DIR> d-------- c:\windows\EHome
2009-01-15 20:23 . 2009-01-15 21:55 <DIR> d-------- c:\windows\SxsCaPendDel
2009-01-12 14:52 . 2008-04-13 13:00 30,080 --a------ c:\windows\system32\drivers\modem.sys
2009-01-11 22:25 . 2004-08-03 22:29 1,897,408 --a------ c:\windows\system32\drivers\nv4_mini.sys
2009-01-11 21:35 . 2009-01-13 15:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard
2009-01-11 21:34 . 2009-01-11 21:34 <DIR> d-------- c:\program files\Common Files\iS3
2009-01-11 21:34 . 2009-01-15 20:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-01-11 20:38 . 2009-01-11 20:38 1,256,329 --ahs---- c:\windows\system32\yhsbnjpc.ini
2009-01-11 16:46 . 2009-01-11 16:46 132,096 --a------ c:\windows\ixeqovuzitohapu.dll
2009-01-11 16:34 . 2009-01-11 16:34 40,448 --a------ c:\windows\Bfatonev.dll
2009-01-11 16:02 . 2009-01-11 16:02 1,256,329 --ahs---- c:\windows\system32\jcwvnbuk.ini
2009-01-11 09:23 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2009-01-11 09:23 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2009-01-11 09:22 . 2009-01-11 09:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-10 20:03 . 2009-01-10 20:06 <DIR> d-------- c:\program files\QuickTime
2009-01-10 17:25 . 2009-01-10 17:27 <DIR> d-------- c:\program files\Safari
2009-01-10 16:46 . 2009-01-10 16:46 <DIR> d-------- c:\program files\Conduit
2009-01-10 16:02 . 2009-01-10 16:04 1,256,329 --ahs---- c:\windows\system32\btiyysws.ini
2009-01-07 07:08 . 2009-01-07 07:08 686,080 --a------ c:\windows\system32\nsi89.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-23 23:55 9,040,672 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-01-23 23:55 276,512 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-01-23 23:55 25,280 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-01-23 23:55 117,116 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-01-23 18:13 --------- d-----w c:\documents and settings\All Users\Application Data\PCSecurityShield
2009-01-17 02:16 --------- d-----w c:\program files\BitLord
2009-01-11 15:22 --------- d-----w c:\program files\iPod
2009-01-11 15:22 --------- d-----w c:\program files\Common Files\Apple
2009-01-11 07:06 --------- d-----w c:\program files\iTunes
2008-12-17 16:16 --------- d-----w c:\documents and settings\Drevs\Application Data\U3
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-06 20:09 --------- d-----w c:\program files\Google
2008-12-06 01:03 --------- d-----w c:\documents and settings\Drevs\Application Data\Azureus
2008-12-02 02:45 96,976 ----a-w c:\windows\system32\drivers\klin.dat
2008-12-02 02:45 87,855 ----a-w c:\windows\system32\drivers\klick.dat
2008-12-02 02:43 --------- d-----w c:\program files\PCSecurityShield
2008-12-02 02:42 --------- d-----w c:\documents and settings\All Users\Application Data\PCSecurityShield Setup Files
2008-12-02 02:25 --------- d-----w c:\documents and settings\Drevs\Application Data\eMusic
2008-02-21 05:07 826 ----a-w c:\documents and settings\Drevs\Application Data\wklnhst.dat
2008-09-05 06:06 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2004-08-04 10:00 94,784 --sh--w c:\windows\twain.dll
2008-04-14 00:12 50,688 --sh--w c:\windows\twain_32.dll
2007-03-01 06:03 88 --sh--r c:\windows\system32\5956ED434D.sys
2007-03-01 06:03 3,350 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-04-14 00:11 1,028,096 --sha-w c:\windows\system32\mfc42.dll
2008-04-14 00:12 57,344 --sha-w c:\windows\system32\msvcirt.dll
2008-04-14 00:12 413,696 --sha-w c:\windows\system32\msvcp60.dll
2008-04-14 00:12 343,040 --sha-w c:\windows\system32\msvcrt.dll
2008-04-14 00:12 551,936 --sha-w c:\windows\system32\oleaut32.dll
2008-04-14 00:12 84,992 --sha-w c:\windows\system32\olepro32.dll
2008-04-14 00:12 11,776 --sha-w c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{db445654-90fe-4b7b-2d31-f612daf56622}]
2009-01-07 07:08 686080 --a------ c:\windows\system32\nsi89.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-16 389120]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 98304]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-10-15 26112]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-05 29744]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"CXMon"="c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-27 45056]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2007-07-03 64000]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="F:\iTunesHelper.exe" [2008-11-20 290088]
"Qdotuxegeqe"="c:\windows\Bfatonev.dll" [2009-01-11 40448]
"Xjijememe"="c:\windows\ixeqovuzitohapu.dll" [2009-01-11 132096]
"AVP"="c:\program files\PCSecurityShield\The Shield Deluxe 2009\avp.exe" [2008-10-08 221184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\PCSecurityShield\\The Shield Deluxe 2009\\avp.exe"=
"f:\\dimeadozen\\BitLord\\BitLord.exe"=
"f:\\iTunes.exe"=
"f:\\dimeadozen\\eMule\\emule.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-12-13 24592]
R3 PAC207;Webcam 1200;c:\windows\system32\drivers\PFC027.SYS [2008-08-08 611584]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2006-10-15 29744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60f7584f-6302-11db-9bf4-001676a21b23}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a339258d-e543-11db-856d-001676a21b23}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a3392593-e543-11db-856d-001676a21b23}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b67fe15a-59ad-11dd-8609-001676a21b23}]
\Shell\AutoRun\command - e:\wd_windows_tools\WDSetup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{09D84F57-1A2D-41FF-9CC2-8C123641990B} - c:\windows\system32\xxyVlkhe.dll
BHO-{45600EA0-5E2A-4926-AE08-57AA1B256986} - c:\windows\system32\byXOgddd.dll
BHO-{AB16D62F-1601-4C08-9D43-31A8499CE005} - c:\windows\system32\pmnoPfFX.dll
BHO-{eef97f2d-50f2-4b41-a9af-34a90a153704} - c:\windows\system32\ijadhi.dll
Toolbar-SITEguard - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&cli ... bd=3061015
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: NCS.COM
Trusted Zone: NCS.COM\erpepen.ic
Trusted Zone: ncspearson.com
Trusted Zone: pearson.com
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxps://www-307.ibm.com/pc/support/acce ... /AcpIR.cab
FF - ProfilePath - c:\documents and settings\Drevs\Application Data\Mozilla\Firefox\Profiles\xaad3v30.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www10.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: f:\mozilla plugins\npitunes.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www10.yoog.com/search.php?q=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-23 17:57:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(956)
c:\program files\PCSecurityShield\The Shield Deluxe 2009\miscr3.dll
c:\windows\system32\klogon.dll

- - - - - - - > 'lsass.exe'(1012)
c:\program files\PCSecurityShield\The Shield Deluxe 2009\dnsq.dll
c:\program files\PCSecurityShield\The Shield Deluxe 2009\miscr3.dll
c:\program files\PCSecurityShield\The Shield Deluxe 2009\fssync.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\logishrd\LQCVFX\COCIManager.exe
c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-01-23 18:09:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-24 00:08:46

Pre-Run: 31,039,787,008 bytes free
Post-Run: 56,276,152,320 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

278 --- E O F --- 2009-01-17 09:02:31



And then here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:11:55 PM, on 1/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
F:\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=3061015
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: globaladsolution - {db445654-90fe-4b7b-2d31-f612daf56622} - C:\WINDOWS\system32\nsi89.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\iTunesHelper.exe"
O4 - HKLM\..\Run: [Qdotuxegeqe] rundll32.exe "C:\WINDOWS\Bfatonev.dll",e
O4 - HKLM\..\Run: [Xjijememe] rundll32.exe "C:\WINDOWS\ixeqovuzitohapu.dll",e
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\PCSecurityShield\The Shield Deluxe 2009\SCIEPlgn.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.NCS.COM
O15 - Trusted Zone: *.ncspearson.com
O15 - Trusted Zone: *.pearson.com
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} - http://ependownload.ncspearson.com/auth ... wswaxd.cab
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/acce ... /AcpIR.cab
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: The Shield Deluxe 2009 (AVP) - Unknown owner - C:\Program Files\PCSecurityShield\The Shield Deluxe 2009\avp.exe" -r (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe



Thank you again.
thedrevlow
Active Member
 
Posts: 9
Joined: January 16th, 2009, 11:50 am

Re: Trouble with Globaladsolutions + Yoog + Trojan Mailfinder

Unread postby thedrevlow » January 23rd, 2009, 8:22 pm

Also, I don't know if you still need it, but here is the uninstall list, you had requested in the previous post:

Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0.8
AOLIcon
Apple Mobile Device Support
Apple Software Update
ArcSoft Magic-i 3
ArcSoft PhotoImpression 5
ArcSoft VideoImpression 2
ArcSoft WebCam Companion 2
Bonjour
Charter High Speed Internet Self-Installation Wizard
Contextual Platform Globaladsolution
Dell CinePlayer
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Resource CD
Dell Support 3.2
Digital Content Portal
EarthLink setup files
eMule
FLAC 1.2.1b (remove only)
Google Desktop
Hijackthis 1.99.1
HijackThis 1.99.1
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB952287)
HP Customer Participation Program 8.0
HP Deskjet 8.0 Software
HP Imaging Device Functions 8.0
HP Photo Imaging Software
HP Photo Printing Software
HP Photosmart Essential
HP Share-to-Web
HP Solution Center 8.0
HP Update
HPSSupply
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internet Speed Monitor
iPod for Windows 2006-01-10
iTunes
J2SE Runtime Environment 5.0 Update 4
Learn2 Player (Uninstall Only)
LiveUpdate 2.6 (Symantec Corporation)
Logitech QuickCam
MCU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft DirectX 9.0 SDK Update (Summer 2003)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office 2000 SR-1 Professional
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
mkw Audio Compression Toolkit
MobileMe Control Panel
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
NetZeroInstallers
PeaZip 2.4.1
Qualxserve Service Agreement
QuickTime
RealPlayer Basic
Rhapsody
Rhapsody Player Engine
Rhapsody Player Engine
Roxio DLA
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Safari
SearchAssist
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Sonic Activation Module
Sonic Update Manager
SoundMAX
The Shield Deluxe 2009
The Shield Deluxe 2009
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
URL Assistant
Viewpoint Media Player
WD Diagnostics
Webcam 1200
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10
Windows XP Service Pack 3
thedrevlow
Active Member
 
Posts: 9
Joined: January 16th, 2009, 11:50 am

Re: Trouble with Globaladsolutions + Yoog + Trojan Mailfinder

Unread postby Bv202 » January 25th, 2009, 10:28 am

Hi thedrevlow
Yes, thank you for the uninstall list :)

Remove P2P software
While looking over your log, I have noticed the following Peer-to-Peer filesharing programs are present on your computer:

uTorrent
BitLord
eMule


These programs are the #1 source of infected systems. Although the software itself can be clean, the files you download are often infected with malware. Because of this, we do not allow P2P software present on machines we're cleaning anymore.

This means you must remove the above Peer-to-Peer filesharing programs and any others present on your machine. For a full explanation of our policy, please read the following P2P Program Policy.

You can uninstall eMule in the Control Panel -> Add/remove Programs.
To remove the other 2 please do this:
uTorrent: Remove c:\program files\uTorrent
Bitlord: Remove c:\program files\BitLord

COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    c:\windows\system32\yhsbnjpc.ini
    c:\windows\ixeqovuzitohapu.dll
    c:\windows\Bfatonev.dll
    c:\windows\system32\jcwvnbuk.ini
    c:\windows\system32\btiyysws.ini
    c:\windows\system32\nsi89.dll
    
    Registry:: 
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Qdotuxegeqe"=-
    "Xjijememe"=-
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{db445654-90fe-4b7b-2d31-f612daf56622}]
    
    [-HKEY_CLASSES_ROOT\CLSID\{db445654-90fe-4b7b-2d31-f612daf56622}]
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

In your next reply, please post:
1) The ComboFix log
2) A new HijackThis log
3) Tell me how the computer is running now
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)
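The step the helper describes above, going from the O2/O4 lines of a HijackThis log to the File:: and Registry:: sections of a CFScript, as an added worked example (this is not code from MalwareRemoval.com, the helper, or the ComboFix project). It parses a few O2/O4 lines copied from the log posted in this thread, flags the two Run entries that use rundll32 to load a DLL sitting directly in C:\WINDOWS (a heuristic chosen for this example, not a ComboFix rule) together with the BHO the analyst has explicitly named as malicious, and prints the script in the layout the helper used: the "name"=- value deletion, the [-KEY] key deletion, and the \~\ shorthand exactly as written in the helper's script. All function names are this example's own.

```python
"""Turn flagged HijackThis O2/O4 entries into a ComboFix CFScript.

Added example for this thread; it reproduces in code what the helper did
by hand: read the O2 (BHO) and O4 (Run key) lines, pick out the entries
judged malicious, and emit File:: / Registry:: sections in the layout of
the helper's script. The rundll32-in-C:\\WINDOWS rule is an assumption of
this example, not a ComboFix rule.
"""
import re

# Constructed sample: lines copied from the HijackThis log posted in this
# thread, plus two benign Run entries for contrast.
SAMPLE_HJT = r"""
O2 - BHO: globaladsolution - {db445654-90fe-4b7b-2d31-f612daf56622} - C:\WINDOWS\system32\nsi89.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Qdotuxegeqe] rundll32.exe "C:\WINDOWS\Bfatonev.dll",e
O4 - HKLM\..\Run: [Xjijememe] rundll32.exe "C:\WINDOWS\ixeqovuzitohapu.dll",e
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
# rundll32 followed by the DLL path (quoted or not), stopping before ",export"
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?', re.IGNORECASE)

HIVE_FULL = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def parse_hjt(text):
    """Return ([(name, clsid, path)] for O2 lines, [(hive, value, cmd)] for O4 lines)."""
    bhos, runs = [], []
    for line in text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append((m["name"], m["clsid"], m["path"]))
            continue
        m = O4_RE.match(line)
        if m:
            runs.append((m["hive"], m["value"], m["cmd"]))
    return bhos, runs


def rundll_target(cmd):
    """DLL path when the Run command is 'rundll32 <dll>,<export>', else None."""
    m = RUNDLL_RE.match(cmd)
    return m["dll"] if m else None


def is_loader_in_windir(cmd):
    """Heuristic for this example: a Run entry that uses rundll32 to load a
    DLL placed directly in C:\\WINDOWS, as both malicious entries in this log do."""
    dll = rundll_target(cmd)
    if dll is None:
        return False
    parent = dll.rsplit("\\", 1)[0].lower()
    return parent == r"c:\windows"


def build_cfscript(bhos, runs, bad_bho_names):
    """Emit File:: and Registry:: sections in the layout of the helper's script.

    bad_bho_names: lower-case BHO names the analyst has judged malicious; this
    stays an explicit input rather than being guessed from the name."""
    files, reg_values, reg_keys = [], {}, []
    for name, clsid, path in bhos:
        if name.lower() in bad_bho_names:
            files.append(path)
            # [-KEY] deletes the whole key; \~\ shorthand as used in the helper's script
            reg_keys.append(r"[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\%s]" % clsid)
            reg_keys.append(r"[-HKEY_CLASSES_ROOT\CLSID\%s]" % clsid)
    for hive, value, cmd in runs:
        if is_loader_in_windir(cmd):
            files.append(rundll_target(cmd))
            key = "[%s\\%s]" % (HIVE_FULL[hive], RUN_KEY)
            reg_values.setdefault(key, []).append('"%s"=-' % value)  # "name"=- deletes the value

    out = ["File::"] + files + ["", "Registry::"]
    for key, vals in reg_values.items():
        out += [key] + vals + [""]
    for k in reg_keys:
        out += [k, ""]
    return "\n".join(out).rstrip() + "\n"


if __name__ == "__main__":
    bhos, runs = parse_hjt(SAMPLE_HJT)
    print(build_cfscript(bhos, runs, {"globaladsolution"}))
```

Running it prints File::/Registry:: lines matching the helper's script for these entries. The .ini files in the helper's script came from a separate scan listing, not from the HijackThis lines, so a generator working from HijackThis output alone cannot produce them; the point is the mapping from a log entry to its delete directive, and that which BHO is malicious remains the analyst's call rather than something inferred from a name.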

Re: Trouble with Globaladsolutions + Yoog + Trojan Mailfinder

Unread postby thedrevlow » January 25th, 2009, 2:21 pm

Here is the combofix log:

ComboFix 09-01-21.04 - Drevs 2009-01-25 11:41:53.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.601 [GMT -6:00]
Running from: c:\documents and settings\Drevs\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Drevs\Desktop\CFScript.txt
AV: The Shield Deluxe 2009 *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\Bfatonev.dll
c:\windows\ixeqovuzitohapu.dll
c:\windows\system32\btiyysws.ini
c:\windows\system32\jcwvnbuk.ini
c:\windows\system32\nsi89.dll
c:\windows\system32\yhsbnjpc.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Bfatonev.dll
c:\windows\ixeqovuzitohapu.dll
c:\windows\system32\awvujret.ini
c:\windows\system32\bflfdrgp.ini
c:\windows\system32\btiyysws.ini
c:\windows\system32\cspeihwi.ini
c:\windows\system32\exfdvtta.ini
c:\windows\system32\fpruepnd.ini
c:\windows\system32\ggsaymtg.ini
c:\windows\system32\icogachi.ini
c:\windows\system32\iscqybho.ini
c:\windows\system32\jcwvnbuk.ini
c:\windows\system32\lfpcvgbj.ini
c:\windows\system32\mfnsxtfa.ini
c:\windows\system32\mpufmlke.ini
c:\windows\system32\nsi89.dll
c:\windows\system32\nyxdonxv.ini
c:\windows\system32\ovdsipln.ini
c:\windows\system32\rwhsveki.ini
c:\windows\system32\stiktrks.ini
c:\windows\system32\tieqfofi.ini
c:\windows\system32\xbngtyun.ini
c:\windows\system32\yhgxjunq.ini
c:\windows\system32\yhsbnjpc.ini

.
((((((((((((((((((((((((( Files Created from 2008-12-25 to 2009-01-25 )))))))))))))))))))))))))))))))
.

2009-01-16 22:07 . 2009-01-16 22:13 <DIR> d-------- c:\documents and settings\Drevs\Application Data\PeaZip
2009-01-16 20:56 . 2009-01-16 20:57 <DIR> d-------- c:\program files\PeaZip
2009-01-15 23:09 . 2009-01-15 23:09 <DIR> d-------- c:\windows\system32\scripting
2009-01-15 23:09 . 2009-01-15 23:09 <DIR> d-------- c:\windows\system32\en
2009-01-15 23:09 . 2009-01-15 23:09 <DIR> d-------- c:\windows\system32\bits
2009-01-15 23:09 . 2009-01-15 23:09 <DIR> d-------- c:\windows\l2schemas
2009-01-15 23:03 . 2009-01-15 23:03 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-15 22:43 . 2009-01-15 22:43 <DIR> d-------- c:\windows\EHome
2009-01-15 20:23 . 2009-01-15 21:55 <DIR> d-------- c:\windows\SxsCaPendDel
2009-01-12 14:52 . 2008-04-13 13:00 30,080 --a------ c:\windows\system32\drivers\modem.sys
2009-01-11 22:25 . 2004-08-03 22:29 1,897,408 --a------ c:\windows\system32\drivers\nv4_mini.sys
2009-01-11 21:35 . 2009-01-13 15:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard
2009-01-11 21:34 . 2009-01-11 21:34 <DIR> d-------- c:\program files\Common Files\iS3
2009-01-11 21:34 . 2009-01-15 20:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-01-11 09:23 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2009-01-11 09:23 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2009-01-11 09:22 . 2009-01-11 09:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-10 20:03 . 2009-01-10 20:06 <DIR> d-------- c:\program files\QuickTime
2009-01-10 17:25 . 2009-01-10 17:27 <DIR> d-------- c:\program files\Safari
2009-01-10 16:46 . 2009-01-10 16:46 <DIR> d-------- c:\program files\Conduit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-25 17:47 9,040,672 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-01-25 17:47 276,512 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-01-25 17:47 27,104 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-01-25 17:47 123,308 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-01-24 17:31 --------- d-----w c:\documents and settings\All Users\Application Data\PCSecurityShield
2009-01-11 15:22 --------- d-----w c:\program files\iPod
2009-01-11 15:22 --------- d-----w c:\program files\Common Files\Apple
2009-01-11 07:06 --------- d-----w c:\program files\iTunes
2008-12-17 16:16 --------- d-----w c:\documents and settings\Drevs\Application Data\U3
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-06 20:09 --------- d-----w c:\program files\Google
2008-12-06 01:03 --------- d-----w c:\documents and settings\Drevs\Application Data\Azureus
2008-12-02 02:45 96,976 ----a-w c:\windows\system32\drivers\klin.dat
2008-12-02 02:45 87,855 ----a-w c:\windows\system32\drivers\klick.dat
2008-12-02 02:43 --------- d-----w c:\program files\PCSecurityShield
2008-12-02 02:42 --------- d-----w c:\documents and settings\All Users\Application Data\PCSecurityShield Setup Files
2008-12-02 02:25 --------- d-----w c:\documents and settings\Drevs\Application Data\eMusic
2008-02-21 05:07 826 ----a-w c:\documents and settings\Drevs\Application Data\wklnhst.dat
2008-09-05 06:06 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2004-08-04 10:00 94,784 --sh--w c:\windows\twain.dll
2008-04-14 00:12 50,688 --sh--w c:\windows\twain_32.dll
2007-03-01 06:03 88 --sh--r c:\windows\system32\5956ED434D.sys
2007-03-01 06:03 3,350 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-04-14 00:11 1,028,096 --sha-w c:\windows\system32\mfc42.dll
2008-04-14 00:12 57,344 --sha-w c:\windows\system32\msvcirt.dll
2008-04-14 00:12 413,696 --sha-w c:\windows\system32\msvcp60.dll
2008-04-14 00:12 343,040 --sha-w c:\windows\system32\msvcrt.dll
2008-04-14 00:12 551,936 --sha-w c:\windows\system32\oleaut32.dll
2008-04-14 00:12 84,992 --sha-w c:\windows\system32\olepro32.dll
2008-04-14 00:12 11,776 --sha-w c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-16 389120]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 98304]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-10-15 26112]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-05 29744]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"CXMon"="c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-27 45056]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2007-07-03 64000]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="F:\iTunesHelper.exe" [2008-11-20 290088]
"AVP"="c:\program files\PCSecurityShield\The Shield Deluxe 2009\avp.exe" [2008-10-08 221184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\PCSecurityShield\\The Shield Deluxe 2009\\avp.exe"=
"f:\\dimeadozen\\BitLord\\BitLord.exe"=
"f:\\iTunes.exe"=

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-12-13 24592]
R3 PAC207;Webcam 1200;c:\windows\system32\drivers\PFC027.SYS [2008-08-08 611584]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2006-10-15 29744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60f7584f-6302-11db-9bf4-001676a21b23}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a339258d-e543-11db-856d-001676a21b23}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a3392593-e543-11db-856d-001676a21b23}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b67fe15a-59ad-11dd-8609-001676a21b23}]
\Shell\AutoRun\command - e:\wd_windows_tools\WDSetup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&cli ... bd=3061015
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: NCS.COM
Trusted Zone: NCS.COM\erpepen.ic
Trusted Zone: ncspearson.com
Trusted Zone: pearson.com
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxps://www-307.ibm.com/pc/support/acce ... /AcpIR.cab
FF - ProfilePath - c:\documents and settings\Drevs\Application Data\Mozilla\Firefox\Profiles\xaad3v30.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www10.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: f:\mozilla plugins\npitunes.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www10.yoog.com/search.php?q=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-25 11:49:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(956)
c:\program files\PCSecurityShield\The Shield Deluxe 2009\miscr3.dll
c:\windows\system32\klogon.dll

- - - - - - - > 'lsass.exe'(1016)
c:\program files\PCSecurityShield\The Shield Deluxe 2009\dnsq.dll
c:\program files\PCSecurityShield\The Shield Deluxe 2009\miscr3.dll
c:\program files\PCSecurityShield\The Shield Deluxe 2009\fssync.dll

- - - - - - - > 'explorer.exe'(4384)
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\program files\PCSecurityShield\The Shield Deluxe 2009\miscr3.dll
c:\program files\PCSecurityShield\The Shield Deluxe 2009\fssync.dll
c:\program files\PCSecurityShield\The Shield Deluxe 2009\scrchpg.dll
F:\iTunesMiniPlayer.dll
f:\itunesminiplayer.resources\en.lproj\iTunesMiniPlayerLocalized.dll
f:\itunesminiplayer.resources\iTunesMiniPlayer.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
c:\program files\Common Files\logishrd\LQCVFX\COCIManager.exe
c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\InstallShield\UpdateService\agent.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\HP Software Update\HPWUCli.exe
.
**************************************************************************
.
Completion time: 2009-01-25 11:59:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-25 17:58:41
ComboFix2.txt 2009-01-24 00:09:11

Pre-Run: 56,239,927,296 bytes free
Post-Run: 56,188,907,520 bytes free

251 --- E O F --- 2009-01-17 09:02:31

Here is the new HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 12:12:27 PM, on 1/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
F:\iTunesHelper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=3061015
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\iTunesHelper.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\PCSecurityShield\The Shield Deluxe 2009\SCIEPlgn.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.NCS.COM
O15 - Trusted Zone: *.ncspearson.com
O15 - Trusted Zone: *.pearson.com
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} - http://ependownload.ncspearson.com/auth ... wswaxd.cab
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/acce ... /AcpIR.cab
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: The Shield Deluxe 2009 (AVP) - Unknown owner - C:\Program Files\PCSecurityShield\The Shield Deluxe 2009\avp.exe" -r (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe


My computer seems to be running okay, but I still have Yoog Search installed as my search engine. I do not see Globaladsolution on my program list. I tried to uninstall all the p2p programs as you said, but I had already uninstalled BitLord and it still existed on my computer even though it didn't come up on my programs list. I went through and deleted the files, but I'm not sure if it is gone now or not?
thedrevlow
Active Member
 
Posts: 9
Joined: January 16th, 2009, 11:50 am

Re: Trouble with Globaladsolutions + Yoog + Trojan Mailfinder

Unread postby Bv202 » January 25th, 2009, 3:39 pm

Hi again thedrevlow

Yes, it looks like most of the P2P software is gone; we'll remove the leftovers :)
Let's try to solve the search engine problem too ;)

COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    Folder::
    c:\documents and settings\Drevs\Application Data\Azureus
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "f:\\dimeadozen\\BitLord\\BitLord.exe"=-
    
    Firefox:: 
    FF - ProfilePath - c:\documents and settings\Drevs\Application Data\Mozilla\Firefox\Profiles\xaad3v30.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www10.yoog.com/search.php?q=
    FF - prefs.js: browser.search.selectedEngine - Yoog Search
    FF - prefs.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=
    FF - user.js: browser.search.selectedEngine - Yoog Search
    FF - user.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=
    FF - user.js: browser.search.defaultenginename - Yoog Search
    FF - user.js: browser.search.defaulturl - hxxp://www10.yoog.com/search.php?q=
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

In your next reply, please post:
1) The combofix log
2) A new HijackThis log
3) Have a look whether you still have problems with the search engine
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

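To check a Firefox profile for the kind of search-engine hijack the CFScript above removes, here is an added example (not the thread's or ComboFix's own code) that parses prefs.js/user.js and flags the prefs named in the script when they point outside an assumed allowlist of search hosts and engine names; the sample prefs content is constructed from the entries in the script.

```python
"""Flag a hijacked Firefox search engine from prefs.js / user.js contents.

Added example, not code from the thread or from ComboFix. The constructed
sample below mirrors the Yoog entries that the CFScript above removes.
"""
import re
from urllib.parse import urlparse

# Preferences the hijack in this thread rewrote (the ones named in the CFScript).
URL_PREFS = {"browser.search.defaulturl", "keyword.URL"}
ENGINE_NAME_PREFS = {"browser.search.selectedEngine", "browser.search.defaultenginename"}

# Assumed allowlists for this example: hosts a search URL may point at, and
# engine names that are expected. Adjust to the engines actually installed.
ALLOWED_SEARCH_HOSTS = ("google.com", "yahoo.com", "bing.com")
ALLOWED_ENGINE_NAMES = {"Google", "Yahoo", "Bing"}

# prefs.js lines look like: user_pref("name", value);  (user.js uses the same syntax)
PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\);\s*$')


def parse_prefs(text):
    """Return {pref_name: value} for every pref line; string values are unquoted."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref() call
        name, raw = m.groups()
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        prefs[name] = raw
    return prefs


def host_allowed(host, allowed=ALLOWED_SEARCH_HOSTS):
    """True if host is one of the allowed search hosts or a subdomain of one."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in allowed)


def find_search_hijack(text):
    """Return a list of (pref, value, reason) for search prefs that look hijacked."""
    findings = []
    for name, value in parse_prefs(text).items():
        if name in URL_PREFS:
            host = urlparse(value).hostname or ""
            if not host:
                findings.append((name, value, "search URL has no host"))
            elif not host_allowed(host):
                findings.append((name, value, f"search URL points at {host}"))
        elif name in ENGINE_NAME_PREFS and value not in ALLOWED_ENGINE_NAMES:
            findings.append((name, value, "unexpected search engine name"))
    return findings


# Constructed sample prefs.js content modelled on the entries in the CFScript.
SAMPLE_PREFS_JS = r'''
// Mozilla User Preferences
user_pref("browser.search.defaulturl", "http://www10.yoog.com/search.php?q=");
user_pref("browser.search.selectedEngine", "Yoog Search");
user_pref("keyword.URL", "http://www10.yoog.com/search.php?q=");
user_pref("browser.startup.homepage", "http://www.google.com/");
user_pref("network.cookie.cookieBehavior", 0);
'''

if __name__ == "__main__":
    for pref, value, reason in find_search_hijack(SAMPLE_PREFS_JS):
        print(f"{pref} = {value!r}: {reason}")
```

Run it against the prefs.js and user.js of the affected profile (the profile path is in the CFScript's FF - ProfilePath line); user.js entries override prefs.js, so a clean prefs.js alone does not prove the hijack is gone.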
Re: Trouble with Globaladsolutions + Yoog + Trojan Mailfinder

Unread postby thedrevlow » January 27th, 2009, 12:21 am

Here's my Combofix log:

ComboFix 09-01-21.04 - Drevs 2009-01-26 21:32:25.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.510 [GMT -6:00]
Running from: c:\documents and settings\Drevs\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Drevs\Desktop\CFScript.txt
AV: The Shield Deluxe 2009 *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Drevs\Application Data\Azureus
c:\documents and settings\Drevs\Application Data\Azureus\.certs
c:\documents and settings\Drevs\Application Data\Azureus\.keystore
c:\documents and settings\Drevs\Application Data\Azureus\.lock
c:\documents and settings\Drevs\Application Data\Azureus\active\9ADA886C83138D50895DD3CD85573C7FC331B0C9.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\9F471A2C6831DF5780DDD9CD47BA705714DC3A74.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\9F471A2C6831DF5780DDD9CD47BA705714DC3A74.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\A0D7FEB865F6AEBA09B01FDA69B8D0FAE971BCCA.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\A0D7FEB865F6AEBA09B01FDA69B8D0FAE971BCCA.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\A0FC1BE5154265EE2A765A916D9AB4182C36A36B.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\A0FC1BE5154265EE2A765A916D9AB4182C36A36B.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\A3B642C32F1EBCCFBB79012D42B16EC46152F779.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\A3B642C32F1EBCCFBB79012D42B16EC46152F779.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\A709FC84B4A1072F47BA93E865250CBAB9B6A294.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\A709FC84B4A1072F47BA93E865250CBAB9B6A294.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\B381DB175435E3547E9A55EF9598824EDD73DC6D.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\B381DB175435E3547E9A55EF9598824EDD73DC6D.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\B4F62EEF16B78C3DE5A11EDF4EB236C2FD806CC2.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\B4F62EEF16B78C3DE5A11EDF4EB236C2FD806CC2.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\B66A11C42F2C453FD87B94BEC113083E35395E6D.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\B66A11C42F2C453FD87B94BEC113083E35395E6D.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\B8230CC6033C4880D1600A0EEBEA14F847D63B01.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\B8230CC6033C4880D1600A0EEBEA14F847D63B01.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\B93C716588FB39ECB3B7B77FB463A4B214BA17F5.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\B93C716588FB39ECB3B7B77FB463A4B214BA17F5.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\B96952D1CA93F1D9EED7642D52A45A0015796E83.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\B96952D1CA93F1D9EED7642D52A45A0015796E83.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\BB9CBE1C81E5AEDEEF215D7E2ECDD9D18F1C5EE0.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\BB9CBE1C81E5AEDEEF215D7E2ECDD9D18F1C5EE0.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\BC44F3641EA94F7BA744D5F2C0F522EAB5330346.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\BC44F3641EA94F7BA744D5F2C0F522EAB5330346.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\C22E7127579D4FD61AD4CB5A81B72FA02FB9858D.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\C22E7127579D4FD61AD4CB5A81B72FA02FB9858D.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\C2B3E536BCA99F966F4221BF6D774D42C71F8CE7.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\C2B3E536BCA99F966F4221BF6D774D42C71F8CE7.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\C34D4AEEAEA916DA59F8F58D7B88BE5DA0C7D5EF.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\C34D4AEEAEA916DA59F8F58D7B88BE5DA0C7D5EF.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\C67E00200F821CC0291846EC8CE682B4351C69CB.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\C67E00200F821CC0291846EC8CE682B4351C69CB.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\C70E5820308FF3C9187393FB34A9D31CF1A9BCCB.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\C70E5820308FF3C9187393FB34A9D31CF1A9BCCB.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\C8155A2A83701ADE0D477EE1FDC4E9117F0E31EF.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\C8155A2A83701ADE0D477EE1FDC4E9117F0E31EF.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\C99AB37F81DAAE21CCCF3B2D842DDB8061C78D0A.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\C99AB37F81DAAE21CCCF3B2D842DDB8061C78D0A.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\cache.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\CB4B890A299524A84524891D2954C639F9ED18FC.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\CB4B890A299524A84524891D2954C639F9ED18FC.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\CCFD6C8A96D7D08B1F634B308E67BD76B7D38B86.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\CCFD6C8A96D7D08B1F634B308E67BD76B7D38B86.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\CD4E3C885364160D478495A269E774658A4390FA.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\CD4E3C885364160D478495A269E774658A4390FA.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\D1304B63D25747D68847D8DB82536931344D91F7.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\D1304B63D25747D68847D8DB82536931344D91F7.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\D33E77CA8062907F8867B688F177ECA72BA5125A.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\D33E77CA8062907F8867B688F177ECA72BA5125A.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\D3762E126DDFAE99DE20324E8A093146F07C9C89.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\D3762E126DDFAE99DE20324E8A093146F07C9C89.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\D4A1DED517BF168556B2E53D61A11B6B26B3B8FE.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\D4A1DED517BF168556B2E53D61A11B6B26B3B8FE.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\D6A38389E36C46B7DD7DC93E1BBED4742A2917A9.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\D6A38389E36C46B7DD7DC93E1BBED4742A2917A9.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\DB2734800947A6866405FD4275776FC22FA866F4.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\DB2734800947A6866405FD4275776FC22FA866F4.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\DB3EADDB0F7E11EC3590F5040DA8BFC67492180B.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\DB3EADDB0F7E11EC3590F5040DA8BFC67492180B.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\DC0E5F9AC3D418C09C6C15E54EDC7929948FDE90.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\DC0E5F9AC3D418C09C6C15E54EDC7929948FDE90.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\DE3D75572DC8D9AC0196118CB8C268A2AF32B995.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\DE3D75572DC8D9AC0196118CB8C268A2AF32B995.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\DF49A93CDC4C0DFE5E36DB39952C31202E7982B6.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\DF49A93CDC4C0DFE5E36DB39952C31202E7982B6.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\E285D158A4781C8B4ED7AE2B8BF39D456D485B22.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\E285D158A4781C8B4ED7AE2B8BF39D456D485B22.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\E31018DA2C763C70A7D7FB49CB60C0BF329477FF.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\E31018DA2C763C70A7D7FB49CB60C0BF329477FF.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\E5D6712773FB4B113948C43DCE1904339A8D393B.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\E5D6712773FB4B113948C43DCE1904339A8D393B.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\E65952AF4CEF5EEB3377CB1FC725E0793C3418E9.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\E65952AF4CEF5EEB3377CB1FC725E0793C3418E9.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\E7E84B87A1F49420E9B287B78B99E06E72E9A2A8.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\E7E84B87A1F49420E9B287B78B99E06E72E9A2A8.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\EA5368E0295204A891F0ED0E4B26CAC33E56F2EA.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\EA5368E0295204A891F0ED0E4B26CAC33E56F2EA.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\EAB3C4D7CEDF4651B0C92ACFD26E99A215EFB616.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\EAB3C4D7CEDF4651B0C92ACFD26E99A215EFB616.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\EB6E456309B45F6F56439ED8CCAD584D7FF8BE39.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\EB6E456309B45F6F56439ED8CCAD584D7FF8BE39.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\ECB8DCA8B032C4164E1FD7B4C89F225D8815848D.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\ECB8DCA8B032C4164E1FD7B4C89F225D8815848D.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\ED3ECB8309A8EA1E1BD69754AA9924AA4AB4B92F.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\ED3ECB8309A8EA1E1BD69754AA9924AA4AB4B92F.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\F449B4B6840B76F94BC1748DD3A721BFD7EA2466.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\F449B4B6840B76F94BC1748DD3A721BFD7EA2466.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\F61BF9CF6BD4A4987579ED9845AED38CA176533C.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\F61BF9CF6BD4A4987579ED9845AED38CA176533C.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\F78DC9260E528203350D66F76A12F408048DAE94.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\F78DC9260E528203350D66F76A12F408048DAE94.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\FAB5A35DC30E03E8CF75C1D2AEA497932861424C.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\FAB5A35DC30E03E8CF75C1D2AEA497932861424C.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\FABBE95C0184C95516906DD7AE2B447F4CF11855.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\FABBE95C0184C95516906DD7AE2B447F4CF11855.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\FB8ED9BF0C5EE992E3667A03E1992CA0AC5A800E.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\FB8ED9BF0C5EE992E3667A03E1992CA0AC5A800E.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\FBF174C13A7FFBECEB0AA3A573F81F1BB3B53AFF.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\FBF174C13A7FFBECEB0AA3A573F81F1BB3B53AFF.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\FF80FFEE8BEC4C99AF9354BD2796855F052067FC.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\FF80FFEE8BEC4C99AF9354BD2796855F052067FC.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\active\FFE4897B7AA6A91C913B0710D0A1AFE6D8523AD3.dat
c:\documents and settings\Drevs\Application Data\Azureus\active\FFE4897B7AA6A91C913B0710D0A1AFE6D8523AD3.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\azureus.config
c:\documents and settings\Drevs\Application Data\Azureus\azureus.config.bak
c:\documents and settings\Drevs\Application Data\Azureus\azureus.statistics
c:\documents and settings\Drevs\Application Data\Azureus\azureus.statistics.bak
c:\documents and settings\Drevs\Application Data\Azureus\banips.config
c:\documents and settings\Drevs\Application Data\Azureus\banips.config.bak
c:\documents and settings\Drevs\Application Data\Azureus\dht\addresses.dat
c:\documents and settings\Drevs\Application Data\Azureus\dht\contacts.dat
c:\documents and settings\Drevs\Application Data\Azureus\dht\diverse.dat
c:\documents and settings\Drevs\Application Data\Azureus\dht\general.dat
c:\documents and settings\Drevs\Application Data\Azureus\dht\version.dat
c:\documents and settings\Drevs\Application Data\Azureus\downloads.config
c:\documents and settings\Drevs\Application Data\Azureus\downloads.config.bak
c:\documents and settings\Drevs\Application Data\Azureus\friends.config
c:\documents and settings\Drevs\Application Data\Azureus\friends.config.bak
c:\documents and settings\Drevs\Application Data\Azureus\ipfilter.cache
c:\documents and settings\Drevs\Application Data\Azureus\logs\alerts_1.log
c:\documents and settings\Drevs\Application Data\Azureus\logs\AutoSpeed_1.log
c:\documents and settings\Drevs\Application Data\Azureus\logs\AutoSpeed_2.log
c:\documents and settings\Drevs\Application Data\Azureus\logs\AutoSpeedSearchHistory_1.log
c:\documents and settings\Drevs\Application Data\Azureus\logs\AutoSpeedSearchHistory_2.log
c:\documents and settings\Drevs\Application Data\Azureus\logs\clientid_1.log
c:\documents and settings\Drevs\Application Data\Azureus\logs\debug_1.log
c:\documents and settings\Drevs\Application Data\Azureus\logs\debug_2.log
c:\documents and settings\Drevs\Application Data\Azureus\logs\Friends_1.log
c:\documents and settings\Drevs\Application Data\Azureus\logs\Friends_2.log
c:\documents and settings\Drevs\Application Data\Azureus\logs\MetaSearch_1.log
c:\documents and settings\Drevs\Application Data\Azureus\logs\MetaSearch_Engine_3.txt
c:\documents and settings\Drevs\Application Data\Azureus\logs\MetaSearch_Engine_4.txt
c:\documents and settings\Drevs\Application Data\Azureus\logs\MetaSearch_Engine_5.txt
c:\documents and settings\Drevs\Application Data\Azureus\logs\MetaSearch_Engine_6.txt
c:\documents and settings\Drevs\Application Data\Azureus\logs\MetaSearch_Engine_9.txt
c:\documents and settings\Drevs\Application Data\Azureus\logs\NetStatus_1.log
c:\documents and settings\Drevs\Application Data\Azureus\logs\seltrace_1.log
c:\documents and settings\Drevs\Application Data\Azureus\logs\seltrace_2.log
c:\documents and settings\Drevs\Application Data\Azureus\logs\SpeedMan_1.log
c:\documents and settings\Drevs\Application Data\Azureus\logs\SpeedMan_2.log
c:\documents and settings\Drevs\Application Data\Azureus\logs\Subscriptions_1.log
c:\documents and settings\Drevs\Application Data\Azureus\logs\thread_1.log
c:\documents and settings\Drevs\Application Data\Azureus\logs\thread_2.log
c:\documents and settings\Drevs\Application Data\Azureus\logs\v3.ads_1.log
c:\documents and settings\Drevs\Application Data\Azureus\logs\v3.CMsgr_1.log
c:\documents and settings\Drevs\Application Data\Azureus\logs\v3.Friends_1.log
c:\documents and settings\Drevs\Application Data\Azureus\logs\v3.Friends_2.log
c:\documents and settings\Drevs\Application Data\Azureus\logs\v3.PMsgr_1.log
c:\documents and settings\Drevs\Application Data\Azureus\logs\v3.PMsgr_2.log
c:\documents and settings\Drevs\Application Data\Azureus\logs\v3.Stream_1.log
c:\documents and settings\Drevs\Application Data\Azureus\metasearch.config
c:\documents and settings\Drevs\Application Data\Azureus\metasearch.config.bak
c:\documents and settings\Drevs\Application Data\Azureus\net\pm_20115.dat
c:\documents and settings\Drevs\Application Data\Azureus\net\pm_default.dat
c:\documents and settings\Drevs\Application Data\Azureus\sidebarauto.config
c:\documents and settings\Drevs\Application Data\Azureus\sidebarauto.config.bak
c:\documents and settings\Drevs\Application Data\Azureus\subs\32E8D1849848B7F51127.vuze
c:\documents and settings\Drevs\Application Data\Azureus\subs\3A9C8A0AE7D876DABCD6.vuze
c:\documents and settings\Drevs\Application Data\Azureus\subs\41B5BA8E964DADE2D58B.vuze
c:\documents and settings\Drevs\Application Data\Azureus\subs\447229A3A371779E8871.vuze
c:\documents and settings\Drevs\Application Data\Azureus\subs\67490319D7F79247C3B0.vuze
c:\documents and settings\Drevs\Application Data\Azureus\subs\6E9476EB71E5154EB768.vuze
c:\documents and settings\Drevs\Application Data\Azureus\subs\8604680C6C0217A05619.vuze
c:\documents and settings\Drevs\Application Data\Azureus\subs\9167E16C9B7944056AC7.vuze
c:\documents and settings\Drevs\Application Data\Azureus\subs\E67D8443DF3B6D5C02B4.vuze
c:\documents and settings\Drevs\Application Data\Azureus\subscriptions.config
c:\documents and settings\Drevs\Application Data\Azureus\subscriptions.config.bak
c:\documents and settings\Drevs\Application Data\Azureus\tables.config
c:\documents and settings\Drevs\Application Data\Azureus\tables.config.bak
c:\documents and settings\Drevs\Application Data\Azureus\timingstats.dat
c:\documents and settings\Drevs\Application Data\Azureus\tmp\AZU57022.tmp
c:\documents and settings\Drevs\Application Data\Azureus\tmp\AZU57023.tmp
c:\documents and settings\Drevs\Application Data\Azureus\tmp\AZU57024.tmp
c:\documents and settings\Drevs\Application Data\Azureus\tmp\AZU57025.tmp
c:\documents and settings\Drevs\Application Data\Azureus\tmp\AZU57026.tmp
c:\documents and settings\Drevs\Application Data\Azureus\tmp\AZU57027.tmp
c:\documents and settings\Drevs\Application Data\Azureus\tmp\AZU57028.tmp
c:\documents and settings\Drevs\Application Data\Azureus\tmp\AZU57029.tmp
c:\documents and settings\Drevs\Application Data\Azureus\tmp\AZU57030.tmp
c:\documents and settings\Drevs\Application Data\Azureus\tmp\AZU57031.tmp
c:\documents and settings\Drevs\Application Data\Azureus\torrents\_ToddSnider2008-03-01.flac16[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\AZU11948.tmp
c:\documents and settings\Drevs\Application Data\Azureus\torrents\AZU11950.tmp
c:\documents and settings\Drevs\Application Data\Azureus\torrents\AZU14175.tmp
c:\documents and settings\Drevs\Application Data\Azureus\torrents\AZU17389.tmp
c:\documents and settings\Drevs\Application Data\Azureus\torrents\AZU17391.tmp
c:\documents and settings\Drevs\Application Data\Azureus\torrents\AZU19082.tmp
c:\documents and settings\Drevs\Application Data\Azureus\torrents\AZU23961.tmp
c:\documents and settings\Drevs\Application Data\Azureus\torrents\AZU23964.tmp
c:\documents and settings\Drevs\Application Data\Azureus\torrents\AZU29805.tmp
c:\documents and settings\Drevs\Application Data\Azureus\torrents\AZU3015.tmp
c:\documents and settings\Drevs\Application Data\Azureus\torrents\AZU33550.tmp
c:\documents and settings\Drevs\Application Data\Azureus\torrents\AZU3600.tmp
c:\documents and settings\Drevs\Application Data\Azureus\torrents\AZU42233.tmp
c:\documents and settings\Drevs\Application Data\Azureus\torrents\AZU49726.tmp
c:\documents and settings\Drevs\Application Data\Azureus\torrents\AZU49732.tmp
c:\documents and settings\Drevs\Application Data\Azureus\torrents\AZU49736.tmp
c:\documents and settings\Drevs\Application Data\Azureus\torrents\AZU49738.tmp
c:\documents and settings\Drevs\Application Data\Azureus\torrents\AZU51629.tmp
c:\documents and settings\Drevs\Application Data\Azureus\torrents\AZU60668.tmp
c:\documents and settings\Drevs\Application Data\Azureus\torrents\AZU62291.tmp
c:\documents and settings\Drevs\Application Data\Azureus\torrents\AZU62294.tmp
c:\documents and settings\Drevs\Application Data\Azureus\torrents\Beatles[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\Billy_Bragg_&_Wilco_-_Man_In_The_Sand_(1999)_[DVDrip_Xvid][1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\Bright.Eyes.-.BBC.Session.2007_03_15[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\Bright.Eyes.2006-06-16.4011s.16.Bit[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\brighteyes2007-03-07[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\BrightEyes2007-11-19[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\CAE..Dec.12.2004.and.Jun.24.2005[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\CashDenmark[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\Cat.Power.-.2006.09.17-Austin.City.Limits[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\Cat.Power.2008-01-29-mp2[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\Cat_Power_-_compilation.3431541.TPB[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\George_Carlin_-_Complaints_and_Grievances_(2001).avi[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\George_Carlin_-_More_Napalm_and_Silly_Putty_(2_CD_set)[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\Highwaymen.-.960604.-.Los.Angeles%2C.CA[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\HoldSteady2007-11-19.flac16[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\Jack_White_and_Alicia_Keys-Another_Way_To_Die-Promo_CDS-2008-XXL[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\JerryJeff[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\Jesse.Malin.-.Cambridge%2C.MA.-.April.1%2C.2008.%28sbd%29[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\John.Prine.Paramount.Thea.Denver.12.Apr.2007[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\John_Prine_-_Great_Days_Anthology[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\Josh.Ritter.-.2007-10-21.-.Seattle[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\Josh.Ritter.-.Live.On.KCRW[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\Josh.Ritter.2005-10-20.etree[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\joshritter2007-08-24.aud.flac16[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\joshritter2007-08-24.fm.flac16[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\los_campesinos-hold_on_now_youngster(retail)-PJS[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\Los_Campesinos!_-_Hold_On_Now,_Youngster..._[2008][1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\Malcolm_Middleton_-_A_Brighter_Beat_[2007][1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\Max_Brooks_-_World_War_Z_An_Oral_History_of_the_Zombie_War[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\Modest_Mouse_-_15_Full_Albums__amp__EPs.3787941.TPB[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\Mountain_Goats,_The_-_Black_Pear_Tree_EP[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\No.Stone.Uncovered.Vol.22.-.A.Rolling.Stones.Covers.Project.%28various.artists%29[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\NSD.11[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\NSD.14[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\snider.2007-09-21[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\snider_19921210[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\snider_20050128[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\snider_20070118[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\snider_20070307[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\snider_20070804[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\snider_20071026[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\snider_20071117[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\snider_20080313[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\snider_elmobuzz08[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\snider_hood_20030710[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\snider_prinecompilation[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\snider20070920[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\SniderTodd06-10-15MarilynsSacramentoCA[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\Sons_And_Daughters_-_Johnny_Cash.mpg[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\The.Hold.Steady.2007-11-19.4011s.16.Bit[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\The_Dan_Band_-_Live![1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\The_Weepies_Happiness[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\TheHoldSteady2008-03-27[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\todd.4-21-02.SHN[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\Todd.Snider.-.2004-12-30.-.Chicago%2C.IL[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\Todd.Snider.-.2005-03-05.-.Clear.Lake%2C.IA[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\Todd.Snider.-.Tales.From.Moondawgs.Tavern[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\Todd.Snider.2007-11-10[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\TODD.SNIDER.20080216.CEDAR.RAPIDS.IA.USA[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\Todd.Snider.Nov..8th.2007.DVD[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\Todd_Snider-4_album-[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\Todd_Snider2006-09-17_SBD_16_shn[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\ToddSnider2003-03-29.shn[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\ToddSnider2007-10-12.Indianapolis%2C.IN.flac16[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\ToddSnider2008-02-22.flac16[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\ToddSnider2008-03-01.flac16[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\ToddSnider2008-03-14.flac16[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\ToddSnider2008-03-15.flac16[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\ToddSnider9-22-07.Dayton%2C.OH.flac16[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\TS.2007.02.26[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\ts2004-02-27.sbd.flac16[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\tsnider2007-01-26.ck61.flac16[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\tsnider2007-03-06.flac16[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\TV_On_The_Radio.3850182.TPB[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\TV_on_the_Radio_-_Discography[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\Warren.Zevon.1994-03-06.Aspen.CO[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\zevon.early.show.december.26%2C.1991.flac[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\torrents\ZEVON1991.12.26.LATE.AUD.FLAC[1].torrent
c:\documents and settings\Drevs\Application Data\Azureus\tracker.config
c:\documents and settings\Drevs\Application Data\Azureus\tracker.config.bak
c:\documents and settings\Drevs\Application Data\Azureus\unsentdata.config
c:\documents and settings\Drevs\Application Data\Azureus\unsentdata.config.bak
c:\documents and settings\Drevs\Application Data\Azureus\update.log
c:\documents and settings\Drevs\Application Data\Azureus\update.properties
c:\documents and settings\Drevs\Application Data\Azureus\v3.Friends.dat
c:\documents and settings\Drevs\Application Data\Azureus\v3.Friends.dat.bak
c:\documents and settings\Drevs\Application Data\Azureus\VuzeActivities.config
c:\documents and settings\Drevs\Application Data\Azureus\VuzeActivities.config.bak

.
((((((((((((((((((((((((( Files Created from 2008-12-27 to 2009-01-27 )))))))))))))))))))))))))))))))
.

2009-01-16 22:07 . 2009-01-16 22:13 <DIR> d-------- c:\documents and settings\Drevs\Application Data\PeaZip
2009-01-16 20:56 . 2009-01-16 20:57 <DIR> d-------- c:\program files\PeaZip
2009-01-15 23:09 . 2009-01-15 23:09 <DIR> d-------- c:\windows\system32\scripting
2009-01-15 23:09 . 2009-01-15 23:09 <DIR> d-------- c:\windows\system32\en
2009-01-15 23:09 . 2009-01-15 23:09 <DIR> d-------- c:\windows\system32\bits
2009-01-15 23:09 . 2009-01-15 23:09 <DIR> d-------- c:\windows\l2schemas
2009-01-15 23:03 . 2009-01-15 23:03 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-15 22:43 . 2009-01-15 22:43 <DIR> d-------- c:\windows\EHome
2009-01-15 20:23 . 2009-01-15 21:55 <DIR> d-------- c:\windows\SxsCaPendDel
2009-01-12 14:52 . 2008-04-13 13:00 30,080 --a------ c:\windows\system32\drivers\modem.sys
2009-01-11 22:25 . 2004-08-03 22:29 1,897,408 --a------ c:\windows\system32\drivers\nv4_mini.sys
2009-01-11 21:35 . 2009-01-13 15:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard
2009-01-11 21:34 . 2009-01-11 21:34 <DIR> d-------- c:\program files\Common Files\iS3
2009-01-11 21:34 . 2009-01-15 20:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-01-11 09:23 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2009-01-11 09:23 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2009-01-11 09:22 . 2009-01-11 09:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-10 20:03 . 2009-01-10 20:06 <DIR> d-------- c:\program files\QuickTime
2009-01-10 17:25 . 2009-01-10 17:27 <DIR> d-------- c:\program files\Safari
2009-01-10 16:46 . 2009-01-10 16:46 <DIR> d-------- c:\program files\Conduit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-27 03:52 9,429,536 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-01-26 04:25 276,512 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-01-26 04:25 27,296 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-01-26 04:25 126,476 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-01-25 18:20 --------- d-----w c:\documents and settings\All Users\Application Data\PCSecurityShield
2009-01-11 15:22 --------- d-----w c:\program files\iPod
2009-01-11 15:22 --------- d-----w c:\program files\Common Files\Apple
2009-01-11 07:06 --------- d-----w c:\program files\iTunes
2008-12-17 16:16 --------- d-----w c:\documents and settings\Drevs\Application Data\U3
2008-12-14 16:59 129,024 ----a-w c:\windows\system32\vumrjara.dll
2008-12-14 16:59 129,024 ----a-w c:\windows\system32\vgoeve.dll
2008-12-13 23:44 129,024 ----a-w c:\windows\system32\psvjvcsw.dll
2008-12-13 23:44 129,024 ----a-w c:\windows\system32\gnfijm.dll
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-12 02:45 129,024 ----a-w c:\windows\system32\wftseglu.dll
2008-12-12 02:45 129,024 ----a-w c:\windows\system32\guvzis.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-10 01:09 72,704 ----a-w c:\windows\system32\vxnodxyn.dll
2008-12-06 20:09 --------- d-----w c:\program files\Google
2008-12-02 02:45 96,976 ----a-w c:\windows\system32\drivers\klin.dat
2008-12-02 02:45 87,855 ----a-w c:\windows\system32\drivers\klick.dat
2008-12-02 02:43 --------- d-----w c:\program files\PCSecurityShield
2008-12-02 02:42 --------- d-----w c:\documents and settings\All Users\Application Data\PCSecurityShield Setup Files
2008-12-02 02:25 --------- d-----w c:\documents and settings\Drevs\Application Data\eMusic
2008-02-21 05:07 826 ----a-w c:\documents and settings\Drevs\Application Data\wklnhst.dat
2008-09-05 06:06 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2004-08-04 10:00 94,784 --sh--w c:\windows\twain.dll
2008-04-14 00:12 50,688 --sh--w c:\windows\twain_32.dll
2007-03-01 06:03 88 --sh--r c:\windows\system32\5956ED434D.sys
2007-03-01 06:03 3,350 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-04-14 00:11 1,028,096 --sha-w c:\windows\system32\mfc42.dll
2008-04-14 00:12 57,344 --sha-w c:\windows\system32\msvcirt.dll
2008-04-14 00:12 413,696 --sha-w c:\windows\system32\msvcp60.dll
2008-04-14 00:12 343,040 --sha-w c:\windows\system32\msvcrt.dll
2008-04-14 00:12 551,936 --sha-w c:\windows\system32\oleaut32.dll
2008-04-14 00:12 84,992 --sha-w c:\windows\system32\olepro32.dll
2008-04-14 00:12 11,776 --sha-w c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((( snapshot@2009-01-23_18.05.54.32 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-16 05:46:49 32,768 ------w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-26 04:24:48 32,768 ------w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-16 05:46:49 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-26 04:24:48 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-16 05:46:49 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-26 04:24:48 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-16 389120]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 98304]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-10-15 26112]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-05 29744]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"CXMon"="c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-27 45056]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2007-07-03 64000]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="F:\iTunesHelper.exe" [2008-11-20 290088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\PCSecurityShield\\The Shield Deluxe 2009\\avp.exe"=
"f:\\iTunes.exe"=

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-12-13 24592]
R3 PAC207;Webcam 1200;c:\windows\system32\drivers\PFC027.SYS [2008-08-08 611584]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2006-10-15 29744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60f7584f-6302-11db-9bf4-001676a21b23}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a339258d-e543-11db-856d-001676a21b23}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a3392593-e543-11db-856d-001676a21b23}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b67fe15a-59ad-11dd-8609-001676a21b23}]
\Shell\AutoRun\command - e:\wd_windows_tools\WDSetup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&cli ... bd=3061015
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: NCS.COM
Trusted Zone: NCS.COM\erpepen.ic
Trusted Zone: ncspearson.com
Trusted Zone: pearson.com
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxps://www-307.ibm.com/pc/support/acce ... /AcpIR.cab
FF - ProfilePath - c:\documents and settings\Drevs\Application Data\Mozilla\Firefox\Profiles\xaad3v30.default\
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: f:\mozilla plugins\npitunes.dll

---- FIREFOX POLICIES ----
FF - user.js: keyword.enabled - true
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-26 21:50:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)
c:\program files\PCSecurityShield\The Shield Deluxe 2009\miscr3.dll
c:\windows\system32\klogon.dll

- - - - - - - > 'lsass.exe'(1012)
c:\program files\PCSecurityShield\The Shield Deluxe 2009\dnsq.dll
c:\program files\PCSecurityShield\The Shield Deluxe 2009\miscr3.dll
c:\program files\PCSecurityShield\The Shield Deluxe 2009\fssync.dll
.
Completion time: 2009-01-26 21:57:53
ComboFix-quarantined-files.txt 2009-01-27 03:57:46
ComboFix2.txt 2009-01-25 17:59:47
ComboFix3.txt 2009-01-24 00:09:11

Pre-Run: 56,655,761,408 bytes free
Post-Run: 56,624,914,432 bytes free

693 --- E O F --- 2009-01-17 09:02:31

Here's my new hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:12:27 PM, on 1/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
F:\iTunesHelper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=3061015
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\iTunesHelper.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\PCSecurityShield\The Shield Deluxe 2009\SCIEPlgn.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.NCS.COM
O15 - Trusted Zone: *.ncspearson.com
O15 - Trusted Zone: *.pearson.com
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} - http://ependownload.ncspearson.com/auth ... wswaxd.cab
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/acce ... /AcpIR.cab
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: The Shield Deluxe 2009 (AVP) - Unknown owner - C:\Program Files\PCSecurityShield\The Shield Deluxe 2009\avp.exe" -r (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
thedrevlow

Re: Trouble with Globaladsolutions + Yoog + Trojan Mailfinder

Unread postby Bv202 » January 27th, 2009, 12:21 pm

Hi thedrevlow

There are some other bad files in the logs now... we'll remove them first.

COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    c:\windows\system32\vumrjara.dll
    c:\windows\system32\vgoeve.dll
    c:\windows\system32\psvjvcsw.dll
    c:\windows\system32\gnfijm.dll
    c:\windows\system32\wftseglu.dll
    c:\windows\system32\guvzis.dll
    c:\windows\system32\vxnodxyn.dll
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Run Kaspersky Online AV Scanner
Note: Internet Explorer should be used.

Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply.

In your next reply, please post:
1) The ComboFix report
2) The Kaspersky report
3) A new HijackThis log
4) Tell me how the computer is running now.
Bv202
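The File:: block above deletes seven randomly named DLLs that appear in the Find3M section of the ComboFix log (all 129,024 or 72,704 bytes, dropped in pairs minutes apart, living loose in system32). Bv202 does not say how those were picked out, so the script below is an added example of my own, not code from the thread, from ComboFix or from the helper: it parses Find3M lines, scores each file with a triage heuristic I made up for this illustration (loose DLL in system32, 5-8 lowercase letters with no digits, plain attributes rather than the system/hidden bits core OS files carry, modified inside the infection window, and a same-size sibling created within ten minutes), and prints the candidates in the File:: form the CFScript uses. The sample lines are constructed from file names posted in this thread; the scoring weights, threshold and 60-day window are assumptions, and the result is a list of things to verify (hash lookup, signature check), not a verdict.

```python
import re
from datetime import datetime, timedelta

# Find3M line as ComboFix prints it: "<date> <time> <size|-----> <attrs> <path>"
FIND3M_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|-+)\s+(?P<attrs>[-a-z]+)\s+(?P<path>.+)$"
)

# Constructed sample: a few Find3M lines in the shape of the report above. File
# names come from the thread; the mix is chosen to show hits and non-hits.
SAMPLE_FIND3M = """\
2008-12-14 16:59 129,024 ----a-w c:\\windows\\system32\\vumrjara.dll
2008-12-14 16:59 129,024 ----a-w c:\\windows\\system32\\vgoeve.dll
2008-12-13 06:40 3,593,216 ----a-w c:\\windows\\system32\\dllcache\\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\\windows\\system32\\drivers\\srv.sys
2008-12-10 01:09 72,704 ----a-w c:\\windows\\system32\\vxnodxyn.dll
2008-12-06 20:09 --------- d-----w c:\\program files\\Google
2008-04-14 00:12 343,040 --sha-w c:\\windows\\system32\\msvcrt.dll
2008-09-05 06:06 122,880 ----a-w c:\\program files\\mozilla firefox\\components\\GoogleDesktopMozilla.dll
"""

RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}$")  # assumption: 5-8 lowercase letters, no digits
SYSTEM32 = "c:\\windows\\system32"


def parse_find3m(text):
    """Parse Find3M lines into dicts; directory rows (size '---------') are skipped."""
    entries = []
    for line in text.splitlines():
        m = FIND3M_RE.match(line.strip())
        if not m or m.group("size").startswith("-"):
            continue
        entries.append({
            "when": datetime.strptime(m.group("date") + " " + m.group("time"), "%Y-%m-%d %H:%M"),
            "size": int(m.group("size").replace(",", "")),
            "attrs": m.group("attrs"),
            "path": m.group("path"),
        })
    return entries


def score_entry(e, entries, log_date, recent_days=60):
    """Triage score (my heuristic, not the helper's method): higher means more suspicious."""
    directory, _, name = e["path"].rpartition("\\")
    stem, _, ext = name.rpartition(".")
    score = 0
    if directory.lower() == SYSTEM32 and ext.lower() == "dll":
        score += 2  # loose DLL directly in system32, not in a subfolder
    if RANDOM_NAME_RE.match(stem):
        score += 2  # random-looking name, no vendor prefix or version digits
    if "s" not in e["attrs"] and "h" not in e["attrs"]:
        score += 1  # plain attributes; protected OS files above carry s/h bits
    if log_date - e["when"] <= timedelta(days=recent_days):
        score += 1  # modified inside the assumed infection window
    for other in entries:  # dropper pair: same folder, same size, within 10 minutes
        if other is e:
            continue
        if (other["path"].rpartition("\\")[0].lower() == directory.lower()
                and other["size"] == e["size"]
                and abs(other["when"] - e["when"]) <= timedelta(minutes=10)):
            score += 2
            break
    return score


def flag_suspicious(text, log_date_iso, threshold=5):
    """Return sorted paths scoring at or above the (assumed) threshold."""
    log_date = datetime.strptime(log_date_iso, "%Y-%m-%d")
    entries = parse_find3m(text)
    return sorted(e["path"] for e in entries if score_entry(e, entries, log_date) >= threshold)


def build_cfscript(paths):
    """Emit the File:: block in the form posted in the thread."""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    print(build_cfscript(flag_suspicious(SAMPLE_FIND3M, "2009-01-27")))
```

On the sample, the two 129,024-byte siblings and vxnodxyn.dll score 8, 8 and 6 and land in the File:: block; msvcrt.dll (system/hidden bits, dated with the SP3 files) and dllcache\mshtml.dll stop at 4. The thresholds are tuned to this one log, so anything the script lists still has to be checked before it goes into a CFScript, and the page's own warning stands: ComboFix is run only under a helper's direction.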

Re: Trouble with Globaladsolutions + Yoog + Trojan Mailfinder

Unread postby thedrevlow » January 27th, 2009, 9:35 pm

Here is the Combofix log:

ComboFix 09-01-21.04 - Drevs 2009-01-27 13:47:06.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.261 [GMT -6:00]
Running from: c:\documents and settings\Drevs\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Drevs\Desktop\CFScript.txt
AV: The Shield Deluxe 2009 *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\gnfijm.dll
c:\windows\system32\guvzis.dll
c:\windows\system32\psvjvcsw.dll
c:\windows\system32\vgoeve.dll
c:\windows\system32\vumrjara.dll
c:\windows\system32\vxnodxyn.dll
c:\windows\system32\wftseglu.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\gnfijm.dll
c:\windows\system32\guvzis.dll
c:\windows\system32\psvjvcsw.dll
c:\windows\system32\vgoeve.dll
c:\windows\system32\vumrjara.dll
c:\windows\system32\vxnodxyn.dll
c:\windows\system32\wftseglu.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-27 to 2009-01-27 )))))))))))))))))))))))))))))))
.

2009-01-16 22:07 . 2009-01-16 22:13 <DIR> d-------- c:\documents and settings\Drevs\Application Data\PeaZip
2009-01-16 20:56 . 2009-01-16 20:57 <DIR> d-------- c:\program files\PeaZip
2009-01-15 23:09 . 2009-01-15 23:09 <DIR> d-------- c:\windows\system32\scripting
2009-01-15 23:09 . 2009-01-15 23:09 <DIR> d-------- c:\windows\system32\en
2009-01-15 23:09 . 2009-01-15 23:09 <DIR> d-------- c:\windows\system32\bits
2009-01-15 23:09 . 2009-01-15 23:09 <DIR> d-------- c:\windows\l2schemas
2009-01-15 23:03 . 2009-01-15 23:03 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-15 22:43 . 2009-01-15 22:43 <DIR> d-------- c:\windows\EHome
2009-01-15 20:23 . 2009-01-15 21:55 <DIR> d-------- c:\windows\SxsCaPendDel
2009-01-12 14:52 . 2008-04-13 13:00 30,080 --a------ c:\windows\system32\drivers\modem.sys
2009-01-11 22:25 . 2004-08-03 22:29 1,897,408 --a------ c:\windows\system32\drivers\nv4_mini.sys
2009-01-11 21:35 . 2009-01-13 15:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard
2009-01-11 21:34 . 2009-01-11 21:34 <DIR> d-------- c:\program files\Common Files\iS3
2009-01-11 21:34 . 2009-01-15 20:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-01-11 09:23 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2009-01-11 09:23 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2009-01-11 09:22 . 2009-01-11 09:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-10 20:03 . 2009-01-10 20:06 <DIR> d-------- c:\program files\QuickTime
2009-01-10 17:25 . 2009-01-10 17:27 <DIR> d-------- c:\program files\Safari
2009-01-10 16:46 . 2009-01-10 16:46 <DIR> d-------- c:\program files\Conduit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-27 19:53 9,529,888 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-01-27 19:53 280,096 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-01-27 05:27 --------- d-----w c:\documents and settings\All Users\Application Data\PCSecurityShield
2009-01-26 04:25 27,296 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-01-26 04:25 126,476 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-01-11 15:22 --------- d-----w c:\program files\iPod
2009-01-11 15:22 --------- d-----w c:\program files\Common Files\Apple
2009-01-11 07:06 --------- d-----w c:\program files\iTunes
2008-12-17 16:16 --------- d-----w c:\documents and settings\Drevs\Application Data\U3
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-06 20:09 --------- d-----w c:\program files\Google
2008-12-02 02:45 96,976 ----a-w c:\windows\system32\drivers\klin.dat
2008-12-02 02:45 87,855 ----a-w c:\windows\system32\drivers\klick.dat
2008-12-02 02:43 --------- d-----w c:\program files\PCSecurityShield
2008-12-02 02:42 --------- d-----w c:\documents and settings\All Users\Application Data\PCSecurityShield Setup Files
2008-12-02 02:25 --------- d-----w c:\documents and settings\Drevs\Application Data\eMusic
2008-02-21 05:07 826 ----a-w c:\documents and settings\Drevs\Application Data\wklnhst.dat
2008-09-05 06:06 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2004-08-04 10:00 94,784 --sh--w c:\windows\twain.dll
2008-04-14 00:12 50,688 --sh--w c:\windows\twain_32.dll
2007-03-01 06:03 88 --sh--r c:\windows\system32\5956ED434D.sys
2007-03-01 06:03 3,350 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-04-14 00:11 1,028,096 --sha-w c:\windows\system32\mfc42.dll
2008-04-14 00:12 57,344 --sha-w c:\windows\system32\msvcirt.dll
2008-04-14 00:12 413,696 --sha-w c:\windows\system32\msvcp60.dll
2008-04-14 00:12 343,040 --sha-w c:\windows\system32\msvcrt.dll
2008-04-14 00:12 551,936 --sha-w c:\windows\system32\oleaut32.dll
2008-04-14 00:12 84,992 --sha-w c:\windows\system32\olepro32.dll
2008-04-14 00:12 11,776 --sha-w c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((( snapshot@2009-01-23_18.05.54.32 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-16 05:46:49 32,768 ------w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-26 04:24:48 32,768 ------w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-16 05:46:49 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-26 04:24:48 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-16 05:46:49 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-26 04:24:48 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-16 389120]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 98304]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-10-15 26112]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-05 29744]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"CXMon"="c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-27 45056]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2007-07-03 64000]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="F:\iTunesHelper.exe" [2008-11-20 290088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\PCSecurityShield\\The Shield Deluxe 2009\\avp.exe"=
"f:\\iTunes.exe"=

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-12-13 24592]
R3 PAC207;Webcam 1200;c:\windows\system32\drivers\PFC027.SYS [2008-08-08 611584]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2006-10-15 29744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60f7584f-6302-11db-9bf4-001676a21b23}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a339258d-e543-11db-856d-001676a21b23}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a3392593-e543-11db-856d-001676a21b23}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b67fe15a-59ad-11dd-8609-001676a21b23}]
\Shell\AutoRun\command - e:\wd_windows_tools\WDSetup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&cli ... bd=3061015
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: NCS.COM
Trusted Zone: NCS.COM\erpepen.ic
Trusted Zone: ncspearson.com
Trusted Zone: pearson.com
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxps://www-307.ibm.com/pc/support/acce ... /AcpIR.cab
FF - ProfilePath - c:\documents and settings\Drevs\Application Data\Mozilla\Firefox\Profiles\xaad3v30.default\
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: f:\mozilla plugins\npitunes.dll

---- FIREFOX POLICIES ----
FF - user.js: keyword.enabled - true
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-27 13:53:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)
c:\program files\PCSecurityShield\The Shield Deluxe 2009\miscr3.dll
c:\windows\system32\klogon.dll

- - - - - - - > 'lsass.exe'(1012)
c:\program files\PCSecurityShield\The Shield Deluxe 2009\dnsq.dll
c:\program files\PCSecurityShield\The Shield Deluxe 2009\miscr3.dll
c:\program files\PCSecurityShield\The Shield Deluxe 2009\fssync.dll
.
Completion time: 2009-01-27 13:58:51
ComboFix-quarantined-files.txt 2009-01-27 19:57:31
ComboFix2.txt 2009-01-27 03:58:07
ComboFix3.txt 2009-01-25 17:59:47
ComboFix4.txt 2009-01-24 00:09:11

Pre-Run: 56,664,064,000 bytes free
Post-Run: 56,644,722,688 bytes free

208 --- E O F --- 2009-01-17 09:02:31

Here is the Kaspersky scan log:

KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, January 27, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, January 27, 2009 19:28:31
Records in database: 1711107
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\

Scan statistics:
Files scanned: 118575
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:59:39

No malware has been detected. The scan area is clean.

The selected area was scanned.

And here is the new hijackthislog:

Logfile of HijackThis v1.99.1
Scan saved at 7:30:03 PM, on 1/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
F:\iTunesHelper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
F:\iTunes.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2009\avp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=3061015
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\PCSecurityShield\The Shield Deluxe 2009\SCIEPlgn.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.NCS.COM
O15 - Trusted Zone: *.ncspearson.com
O15 - Trusted Zone: *.pearson.com
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} - http://ependownload.ncspearson.com/auth ... wswaxd.cab
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/acce ... /AcpIR.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/jre/ ... dl.sun.com
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: The Shield Deluxe 2009 (AVP) - Unknown owner - C:\Program Files\PCSecurityShield\The Shield Deluxe 2009\avp.exe" -r (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
thedrevlow
Active Member
 
Posts: 9
Joined: January 16th, 2009, 11:50 am

Re: Trouble with Globaladsolutions + Yoog + Trojan Mailfinder

Unread postby Bv202 » January 28th, 2009, 6:35 am

Hi thedrevlow

Run HijackThis Scan and Fix
Start HijackThis and click Do a system scan only
Tick the following entry:
O15 - Trusted Zone: *.NCS.COM
O15 - Trusted Zone: *.ncspearson.com
O15 - Trusted Zone: *.pearson.com


O15 Entry
It may be helpful to know that when you put an item in your Trusted Zone, it pretty much has full access to your computer. Are you sure you trust this site to that degree? It is recommended NOT to have O15 entries such as this. If you're not sure, and/or you do not need these in your trusted zone to facilitate access or you did not knowingly permit this access yourself, then please fix the O15 entries.


Close all windows except HijackThis
Click Fix Checked in HijackThis and close HijackThis


Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 11.
  • Go to Java Site
  • Click to Download Java SE Runtime Environment (JRE) 6 Update 11
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u11-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE)
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer

In your next reply, please post a new HijackThis log. Are there still problems? If not, I will only have to make one more post :)
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)
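The O15 advice above rests on reading HijackThis output by section code. As an added illustration that is not part of this thread or of HijackThis itself, the script below parses a few constructed HijackThis-style lines (modelled on the format shown in the logs above) and flags the entries a reviewer would look at first: O15 Trusted Zone sites, which Internet Explorer treats with relaxed security, and entries whose target file is reported missing. The sample log, the `Entry` class and the `review` findings are all assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis line format (not a log from this thread).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.NCS.COM
O15 - Trusted Zone: *.ncspearson.com
O15 - Trusted Zone: *.pearson.com
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Every HijackThis entry starts with a section code (R0, O4, O15, ...) then " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")


@dataclass
class Entry:
    code: str   # section code such as "O15"
    body: str   # the rest of the line


def parse_log(text):
    """Turn HijackThis-style lines into Entry objects; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def trusted_zone_domains(entries):
    """Return the domain patterns listed by O15 'Trusted Zone:' lines."""
    domains = []
    for e in entries:
        if e.code == "O15" and e.body.startswith("Trusted Zone:"):
            domains.append(e.body.split(":", 1)[1].strip())
    return domains


def review(entries):
    """Produce (code, detail, reason) findings a reviewer would check first."""
    findings = []
    for domain in trusted_zone_domains(entries):
        findings.append(("O15", domain,
                         "site in IE Trusted Zone runs with relaxed security; "
                         "fix unless it was knowingly added"))
    for e in entries:
        if e.body.endswith("(file missing)"):
            findings.append((e.code, e.body,
                             "entry points at a file that is not on disk; review it"))
    return findings


if __name__ == "__main__":
    for code, detail, reason in review(parse_log(SAMPLE_LOG)):
        print(f"{code}: {detail}\n    -> {reason}")
```

On the log posted above the same parser would return the three `*.NCS.COM`, `*.ncspearson.com` and `*.pearson.com` patterns that Bv202 asked to have fixed.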

Re: Trouble with Globaladsolutions + Yoog + Trojan Mailfinder

Unread postby thedrevlow » January 31st, 2009, 12:16 am

Thanks for all the help. Here is my hijackthis scan:

Logfile of HijackThis v1.99.1
Scan saved at 10:11:54 PM, on 1/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
F:\iTunesHelper.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2009\avp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
F:\iTunes.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=3061015
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\PCSecurityShield\The Shield Deluxe 2009\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\PCSecurityShield\The Shield Deluxe 2009\SCIEPlgn.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} - http://ependownload.ncspearson.com/auth ... wswaxd.cab
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/acce ... /AcpIR.cab
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: The Shield Deluxe 2009 (AVP) - Unknown owner - C:\Program Files\PCSecurityShield\The Shield Deluxe 2009\avp.exe" -r (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

Let me know if there's anything else. At this time, the computer seems to be behaving normally.
thedrevlow
Active Member
 
Posts: 9
Joined: January 16th, 2009, 11:50 am

Re: Trouble with Globaladsolutions + Yoog + Trojan Mailfinder

Unread postby Bv202 » January 31st, 2009, 8:29 am

Hi thedrevlow

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
The above procedure will uninstall ComboFix. It will reset your System Restore and clear out the backups and quarantines created during the course of this fix.


Congratulations, your machine appears to be clean! :)
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:


Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Make sure you enable Automatic Updates for your computer. You can set this in the control panel -> windows update.
An alternative way is to visit Microsoft often to get the latest updates for your computer:
http://www.update.microsoft.com


Here are some free programs I recommend that could help you improve your computer's security.

Malwarebytes' Anti-Malware
Download it from here. Click "Download" and you'll get redirected to download.com, where you can download the product. You can also buy this program, which gives you real-time protection against common malware. However, you can use the free program to scan and remove any infections found.

Install SpyWare Blaster 4.0
Download it from here
Find the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
You can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install MVPS Hosts File from here
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm


Read some information here on how to prevent malware.

Is your pc running slow?
Read What to do if your Computer is running slowly

Happy safe surfing!

Please reply once more to this thread so we know it can be closed. If you have any questions left, it's now the time to ask! :)
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)
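The hosts file mechanism described in the post above (map a hostname to 127.0.0.1 so the connection never leaves the machine) is also what malware abuses in the other direction, by pointing update or security sites at an address the attacker controls. As an added example, not from this thread, MVPS or HijackThis, the script below parses a constructed hosts file and separates deliberate sinkhole entries (loopback or 0.0.0.0) from entries that send a hostname somewhere else, which is what a reviewer would want flagged. The sample file and the hostnames in it are assumptions made for this example.

```python
import ipaddress

# Constructed sample hosts file (not the real MVPS file). Hostnames use
# reserved example/test names; 203.0.113.10 is a documentation address.
SAMPLE_HOSTS = """\
# This MVPS HOSTS file is a free download from:   (comment line)
127.0.0.1  localhost
0.0.0.0    ad.example-adserver.test      # constructed ad host
0.0.0.0    tracker.example.test
127.0.0.1  banner.example.test  banners.example.test
203.0.113.10  update.example-antivirus.test   # constructed: sends a security site elsewhere
not-an-ip  broken.example.test             # constructed malformed line
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blank and malformed lines are dropped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)          # skip lines whose first field is not an address
        except ValueError:
            continue
        for name in names:                    # one address may carry several hostnames
            pairs.append((ip, name.lower()))
    return pairs


def classify(pairs):
    """Split entries into sinkholed hostnames and (hostname, ip) redirections elsewhere."""
    blocked, redirected = [], []
    for ip, name in pairs:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            if name != "localhost":           # the localhost line is normal, not a block
                blocked.append(name)
        else:
            redirected.append((name, ip))
    return blocked, redirected


if __name__ == "__main__":
    blocked, redirected = classify(parse_hosts(SAMPLE_HOSTS))
    print("sinkholed to the local machine:", blocked)
    print("redirected elsewhere (review these):", redirected)
```

HijackThis reports the same redirections as O1 entries; the split above is the check behind that report, with 0.0.0.0 accepted as an equivalent of 127.0.0.1 because both keep the connection from leaving the machine.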

Re: Trouble with Globaladsolutions + Yoog + Trojan Mailfinder

Unread postby thedrevlow » January 31st, 2009, 12:15 pm

Sounds good. Thanks again. You can go ahead and close it.
thedrevlow
Active Member
 
Posts: 9
Joined: January 16th, 2009, 11:50 am