Hijack This logfile posted


Re: Hijack This logfile posted

Post by podbay » April 19th, 2009, 7:09 pm

Hello DFW. My apologies for the unreadable logs; corrected this time.

As requested:

1. ComboFix.txt

ComboFix 09-04-20.02 - Randy 2009-04-19 16:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2654 [GMT -6:00]
Running from: c:\documents and settings\Randy\Desktop\HJT\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090419-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\tmp.reg
c:\windows\system32\unrar.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-24 185896]
"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-02-19 438272]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-04-10 16861184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [2008-02-19 106496]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l151x86.sys [2008-02-24 37376]

.
Contents of the 'Scheduled Tasks' folder

2009-03-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
FF - ProfilePath - c:\documents and settings\Randy\Application Data\Mozilla\Firefox\Profiles\xt71wgkt.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://podbaydoor.com/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-20 16:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(6132)
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-04-20 16:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-20 22:52

Pre-Run: 42,712,203,264 bytes free
Post-Run: 42,617,933,824 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

122 --- E O F --- 2009-04-19 16:33

--------------

2. Logfile of Trend Micro HijackThis v2.0.2

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:54:08, on 2009-04-20
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9847349328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2824299296
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://libcirc.library.ualberta.ca/tsweb/msrdp.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

--
End of file - 6935 bytes


Awaiting further instructions.

Thank you.
podbay
Regular Member
 
Posts: 20
Joined: April 17th, 2009, 2:46 am

Re: Hijack This logfile posted

Post by DFW » April 20th, 2009, 5:17 am

Hi There

Not all of the Combofix report has been posted; can you please post the log again?


The combofix scan log will be in your C:\ drive, named Combofix.txt.
When it is open, select the entire contents (Ctrl + A), copy them (Ctrl + C), and paste them (Ctrl + V) back here as a reply to this post.
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Re: Hijack This logfile posted

Post by podbay » April 20th, 2009, 9:09 am

Hello. I am recopying and pasting the Combofix report here, but I believe it is exactly the same as I posted before. I am not sure if I did something wrong, but this is it:


ComboFix 09-04-20.02 - Randy 2009-04-19 16:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2654 [GMT -6:00]
Running from: c:\documents and settings\Randy\Desktop\HJT\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090419-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\tmp.reg
c:\windows\system32\unrar.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-24 185896]
"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-02-19 438272]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-04-10 16861184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [2008-02-19 106496]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l151x86.sys [2008-02-24 37376]

.
Contents of the 'Scheduled Tasks' folder

2009-03-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
FF - ProfilePath - c:\documents and settings\Randy\Application Data\Mozilla\Firefox\Profiles\xt71wgkt.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://podbaydoor.com/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-20 16:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(6132)
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-04-20 16:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-20 22:52

Pre-Run: 42,712,203,264 bytes free
Post-Run: 42,617,933,824 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

122 --- E O F --- 2009-04-19 16:33


------------------

I did find another file called Combofix-quarantined-files.txt:

2009-04-20 22:49:37 . 2009-04-20 22:49:37 6,003 ----a-w C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-04-19 22:47:16 . 2009-04-19 22:47:16 54 ----a-w C:\Qoobox\Quarantine\catchme.log
2009-04-19 14:07:57 . 2009-04-19 16:36:49 2,742 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp.reg.vir
2008-05-03 16:58:36 . 2006-12-03 20:52:52 200,704 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\UNRAR.EXE.vir

-------------------

I am noticing another problem, which is this: if I click on a link in an email message, it opens up IE with no response, no URL, nothing. Same if I try to click on a saved URL from my desktop. Previously these would open in FF, now I have to copy and paste a link from an email into FF (or IE) for the link to open. Is this related to the malware?

I am off to work now, should be back within 8-9 hours, but may try to get home for lunch.

Thank you.
podbay
Regular Member
 
Posts: 20
Joined: April 17th, 2009, 2:46 am

Re: Hijack This logfile posted

Post by DFW » April 20th, 2009, 12:20 pm

I think we will try that again; not sure why that happened, so let's try with a fresh copy.

Delete the current Combofix from your desktop, and delete the log from your C drive, C:\Combofix.txt, so we don't get confused.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

IMPORTANT !!! Save ComboFix.exe to your Desktop

And run again using the instructions from the first Combofix Post.


Please post back the log below so we can continue cleaning the system.

Combofix Log C:\ComboFix.txt
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Re: Hijack This logfile posted

Post by podbay » April 20th, 2009, 8:56 pm

Hello. I deleted the previous ComboFix.exe and the log as instructed, saved a new ComboFix.exe to my desktop and ran it from there. Here is the log as requested:

ComboFix 09-04-21.06 - Randy 2009-04-20 18:49.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2828 [GMT -6:00]
Running from: c:\documents and settings\Randy\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090420-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-21 to 2009-04-21 )))))))))))))))))))))))))))))))
.

2009-12-26 09:46 . 2009-12-26 09:46 15791 ----a-w c:\windows\542z9ddware2258.exe
2009-12-23 17:37 . 2009-12-23 17:37 16933 ----a-w c:\windows\system32\1f9baddwzre858.exe
2009-12-22 00:38 . 2009-12-22 00:38 13601 ----a-w c:\windows\system32\5992s5y5ze.ocx
2009-12-20 13:30 . 2009-12-20 13:30 3510 ----a-w c:\windows\25579vi9us2a1z.dll
2009-12-18 19:23 . 2009-12-18 19:23 5481 ----a-w c:\windows\5e5backdoo91667z.ocx
2009-12-18 09:33 . 2009-12-18 09:33 4629 ----a-w c:\windows\77z4t5oj6749.ocx
2009-12-17 02:35 . 2009-12-17 02:35 14608 ----a-w c:\windows\11z59wor95e5.bin
2009-12-16 10:47 . 2009-12-16 10:47 5709 ----a-w c:\windows\system32\98585wormz2.ocx
2009-12-14 20:44 . 2009-12-14 20:44 12182 ----a-w c:\windows\10945wzrm534.dll
2009-12-14 12:16 . 2009-12-14 12:16 6334 ----a-w c:\windows\4faebaz9door1528.bin
2009-12-14 11:25 . 2009-12-14 11:25 18366 ----a-w c:\windows\569fzir16.cpl
2009-12-13 11:15 . 2009-12-13 11:15 9699 ----a-w c:\windows\15308not-a9vzrusfd.ocx
2009-12-13 01:15 . 2009-12-13 01:15 7873 ----a-w c:\windows\z879sp5473.cpl
2009-12-11 15:52 . 2009-12-11 15:52 3222 ----a-w c:\windows\system32\29004zot-9-v5rus52e.exe
2009-12-09 17:40 . 2009-12-09 17:40 6699 ----a-w c:\windows\system32\7z95steal38.bin
2009-12-09 06:54 . 2009-12-09 06:54 11671 ----a-w c:\windows\system32\795cbackdoorz701.ocx
2009-12-07 00:29 . 2009-12-07 00:29 15641 ----a-w c:\windows\system32\5889downloader3136z.bin
2009-12-04 10:22 . 2009-12-04 10:22 4969 ----a-w c:\windows\5fa6spywar92z68.ocx
2009-12-02 19:13 . 2009-12-02 19:13 3917 ----a-w c:\windows\system32\3034znot-a-viru94b5.exe
2009-11-27 17:02 . 2009-11-27 17:02 14435 ----a-w c:\windows\system32\6c9bba9k5oor213z.ocx
2009-11-27 02:30 . 2009-11-27 02:30 5521 ----a-w c:\windows\system32\1069s5arsz23289.cpl
2009-11-24 05:28 . 2009-11-24 05:28 14675 ----a-w c:\windows\system32\2612vz5us6399.cpl
2009-11-24 03:56 . 2009-11-24 03:56 14052 ----a-w c:\windows\system32\29zfvir1155.exe
2009-11-21 04:00 . 2009-11-21 04:00 11550 ----a-w c:\windows\system32\731azown9oa5er2599.bin
2009-11-21 02:22 . 2009-11-21 02:22 7888 ----a-w c:\windows\system32\35c89ir64z.bin
2009-11-20 13:53 . 2009-11-20 13:53 3702 ----a-w c:\windows\29c3t5ief1477z.bin
2009-11-18 22:23 . 2009-11-18 22:23 4300 ----a-w c:\windows\system32\4f555te9lz242.exe
2009-11-18 00:58 . 2009-11-18 00:58 6787 ----a-w c:\windows\53a9ste5l2z799.cpl
2009-11-17 08:57 . 2009-11-17 08:57 16219 ----a-w c:\windows\75z1spy479.ocx
2009-11-16 05:14 . 2009-11-16 05:14 10767 ----a-w c:\windows\4755z9yware3156.bin
2009-11-15 10:10 . 2009-11-15 10:10 13591 ----a-w c:\windows\3095addware18z0.bin
2009-11-14 10:11 . 2009-11-14 10:11 14119 ----a-w c:\windows\system32\197319ro55bz.ocx
2009-11-13 06:50 . 2009-11-13 06:50 11200 ----a-w c:\windows\system32\27c5b9zkdoor3267.ocx
2009-11-11 20:42 . 2009-11-11 20:42 8191 ----a-w c:\windows\system32\37zvir58329.ocx
2009-11-09 21:19 . 2009-11-09 21:19 4578 ----a-w c:\windows\51d95ir243z.dll
2009-11-07 21:51 . 2009-11-07 21:51 6529 ----a-w c:\windows\system32\164115pyza9.bin
2009-11-06 15:09 . 2009-11-06 15:09 5517 ----a-w c:\windows\system32\3719a5dwaze1401.bin
2009-11-06 00:09 . 2009-11-06 00:09 7144 ----a-w c:\windows\18907vizu51c8.dll
2009-11-04 15:41 . 2009-11-04 15:41 8318 ----a-w c:\windows\system32\3e7szar951778.ocx
2009-11-04 11:04 . 2009-11-04 11:04 5077 ----a-w c:\windows\system32\2619down5zader2478.exe
2009-11-04 10:08 . 2009-11-04 10:08 9753 ----a-w c:\windows\592hacktzol15e.cpl
2009-11-04 03:48 . 2009-11-04 03:48 17296 ----a-w c:\windows\z4659ac5door1027.ocx
2009-11-03 14:46 . 2009-11-03 14:46 15310 ----a-w c:\windows\7ez6sp9ware5474.ocx
2009-11-02 18:11 . 2009-11-02 18:11 7346 ----a-w c:\windows\1ez2thre9t186005.ocx
2009-11-01 19:13 . 2009-11-01 19:13 9714 ----a-w c:\windows\system32\z9296spy656.exe
2009-11-01 17:58 . 2009-11-01 17:58 2889 ----a-w c:\windows\5b99zparse1441.ocx
2009-11-01 11:58 . 2009-11-01 11:58 6160 ----a-w c:\windows\z3a05parse961.exe
2009-10-27 18:45 . 2009-10-27 18:45 12760 ----a-w c:\windows\5497wz9m1b1.cpl
2009-10-27 01:12 . 2009-10-27 01:12 8282 ----a-w c:\windows\z2900vi5us59f.bin
2009-10-26 03:12 . 2009-10-26 03:12 13220 ----a-w c:\windows\1916st5al185z.ocx
2009-10-25 09:10 . 2009-10-25 09:10 9485 ----a-w c:\windows\z57949orm5.bin
2009-10-23 22:24 . 2009-10-23 22:24 7158 ----a-w c:\windows\3z9faddwar53239.exe
2009-10-22 14:37 . 2009-10-22 14:37 8654 ----a-w c:\windows\9eathizf13805.dll
2009-10-20 20:24 . 2009-10-20 20:24 9435 ----a-w c:\windows\system32\1a9z9pyw5re1580.exe
2009-10-20 06:11 . 2009-10-20 06:11 3506 ----a-w c:\windows\98509spamz5t182.bin
2009-10-15 03:18 . 2009-10-15 03:18 4293 ----a-w c:\windows\system32\24895viru56z39.dll
2009-10-14 16:01 . 2009-10-14 16:01 16720 ----a-w c:\windows\system32\355zbackdoor2959.bin
2009-10-13 18:04 . 2009-10-13 18:04 16995 ----a-w c:\windows\system32\45f9dzwnl5ade91867.bin
2009-10-11 15:49 . 2009-10-11 15:49 8379 ----a-w c:\windows\system32\23175ha9ztool419.bin
2009-10-10 22:56 . 2009-10-10 22:56 15646 ----a-w c:\windows\system32\4a29dowzload591037.ocx
2009-10-10 04:12 . 2009-10-10 04:12 5724 ----a-w c:\windows\9965hzc5tool7dd.bin
2009-10-10 00:49 . 2009-10-10 00:49 11454 ----a-w c:\windows\system32\35390not-a-vzrus599.ocx
2009-10-09 08:19 . 2009-10-09 08:19 8717 ----a-w c:\windows\system32\2ee9zi52009.ocx
2009-10-09 02:33 . 2009-10-09 02:33 10343 ----a-w c:\windows\system32\235spywzre9235.dll
2009-10-05 14:07 . 2009-10-05 14:07 3945 ----a-w c:\windows\system32\22457spz9bot2fb5.bin
2009-10-05 06:28 . 2009-10-05 06:28 12453 ----a-w c:\windows\system32\1aa2sp5rse9z7.ocx
2009-10-04 02:09 . 2009-10-04 02:09 6519 ----a-w c:\windows\185939ozm149.ocx
2009-10-04 00:34 . 2009-10-04 00:34 4776 ----a-w c:\windows\18zethi5f1959.bin
2009-10-03 11:54 . 2009-10-03 11:54 2932 ----a-w c:\windows\system32\z4995troj321.bin
2009-10-02 07:57 . 2009-10-02 07:57 18318 ----a-w c:\windows\52zdspyw5re2798.cpl
2009-10-02 07:33 . 2009-10-02 07:33 17856 ----a-w c:\windows\system32\735dba9kdoor10z3.dll
2009-09-27 18:24 . 2009-09-27 18:24 7176 ----a-w c:\windows\zc90thre5t169179.bin
2009-09-26 06:40 . 2009-09-26 06:40 6098 ----a-w c:\windows\system32\17b3vir5z099.exe
2009-09-25 18:31 . 2009-09-25 18:31 8704 ----a-w c:\windows\94744hacztool2a85.dll
2009-09-25 12:12 . 2009-09-25 12:12 18141 ----a-w c:\windows\system32\9995sp519z.cpl
2009-09-23 06:40 . 2009-09-23 06:40 6910 ----a-w c:\windows\5d3t9ief780z.exe
2009-09-22 07:03 . 2009-09-22 07:03 4634 ----a-w c:\windows\system32\4a25bzckdoo593.exe
2009-09-21 13:18 . 2009-09-21 13:18 16638 ----a-w c:\windows\1b5z59r2854.cpl
2009-09-21 11:17 . 2009-09-21 11:17 3096 ----a-w c:\windows\3210nzt-a-virus2b95.ocx
2009-09-21 09:35 . 2009-09-21 09:35 13984 ----a-w c:\windows\1c5bdownloa9ez2459.exe
2009-09-19 16:00 . 2009-09-19 16:00 5042 ----a-w c:\windows\74f7a9dwar52635z.bin
2009-09-18 07:17 . 2009-09-18 07:17 5672 ----a-w c:\windows\9f9tzie51126.ocx
2009-09-17 19:53 . 2009-09-17 19:53 15619 ----a-w c:\windows\system32\657azhreat65999.bin
2009-09-17 17:05 . 2009-09-17 17:05 8899 ----a-w c:\windows\system32\26141tr9jz25.bin
2009-09-15 00:12 . 2009-09-15 00:12 12600 ----a-w c:\windows\11996not-5-viruz956.exe
2009-09-14 04:21 . 2009-09-14 04:21 8324 ----a-w c:\windows\5518zn9t-a-virus725.bin
2009-09-12 21:52 . 2009-09-12 21:52 11520 ----a-w c:\windows\965zstea51603.cpl
2009-09-12 21:04 . 2009-09-12 21:04 3969 ----a-w c:\windows\217zv59.cpl
2009-09-12 19:01 . 2009-09-12 19:01 11665 ----a-w c:\windows\147fadd5aze9489.ocx
2009-09-11 07:56 . 2009-09-11 07:56 4518 ----a-w c:\windows\system32\5z592worm29d.bin
2009-09-11 05:09 . 2009-09-11 05:09 7315 ----a-w c:\windows\system32\5c519teal3z3.bin
2009-09-08 22:58 . 2009-09-08 22:58 9669 ----a-w c:\windows\4969zpywar5987.exe
2009-09-04 08:50 . 2009-09-04 08:50 3679 ----a-w c:\windows\system32\2f9ev59120z.bin
2009-09-03 12:33 . 2009-09-03 12:33 3023 ----a-w c:\windows\system32\29991spy2z5.ocx
2009-09-03 00:05 . 2009-09-03 00:05 14252 ----a-w c:\windows\system32\28488worm599z.exe
2009-09-01 17:14 . 2009-09-01 17:14 8607 ----a-w c:\windows\system32\320z6h5cktoo996.dll
2009-08-28 11:07 . 2009-08-28 11:07 7849 ----a-w c:\windows\system32\z075ha9k5ool65f.exe
2009-08-28 09:53 . 2009-08-28 09:53 9056 ----a-w c:\windows\794ddown5o9dzr864.cpl
2009-08-27 18:29 . 2009-08-27 18:29 15592 ----a-w c:\windows\system32\6525threzt29995.exe
2009-08-26 17:16 . 2009-08-26 17:16 17306 ----a-w c:\windows\system32\6ed35iz6909.dll
2009-08-25 09:26 . 2009-08-25 09:26 4890 ----a-w c:\windows\2b35viz1998.dll
2009-08-25 00:38 . 2009-08-25 00:38 15027 ----a-w c:\windows\52b9addw5ze3085.bin
2009-08-22 19:19 . 2009-08-22 19:19 3614 ----a-w c:\windows\system32\65e2sza9se1384.exe
2009-08-21 13:41 . 2009-08-21 13:41 4512 ----a-w c:\windows\70e5downloa9e52z56.bin
2009-08-21 04:38 . 2009-08-21 04:38 9447 ----a-w c:\windows\system32\5177virus9z.bin
2009-08-21 03:56 . 2009-08-21 03:56 4315 ----a-w c:\windows\system32\25089spyz22.dll
2009-08-20 17:12 . 2009-08-20 17:12 11823 ----a-w c:\windows\77dfsp9wa5z256.cpl
2009-08-17 15:17 . 2009-08-17 15:17 11041 ----a-w c:\windows\365ddware12z59.cpl
2009-08-16 18:42 . 2009-08-16 18:42 14555 ----a-w c:\windows\system32\2279vi5us52cz.ocx
2009-08-16 06:05 . 2009-08-16 06:05 3078 ----a-w c:\windows\8923v5rus6az.cpl
2009-08-16 04:53 . 2009-08-16 04:53 17429 ----a-w c:\windows\system32\40zcadd95re2008.dll
2009-08-15 06:32 . 2009-08-15 06:32 14899 ----a-w c:\windows\32631spam5o96z6.ocx
2009-08-15 04:08 . 2009-08-15 04:08 2520 ----a-w c:\windows\system32\56zirus59.cpl
2009-08-10 07:14 . 2009-08-10 07:14 7821 ----a-w c:\windows\3548t5ief9z93.ocx
2009-08-09 23:43 . 2009-08-09 23:43 7589 ----a-w c:\windows\z7557sp93fc.bin
2009-08-09 19:30 . 2009-08-09 19:30 18033 ----a-w c:\windows\19959hacktozl4da.ocx
2009-08-09 15:01 . 2009-08-09 15:01 4717 ----a-w c:\windows\39c7sp5ware15z9.dll
2009-08-08 17:24 . 2009-08-08 17:24 6427 ----a-w c:\windows\75c6tzre599482.bin
2009-08-07 16:05 . 2009-08-07 16:05 6584 ----a-w c:\windows\system32\19676vi9zs85.exe
2009-08-04 16:05 . 2009-08-04 16:05 9299 ----a-w c:\windows\19558zr9j7a9.cpl
2009-08-04 15:20 . 2009-08-04 15:20 9996 ----a-w c:\windows\68025pzrs91480.dll
2009-08-04 09:58 . 2009-08-04 09:58 2710 ----a-w c:\windows\system32\298235zrm3599.dll
2009-08-03 11:55 . 2009-08-03 11:55 13987 ----a-w c:\windows\system32\6z6f5hreat99877.dll
2009-08-03 04:42 . 2009-08-03 04:42 6871 ----a-w c:\windows\7d41addwar5z359.dll
2009-08-02 17:23 . 2009-08-02 17:23 13528 ----a-w c:\windows\system32\9b8espyware6z5.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 16:39 . 2009-04-19 14:07 1867 ----a-w C:\rapport.txt
2009-04-18 18:50 . 2008-05-05 03:21 -------- d-----w c:\program files\Azureus
2009-04-18 17:01 . 2008-05-03 20:03 101744 ----a-w c:\documents and settings\Randy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-18 07:09 . 2008-05-05 03:24 -------- d-----w c:\documents and settings\Randy\Application Data\Azureus
2009-04-18 03:17 . 2008-05-24 21:13 -------- d-----w c:\documents and settings\Randy\Application Data\Intuit Canada
2009-04-18 03:16 . 2008-05-24 21:13 -------- d-----w c:\documents and settings\All Users\Application Data\Intuit Canada
2009-04-04 18:18 . 2008-05-06 03:36 -------- d-----w c:\program files\DivX
2009-03-31 19:07 . 2009-01-01 09:44 -------- d-----w c:\program files\Flickr Uploadr
2009-03-30 22:06 . 2009-03-30 22:06 1120 ----a-w C:\INSTALL.LOG
2009-03-20 04:38 . 2009-03-20 04:38 15989 ----a-w c:\windows\4zc95ir25559.bin
2009-03-17 05:36 . 2009-03-17 05:36 7780 ----a-w c:\windows\4b91spywa5e1z04.dll
2009-03-15 18:10 . 2009-03-15 18:10 6042 ----a-w c:\windows\592adoz9lo5der2469.dll
2009-03-15 02:15 . 2009-03-15 02:14 -------- d-----w c:\program files\iTunes
2009-03-15 02:15 . 2009-03-15 02:14 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-15 02:14 . 2008-05-06 03:47 -------- d-----w c:\program files\iPod
2009-03-15 02:14 . 2008-05-06 03:46 -------- d-----w c:\program files\Common Files\Apple
2009-03-15 02:13 . 2009-03-15 02:13 -------- d-----w c:\program files\QuickTime
2009-03-15 02:05 . 2008-05-09 02:42 -------- d-----w c:\program files\Safari
2009-03-15 02:03 . 2009-03-15 02:03 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-03-15 00:18 . 2008-05-06 03:40 -------- d-----w c:\program files\Opera
2009-03-15 00:13 . 2009-01-11 01:21 -------- d-----w c:\program files\Common Files\Adobe
2009-03-11 11:13 . 2009-03-11 11:13 10886 ----a-w c:\windows\33f1vi527z09.bin
2009-03-11 07:01 . 2009-03-11 07:01 15634 ----a-w c:\windows\system32\3b95spyzare2328.exe
2009-03-09 12:30 . 2009-03-09 12:30 8871 ----a-w c:\windows\28z47t95j3f9.dll
2009-03-08 01:22 . 2009-03-08 01:22 5478 ----a-w c:\windows\7565vir3259z.dll
2009-03-08 00:00 . 2008-05-06 03:38 -------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-03-07 21:50 . 2008-11-16 05:14 -------- d-----w c:\program files\Replay Media Catcher
2009-03-07 19:54 . 2008-11-16 05:15 323584 ----a-w c:\windows\system32\AUDIOGENIE2.DLL
2009-03-07 07:15 . 2009-03-07 07:15 7768 ----a-w c:\windows\17z625irus6f29.bin
2009-03-06 15:37 . 2009-03-06 15:37 3000 ----a-w c:\windows\16884zor9525.exe
2009-03-06 14:22 . 2008-08-27 06:14 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 17:40 . 2009-03-05 17:40 9557 ----a-w c:\windows\system32\62z9tro9795.bin
2009-03-05 15:58 . 2009-03-05 15:58 6083 ----a-w c:\windows\system32\94a5zddware609.bin
2009-03-02 20:20 . 2009-03-02 20:20 5085 ----a-w c:\windows\15902not-a-zir9s457.dll
2009-03-02 06:28 . 2009-03-02 06:28 5505 ----a-w c:\windows\system32\243zst5al6429.dll
2009-03-01 11:42 . 2009-03-01 11:42 14799 ----a-w c:\windows\system32\9z9fs5arse880.exe
2009-02-27 00:46 . 2008-05-05 03:08 -------- d-----w c:\documents and settings\Randy\Application Data\Ahead
2009-02-27 00:38 . 2009-01-24 19:10 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-26 08:02 . 2009-02-26 08:02 11072 ----a-w c:\windows\system32\e529hief31z0.dll
2009-02-24 19:34 . 2009-02-24 19:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-02-24 19:34 . 2009-02-24 19:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-02-24 19:34 . 2009-02-24 19:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-02-24 19:34 . 2009-02-24 19:34 684032 ----a-w c:\windows\system32\DivX.dll
2009-02-22 19:00 . 2009-02-22 19:00 3523 ----a-w c:\windows\4zf5vir4049.dll
2009-02-21 15:47 . 2009-02-21 15:47 14840 ----a-w c:\windows\1z518hack59ol507.exe
2009-02-20 08:10 . 2008-08-27 06:14 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2008-08-27 06:15 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-19 00:32 . 2009-02-19 00:32 10565 ----a-w c:\windows\system32\7cbz5py9are3112.bin
2009-02-12 11:10 . 2009-02-12 11:10 10913 ----a-w c:\windows\system32\5de9spywarez3245.dll
2009-02-11 13:53 . 2009-02-11 13:53 10034 ----a-w c:\windows\system32\7517wozm6e9.bin
2009-02-10 16:26 . 2009-02-10 16:26 9655 ----a-w c:\windows\15531troj593z.exe
2009-02-09 12:10 . 2008-08-27 06:14 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2008-08-27 06:14 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2008-08-27 06:14 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2008-08-27 06:14 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2008-08-27 06:14 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 21:18 . 2009-02-06 21:18 2880 ----a-w c:\windows\system32\71z9v5rus469.exe
2009-02-06 11:11 . 2008-08-27 06:14 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2008-08-27 06:14 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2007-07-27 12:00 35328 ------w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2008-08-27 06:14 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-05 12:50 . 2009-02-05 12:50 9573 ----a-w c:\windows\system32\7ed5t5re9t27z58.dll
2009-02-03 19:59 . 2008-08-27 06:14 56832 ----a-w c:\windows\system32\secur32.dll
2009-02-02 05:01 . 2009-02-02 05:01 2945 ----a-w c:\windows\50z95parse2009.exe
2009-01-27 12:19 . 2009-01-27 12:19 16583 ----a-w c:\windows\192b5ozn9oader2873.bin
2009-01-27 10:48 . 2009-01-27 10:48 3590 ----a-w c:\windows\system32\2055zackdoor17295.bin
2008-05-03 21:38 . 2008-05-03 21:27 64200 ------w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-02-24 19:34:32 . 2009-02-24 19:34 c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34:32 . 2009-02-24 19:34 c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-02-24 19:34:32 . 2009-02-24 19:34 c:\program files\opera\program\plugins\libdivx.dll
2009-02-24 19:34:32 . 2009-02-24 19:34 c:\program files\opera\program\plugins\ssldivx.dll
2008-10-05 05:56:20 . 2008-05-03 21:57 c:\program files\mozilla firefox\components\jar50.dll
2008-10-05 05:56:20 . 2008-05-03 21:57 c:\program files\mozilla firefox\components\jsd3250.dll
2008-10-05 05:56:20 . 2008-05-03 21:57 c:\program files\mozilla firefox\components\myspell.dll
2008-10-05 05:56:21 . 2008-05-03 21:57 c:\program files\mozilla firefox\components\spellchk.dll
2008-10-05 05:56:21 . 2008-05-03 21:57 c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-20_22.51.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-21 00:30 . 2009-04-21 00:30 16384 c:\windows\Temp\Perflib_Perfdata_6a4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-24 185896]
"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-02-19 438272]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-04-10 16861184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [2008-02-19 106496]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l151x86.sys [2008-02-24 37376]

.
Contents of the 'Scheduled Tasks' folder

2009-03-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
FF - ProfilePath - c:\documents and settings\Randy\Application Data\Mozilla\Firefox\Profiles\xt71wgkt.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://podbaydoor.com/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-20 18:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(16292)
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-21 18:51
ComboFix-quarantined-files.txt 2009-04-21 00:50

Pre-Run: 42,921,930,752 bytes free
Post-Run: 42,917,314,560 bytes free

305 --- E O F --- 2009-04-19 16:33

Awaiting further instructions.
podbay
Regular Member
 
Posts: 20
Joined: April 17th, 2009, 2:46 am

Re: Hijack This logfile posted

Unread postby DFW » April 21st, 2009, 9:15 am

Hi podbay

Thank you, that is a lot better.


Reconfigure Windows XP to show hidden files:
Double-click the My Computer icon on the Windows desktop.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.




I'd like you to check the following files for viruses.
c:\windows\system32\ieencode.dll
c:\documents and settings\Randy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

  • Copy/Paste the first file on the list into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Note details of any viruses found.
  • Repeat for all files on the list, and post me the details please.






Very important: before running ComboFix, temporarily disable your anti-virus, script blocking and any anti-malware real-time protection.
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".



  • Now please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
     http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=41983&p=429026#p429026
    
    Collect::
    c:\windows\542z9ddware2258.exe
    c:\windows\system32\1f9baddwzre858.exe
    c:\windows\system32\5992s5y5ze.ocx
    c:\windows\25579vi9us2a1z.dll
    c:\windows\5e5backdoo91667z.ocx
    c:\windows\77z4t5oj6749.ocx
    c:\windows\11z59wor95e5.bin
    c:\windows\system32\98585wormz2.ocx
    c:\windows\10945wzrm534.dll
    c:\windows\4faebaz9door1528.bin
    c:\windows\569fzir16.cpl
    c:\windows\15308not-a9vzrusfd.ocx
    c:\windows\z879sp5473.cpl
    c:\windows\system32\29004zot-9-v5rus52e.exe
    c:\windows\system32\7z95steal38.bin
    c:\windows\system32\795cbackdoorz701.ocx
    c:\windows\system32\5889downloader3136z.bin
    c:\windows\5fa6spywar92z68.ocx
    c:\windows\system32\3034znot-a-viru94b5.exe
    c:\windows\system32\6c9bba9k5oor213z.ocx
    c:\windows\system32\1069s5arsz23289.cpl
    c:\windows\system32\2612vz5us6399.cpl
    c:\windows\system32\29zfvir1155.exe
    c:\windows\system32\731azown9oa5er2599.bin
    c:\windows\system32\35c89ir64z.bin
    c:\windows\29c3t5ief1477z.bin
    c:\windows\system32\4f555te9lz242.exe
    c:\windows\53a9ste5l2z799.cpl
    c:\windows\75z1spy479.ocx
    c:\windows\4755z9yware3156.bin
    c:\windows\3095addware18z0.bin
    c:\windows\system32\197319ro55bz.ocx
    c:\windows\system32\27c5b9zkdoor3267.ocx
    c:\windows\system32\37zvir58329.ocx
    c:\windows\51d95ir243z.dll
    c:\windows\system32\164115pyza9.bin
    c:\windows\system32\3719a5dwaze1401.bin
    c:\windows\18907vizu51c8.dll
    c:\windows\system32\3e7szar951778.ocx
    c:\windows\system32\2619down5zader2478.exe
    c:\windows\592hacktzol15e.cpl
    c:\windows\z4659ac5door1027.ocx
    c:\windows\7ez6sp9ware5474.ocx
    c:\windows\1ez2thre9t186005.ocx
    c:\windows\system32\z9296spy656.exe
    c:\windows\5b99zparse1441.ocx
    c:\windows\z3a05parse961.exe
    c:\windows\5497wz9m1b1.cpl
    c:\windows\z2900vi5us59f.bin
    c:\windows\1916st5al185z.ocx
    c:\windows\z57949orm5.bin
    c:\windows\3z9faddwar53239.exe
    c:\windows\9eathizf13805.dll
    c:\windows\system32\1a9z9pyw5re1580.exe
    c:\windows\98509spamz5t182.bin
    c:\windows\system32\24895viru56z39.dll
    c:\windows\system32\355zbackdoor2959.bin
    c:\windows\system32\45f9dzwnl5ade91867.bin
    c:\windows\system32\23175ha9ztool419.bin
    c:\windows\system32\4a29dowzload591037.ocx
    c:\windows\9965hzc5tool7dd.bin
    c:\windows\system32\35390not-a-vzrus599.ocx
    c:\windows\system32\2ee9zi52009.ocx
    c:\windows\system32\235spywzre9235.dll
    c:\windows\system32\22457spz9bot2fb5.bin
    c:\windows\system32\1aa2sp5rse9z7.ocx
    c:\windows\185939ozm149.ocx
    c:\windows\18zethi5f1959.bin
    c:\windows\system32\z4995troj321.bin
    c:\windows\52zdspyw5re2798.cpl
    c:\windows\system32\735dba9kdoor10z3.dll
    c:\windows\zc90thre5t169179.bin
    c:\windows\system32\17b3vir5z099.exe
    c:\windows\94744hacztool2a85.dll
    c:\windows\system32\9995sp519z.cpl
    c:\windows\5d3t9ief780z.exe
    c:\windows\system32\4a25bzckdoo593.exe
    c:\windows\1b5z59r2854.cpl
    c:\windows\3210nzt-a-virus2b95.ocx
    c:\windows\1c5bdownloa9ez2459.exe
    c:\windows\74f7a9dwar52635z.bin
    c:\windows\9f9tzie51126.ocx
    c:\windows\system32\657azhreat65999.bin
    c:\windows\system32\26141tr9jz25.bin
    c:\windows\11996not-5-viruz956.exe
    c:\windows\5518zn9t-a-virus725.bin
    c:\windows\965zstea51603.cpl
    c:\windows\217zv59.cpl
    c:\windows\147fadd5aze9489.ocx
    c:\windows\system32\5z592worm29d.bin
    c:\windows\system32\5c519teal3z3.bin
    c:\windows\4969zpywar5987.exe
    c:\windows\system32\2f9ev59120z.bin
    c:\windows\system32\29991spy2z5.ocx
    c:\windows\system32\28488worm599z.exe
    c:\windows\system32\320z6h5cktoo996.dll
    c:\windows\system32\z075ha9k5ool65f.exe
    c:\windows\794ddown5o9dzr864.cpl
    c:\windows\system32\6525threzt29995.exe
    c:\windows\system32\6ed35iz6909.dll
    c:\windows\2b35viz1998.dll
    c:\windows\52b9addw5ze3085.bin
    c:\windows\system32\65e2sza9se1384.exe
    c:\windows\70e5downloa9e52z56.bin
    c:\windows\system32\5177virus9z.bin
    c:\windows\system32\25089spyz22.dll
    c:\windows\77dfsp9wa5z256.cpl
    c:\windows\365ddware12z59.cpl
    c:\windows\system32\2279vi5us52cz.ocx
    c:\windows\8923v5rus6az.cpl
    c:\windows\system32\40zcadd95re2008.dll
    c:\windows\32631spam5o96z6.ocx
    c:\windows\system32\56zirus59.cpl
    c:\windows\3548t5ief9z93.ocx
    c:\windows\z7557sp93fc.bin
    c:\windows\19959hacktozl4da.ocx
    c:\windows\39c7sp5ware15z9.dll
    c:\windows\75c6tzre599482.bin
    c:\windows\system32\19676vi9zs85.exe
    c:\windows\19558zr9j7a9.cpl
    c:\windows\68025pzrs91480.dll
    c:\windows\system32\298235zrm3599.dll
    c:\windows\system32\6z6f5hreat99877.dll
    c:\windows\7d41addwar5z359.dll
    c:\windows\system32\9b8espyware6z5.exe
    c:\windows\4zc95ir25559.bin
    c:\windows\4b91spywa5e1z04.dll
    c:\windows\592adoz9lo5der2469.dll
    c:\windows\33f1vi527z09.bin
    c:\windows\system32\3b95spyzare2328.exe
    c:\windows\28z47t95j3f9.dll
    c:\windows\7565vir3259z.dll
    c:\windows\17z625irus6f29.bin
    c:\windows\16884zor9525.exe
    c:\windows\system32\62z9tro9795.bin
    c:\windows\system32\94a5zddware609.bin
    c:\windows\15902not-a-zir9s457.dll
    c:\windows\system32\243zst5al6429.dll
    c:\windows\system32\9z9fs5arse880.exe
    c:\windows\system32\e529hief31z0.dll
    c:\windows\4zf5vir4049.dll
    c:\windows\1z518hack59ol507.exe
    c:\windows\system32\7cbz5py9are3112.bin
    c:\windows\system32\5de9spywarez3245.dll
    c:\windows\15531troj593z.exe
    c:\windows\system32\71z9v5rus469.exe
    c:\windows\system32\7ed5t5re9t27z58.dll
    c:\windows\50z95parse2009.exe
    c:\windows\192b5ozn9oader2873.bin
    c:\windows\system32\2055zackdoor17295.bin
    
    Folder:: 
    c:\program files\Azureus
    c:\documents and settings\Randy\Application Data\Azureus
    
    DirLook::
    c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    [Image: screenshot of CFScript.txt being dragged onto ComboFix.exe]


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Post back

File scan results
ComboFix log
New HijackThis log
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK
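The helper's post above does two things by hand: it walks the ComboFix file listing, picks out the randomised filenames that mimic malware-category words (a keyword such as "backdoor" or "spyware" with one or two letters swapped for a digit or a "z", dropped straight into c:\windows or c:\windows\system32), and turns them into a Collect:: block for CFScript.txt. The following Python is an added example of that triage, not ComboFix's or MalwareRemoval.com's own code. The sample log lines are constructed in the ComboFix line format shown on this page; the keyword list, the 32 KiB size threshold and the assumed column order (last-write time, then creation time) are the example's own assumptions. It goes a little beyond the post by recording, for each hit, the corroborating observations a helper would cite before collecting the file.

```python
"""Triage ComboFix file-listing lines for randomised malware-keyword
filenames and emit a CFScript Collect:: block for the hits.

Added example, not ComboFix's or the forum helper's code.  SAMPLE_LOG is
constructed; SMALL_FILE, KEYWORDS and the column order are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in ComboFix's "Files Created" / Find3M line format.
SAMPLE_LOG = r"""
2009-10-02 07:57 . 2009-10-02 07:57 18318 ----a-w c:\windows\52zdspyw5re2798.cpl
2009-09-25 18:31 . 2009-09-25 18:31 8704 ----a-w c:\windows\94744hacztool2a85.dll
2009-03-07 19:54 . 2008-11-16 05:15 323584 ----a-w c:\windows\system32\AUDIOGENIE2.DLL
2009-02-20 08:10 . 2008-08-27 06:14 81920 ----a-w c:\windows\system32\ieencode.dll
2009-04-18 18:50 . 2008-05-05 03:21 -------- d-----w c:\program files\Azureus
2009-01-27 10:48 . 2009-01-27 10:48 3590 ----a-w c:\windows\system32\2055zackdoor17295.bin
"""

# Category words the dropper hides in its names, longest first so that
# "not-a-virus" is reported before the "virus" embedded in it.
KEYWORDS = (
    "not-a-virus", "downloader", "backdoor", "hacktool", "spyware",
    "addware", "spambot", "trojan", "adware", "threat", "thief", "steal",
    "parse", "virus", "troj", "worm", "spam", "spy",
)
SUBST = set("0123456789z")   # characters swapped in for keyword letters
SMALL_FILE = 32 * 1024       # assumed loader-size threshold (not from the page)

# <last-write> . <created> <size|--------> <attrs> <path>   (order assumed)
LINE_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{7}) (?P<path>\S.*?)\s*$"
)


@dataclass
class Entry:
    mtime: str
    ctime: str
    size: Optional[int]          # None for directories
    attrs: str
    path: str
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one ComboFix file line; return None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(m["mtime"], m["ctime"], size, m["attrs"], m["path"])


def fuzzy_keyword(stem: str) -> Optional[str]:
    """First keyword present in stem with at most one letter replaced by a
    digit or 'z' (two replacements for keywords of six+ letters), else None."""
    s = stem.lower()
    for kw in KEYWORDS:
        budget = 2 if len(kw) >= 6 else 1
        for i in range(len(s) - len(kw) + 1):
            swaps = 0
            for got, want in zip(s[i:i + len(kw)], kw):
                if got == want:
                    continue
                if got in SUBST:
                    swaps += 1          # digit/z standing in for a letter
                else:
                    swaps = budget + 1  # a real letter mismatch: give up
                    break
            if swaps <= budget:
                return kw
    return None


def triage(log_text: str) -> List[Entry]:
    """Return file entries whose names mimic a malware keyword, each with
    the corroborating observations worth citing before collecting it."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or e.size is None:        # skip directories
            continue
        parent, _, name = e.path.rpartition("\\")
        stem, dot, ext = name.rpartition(".")
        if not dot:                            # no extension at all
            stem, ext = name, ""
        kw = fuzzy_keyword(stem)
        if kw is None:
            continue
        e.reasons.append(f"name mimics '{kw}' with digit/z substitution")
        if parent.lower() in ("c:\\windows", "c:\\windows\\system32"):
            e.reasons.append("dropped straight into a Windows system folder")
        if ext.lower() in ("exe", "dll", "ocx", "cpl", "bin"):
            e.reasons.append(f"loadable extension .{ext.lower()}")
        if e.size < SMALL_FILE:
            e.reasons.append(f"small loader-sized file ({e.size} bytes)")
        if e.mtime == e.ctime:
            e.reasons.append("last-write and creation times identical")
        hits.append(e)
    return hits


def build_cfscript(hits: List[Entry], thread_url: Optional[str] = None) -> str:
    """CFScript text: optional thread URL, blank line, then Collect:: block."""
    lines = [thread_url, ""] if thread_url else []
    lines.append("Collect::")
    lines.extend(e.path for e in hits)
    lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for e in found:
        print(e.path + "\n    " + "\n    ".join(e.reasons))
    print(build_cfscript(found))
```

This is triage, not a verdict: a name heuristic will miss droppers that pick cleaner names and can be fooled by an odd but legitimate filename, so hash and upload anything borderline (as the post asks for ieencode.dll and GDIPFONTCACHEV1.DAT) before putting it in the script. Collect:: in a CFScript makes ComboFix quarantine and package the listed files for submission rather than silently deleting them, which is why the next reply in the thread sees ComboFix reporting that it is submitting malware.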

Re: Hijack This logfile posted

Unread postby podbay » April 21st, 2009, 9:49 am

Good morning. All instructions followed successfully. Details on two files, ComboFix and HijackThis logs posted below. I'll be off to work in 20 minutes, and will return again in the early evening. Thank you again for your continued help. ComboFix did report it was submitting malware after it ran its program.

File ieencode.dll received on 04.21.2009 15:27:19 (CET)
Result: 0/40 (0%)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.21 -
AhnLab-V3 5.0.0.2 2009.04.21 -
AntiVir 7.9.0.148 2009.04.21 -
Antiy-AVL 2.0.3.1 2009.04.21 -
Authentium 5.1.2.4 2009.04.20 -
Avast 4.8.1335.0 2009.04.20 -
AVG 8.5.0.287 2009.04.21 -
BitDefender 7.2 2009.04.21 -
CAT-QuickHeal 10.00 2009.04.21 -
ClamAV 0.94.1 2009.04.21 -
Comodo 1124 2009.04.21 -
DrWeb 4.44.0.09170 2009.04.21 -
eSafe 7.0.17.0 2009.04.20 -
eTrust-Vet 31.6.6440 2009.04.20 -
F-Prot 4.4.4.56 2009.04.20 -
F-Secure 8.0.14470.0 2009.04.21 -
Fortinet 3.117.0.0 2009.04.21 -
GData 19 2009.04.21 -
Ikarus T3.1.1.49.0 2009.04.21 -
K7AntiVirus 7.10.709 2009.04.20 -
Kaspersky 7.0.0.125 2009.04.21 -
McAfee 5590 2009.04.20 -
McAfee+Artemis 5590 2009.04.20 -
McAfee-GW-Edition 6.7.6 2009.04.21 -
Microsoft 1.4602 2009.04.21 -
NOD32 4024 2009.04.21 -
Norman 6.00.06 2009.04.20 -
nProtect 2009.1.8.0 2009.04.21 -
Panda 10.0.0.14 2009.04.20 -
PCTools 4.4.2.0 2009.04.21 -
Prevx1 V2 2009.04.21 -
Rising 21.26.14.00 2009.04.21 -
Sophos 4.40.0 2009.04.21 -
Sunbelt 3.2.1858.2 2009.04.21 -
Symantec 1.4.4.12 2009.04.21 -
TheHacker 6.3.4.0.312 2009.04.21 -
TrendMicro 8.700.0.1004 2009.04.21 -
VBA32 3.12.10.2 2009.04.21 -
ViRobot 2009.4.21.1702 2009.04.21 -
VirusBuster 4.6.5.0 2009.04.20 -

Additional information
File size: 81920 bytes
MD5...: 9e45d535fac69d4e500041cbbf700d94
SHA1..: 68b4d0fa9d311115d79c0275c7d53a44ef883943
SHA256: 63421653746b01a7ccd980087ee28691f28d4e093aa9a985f8070c2e93d0ffae
SHA512: 699ed112ac45485f61227d58799e8a702143c91a0a1d76ebed3d6610fca512ba713a954b5e98e59aba55eb9d04dce08ff42b06af55da312fd6ac24aca886fa3c
ssdeep: 1536:f7matnWLraP1jj939Owr3WOs+kzZStvl83tUiVNz0:VhDPtR3AwaOEtcNotUM1
PEiD..: -
TrID..: File type identification
Win64 Executable Generic (80.9%)
Win32 Executable Generic (8.0%)
Win32 Dynamic Link Library (generic) (7.1%)
Generic Win/DOS Executable (1.8%)
DOS Executable Generic (1.8%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x5524
timedatestamp.....: 0x499e6591 (Fri Feb 20 08:10:57 2009)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x4a31 0x4c00 6.59 d6c9fd8f6d7b18af6078b1e92cd2feab
.data 0x6000 0xe5c1 0xe000 7.41 a7695baed68bf49004bbdc6af6e584ec
.rsrc 0x15000 0x528 0x600 2.96 e195f24fd7f78ae6ee677a1adcc564da
.reloc 0x16000 0x824 0xa00 3.13 daa44d7610417275f4e8cf97e6289903

( 2 imports )
> KERNEL32.dll: WideCharToMultiByte, GetLastError, MultiByteToWideChar, GetACP, IsValidCodePage, DisableThreadLibraryCalls, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter
> msvcrt.dll: qsort

( 9 exports )
CceDetectInputCode, CceGetAvailableEncodings, CceIsAvailableEncoding, CceStreamMultiByteToUnicode, CceStreamUnicodeToMultiByte, CceStringMultiByteToUnicode, CceStringUnicodeToMultiByte, DllMain, FetchMsEncodeDllVersion
PDFiD.: -
RDS...: NSRL Reference Data Set

----------------------------------------------------------

File GDIPFONTCACHEV1.DAT received on 04.21.2009 15:32:37 (CET)
Result: 0/40 (0%)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.21 -
AhnLab-V3 5.0.0.2 2009.04.21 -
AntiVir 7.9.0.148 2009.04.21 -
Antiy-AVL 2.0.3.1 2009.04.21 -
Authentium 5.1.2.4 2009.04.20 -
Avast 4.8.1335.0 2009.04.20 -
AVG 8.5.0.287 2009.04.21 -
BitDefender 7.2 2009.04.21 -
CAT-QuickHeal 10.00 2009.04.21 -
ClamAV 0.94.1 2009.04.21 -
Comodo 1124 2009.04.21 -
DrWeb 4.44.0.09170 2009.04.21 -
eSafe 7.0.17.0 2009.04.20 -
eTrust-Vet 31.6.6440 2009.04.20 -
F-Prot 4.4.4.56 2009.04.20 -
F-Secure 8.0.14470.0 2009.04.21 -
Fortinet 3.117.0.0 2009.04.21 -
GData 19 2009.04.21 -
Ikarus T3.1.1.49.0 2009.04.21 -
K7AntiVirus 7.10.709 2009.04.20 -
Kaspersky 7.0.0.125 2009.04.21 -
McAfee 5590 2009.04.20 -
McAfee+Artemis 5590 2009.04.20 -
McAfee-GW-Edition 6.7.6 2009.04.21 -
Microsoft 1.4602 2009.04.21 -
NOD32 4024 2009.04.21 -
Norman 6.00.06 2009.04.20 -
nProtect 2009.1.8.0 2009.04.21 -
Panda 10.0.0.14 2009.04.20 -
PCTools 4.4.2.0 2009.04.21 -
Prevx1 V2 2009.04.21 -
Rising 21.26.14.00 2009.04.21 -
Sophos 4.40.0 2009.04.21 -
Sunbelt 3.2.1858.2 2009.04.21 -
Symantec 1.4.4.12 2009.04.21 -
TheHacker 6.3.4.0.312 2009.04.21 -
TrendMicro 8.700.0.1004 2009.04.21 -
VBA32 3.12.10.2 2009.04.21 -
ViRobot 2009.4.21.1702 2009.04.21 -
VirusBuster 4.6.5.0 2009.04.20 -

Additional information
File size: 101744 bytes
MD5...: 00c9223a0242b844ceebc6fffbc88bdd
SHA1..: cf0a8a99e6b7054ed2cbb8611486936a8b30a814
SHA256: ba032a3f76e64e3099efde9a00d8ac5cc790beb00e80964f82f374fe0000d472
SHA512: 065ebfacae4c0d12c91276910fcb7c11490bfcfc1ac87c1d095b8c12003f78424b82e0d018b4ac34c4322deaec593e7766ac0f678bb318289d67643d35e93c9a
ssdeep: 1536:Gfst/cHgTYsda5MgfxrLqywzBhWYct6XPL:D
PEiD..: -
TrID..: File type identification
Corel Photo Paint (100.0%)
PEInfo: -
PDFiD.: -
RDS...: NSRL Reference Data Set

-----------------------------------------

ComboFix 09-04-21.A2 - Randy 2009-04-21 7:40.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2579 [GMT -6:00]
Running from: c:\documents and settings\Randy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Randy\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090420-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Randy\Application Data\Azureus
c:\documents and settings\Randy\Application Data\Azureus\.certs
c:\documents and settings\Randy\Application Data\Azureus\.keystore
c:\documents and settings\Randy\Application Data\Azureus\.lock
c:\documents and settings\Randy\Application Data\Azureus\active\026D0407BAAEEEACE06B3D92ED9613DA97CD38AC.dat
c:\documents and settings\Randy\Application Data\Azureus\active\026D0407BAAEEEACE06B3D92ED9613DA97CD38AC.dat.bak
c:\documents and settings\Randy\Application Data\Azureus\active\12FE62BBAE4A4C3D8A2731D395EC590B5941EEAD.dat
c:\documents and settings\Randy\Application Data\Azureus\active\12FE62BBAE4A4C3D8A2731D395EC590B5941EEAD.dat.bak
c:\documents and settings\Randy\Application Data\Azureus\active\156F983F42175E5EDB7E50D09F3CCBE97669C39F.dat
c:\documents and settings\Randy\Application Data\Azureus\active\156F983F42175E5EDB7E50D09F3CCBE97669C39F.dat.bak
c:\documents and settings\Randy\Application Data\Azureus\active\1E4CEED1FCB72A0846C428A8A1C7A4607511E209.dat
c:\documents and settings\Randy\Application Data\Azureus\active\1E4CEED1FCB72A0846C428A8A1C7A4607511E209.dat.bak
c:\documents and settings\Randy\Application Data\Azureus\active\1F767D1937269B554296DB79A2A736F9EE6D4C33.dat
c:\documents and settings\Randy\Application Data\Azureus\active\1F767D1937269B554296DB79A2A736F9EE6D4C33.dat.bak
c:\documents and settings\Randy\Application Data\Azureus\active\56F9369C94E887613DFF7D00B6F030A466A74F93.dat
c:\documents and settings\Randy\Application Data\Azureus\active\56F9369C94E887613DFF7D00B6F030A466A74F93.dat.bak
c:\documents and settings\Randy\Application Data\Azureus\active\58E466E5BB7F175971AEFD9097078E4085194ADB.dat
c:\documents and settings\Randy\Application Data\Azureus\active\58E466E5BB7F175971AEFD9097078E4085194ADB.dat.bak
c:\documents and settings\Randy\Application Data\Azureus\active\619A49C1530DFCC513ACBE92EA25C20C4499D855.dat
c:\documents and settings\Randy\Application Data\Azureus\active\619A49C1530DFCC513ACBE92EA25C20C4499D855.dat.bak
c:\documents and settings\Randy\Application Data\Azureus\active\66FE5D8942A5AE214B911816B32E6E78266246C9.dat
c:\documents and settings\Randy\Application Data\Azureus\active\66FE5D8942A5AE214B911816B32E6E78266246C9.dat.bak
c:\documents and settings\Randy\Application Data\Azureus\active\6D0C7102C4CFD452C9D4731B4258F670C87BE472.dat
c:\documents and settings\Randy\Application Data\Azureus\active\6D0C7102C4CFD452C9D4731B4258F670C87BE472.dat.bak
c:\documents and settings\Randy\Application Data\Azureus\active\7834F3DE7479D960E53C9930506A5D35C81DE15F.dat
c:\documents and settings\Randy\Application Data\Azureus\active\7834F3DE7479D960E53C9930506A5D35C81DE15F.dat.bak
c:\documents and settings\Randy\Application Data\Azureus\active\7E870F360897B902A1CB5176E9C02244F83E5332.dat
c:\documents and settings\Randy\Application Data\Azureus\active\7E870F360897B902A1CB5176E9C02244F83E5332.dat.bak
c:\documents and settings\Randy\Application Data\Azureus\active\82B27AD75F04E2325DFDA2D9F729D293EE846522.dat
c:\documents and settings\Randy\Application Data\Azureus\active\82B27AD75F04E2325DFDA2D9F729D293EE846522.dat.bak
c:\documents and settings\Randy\Application Data\Azureus\active\87BE3D7199AEB997B6981233F62D4A42F847D96D.dat
c:\documents and settings\Randy\Application Data\Azureus\active\87BE3D7199AEB997B6981233F62D4A42F847D96D.dat.bak
c:\documents and settings\Randy\Application Data\Azureus\active\8CEC41E67CA7EEFCD0F3ED045385B567F005B612.dat
c:\documents and settings\Randy\Application Data\Azureus\active\8CEC41E67CA7EEFCD0F3ED045385B567F005B612.dat.bak
c:\documents and settings\Randy\Application Data\Azureus\active\8F378674F17272FD4FEE82FBFB6F7306E3BF338B.dat
c:\documents and settings\Randy\Application Data\Azureus\active\8F378674F17272FD4FEE82FBFB6F7306E3BF338B.dat.bak
c:\documents and settings\Randy\Application Data\Azureus\active\92582FD68C1DF3FF580F992AEA6E80D4123BE044.dat
c:\documents and settings\Randy\Application Data\Azureus\active\92582FD68C1DF3FF580F992AEA6E80D4123BE044.dat.bak
c:\documents and settings\Randy\Application Data\Azureus\active\98A4E2625071E8DFB717EC7AE48376A01F96C3C9.dat
c:\documents and settings\Randy\Application Data\Azureus\active\98A4E2625071E8DFB717EC7AE48376A01F96C3C9.dat.bak
c:\documents and settings\Randy\Application Data\Azureus\active\A14B9FF7DF384141BAB6BFE9CF0DF05AEB532B0C.dat
c:\documents and settings\Randy\Application Data\Azureus\active\A14B9FF7DF384141BAB6BFE9CF0DF05AEB532B0C.dat.bak
c:\documents and settings\Randy\Application Data\Azureus\active\cache.dat
c:\documents and settings\Randy\Application Data\Azureus\active\D107C7D42EF9A7EABA221BBE558285387379EA96.dat
c:\documents and settings\Randy\Application Data\Azureus\active\D107C7D42EF9A7EABA221BBE558285387379EA96.dat.bak
c:\documents and settings\Randy\Application Data\Azureus\active\D2D596B08370152C5CAA3F074E5949056C7304CF.dat
c:\documents and settings\Randy\Application Data\Azureus\active\D2D596B08370152C5CAA3F074E5949056C7304CF.dat.bak
c:\documents and settings\Randy\Application Data\Azureus\active\D95873DB722BB5415B81F356EA6E1C7FB5294B43.dat
c:\documents and settings\Randy\Application Data\Azureus\active\D95873DB722BB5415B81F356EA6E1C7FB5294B43.dat.bak
c:\documents and settings\Randy\Application Data\Azureus\active\F4AEF8E7A51D6AE6CAE9844A8B06F8F943DB4D13.dat
c:\documents and settings\Randy\Application Data\Azureus\active\F4AEF8E7A51D6AE6CAE9844A8B06F8F943DB4D13.dat.bak
c:\documents and settings\Randy\Application Data\Azureus\active\F88EC44ABEB94659FEB9BB21FC2AF8F065859C15.dat
c:\documents and settings\Randy\Application Data\Azureus\active\F88EC44ABEB94659FEB9BB21FC2AF8F065859C15.dat.bak
c:\documents and settings\Randy\Application Data\Azureus\azureus.config
c:\documents and settings\Randy\Application Data\Azureus\azureus.config.bak
c:\documents and settings\Randy\Application Data\Azureus\azureus.statistics
c:\documents and settings\Randy\Application Data\Azureus\azureus.statistics.bak
c:\documents and settings\Randy\Application Data\Azureus\banips.config
c:\documents and settings\Randy\Application Data\Azureus\banips.config.bak
c:\documents and settings\Randy\Application Data\Azureus\cnetworks.config
c:\documents and settings\Randy\Application Data\Azureus\devices.config
c:\documents and settings\Randy\Application Data\Azureus\devices.config.bak
c:\documents and settings\Randy\Application Data\Azureus\dht\addresses.dat
c:\documents and settings\Randy\Application Data\Azureus\dht\contacts.dat
c:\documents and settings\Randy\Application Data\Azureus\dht\diverse.dat
c:\documents and settings\Randy\Application Data\Azureus\dht\general.dat
c:\documents and settings\Randy\Application Data\Azureus\dht\version.dat
c:\documents and settings\Randy\Application Data\Azureus\downloads.config
c:\documents and settings\Randy\Application Data\Azureus\downloads.config.bak
c:\documents and settings\Randy\Application Data\Azureus\friends.config
c:\documents and settings\Randy\Application Data\Azureus\friends.config.bak
c:\documents and settings\Randy\Application Data\Azureus\ipfilter.cache
c:\documents and settings\Randy\Application Data\Azureus\logs\alerts_1.log
c:\documents and settings\Randy\Application Data\Azureus\logs\AutoSpeed_1.log
c:\documents and settings\Randy\Application Data\Azureus\logs\AutoSpeed_2.log
c:\documents and settings\Randy\Application Data\Azureus\logs\AutoSpeedSearchHistory_1.log
c:\documents and settings\Randy\Application Data\Azureus\logs\clientid_1.log
c:\documents and settings\Randy\Application Data\Azureus\logs\clientid_2.log
c:\documents and settings\Randy\Application Data\Azureus\logs\CNetworks_1.log
c:\documents and settings\Randy\Application Data\Azureus\logs\debug_1.log
c:\documents and settings\Randy\Application Data\Azureus\logs\debug_2.log
c:\documents and settings\Randy\Application Data\Azureus\logs\Devices_1.log
c:\documents and settings\Randy\Application Data\Azureus\logs\Friends_1.log
c:\documents and settings\Randy\Application Data\Azureus\logs\Friends_2.log
c:\documents and settings\Randy\Application Data\Azureus\logs\MetaSearch_1.log
c:\documents and settings\Randy\Application Data\Azureus\logs\MetaSearch_2.log
c:\documents and settings\Randy\Application Data\Azureus\logs\MetaSearch_Engine_3.txt
c:\documents and settings\Randy\Application Data\Azureus\logs\MetaSearch_Engine_4.txt
c:\documents and settings\Randy\Application Data\Azureus\logs\MetaSearch_Engine_5.txt
c:\documents and settings\Randy\Application Data\Azureus\logs\MetaSearch_Engine_6.txt
c:\documents and settings\Randy\Application Data\Azureus\logs\MetaSearch_Engine_9.txt
c:\documents and settings\Randy\Application Data\Azureus\logs\NetStatus_1.log
c:\documents and settings\Randy\Application Data\Azureus\logs\seltrace_1.log
c:\documents and settings\Randy\Application Data\Azureus\logs\seltrace_2.log
c:\documents and settings\Randy\Application Data\Azureus\logs\SpeedMan_1.log
c:\documents and settings\Randy\Application Data\Azureus\logs\SpeedMan_2.log
c:\documents and settings\Randy\Application Data\Azureus\logs\Subscriptions_1.log
c:\documents and settings\Randy\Application Data\Azureus\logs\Subscriptions_2.log
c:\documents and settings\Randy\Application Data\Azureus\logs\thread_1.log
c:\documents and settings\Randy\Application Data\Azureus\logs\thread_2.log
c:\documents and settings\Randy\Application Data\Azureus\logs\v3.ads_1.log
c:\documents and settings\Randy\Application Data\Azureus\logs\v3.CMsgr_1.log
c:\documents and settings\Randy\Application Data\Azureus\logs\v3.CMsgr_2.log
c:\documents and settings\Randy\Application Data\Azureus\logs\v3.emp_1.log
c:\documents and settings\Randy\Application Data\Azureus\logs\v3.emp_2.log
c:\documents and settings\Randy\Application Data\Azureus\logs\v3.Friends_1.log
c:\documents and settings\Randy\Application Data\Azureus\logs\v3.Friends_2.log
c:\documents and settings\Randy\Application Data\Azureus\logs\v3.MD_1.log
c:\documents and settings\Randy\Application Data\Azureus\logs\v3.PMsgr_1.log
c:\documents and settings\Randy\Application Data\Azureus\logs\v3.PMsgr_2.log
c:\documents and settings\Randy\Application Data\Azureus\logs\v3.Stream_1.log
c:\documents and settings\Randy\Application Data\Azureus\logs\WP_xsearch_1.log
c:\documents and settings\Randy\Application Data\Azureus\metasearch.config
c:\documents and settings\Randy\Application Data\Azureus\metasearch.config.bak
c:\documents and settings\Randy\Application Data\Azureus\net\pm_852.dat
c:\documents and settings\Randy\Application Data\Azureus\net\pm_default.dat
c:\documents and settings\Randy\Application Data\Azureus\plugins\azump\azump_1.2.jar
c:\documents and settings\Randy\Application Data\Azureus\plugins\azump\azump_1.2.zip
c:\documents and settings\Randy\Application Data\Azureus\plugins\azump\azump_1.3.jar
c:\documents and settings\Randy\Application Data\Azureus\plugins\azump\azump_1.3.zip
c:\documents and settings\Randy\Application Data\Azureus\plugins\azump\mplayer.exe
c:\documents and settings\Randy\Application Data\Azureus\plugins\azump\mplayer.exe.bak
c:\documents and settings\Randy\Application Data\Azureus\plugins\azump\mplayer\config
c:\documents and settings\Randy\Application Data\Azureus\plugins\azupnpav\cd.dat
c:\documents and settings\Randy\Application Data\Azureus\sidebarauto.config
c:\documents and settings\Randy\Application Data\Azureus\sidebarauto.config.bak
c:\documents and settings\Randy\Application Data\Azureus\subs\00C60E73A94959D3C5D4.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\01D7FB72F0883670E7C6.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\01FE0E4954FEEB299706.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\020DB5D26F41DB7F4F70.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\022D7B322120A7C4689F.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\0273424FB60BDF21387A.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\02C7804F2ABBB5517EE0.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\0329DAFBA148221A022D.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\03D2C3D8FA017B2E46B5.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\042FBE4AAC5ECAD2A20C.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\047969C2F30A401262F9.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\049E5BDB116D6C3C0840.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\04A06217927C5E486F5A.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\04AAB51722762F815231.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\05ABE798CDC3C380647B.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\06752EC3BAA2C28BAD58.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\079309D716EBB036BF0E.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\08619712FF8B017738DB.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\088F3BEA4F43F57B87DD.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\092FF182DC8E6E3329C2.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\09A4EF071DB008D2F8DB.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\09B584381E122A0F9A8F.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\0B335774B15DCD131FB0.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\0C867F67DE3EF2F54ECA.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\0D079DFE8F2A57873067.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\0EB594415AC9798BD99D.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\0F193C9F601B15C4EFFE.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\0FE2857420B40A53BB77.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\102FBCB85B3D2924EF7E.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\110BDC74C3FD504AB9F1.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\120A95561B31F4CF46EE.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\12533BF9649105ABA27A.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\12EB691EA1FE313441A3.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\1373114CD8AB18064477.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\139A8300ABC5040DC23A.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\13CCCA643B4D4185F7D8.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\143BF79E58920F51E644.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\1570804F6146E4886B0D.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\1588D0048D6B7DD79B1B.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\15A68CF4DAD5E4776C6A.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\16AE3511C3AA70157546.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\179A1B1052710806A964.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\186D0E57232DEE8DC2FD.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\18BDE0FFAED090440F58.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\19D197C718E86D5B1B15.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\19E94E9B501CB8B21D6F.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\1AC609388358758C741B.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\1B75D45B5492385B29F1.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\1BC08A46252C513885B6.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\20234D4EFE994A01337D.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\205CEDDD9891E1423B83.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\208AA03209FE7B12D93B.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\21041CE588F62F2367D9.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\21097717FF5F0D5F5CB5.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\21B6F154E1FA75E4DF0A.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\2200D27DC7DB3FD2C21D.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\220F1CEB5FE7C23C3D0F.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\22487DA0738B999AA78E.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\22DF38C22CFDAAC543FA.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\23341E3BE889BCAC318D.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\23A559C2098EDE12BB35.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\23C07FC046663EDB38E5.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\23D8B67F2D18772D41FE.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\24916A26657351AD0B01.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\24EE09357166B5AEF35D.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\250880C21E662B1968A9.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\253875355A4DEF3FD906.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\25F048924054A1C79872.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\26C8F621C3E491D0CB7D.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\285774D716FC0051185D.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\28CF14B604BFE173EEFF.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\2908A79FE59C831AEE19.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\2A233C727E6172C57301.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\2A885A399A8D1AB2C78A.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\2B236964F01FC51307D1.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\2DD34BCB85CDDCB979F0.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\2F121CE5351CB0F26EA2.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\2F958A7A3C7B19922A3E.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\2FC177173244776D208D.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\30898224E78681FD106E.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\311E10B6B4C70297181A.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\312FF702C3CDE3565FB4.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\327F4762CCB7C9C5102D.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\32D1BDF377F73465E5C6.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\3348A70059736758E70F.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\3376CE3BEAE9C1B59302.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\3899974FA488B341844A.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\38D5182D71F34F8B96FF.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\38E357A4970DAB48EF67.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\38F14939A1ADE522383C.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\3972B11D11796FDC60AA.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\397BF49A357E17BE0AE2.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\39D66249EB7D8CD89041.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\3A6BA92EC4131C50047F.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\3A81D718BEA702F0FF22.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\3C11AAB9ED7A54F9334F.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\3C1C33756A83CC05D595.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\3C752F0CC45446C66D5A.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\3CE1DE1CE7E9DE480F06.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\3E1E3C16D075895286EC.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\3E4AA2BC5D36DFA06603.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\3FF7396A3EDA6F0469FD.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\400B09C6BFC041C77125.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\400E3CE19FBA5AB990A7.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\4011F79CB87A022E2DF1.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\402E169FCE43E348FC5C.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\40AF6EDF215E5445A951.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\4119474A22C76397240E.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\41B5BA8E964DADE2D58B.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\420FE0D3E7B430F9D68D.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\428870FB845DFB86BDFF.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\439E8C2D3CEAD6682EAB.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\445FC91CE26750C88C1F.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\44ED8CF4605744CBB7E5.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\46AE990B53E8D00D2028.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\4757DBA171EB6FD80AC7.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\475A6FF4074864929368.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\47B6C9B058D0AB3DE916.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\47D01B51E6FACC969E1D.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\481C7B142EBA8C9090C0.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\488205C7691AFEABA1D4.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\489376B10B9949867B96.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\48CB5CFEB578B72349B6.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\49763EDAD2EA61A7A26B.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\4B30D871825830634EA0.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\4B454A0012C0506BAAC3.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\4CD6D96573CE7093FB98.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\4CE1D58CBB25E9069A68.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\4D08513FB5578C4BAD70.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\4D8576683B91DB3DF2E1.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\4D8F314B44E7274DC3F9.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\4DF12F5FC58F16214140.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\4E52720D295BF1A3277A.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\4E88AE04D5626C3C9BB4.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\4F2AA8C2D919E9835A62.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\4F3F92E98BE8E4C00295.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\4FE8C4FA62D410DF299F.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\5006C76DD2492CFB2617.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\508DE7D270983F7A2458.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\50EB1E95A1DA29055B81.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\51A8F55AEF05B3317433.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\524E65016F481500FAFC.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\52C6D09A02BBB590C252.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\52D303ECE26BC1B69B63.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\52FED2229F474AED166F.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\54004C0B7ADCCE4069C9.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\547F3E44588AC640951F.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\55FCCD37E0963B3733FF.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\56F6C7C1E285BA7BA015.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\57E2BE39D25FE36CC254.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\580197E6E223B7A1880F.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\581765478D3517627C73.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\5878E830E0EF9F3C85FE.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\590CEF409E3D6382A5DF.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\5921A7EDD0414D667279.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\593A7F149F431FC3864F.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\59A6E5D794A9DFCD6CDF.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\5A4946D476CB61EF9301.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\5AD579BA3D2535C45939.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\5CBA0BA6AAA42E09B126.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\5D068537484E4A09C773.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\5D5273D7B1D9FC6F5DB0.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\5E254B48215C8ABCEF2C.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\5F14FDA716FC44ACF5BA.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\5F4872803369DD6A40FC.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\5F49A60E23CC43C85151.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\5F50FAED00365D35ED63.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\5F5F8F085B177B805385.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\62EE46E553E63D4B2BE0.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\62FE6A1CAD12849F5889.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\632A20E73961F1C133F2.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\63E8731E43778B2A9021.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\64D5DAF6140584F868DA.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\652295769F010C05B030.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\65387BEC7987671BE61A.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\659E360DA4C7A78064E4.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\65CE3C46ACE1B29F7AF8.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\66A311BA1CCDB68A008A.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\66E0B910104B377EF066.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\672A4A23AA2C3FA811E7.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\67412B8D680C449AA183.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\6824755C86CF5244EBB4.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\68461FFBE2AB011691AE.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\687B5D8D87F188977E5D.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\68C904C0D6B912012667.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\69A0AED74E86B87A51C8.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\6B1F53039DA74CFAB2E2.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\6B71330FA1EC33AEC7F0.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\6CE4CD4B41EB765CCBCF.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\6DC923D86BDF474F5654.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\6E343DEAF18CF9921DC2.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\6F30D9DE4175284D0FED.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\700728EBC484EA3BB411.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\70568375D069D9506E60.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\7076DB20A5F225DDB82C.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\708C5D9333EC9E54E297.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\7177DCE13730FAABA944.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\722FEC9BA057A883FE52.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\723BA36259640B96B9B3.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\733A09C3D19D781EA663.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\73B8B5989519443D9292.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\743517466E51A760F1BF.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\7472680B49ACBCFA19D9.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\74F7267F1BCBC66CB79C.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\757A05C4CE7B06DB956B.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\75E26922E1B9B3AF7A1C.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\75E7C685442E0B9CF0A2.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\773DE54D6730F1BBBC4C.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\796249FB72C45E9FD9CB.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\79CD6938A1F7B17750F3.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\79D0146B15851A703E92.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\79D82923B992917F8430.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\79E766BACEC15D14BEA9.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\7A8C7430204C090C0816.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\7B6AB623442B76B6E133.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\7C3AC4FB12A85578FCB4.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\7C4691F85F418211CE89.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\7D59D3C34746C573AD67.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\7EB198584F3721914E9D.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\7EFA9C86225EF600EF1D.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\7FC33959E026951B4B1E.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\8058D6BCE902E9F794DE.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\812AAEB6926EE6D8B63D.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\829E59C40EFFE22EB406.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\831554DFAF70469BC76A.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\836C1A4881FE25A1201F.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\83E942CD74E5F15FE40A.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\83F9D7CFBA5E7496ACC5.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\853F48E435813E211432.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\85CC0526E5089ABC68DA.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\862ED94A0D650F0528FB.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\87E23B1872099785E348.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\88CCD0CE8AC46B680007.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\88E0659ED27843F8EA85.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\8952161FDC9064232783.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\8A8138032CEB4BAFDDBC.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\8B2D8F01655F4948C421.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\8B9A427971C2CE1EADDB.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\8D4D7A716C06C0215F0B.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\8DE6E5753F5ADF094F49.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\8E2B614F13973CA024C4.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\8F99CBA67E6A5F57CCAF.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\90798C7589A6EE060C53.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\909DA4CC561DFEEEA518.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\9198973B650EF010651B.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\9254940660E4E3494FFF.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\933C7EB38EC088364F0C.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\93B716386602D52C6EB7.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\95B34C1A1F40931D0972.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\96A8F3C8D6CBF1E8659A.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\977B3EA04CF30CDAADA0.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\97CA929FC76389BAC85E.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\98CEE3C54F5899C25DE3.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\9978D9332B097FD79BAA.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\9AD4168D87927778D6A1.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\9AEFCE7D60200136FF79.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\9B500F771BCE0E4B3021.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\9BC7C6C163A35FCECA22.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\9CD09673AB58EFA6A36E.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\9CDF05AF3B141145BD88.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\9D6677453567866C1BC9.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\9EBC0C6AF34E6ADE1684.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\A00350D45037D65DACA7.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\A29966E02733D9A9C3FA.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\A36AB2DCB4226BA0F649.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\A3E9EADE61318A110EE8.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\A6875C9905F5F324D605.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\A6B6B26EC433E9330442.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\A6FB3E3A502BF7E49CF5.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\A7B3C0AD56D06FA13165.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\A844F2F2284053EAD65A.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\A8C1F452C6DA7C51AA2B.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\A8C7FD175D58CF5E22ED.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\A94855252BC828596530.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\AA18A55630A89D766D85.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\AAC530BEEC76AA276E5C.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\AB4948B77D9DC5F80176.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\AD055F12654655C70A4D.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\AD24B5020C5322BEBDAD.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\AD34C2DA25EC163D1AFB.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\AE238A40E189FF666A5E.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\AE9CAAE06B83CBA73D7F.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\AF734186BA1B192A332E.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\AF7E8AAAACB3566A137E.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\B06D3EA2370C8CFCD14A.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\B105F2C8E758059AFF41.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\B139A37975BDBF3F07E5.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\B1484E5B01F70706D7A3.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\B2195A8B3CCD8864E771.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\B23FF1607C78876627F3.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\B24CA87F32C5C5D1D013.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\B29BD07C692B8CD27FE1.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\B54C6D92E721AE1439E6.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\B57DFD9A055D02BA9CAC.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\B5A81529F8BA072CAAD2.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\B6A8A5DC007469B73D47.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\B6CEB5BFFDDC613A43FA.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\B78B1B29F88C53F2BC87.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\B7DBB427AF1E5D29B174.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\B838F5D871039A5EF5B3.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\B921F0EC124A0E21506A.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\B94A1B43BE1B40A3AF0F.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\B9F9824CB0A991DE3AC4.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\BAD9AC808DA5DC699651.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\BBA708018991E48BD0CC.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\BBEE590CA47713320490.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\BC77E7E9A1A00BFA23E9.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\BE5A8003C23B3B3CD271.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\BF438D19192180BC3D4D.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\C01364D470924F796460.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\C117D1D4B77025F89B60.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\C148D2585F9821F8983B.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\C1A9F200147EAE6DB839.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\C1BF09937AAE971DD0D6.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\C200D642D3CEC46C704F.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\C3BB97DB488C5BA9F6B1.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\C5F15868F395BC4F2425.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\C666339469E562BC4B94.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\C6CF5B82995260E98360.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\C72B65EE9283EBBD372E.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\C868FF325124E3D0D58F.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\C960662B40D5D900D2C9.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\C990C25FB60AF4EA8B76.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\CBBF65A388C0DCEC827C.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\CD49449BCD9A8C1C0F88.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\CDA98B2488EEF66B2033.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\CE275B7D9043458D6329.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\CE7DBE843CC16559F02C.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\D119896F97F07F1836E9.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\D123086F202451E6921F.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\D15C2BE2497D47C38215.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\D2883BE7F177D7FE4E25.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\D3745008F782C9CB4883.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\D39695503C9613A40A8F.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\D44784B7433BB66BE6CB.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\D4CD938FF664DA008C12.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\D4E73C242489EBACA1F5.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\D54CE6A906D757426A02.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\D7D8B3A047B62BC2C10B.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\D8BC8E0CDB0CE3CED27A.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\DB0A2E93BF872231ABAA.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\DB0A6203CC830E7FFBC5.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\DB3CCAB55CB0A9CD0FA6.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\DB8EBA0A8243FAC1DD16.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\DBE52F089C3FF809050C.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\DBF3E5CA57D2C6174DE0.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\DCD20AB6684A16AA1475.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\E1489C562D865C7951F6.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\E2581199D77C0782080A.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\E2EA3C29770B1D9EB098.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\E2F3D368F2164BB25AD5.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\E3FAFADD4E7B350EBFCD.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\E45EC07471F6EC578813.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\E654210DFE7D28A37541.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\E6925ADD353B0CC4752A.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\E6A810C0D7599C2A37F4.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\E6AC5022A8D2E871D934.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\E6AEACFA5544EAB6E688.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\E7005511ADFB5A2ED37E.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\E7416063544DA1B70CDD.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\E7FC562D771FD2FAE674.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\E8CB9DDFE8782A1715B2.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\E9E217C612244BB30A07.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\EB6ADF4BE038D291FE2D.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\EB6C4BB847ABD88153F4.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\EEC6ABCF4F1AF1D68F81.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\EFBCFDD325EF447273DC.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\EFD42DBF2687E5E4BCCA.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\F08604206FD68C1AB3C8.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\F0C718FCBD0D60570C18.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\F139789903AEA233F570.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\F1AD24883F68DA52ED5E.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\F301B6CCC4BE4765D49E.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\F6F1B71ECE6411E36FDA.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\F7486CB941CD72221E5B.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\F75304C309A19E03547C.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\F79A95D8437CEAFDD4BA.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\F7C08964DAE0F6246322.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\F7FC51D6B59874BB8BA3.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\F830E53E8621D6E40594.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\F8F138C320B80291DD87.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\F99403B37A6329A411C3.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\FB35CB1F287DED759C1A.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\FB842F38FBD17B46F780.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\FB99F6440B470722C73C.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\FC3A8DCD49B069BC8D8F.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\FC94B0B0066179D5D586.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\FD529B1C9ACF2A18DF30.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\FD57795E1E531E7A63E8.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\FDA6C9DF3B7E1F2FABB6.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\FE0F06C0AB30D1A86A39.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\FF35C2C43AD22E5C501A.vuze
c:\documents and settings\Randy\Application Data\Azureus\subs\FFA35F49772ACAC6B10B.vuze
c:\documents and settings\Randy\Application Data\Azureus\subscriptions.config
c:\documents and settings\Randy\Application Data\Azureus\subscriptions.config.bak
c:\documents and settings\Randy\Application Data\Azureus\tables.config
c:\documents and settings\Randy\Application Data\Azureus\tables.config.bak
c:\documents and settings\Randy\Application Data\Azureus\timingstats.dat
c:\documents and settings\Randy\Application Data\Azureus\tmp\AZU60864.tmp
c:\documents and settings\Randy\Application Data\Azureus\tmp\AZU60865.tmp
c:\documents and settings\Randy\Application Data\Azureus\tmp\AZU60866.tmp
c:\documents and settings\Randy\Application Data\Azureus\tmp\AZU60867.tmp
c:\documents and settings\Randy\Application Data\Azureus\tmp\AZU60868.tmp
c:\documents and settings\Randy\Application Data\Azureus\tmp\AZU60869.tmp
c:\documents and settings\Randy\Application Data\Azureus\tmp\AZU60870.tmp
c:\documents and settings\Randy\Application Data\Azureus\tmp\AZU60871.tmp
c:\documents and settings\Randy\Application Data\Azureus\tmp\AZU60872.tmp
c:\documents and settings\Randy\Application Data\Azureus\tmp\AZU60873.tmp
c:\documents and settings\Randy\Application Data\Azureus\tmp\AZU60874.tmp
c:\documents and settings\Randy\Application Data\Azureus\tracker.config
c:\documents and settings\Randy\Application Data\Azureus\tracker.config.bak
c:\documents and settings\Randy\Application Data\Azureus\unsentdata.config
c:\documents and settings\Randy\Application Data\Azureus\unsentdata.config.bak
c:\documents and settings\Randy\Application Data\Azureus\update.log
c:\documents and settings\Randy\Application Data\Azureus\update.properties
c:\documents and settings\Randy\Application Data\Azureus\v3.Friends.dat
c:\documents and settings\Randy\Application Data\Azureus\v3.Friends.dat.bak
c:\documents and settings\Randy\Application Data\Azureus\VuzeActivities.config
c:\documents and settings\Randy\Application Data\Azureus\VuzeActivities.config.bak
c:\program files\Azureus
c:\program files\Azureus\plugins\azemp\azemp_2.0.16.jar
c:\program files\Azureus\plugins\azemp\azemp_2.0.16.zip
c:\program files\Azureus\plugins\azemp\azemp_2.0.28.jar
c:\program files\Azureus\plugins\azemp\azemp_2.0.28.zip
c:\program files\Azureus\plugins\azemp\azemp_2.0.30.jar
c:\program files\Azureus\plugins\azemp\azemp_2.0.30.zip
c:\program files\Azureus\plugins\azemp\azemp_2.0.32.jar
c:\program files\Azureus\plugins\azemp\azemp_2.0.32.zip
c:\program files\Azureus\plugins\azemp\azemp_2.0.34.jar
c:\program files\Azureus\plugins\azemp\azemp_2.0.34.zip
c:\program files\Azureus\plugins\azemp\azemp_2.1.02.jar
c:\program files\Azureus\plugins\azemp\azemp_2.1.02.zip
c:\program files\Azureus\plugins\azemp\azmplay.exe.bak
c:\program files\Azureus\plugins\azemp\cp1250-a.raw.bak
c:\program files\Azureus\plugins\azemp\cp1250-b.raw.bak
c:\program files\Azureus\plugins\azemp\font.desc.bak
c:\program files\Azureus\plugins\azemp\mplayer\config
c:\program files\Azureus\plugins\azemp\osd-mplayer-a.raw.bak
c:\program files\Azureus\plugins\azemp\osd-mplayer-b.raw.bak
c:\program files\Azureus\plugins\azemp\plugin.properties_2.0.16
c:\program files\Azureus\plugins\azemp\plugin.properties_2.0.28
c:\program files\Azureus\plugins\azemp\plugin.properties_2.0.30
c:\program files\Azureus\plugins\azemp\plugin.properties_2.0.32
c:\program files\Azureus\plugins\azemp\plugin.properties_2.0.34
c:\program files\Azureus\plugins\azemp\plugin.properties_2.1.02
c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.17.jar
c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.17.zip
c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.2.jar
c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.2.zip
c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.5.jar
c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.5.zip
c:\program files\Azureus\plugins\azupnpav\plugin.properties_0.2.17
c:\program files\Azureus\plugins\azupnpav\plugin.properties_0.2.2
c:\program files\Azureus\plugins\azupnpav\plugin.properties_0.2.5
c:\windows\10945wzrm534.dll
c:\windows\11996not-5-viruz956.exe
c:\windows\11z59wor95e5.bin
c:\windows\147fadd5aze9489.ocx
c:\windows\15308not-a9vzrusfd.ocx
c:\windows\15531troj593z.exe
c:\windows\15902not-a-zir9s457.dll
c:\windows\16884zor9525.exe
c:\windows\17z625irus6f29.bin
c:\windows\185939ozm149.ocx
c:\windows\18907vizu51c8.dll
c:\windows\18zethi5f1959.bin
c:\windows\1916st5al185z.ocx
c:\windows\192b5ozn9oader2873.bin
c:\windows\19558zr9j7a9.cpl
c:\windows\19959hacktozl4da.ocx
c:\windows\1b5z59r2854.cpl
c:\windows\1c5bdownloa9ez2459.exe
c:\windows\1ez2thre9t186005.ocx
c:\windows\1z518hack59ol507.exe
c:\windows\217zv59.cpl
c:\windows\25579vi9us2a1z.dll
c:\windows\28z47t95j3f9.dll
c:\windows\29c3t5ief1477z.bin
c:\windows\2b35viz1998.dll
c:\windows\3095addware18z0.bin
c:\windows\3210nzt-a-virus2b95.ocx
c:\windows\32631spam5o96z6.ocx
c:\windows\33f1vi527z09.bin
c:\windows\3548t5ief9z93.ocx
c:\windows\365ddware12z59.cpl
c:\windows\39c7sp5ware15z9.dll
c:\windows\3z9faddwar53239.exe
c:\windows\4755z9yware3156.bin
c:\windows\4969zpywar5987.exe
c:\windows\4b91spywa5e1z04.dll
c:\windows\4faebaz9door1528.bin
c:\windows\4zc95ir25559.bin
c:\windows\4zf5vir4049.dll
c:\windows\50z95parse2009.exe
c:\windows\51d95ir243z.dll
c:\windows\52b9addw5ze3085.bin
c:\windows\52zdspyw5re2798.cpl
c:\windows\53a9ste5l2z799.cpl
c:\windows\542z9ddware2258.exe
c:\windows\5497wz9m1b1.cpl
c:\windows\5518zn9t-a-virus725.bin
c:\windows\569fzir16.cpl
c:\windows\592adoz9lo5der2469.dll
c:\windows\592hacktzol15e.cpl
c:\windows\5b99zparse1441.ocx
c:\windows\5d3t9ief780z.exe
c:\windows\5e5backdoo91667z.ocx
c:\windows\5fa6spywar92z68.ocx
c:\windows\68025pzrs91480.dll
c:\windows\70e5downloa9e52z56.bin
c:\windows\74f7a9dwar52635z.bin
c:\windows\7565vir3259z.dll
c:\windows\75c6tzre599482.bin
c:\windows\75z1spy479.ocx
c:\windows\77dfsp9wa5z256.cpl
c:\windows\77z4t5oj6749.ocx
c:\windows\794ddown5o9dzr864.cpl
c:\windows\7d41addwar5z359.dll
c:\windows\7ez6sp9ware5474.ocx
c:\windows\8923v5rus6az.cpl
c:\windows\94744hacztool2a85.dll
c:\windows\965zstea51603.cpl
c:\windows\98509spamz5t182.bin
c:\windows\9965hzc5tool7dd.bin
c:\windows\9eathizf13805.dll
c:\windows\9f9tzie51126.ocx
c:\windows\system32\1069s5arsz23289.cpl
c:\windows\system32\164115pyza9.bin
c:\windows\system32\17b3vir5z099.exe
c:\windows\system32\19676vi9zs85.exe
c:\windows\system32\197319ro55bz.ocx
c:\windows\system32\1a9z9pyw5re1580.exe
c:\windows\system32\1aa2sp5rse9z7.ocx
c:\windows\system32\1f9baddwzre858.exe
c:\windows\system32\2055zackdoor17295.bin
c:\windows\system32\22457spz9bot2fb5.bin
c:\windows\system32\2279vi5us52cz.ocx
c:\windows\system32\23175ha9ztool419.bin
c:\windows\system32\235spywzre9235.dll
c:\windows\system32\243zst5al6429.dll
c:\windows\system32\24895viru56z39.dll
c:\windows\system32\25089spyz22.dll
c:\windows\system32\2612vz5us6399.cpl
c:\windows\system32\26141tr9jz25.bin
c:\windows\system32\2619down5zader2478.exe
c:\windows\system32\27c5b9zkdoor3267.ocx
c:\windows\system32\28488worm599z.exe
c:\windows\system32\29004zot-9-v5rus52e.exe
c:\windows\system32\298235zrm3599.dll
c:\windows\system32\29991spy2z5.ocx
c:\windows\system32\29zfvir1155.exe
c:\windows\system32\2ee9zi52009.ocx
c:\windows\system32\2f9ev59120z.bin
c:\windows\system32\3034znot-a-viru94b5.exe
c:\windows\system32\320z6h5cktoo996.dll
c:\windows\system32\35390not-a-vzrus599.ocx
c:\windows\system32\355zbackdoor2959.bin
c:\windows\system32\35c89ir64z.bin
c:\windows\system32\3719a5dwaze1401.bin
c:\windows\system32\37zvir58329.ocx
c:\windows\system32\3b95spyzare2328.exe
c:\windows\system32\3e7szar951778.ocx
c:\windows\system32\40zcadd95re2008.dll
c:\windows\system32\45f9dzwnl5ade91867.bin
c:\windows\system32\4a25bzckdoo593.exe
c:\windows\system32\4a29dowzload591037.ocx
c:\windows\system32\4f555te9lz242.exe
c:\windows\system32\5177virus9z.bin
c:\windows\system32\56zirus59.cpl
c:\windows\system32\5889downloader3136z.bin
c:\windows\system32\5992s5y5ze.ocx
c:\windows\system32\5c519teal3z3.bin
c:\windows\system32\5de9spywarez3245.dll
c:\windows\system32\5z592worm29d.bin
c:\windows\system32\62z9tro9795.bin
c:\windows\system32\6525threzt29995.exe
c:\windows\system32\657azhreat65999.bin
c:\windows\system32\65e2sza9se1384.exe
c:\windows\system32\6c9bba9k5oor213z.ocx
c:\windows\system32\6ed35iz6909.dll
c:\windows\system32\6z6f5hreat99877.dll
c:\windows\system32\71z9v5rus469.exe
c:\windows\system32\731azown9oa5er2599.bin
c:\windows\system32\735dba9kdoor10z3.dll
c:\windows\system32\795cbackdoorz701.ocx
c:\windows\system32\7cbz5py9are3112.bin
c:\windows\system32\7ed5t5re9t27z58.dll
c:\windows\system32\7z95steal38.bin
c:\windows\system32\94a5zddware609.bin
c:\windows\system32\98585wormz2.ocx
c:\windows\system32\9995sp519z.cpl
c:\windows\system32\9b8espyware6z5.exe
c:\windows\system32\9z9fs5arse880.exe
c:\windows\system32\e529hief31z0.dll
c:\windows\system32\z075ha9k5ool65f.exe
c:\windows\system32\z4995troj321.bin
c:\windows\system32\z9296spy656.exe
c:\windows\z2900vi5us59f.bin
c:\windows\z3a05parse961.exe
c:\windows\z4659ac5door1027.ocx
c:\windows\z57949orm5.bin
c:\windows\z7557sp93fc.bin
c:\windows\z879sp5473.cpl
c:\windows\zc90thre5t169179.bin

.
((((((((((((((((((((((((( Files Created from 2009-03-21 to 2009-04-21 )))))))))))))))))))))))))))))))
.

2009-08-02 03:13 . 2009-08-02 03:13 11260 ----a-w c:\windows\system32\50zspambot98d.exe
2009-07-28 21:40 . 2009-07-28 21:40 7276 ----a-w c:\windows\system32\6c3zspy9are5315.bin
2009-07-28 14:01 . 2009-07-28 14:01 8457 ----a-w c:\windows\7z50troj984.ocx
2009-07-26 08:56 . 2009-07-26 08:56 16823 ----a-w c:\windows\97540hazk5ool568.dll
2009-07-25 11:40 . 2009-07-25 11:40 9564 ----a-w c:\windows\system32\2545spam9zt55f.ocx
2009-07-20 09:42 . 2009-07-20 09:42 16379 ----a-w c:\windows\system32\5edddownload9r29z.bin
2009-07-19 14:04 . 2009-07-19 14:04 10000 ----a-w c:\windows\system32\56f9thr5at8579z.dll
2009-07-19 10:34 . 2009-07-19 10:34 8348 ----a-w c:\windows\system32\2955stealz066.ocx
2009-07-18 22:14 . 2009-07-18 22:14 16936 ----a-w c:\windows\system32\452fthie91z49.bin
2009-07-18 08:38 . 2009-07-18 08:38 7713 ----a-w c:\windows\system32\z34fbackdo5r11159.exe
2009-07-17 20:13 . 2009-07-17 20:13 8288 ----a-w c:\windows\4f7zspars510189.cpl
2009-07-17 14:34 . 2009-07-17 14:34 13330 ----a-w c:\windows\5d9aspy9arez504.cpl
2009-07-15 07:41 . 2009-07-15 07:41 12928 ----a-w c:\windows\system32\6b9fthrez598953.bin
2009-07-13 06:09 . 2009-07-13 06:09 16467 ----a-w c:\windows\system32\11fvz52952.cpl
2009-07-12 19:17 . 2009-07-12 19:17 11672 ----a-w c:\windows\8z27s5ambot239.cpl
2009-07-12 01:38 . 2009-07-12 01:38 8955 ----a-w c:\windows\7555steaz199.cpl
2009-07-10 13:49 . 2009-07-10 13:49 9358 ----a-w c:\windows\310csz59are1284.ocx
2009-07-09 22:09 . 2009-07-09 22:09 11165 ----a-w c:\windows\5b265ir96z.bin
2009-07-07 09:53 . 2009-07-07 09:53 10789 ----a-w c:\windows\71c8zhre9516513.dll
2009-07-06 19:47 . 2009-07-06 19:47 13188 ----a-w c:\windows\25939troj55z.cpl
2009-07-05 00:25 . 2009-07-05 00:25 7371 ----a-w c:\windows\system32\552spazbot449.dll
2009-07-03 22:11 . 2009-07-03 22:11 11235 ----a-w c:\windows\system32\4559dwarz988.bin
2009-07-02 14:25 . 2009-07-02 14:25 11020 ----a-w c:\windows\system32\14758spamb9z285.cpl
2009-07-02 02:03 . 2009-07-02 02:03 9892 ----a-w c:\windows\5e70spy9arz465.bin
2009-07-01 16:53 . 2009-07-01 16:53 16525 ----a-w c:\windows\system32\96c9tzief509.bin
2009-06-28 00:24 . 2009-06-28 00:24 17632 ----a-w c:\windows\z5591spy59e.cpl
2009-06-26 16:51 . 2009-06-26 16:51 9166 ----a-w c:\windows\system32\6fa5viz10209.cpl
2009-06-24 19:04 . 2009-06-24 19:04 11229 ----a-w c:\windows\29z96hacktool559.exe
2009-06-24 15:42 . 2009-06-24 15:42 9701 ----a-w c:\windows\25zd9hief1505.ocx
2009-06-23 14:23 . 2009-06-23 14:23 3441 ----a-w c:\windows\3705bac9door1z11.cpl
2009-06-22 01:47 . 2009-06-22 01:47 16043 ----a-w c:\windows\29999worm2bz5.dll
2009-06-21 05:15 . 2009-06-21 05:15 2825 ----a-w c:\windows\2z77spambot95.cpl
2009-06-20 13:51 . 2009-06-20 13:51 10052 ----a-w c:\windows\85399ormz785.exe
2009-06-19 19:08 . 2009-06-19 19:08 9281 ----a-w c:\windows\29175sp9mbot1z3.cpl
2009-06-16 09:55 . 2009-06-16 09:55 8815 ----a-w c:\windows\3150not-a-vir9sz5f.ocx
2009-06-15 23:37 . 2009-06-15 23:37 6418 ----a-w c:\windows\55ba5h9ef1933z.bin
2009-06-15 10:53 . 2009-06-15 10:53 2619 ----a-w c:\windows\52d6threaz94586.bin
2009-06-13 20:39 . 2009-06-13 20:39 6152 ----a-w c:\windows\z15cvir9181.cpl
2009-06-12 23:20 . 2009-06-12 23:20 13225 ----a-w c:\windows\12952h5cktool74ez.exe
2009-06-11 13:25 . 2009-06-11 13:25 4886 ----a-w c:\windows\85765ack9ool2z2.dll
2009-06-11 09:28 . 2009-06-11 09:28 10724 ----a-w c:\windows\system32\28157sp5m9ot4z0.dll
2009-06-10 16:24 . 2009-06-10 16:24 6236 ----a-w c:\windows\system32\16z85vi9us5b0.dll
2009-06-08 21:28 . 2009-06-08 21:28 5970 ----a-w c:\windows\14dzdownload9r9875.cpl
2009-06-08 13:34 . 2009-06-08 13:34 13242 ----a-w c:\windows\3059troz568.dll
2009-06-08 12:55 . 2009-06-08 12:55 16872 ----a-w c:\windows\757395zmbot190.cpl
2009-06-08 01:05 . 2009-06-08 01:05 5493 ----a-w c:\windows\5e7bzckd9or1088.ocx
2009-06-07 14:22 . 2009-06-07 14:22 9425 ----a-w c:\windows\59c8virz56.exe
2009-06-06 21:15 . 2009-06-06 21:15 5303 ----a-w c:\windows\47z1hac5tool5c09.ocx
2009-06-05 22:59 . 2009-06-05 22:59 15875 ----a-w c:\windows\14608hz9k5ool5b5.bin
2009-06-04 16:44 . 2009-06-04 16:44 9683 ----a-w c:\windows\system32\2297zvi95s260.bin
2009-06-04 03:59 . 2009-06-04 03:59 8651 ----a-w c:\windows\50739zacktoo92d8.cpl
2009-06-03 11:53 . 2009-06-03 11:53 7625 ----a-w c:\windows\system32\3e69do9nloade555z.exe
2009-06-02 22:10 . 2009-06-02 22:10 8978 ----a-w c:\windows\system32\15596sp5mbo9ze2.exe
2009-06-01 05:15 . 2009-06-01 05:15 17084 ----a-w c:\windows\29257spazbot132.bin
2009-05-28 15:44 . 2009-05-28 15:44 10464 ----a-w c:\windows\183bzhrea522439.cpl
2009-05-27 17:14 . 2009-05-27 17:14 3384 ----a-w c:\windows\19240vi5usz80.exe
2009-05-26 19:20 . 2009-05-26 19:20 12710 ----a-w c:\windows\69229zy45a.exe
2009-05-25 22:53 . 2009-05-25 22:53 17707 ----a-w c:\windows\511aspyzare792.ocx
2009-05-24 05:27 . 2009-05-24 05:27 6706 ----a-w c:\windows\ze59backdoo915235.exe
2009-05-21 06:40 . 2009-05-21 06:40 4400 ----a-w c:\windows\system32\1d88threatz5795.dll
2009-05-20 08:05 . 2009-05-20 08:05 2831 ----a-w c:\windows\3z3bspy5a9e322.dll
2009-05-18 19:01 . 2009-05-18 19:01 9805 ----a-w c:\windows\system32\81935rz9559.dll
2009-05-18 12:19 . 2009-05-18 12:19 17543 ----a-w c:\windows\system32\z4b5backdoor1029.exe
2009-05-17 23:58 . 2009-05-17 23:58 7487 ----a-w c:\windows\11108sza9bot4505.bin
2009-05-17 00:36 . 2009-05-17 00:36 17783 ----a-w c:\windows\591fsteal1z59.exe
2009-05-16 13:44 . 2009-05-16 13:44 3569 ----a-w c:\windows\28808not-5-9izus7a0.dll
2009-05-15 14:49 . 2009-05-15 14:49 3184 ----a-w c:\windows\system32\1352zh9cktool1d6.ocx
2009-05-14 19:34 . 2009-05-14 19:34 5576 ----a-w c:\windows\6f22down5oadez951.ocx
2009-05-14 13:22 . 2009-05-14 13:22 8884 ----a-w c:\windows\system32\4751sz9396.bin
2009-05-12 08:10 . 2009-05-12 08:10 3881 ----a-w c:\windows\10997spyz4b5.bin
2009-05-08 21:16 . 2009-05-08 21:16 11982 ----a-w c:\windows\system32\792cs5eal24z5.cpl
2009-05-08 11:31 . 2009-05-08 11:31 4762 ----a-w c:\windows\90aeaddwaze5707.ocx
2009-05-08 07:55 . 2009-05-08 07:55 17335 ----a-w c:\windows\system32\2568w5z9577.dll
2009-05-07 20:15 . 2009-05-07 20:15 16237 ----a-w c:\windows\system32\6291st9alz75.cpl
2009-05-07 17:21 . 2009-05-07 17:21 15191 ----a-w c:\windows\9239vi9u5z59.ocx
2009-05-07 06:35 . 2009-05-07 06:35 15287 ----a-w c:\windows\system32\91657trojz.dll
2009-05-07 06:05 . 2009-05-07 06:05 3701 ----a-w c:\windows\7aa9t5reatz273.exe
2009-05-05 21:00 . 2009-05-05 21:00 7970 ----a-w c:\windows\61cbzhrea915560.exe
2009-05-05 05:55 . 2009-05-05 05:55 9376 ----a-w c:\windows\5782zpyw9re5260.dll
2009-05-04 01:24 . 2009-05-04 01:24 18284 ----a-w c:\windows\system32\9238zt5oj163.ocx
2009-05-03 22:21 . 2009-05-03 22:21 16860 ----a-w c:\windows\system32\15790hzcktool592.dll
2009-05-02 06:08 . 2009-05-02 06:08 12449 ----a-w c:\windows\52595zoj379.cpl
2009-04-28 06:13 . 2009-04-28 06:13 6380 ----a-w c:\windows\3z519not-a-viru9b2.dll
2009-04-27 04:38 . 2009-04-27 04:38 17882 ----a-w c:\windows\system32\165z2hacktool549.exe
2009-04-26 19:11 . 2009-04-26 19:11 10718 ----a-w c:\windows\16248not-a95irus28z.dll
2009-04-26 06:27 . 2009-04-26 06:27 4282 ----a-w c:\windows\system32\zc695hreat877.dll
2009-04-25 10:07 . 2009-04-25 10:07 6547 ----a-w c:\windows\ca9zir5918.bin
2009-04-24 13:22 . 2009-04-24 13:22 6506 ----a-w c:\windows\system32\5c45dzwnloader1398.bin
2009-04-22 20:06 . 2009-04-22 20:06 4607 ----a-w c:\windows\system32\95f5azdware3048.ocx
2009-04-22 13:26 . 2009-04-22 13:26 15859 ----a-w c:\windows\system32\3639z591cb.bin
2009-04-21 13:13 . 2009-04-21 13:13 11043 ----a-w c:\windows\system32\95b5zddware2125.ocx
2009-04-21 08:29 . 2009-04-21 08:29 9479 ----a-w c:\windows\system32\5zaes5ea9172.cpl
2009-04-20 19:25 . 2009-04-20 19:25 17608 ----a-w c:\windows\4d4zdownl5a9er899.dll
2009-04-19 14:36 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-19 14:36 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-19 14:36 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-19 14:36 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-19 14:36 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-19 14:36 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-19 14:36 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-19 14:36 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-19 14:36 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-19 14:35 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-19 14:35 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-19 14:35 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-18 23:57 . 2009-04-06 21:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-18 23:57 . 2009-04-06 21:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-18 23:57 . 2009-04-18 23:57 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-18 23:56 . 2009-04-18 23:56 -------- d-----w C:\8311
2009-04-18 23:52 . 2009-04-18 23:52 -------- d-----w c:\documents and settings\Randy\Application Data\Malwarebytes
2009-04-18 23:52 . 2009-04-18 23:52 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-18 23:50 . 2009-04-18 23:50 -------- d-----w C:\7060
2009-04-18 09:56 . 2009-04-18 09:56 15851 ----a-w c:\windows\system32\28656worm9z.ocx
2009-04-18 05:25 . 2009-04-18 05:25 3351 ----a-w c:\windows\system32\656as5eaz894.exe
2009-04-18 03:17 . 2009-04-18 03:41 -------- d-----w c:\program files\QuickTax 2008
2009-04-15 20:10 . 2009-04-15 20:10 16708 ----a-w c:\windows\5d52st9alz913.exe
2009-04-15 06:29 . 2009-04-15 06:29 10124 ----a-w c:\windows\system32\90698zpy645.exe
2009-04-14 06:10 . 2009-04-14 06:10 12642 ----a-w c:\windows\9z716hacktool35c.ocx
2009-04-13 22:33 . 2009-04-13 22:33 12346 ----a-w c:\windows\system32\11e4b5ckdoor28z9.exe
2009-04-13 05:37 . 2009-04-13 05:37 18345 ----a-w c:\windows\system32\29980not-azvir592cc.dll
2009-04-12 16:26 . 2009-04-12 16:26 12117 ----a-w c:\windows\system32\273z6vir5s39a9.cpl
2009-04-11 19:06 . 2009-04-11 19:06 4862 ----a-w c:\windows\system32\1z59ief186.exe
2009-04-11 04:01 . 2009-04-11 04:01 8199 ----a-w c:\windows\system32\554ddownload5r2599z.dll
2009-04-10 13:41 . 2009-04-10 13:41 7622 ----a-w c:\windows\63d2d5znloader2469.bin
2009-04-10 01:54 . 2009-04-10 01:54 15278 ----a-w c:\windows\796dzir599.ocx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 16:39 . 2009-04-19 14:07 1867 ----a-w C:\rapport.txt
2009-04-18 17:01 . 2008-05-03 20:03 101744 ----a-w c:\documents and settings\Randy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-18 03:17 . 2008-05-24 21:13 -------- d-----w c:\documents and settings\Randy\Application Data\Intuit Canada
2009-04-18 03:16 . 2008-05-24 21:13 -------- d-----w c:\documents and settings\All Users\Application Data\Intuit Canada
2009-04-04 18:18 . 2008-05-06 03:36 -------- d-----w c:\program files\DivX
2009-03-31 19:07 . 2009-01-01 09:44 -------- d-----w c:\program files\Flickr Uploadr
2009-03-30 22:06 . 2009-03-30 22:06 1120 ----a-w C:\INSTALL.LOG
2009-03-22 04:00 . 2009-03-22 04:00 8095 ----a-w c:\windows\1657zh9eat11221.bin
2009-03-15 02:15 . 2009-03-15 02:14 -------- d-----w c:\program files\iTunes
2009-03-15 02:15 . 2009-03-15 02:14 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-15 02:14 . 2008-05-06 03:47 -------- d-----w c:\program files\iPod
2009-03-15 02:14 . 2008-05-06 03:46 -------- d-----w c:\program files\Common Files\Apple
2009-03-15 02:13 . 2009-03-15 02:13 -------- d-----w c:\program files\QuickTime
2009-03-15 02:05 . 2008-05-09 02:42 -------- d-----w c:\program files\Safari
2009-03-15 02:03 . 2009-03-15 02:03 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-03-15 00:18 . 2008-05-06 03:40 -------- d-----w c:\program files\Opera
2009-03-15 00:13 . 2009-01-11 01:21 -------- d-----w c:\program files\Common Files\Adobe
2009-03-08 00:00 . 2008-05-06 03:38 -------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-03-07 21:50 . 2008-11-16 05:14 -------- d-----w c:\program files\Replay Media Catcher
2009-03-07 19:54 . 2008-11-16 05:15 323584 ----a-w c:\windows\system32\AUDIOGENIE2.DLL
2009-03-06 14:22 . 2008-08-27 06:14 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-27 00:46 . 2008-05-05 03:08 -------- d-----w c:\documents and settings\Randy\Application Data\Ahead
2009-02-27 00:38 . 2009-01-24 19:10 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-24 19:34 . 2009-02-24 19:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-02-24 19:34 . 2009-02-24 19:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-02-24 19:34 . 2009-02-24 19:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-02-24 19:34 . 2009-02-24 19:34 684032 ----a-w c:\windows\system32\DivX.dll
2009-02-20 08:10 . 2008-08-27 06:14 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2008-08-27 06:15 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-11 13:53 . 2009-02-11 13:53 10034 ----a-w c:\windows\system32\7517wozm6e9.bin
2009-02-09 12:10 . 2008-08-27 06:14 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2008-08-27 06:14 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2008-08-27 06:14 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2008-08-27 06:14 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2008-08-27 06:14 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2008-08-27 06:14 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2008-08-27 06:14 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2007-07-27 12:00 35328 ------w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2008-08-27 06:14 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2008-08-27 06:14 56832 ----a-w c:\windows\system32\secur32.dll
2008-05-03 21:38 . 2008-05-03 21:27 64200 ------w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-02-24 19:2009-02-24 19:34 34:32 . c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:2009-02-24 19:34 34:32 . c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-02-24 19:2009-02-24 19:34 34:32 . c:\program files\opera\program\plugins\libdivx.dll
2009-02-24 19:2009-02-24 19:34 34:32 . c:\program files\opera\program\plugins\ssldivx.dll
2008-10-05 05:2008-05-03 21:57 56:20 . c:\program files\mozilla firefox\components\jar50.dll
2008-10-05 05:2008-05-03 21:57 56:20 . c:\program files\mozilla firefox\components\jsd3250.dll
2008-10-05 05:2008-05-03 21:57 56:20 . c:\program files\mozilla firefox\components\myspell.dll
2008-10-05 05:2008-05-03 21:57 56:21 . c:\program files\mozilla firefox\components\spellchk.dll
2008-10-05 05:2008-05-03 21:57 56:21 . c:\program files\mozilla firefox\components\xpinstal.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3} ----

2009-03-15 02:15 . 2009-03-15 02:15 3654 ----a-w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}\x86\DIFxInstallLog.txt
2009-02-04 19:56 . 2009-02-04 19:56 75112 ----a-w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}\x86\DifXInstall32.exe
2009-01-27 15:19 . 2009-01-27 15:19 7919 ----a-w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}\x86\gearaspiwdmx86.cat
2009-01-15 18:19 . 2009-01-15 18:19 23848 ----a-w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}\x86\x86\GEARAspiWDM.sys
2009-01-15 17:24 . 2009-01-15 17:24 2763 ----a-w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}\x86\GEARAspiWDM.inf
2008-04-17 18:12 . 2008-04-17 18:12 107368 ----a-w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}\x86\x86\GEARAspi.dll
2006-11-02 12:21 . 2006-11-02 12:21 319456 ----a-w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}\x86\DIFxAPI.dll


((((((((((((((((((((((((((((( SnapShot@2009-04-20_22.51.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-21 00:30 . 2009-04-21 00:30 16384 c:\windows\Temp\Perflib_Perfdata_6a4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-24 185896]
"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-02-19 438272]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-04-10 16861184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [2008-02-19 106496]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l151x86.sys [2008-02-24 37376]

.
Contents of the 'Scheduled Tasks' folder

2009-03-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
FF - ProfilePath - c:\documents and settings\Randy\Application Data\Mozilla\Firefox\Profiles\xt71wgkt.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://podbaydoor.com/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-21 07:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-04-21 7:42
ComboFix-quarantined-files.txt 2009-04-21 13:42
ComboFix2.txt 2009-04-21 00:51

Pre-Run: 42,893,377,536 bytes free
Post-Run: 42,915,033,088 bytes free

1017 --- E O F --- 2009-04-19 16:33

----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:44:31, on 2009-04-21
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9847349328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2824299296
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://libcirc.library.ualberta.ca/tsweb/msrdp.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

--
End of file - 7076 bytes
podbay
Regular Member
 
Posts: 20
Joined: April 17th, 2009, 2:46 am

Re: Hijack This logfile posted

Unread postby DFW » April 21st, 2009, 1:30 pm

Very Important! Before running ComboFix, temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".



  • Now please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
     http://malwareremoval.com/forum/viewtopic.php?p=429188#p429188
    
    Collect::
    c:\windows\system32\50zspambot98d.exe
    c:\windows\system32\6c3zspy9are5315.bin
    c:\windows\7z50troj984.ocx
    c:\windows\97540hazk5ool568.dll
    c:\windows\system32\2545spam9zt55f.ocx
    c:\windows\system32\5edddownload9r29z.bin
    c:\windows\system32\56f9thr5at8579z.dll
    c:\windows\system32\2955stealz066.ocx
    c:\windows\system32\452fthie91z49.bin
    c:\windows\system32\z34fbackdo5r11159.exe
    c:\windows\4f7zspars510189.cpl
    c:\windows\5d9aspy9arez504.cpl
    c:\windows\system32\6b9fthrez598953.bin
    c:\windows\system32\11fvz52952.cpl
    c:\windows\8z27s5ambot239.cpl
    c:\windows\7555steaz199.cpl
    c:\windows\310csz59are1284.ocx
    c:\windows\5b265ir96z.bin
    c:\windows\71c8zhre9516513.dll
    c:\windows\25939troj55z.cpl
    c:\windows\system32\552spazbot449.dll
    c:\windows\system32\4559dwarz988.bin
    c:\windows\system32\14758spamb9z285.cpl
    c:\windows\5e70spy9arz465.bin
    c:\windows\system32\96c9tzief509.bin
    c:\windows\z5591spy59e.cpl
    c:\windows\system32\6fa5viz10209.cpl
    c:\windows\29z96hacktool559.exe
    c:\windows\25zd9hief1505.ocx
    c:\windows\3705bac9door1z11.cpl
    c:\windows\29999worm2bz5.dll
    c:\windows\2z77spambot95.cpl
    c:\windows\85399ormz785.exe
    c:\windows\29175sp9mbot1z3.cpl
    c:\windows\3150not-a-vir9sz5f.ocx
    c:\windows\55ba5h9ef1933z.bin
    c:\windows\52d6threaz94586.bin
    c:\windows\z15cvir9181.cpl
    c:\windows\12952h5cktool74ez.exe
    c:\windows\85765ack9ool2z2.dll
    c:\windows\system32\28157sp5m9ot4z0.dll
    c:\windows\system32\16z85vi9us5b0.dll
    c:\windows\14dzdownload9r9875.cpl
    c:\windows\3059troz568.dll
    c:\windows\757395zmbot190.cpl
    c:\windows\5e7bzckd9or1088.ocx
    c:\windows\59c8virz56.exe
    c:\windows\47z1hac5tool5c09.ocx
    c:\windows\14608hz9k5ool5b5.bin
    c:\windows\system32\2297zvi95s260.bin
    c:\windows\50739zacktoo92d8.cpl
    c:\windows\system32\3e69do9nloade555z.exe
    c:\windows\system32\15596sp5mbo9ze2.exe
    c:\windows\29257spazbot132.bin
    c:\windows\183bzhrea522439.cpl
    c:\windows\19240vi5usz80.exe
    c:\windows\69229zy45a.exe
    c:\windows\511aspyzare792.ocx
    c:\windows\ze59backdoo915235.exe
    c:\windows\system32\1d88threatz5795.dll
    c:\windows\3z3bspy5a9e322.dll
    c:\windows\system32\81935rz9559.dll
    c:\windows\system32\z4b5backdoor1029.exe
    c:\windows\11108sza9bot4505.bin
    c:\windows\591fsteal1z59.exe
    c:\windows\28808not-5-9izus7a0.dll
    c:\windows\system32\1352zh9cktool1d6.ocx
    c:\windows\6f22down5oadez951.ocx
    c:\windows\system32\4751sz9396.bin
    c:\windows\10997spyz4b5.bin
    c:\windows\system32\792cs5eal24z5.cpl
    c:\windows\90aeaddwaze5707.ocx
    c:\windows\system32\2568w5z9577.dll
    c:\windows\system32\6291st9alz75.cpl
    c:\windows\9239vi9u5z59.ocx
    c:\windows\system32\91657trojz.dll
    c:\windows\7aa9t5reatz273.exe
    c:\windows\61cbzhrea915560.exe
    c:\windows\5782zpyw9re5260.dll
    c:\windows\system32\9238zt5oj163.ocx
    c:\windows\system32\15790hzcktool592.dll
    c:\windows\52595zoj379.cpl
    c:\windows\3z519not-a-viru9b2.dll
    c:\windows\system32\165z2hacktool549.exe
    c:\windows\16248not-a95irus28z.dll
    c:\windows\system32\zc695hreat877.dll
    c:\windows\ca9zir5918.bin
    c:\windows\system32\5c45dzwnloader1398.bin
    c:\windows\system32\95f5azdware3048.ocx
    c:\windows\system32\3639z591cb.bin
    c:\windows\system32\95b5zddware2125.ocx
    c:\windows\system32\5zaes5ea9172.cpl
    c:\windows\4d4zdownl5a9er899.dll
    c:\windows\system32\28656worm9z.ocx
    c:\windows\system32\656as5eaz894.exe
    c:\windows\5d52st9alz913.exe
    c:\windows\system32\90698zpy645.exe
    c:\windows\9z716hacktool35c.ocx
    c:\windows\system32\11e4b5ckdoor28z9.ex
    c:\windows\system32\29980not-azvir592cc.dll
    c:\windows\system32\273z6vir5s39a9.cpl
    c:\windows\system32\1z59ief186.exe
    c:\windows\system32\554ddownload5r2599z.dll
    c:\windows\63d2d5znloader2469.bin
    c:\windows\796dzir599.ocx
    c:\windows\1657zh9eat11221.bin
    c:\windows\system32\7517wozm6e9.bi
    
    
    DirLook::
    C:\8311
    C:\7060
    
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    Image


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Post back

ComboFix Log
New HiJackThis Log
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK
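The script above lists each file to collect by hand. As an added example (my own code, not ComboFix's and not DFW's), the following parses entries in the ComboFix layout used in these logs, flags files matching the drop pattern the helper was collecting, and emits them in the Collect::/DirLook:: layout of CFScript.txt; the size ceiling, directory set and digit-salted-name heuristic are assumptions fitted to this log.

```python
"""Triage helper for ComboFix 'Files Created' / 'Find3M' entries.

Added example for this thread; it is neither ComboFix code nor the helper's
own script. It parses the entry layout used in the logs above, flags files
matching the drop pattern the helper collected, and renders them in the
CFScript layout (Collect:: / DirLook::) from the reply. The thresholds in
is_suspicious_drop() are assumptions fitted to this log.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One entry: two timestamps, size (dashes for directories), attribute flags
# and the path. Which timestamp is creation and which is modification differs
# between ComboFix sections, so the heuristic only compares the two.
ENTRY_RE = re.compile(
    r"^(?P<ts1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ts2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{7}) (?P<path>\S.*)$"
)
DROP_EXTENSIONS = {"exe", "dll", "ocx", "cpl", "bin"}  # seen in the log
MAX_DROP_SIZE = 20 * 1024  # assumed: every dropped file above is under 20 KB
WINDOWS_DIRS = (["c:", "windows"], ["c:", "windows", "system32"])


@dataclass
class Entry:
    ts1: str
    ts2: str
    size: Optional[int]
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"


def parse_combofix_entries(text: str) -> List[Entry]:
    """Parse entry lines; headers and garbled lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["ts1"], m["ts2"], size, m["attrs"], m["path"]))
    return entries


def is_suspicious_drop(e: Entry) -> bool:
    """Small executable directly in the Windows or system32 directory, with
    a digit-salted name (e.g. 28656worm9z) and identical timestamps."""
    if e.is_dir or e.size is None or e.size >= MAX_DROP_SIZE or e.ts1 != e.ts2:
        return False
    parts = e.path.lower().split("\\")
    if parts[:-1] not in WINDOWS_DIRS:
        return False
    stem, _, ext = parts[-1].rpartition(".")
    if not stem or ext not in DROP_EXTENSIONS:
        return False
    # At least two separate digit runs mixed with letters.
    return len(re.findall(r"\d+", stem)) >= 2 and re.search(r"[a-z]", stem) is not None


def is_bare_numeric_root_dir(e: Entry) -> bool:
    """All-digit directories at the drive root, like the two the helper asked
    ComboFix to DirLook."""
    return e.is_dir and re.fullmatch(r"[a-z]:\\\d+", e.path.lower()) is not None


def build_cfscript(entries: List[Entry]) -> str:
    """Render flagged entries in the CFScript layout used in the reply."""
    collect = [e.path for e in entries if is_suspicious_drop(e)]
    dirlook = [e.path for e in entries if is_bare_numeric_root_dir(e)]
    lines: List[str] = []
    if collect:
        lines += ["Collect::", *collect, ""]
    if dirlook:
        lines += ["DirLook::", *dirlook, ""]
    return "\n".join(lines)


# Constructed sample in the ComboFix layout: lines modelled on the log above
# plus one deliberately garbled line that the parser must skip.
SAMPLE_LOG = r"""
2009-04-18 23:57 . 2009-04-06 21:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-18 23:56 . 2009-04-18 23:56 -------- d-----w C:\8311
2009-04-18 09:56 . 2009-04-18 09:56 15851 ----a-w c:\windows\system32\28656worm9z.ocx
2009-04-15 20:10 . 2009-04-15 20:10 16708 ----a-w c:\windows\5d52st9alz913.exe
2009-02-24 19:34 . 2009-02-24 19:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-02-09 12:10 . 2008-08-27 06:14 714752 ----a-w c:\windows\system32\ntdll.dll
2009-04-19 14:35 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-02-24 19:2009-02-24 19:34 34:32 . c:\program files\mozilla firefox\plugins\libdivx.dll
"""

if __name__ == "__main__":
    print(build_cfscript(parse_combofix_entries(SAMPLE_LOG)))
```

Generating the list from the log rather than retyping it also avoids slips such as the truncated .ex and .bi extensions in the script above, which is why 11e4b5ckdoor28z9.exe still appears under Files Created in the follow-up log.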

Re: Hijack This logfile posted

Unread postby podbay » April 21st, 2009, 9:44 pm

Hello DFW. Your instructions were followed and worked. As requested, here are the latest ComboFix.txt and HijackThis.log files:

ComboFix 09-04-22.02 - Randy 2009-04-21 19:36.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2360 [GMT -6:00]
Running from: c:\documents and settings\Randy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Randy\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090421-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\10997spyz4b5.bin
c:\windows\11108sza9bot4505.bin
c:\windows\12952h5cktool74ez.exe
c:\windows\14608hz9k5ool5b5.bin
c:\windows\14dzdownload9r9875.cpl
c:\windows\16248not-a95irus28z.dll
c:\windows\1657zh9eat11221.bin
c:\windows\183bzhrea522439.cpl
c:\windows\19240vi5usz80.exe
c:\windows\25939troj55z.cpl
c:\windows\25zd9hief1505.ocx
c:\windows\28808not-5-9izus7a0.dll
c:\windows\29175sp9mbot1z3.cpl
c:\windows\29257spazbot132.bin
c:\windows\29999worm2bz5.dll
c:\windows\29z96hacktool559.exe
c:\windows\2z77spambot95.cpl
c:\windows\3059troz568.dll
c:\windows\310csz59are1284.ocx
c:\windows\3150not-a-vir9sz5f.ocx
c:\windows\3705bac9door1z11.cpl
c:\windows\3z3bspy5a9e322.dll
c:\windows\3z519not-a-viru9b2.dll
c:\windows\47z1hac5tool5c09.ocx
c:\windows\4d4zdownl5a9er899.dll
c:\windows\4f7zspars510189.cpl
c:\windows\50739zacktoo92d8.cpl
c:\windows\511aspyzare792.ocx
c:\windows\52595zoj379.cpl
c:\windows\52d6threaz94586.bin
c:\windows\55ba5h9ef1933z.bin
c:\windows\5782zpyw9re5260.dll
c:\windows\591fsteal1z59.exe
c:\windows\59c8virz56.exe
c:\windows\5b265ir96z.bin
c:\windows\5d52st9alz913.exe
c:\windows\5d9aspy9arez504.cpl
c:\windows\5e70spy9arz465.bin
c:\windows\5e7bzckd9or1088.ocx
c:\windows\61cbzhrea915560.exe
c:\windows\63d2d5znloader2469.bin
c:\windows\69229zy45a.exe
c:\windows\6f22down5oadez951.ocx
c:\windows\71c8zhre9516513.dll
c:\windows\7555steaz199.cpl
c:\windows\757395zmbot190.cpl
c:\windows\796dzir599.ocx
c:\windows\7aa9t5reatz273.exe
c:\windows\7z50troj984.ocx
c:\windows\85399ormz785.exe
c:\windows\85765ack9ool2z2.dll
c:\windows\8z27s5ambot239.cpl
c:\windows\90aeaddwaze5707.ocx
c:\windows\9239vi9u5z59.ocx
c:\windows\97540hazk5ool568.dll
c:\windows\9z716hacktool35c.ocx
c:\windows\ca9zir5918.bin
c:\windows\system32\11fvz52952.cpl
c:\windows\system32\1352zh9cktool1d6.ocx
c:\windows\system32\14758spamb9z285.cpl
c:\windows\system32\15596sp5mbo9ze2.exe
c:\windows\system32\15790hzcktool592.dll
c:\windows\system32\165z2hacktool549.exe
c:\windows\system32\16z85vi9us5b0.dll
c:\windows\system32\1d88threatz5795.dll
c:\windows\system32\1z59ief186.exe
c:\windows\system32\2297zvi95s260.bin
c:\windows\system32\2545spam9zt55f.ocx
c:\windows\system32\2568w5z9577.dll
c:\windows\system32\273z6vir5s39a9.cpl
c:\windows\system32\28157sp5m9ot4z0.dll
c:\windows\system32\28656worm9z.ocx
c:\windows\system32\2955stealz066.ocx
c:\windows\system32\29980not-azvir592cc.dll
c:\windows\system32\3639z591cb.bin
c:\windows\system32\3e69do9nloade555z.exe
c:\windows\system32\452fthie91z49.bin
c:\windows\system32\4559dwarz988.bin
c:\windows\system32\4751sz9396.bin
c:\windows\system32\50zspambot98d.exe
c:\windows\system32\552spazbot449.dll
c:\windows\system32\554ddownload5r2599z.dll
c:\windows\system32\56f9thr5at8579z.dll
c:\windows\system32\5c45dzwnloader1398.bin
c:\windows\system32\5edddownload9r29z.bin
c:\windows\system32\5zaes5ea9172.cpl
c:\windows\system32\6291st9alz75.cpl
c:\windows\system32\656as5eaz894.exe
c:\windows\system32\6b9fthrez598953.bin
c:\windows\system32\6c3zspy9are5315.bin
c:\windows\system32\6fa5viz10209.cpl
c:\windows\system32\792cs5eal24z5.cpl
c:\windows\system32\81935rz9559.dll
c:\windows\system32\90698zpy645.exe
c:\windows\system32\91657trojz.dll
c:\windows\system32\9238zt5oj163.ocx
c:\windows\system32\95b5zddware2125.ocx
c:\windows\system32\95f5azdware3048.ocx
c:\windows\system32\96c9tzief509.bin
c:\windows\system32\z34fbackdo5r11159.exe
c:\windows\system32\z4b5backdoor1029.exe
c:\windows\system32\zc695hreat877.dll
c:\windows\z15cvir9181.cpl
c:\windows\z5591spy59e.cpl
c:\windows\ze59backdoo915235.exe

.
((((((((((((((((((((((((( Files Created from 2009-03-22 to 2009-04-22 )))))))))))))))))))))))))))))))
.

2009-04-19 14:36 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-19 14:36 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-19 14:36 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-19 14:36 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-19 14:36 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-19 14:36 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-19 14:36 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-19 14:36 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-19 14:36 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-19 14:35 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-19 14:35 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-19 14:35 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-18 23:57 . 2009-04-06 21:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-18 23:57 . 2009-04-06 21:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-18 23:57 . 2009-04-18 23:57 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-18 23:56 . 2009-04-18 23:56 -------- d-----w C:\8311
2009-04-18 23:52 . 2009-04-18 23:52 -------- d-----w c:\documents and settings\Randy\Application Data\Malwarebytes
2009-04-18 23:52 . 2009-04-18 23:52 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-18 23:50 . 2009-04-18 23:50 -------- d-----w C:\7060
2009-04-18 03:17 . 2009-04-18 03:41 -------- d-----w c:\program files\QuickTax 2008
2009-04-13 22:33 . 2009-04-13 22:33 12346 ----a-w c:\windows\system32\11e4b5ckdoor28z9.exe
2009-04-06 14:57 . 2009-04-06 14:57 9212 ----a-w c:\windows\system32\21279not-a-v5rus39z.exe
2009-04-05 10:22 . 2009-04-05 10:22 3045 ----a-w c:\windows\402fspyzare29175.exe
2009-04-04 18:17 . 2009-04-04 18:17 -------- d-----w c:\program files\Common Files\DivX Shared
2009-04-03 23:07 . 2009-04-03 23:07 2706 ----a-w c:\windows\3ze9add5are1971.exe
2009-04-03 04:41 . 2009-04-03 04:41 9188 ----a-w c:\windows\system32\5938spa9z52921.dll
2009-04-02 15:02 . 2009-04-02 15:02 18369 ----a-w c:\windows\12c0sp9ware525z.dll
2009-03-30 22:06 . 2002-01-19 00:12 112 ----a-w c:\windows\ActiveSkin.INI
2009-03-30 22:06 . 2001-10-01 01:10 246784 ----a-w c:\windows\system32\ActiveSkin.ocx
2009-03-30 06:20 . 2009-03-30 06:20 -------- d-----w c:\program files\Trend Micro
2009-03-28 07:38 . 2009-03-28 07:38 7437 ----a-w c:\windows\system32\292bazkdo5r465.dll
2009-03-27 15:04 . 2009-03-27 15:04 11935 ----a-w c:\windows\system32\57z2tr9j2825.exe
2009-03-27 10:58 . 2009-03-27 10:58 12816 ----a-w c:\windows\770a9parse552z.exe
2009-03-26 11:30 . 2009-03-26 11:30 14262 ----a-w c:\windows\11563szy69a.cpl
2009-03-24 16:57 . 2009-03-24 16:57 17860 ----a-w c:\windows\z20backdoo53229.cpl
2009-03-24 00:16 . 2009-03-24 00:16 18048 ----a-w c:\windows\22za9pyware2593.cpl
2009-03-23 23:52 . 2009-03-23 23:52 2947 ----a-w c:\windows\4z8sp9rse852.ocx
2009-03-23 17:30 . 2009-03-23 17:30 15526 ----a-w c:\windows\32323zroj195.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 16:39 . 2009-04-19 14:07 1867 ----a-w C:\rapport.txt
2009-04-18 17:01 . 2008-05-03 20:03 101744 ----a-w c:\documents and settings\Randy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-18 03:17 . 2008-05-24 21:13 -------- d-----w c:\documents and settings\Randy\Application Data\Intuit Canada
2009-04-18 03:16 . 2008-05-24 21:13 -------- d-----w c:\documents and settings\All Users\Application Data\Intuit Canada
2009-04-04 18:18 . 2008-05-06 03:36 -------- d-----w c:\program files\DivX
2009-03-31 19:07 . 2009-01-01 09:44 -------- d-----w c:\program files\Flickr Uploadr
2009-03-30 22:06 . 2009-03-30 22:06 1120 ----a-w C:\INSTALL.LOG
2009-03-15 02:15 . 2009-03-15 02:14 -------- d-----w c:\program files\iTunes
2009-03-15 02:15 . 2009-03-15 02:14 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-15 02:14 . 2008-05-06 03:47 -------- d-----w c:\program files\iPod
2009-03-15 02:14 . 2008-05-06 03:46 -------- d-----w c:\program files\Common Files\Apple
2009-03-15 02:13 . 2009-03-15 02:13 -------- d-----w c:\program files\QuickTime
2009-03-15 02:05 . 2008-05-09 02:42 -------- d-----w c:\program files\Safari
2009-03-15 02:03 . 2009-03-15 02:03 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-03-15 00:18 . 2008-05-06 03:40 -------- d-----w c:\program files\Opera
2009-03-15 00:13 . 2009-01-11 01:21 -------- d-----w c:\program files\Common Files\Adobe
2009-03-08 00:00 . 2008-05-06 03:38 -------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-03-07 21:50 . 2008-11-16 05:14 -------- d-----w c:\program files\Replay Media Catcher
2009-03-07 19:54 . 2008-11-16 05:15 323584 ----a-w c:\windows\system32\AUDIOGENIE2.DLL
2009-03-06 14:22 . 2008-08-27 06:14 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-27 00:46 . 2008-05-05 03:08 -------- d-----w c:\documents and settings\Randy\Application Data\Ahead
2009-02-27 00:38 . 2009-01-24 19:10 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-24 19:34 . 2009-02-24 19:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-02-24 19:34 . 2009-02-24 19:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-02-24 19:34 . 2009-02-24 19:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-02-24 19:34 . 2009-02-24 19:34 684032 ----a-w c:\windows\system32\DivX.dll
2009-02-20 08:10 . 2008-08-27 06:14 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2008-08-27 06:15 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-11 13:53 . 2009-02-11 13:53 10034 ----a-w c:\windows\system32\7517wozm6e9.bin
2009-02-09 12:10 . 2008-08-27 06:14 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2008-08-27 06:14 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2008-08-27 06:14 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2008-08-27 06:14 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2008-08-27 06:14 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2008-08-27 06:14 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2008-08-27 06:14 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2007-07-27 12:00 35328 ------w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2008-08-27 06:14 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2008-08-27 06:14 56832 ----a-w c:\windows\system32\secur32.dll
2008-05-03 21:38 . 2008-05-03 21:27 64200 ------w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-02-24 19:34:32 . 2009-02-24 19:34 c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34:32 . 2009-02-24 19:34 c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-02-24 19:34:32 . 2009-02-24 19:34 c:\program files\opera\program\plugins\libdivx.dll
2009-02-24 19:34:32 . 2009-02-24 19:34 c:\program files\opera\program\plugins\ssldivx.dll
2008-10-05 05:56:20 . 2008-05-03 21:57 c:\program files\mozilla firefox\components\jar50.dll
2008-10-05 05:56:20 . 2008-05-03 21:57 c:\program files\mozilla firefox\components\jsd3250.dll
2008-10-05 05:56:20 . 2008-05-03 21:57 c:\program files\mozilla firefox\components\myspell.dll
2008-10-05 05:56:21 . 2008-05-03 21:57 c:\program files\mozilla firefox\components\spellchk.dll
2008-10-05 05:56:21 . 2008-05-03 21:57 c:\program files\mozilla firefox\components\xpinstal.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\7060 ----

2009-04-18 23:50 . 2009-04-18 23:50 2967800 ----a-w c:\7060\7060.exe

---- Directory of C:\8311 ----

2009-04-18 23:56 . 2009-04-18 23:57 2967800 ----a-w c:\8311\8311.exe


((((((((((((((((((((((((((((( SnapShot@2009-04-20_22.51.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-21 00:30 . 2009-04-21 00:30 16384 c:\windows\Temp\Perflib_Perfdata_6a4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-24 185896]
"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-02-19 438272]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-04-10 16861184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [2008-02-19 106496]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l151x86.sys [2008-02-24 37376]

.
Contents of the 'Scheduled Tasks' folder

2009-03-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
FF - ProfilePath - c:\documents and settings\Randy\Application Data\Mozilla\Firefox\Profiles\xt71wgkt.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://podbaydoor.com/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-21 19:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

c:\combofix\swreg.exe [2868] 0x89439DA0
c:\32788r22fwjfw\gsar.cfexe [2876] 0x89FD6610
scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-04-22 19:38
ComboFix-quarantined-files.txt 2009-04-22 01:38
ComboFix2.txt 2009-04-21 13:42
ComboFix3.txt 2009-04-21 00:51

Pre-Run: 42,890,543,104 bytes free
Post-Run: 42,875,092,992 bytes free

303 --- E O F --- 2009-04-19 16:33

-----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:42:24, on 2009-04-21
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9847349328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2824299296
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://libcirc.library.ualberta.ca/tsweb/msrdp.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

--
End of file - 6911 bytes


Awaiting further instructions, thank you.
podbay
Regular Member
 
Posts: 20
Joined: April 17th, 2009, 2:46 am

Re: Hijack This logfile posted

Post by DFW » April 22nd, 2009, 4:39 am

Hi podbay



I'd like you to check the following files for viruses.
c:\7060\7060.exe
c:\8311\8311.exe

  • Copy/Paste the first file on the list into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Note details of any viruses found.
  • Repeat for all files on the list, and post me the details please.





Very important! Before running ComboFix, temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".



  • Now please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

     http://malwareremoval.com/forum/viewtopic.php?p=429388#p429388
    
    Collect::
    c:\windows\system32\11e4b5ckdoor28z9.exe
    c:\windows\system32\21279not-a-v5rus39z.exe
    c:\windows\402fspyzare29175.exe
    c:\windows\3ze9add5are1971.exe
    c:\windows\system32\5938spa9z52921.dll
    c:\windows\12c0sp9ware525z.dll
    c:\windows\system32\292bazkdo5r465.dll
    c:\windows\system32\57z2tr9j2825.exe
    c:\windows\770a9parse552z.exe
    c:\windows\11563szy69a.cpl
    c:\windows\z20backdoo53229.cpl
    c:\windows\22za9pyware2593.cpl
    c:\windows\4z8sp9rse852.ocx
    c:\windows\32323zroj195.exe
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    [Screenshot omitted: CFScript.txt being dragged onto ComboFix.exe]


  • Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Post back

File scan results
ComboFix log
New HiJackThis Log
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK
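The triage DFW does by eye above (pick out the digit-salted binaries dropped straight into c:\windows and c:\windows\system32, then list them under Collect:: in a CFScript) can be scripted against the ComboFix log text. The Python below is an added example written for this page; it is not ComboFix's own code and was not posted in the thread. The sample lines are copied from the ComboFix logs above; the selection rule (a binary sitting directly in a system directory, three or more digits in the file stem, creation time equal to modification time) is my own assumption and yields candidates for an analyst to look at, not verdicts. With that rule it also picks up 7517wozm6e9.bin from the Find3M report, which is not in DFW's list. The CFScript layout (topic URL, blank line, Collect::, one path per line) follows the post.

```python
"""Triage helper for ComboFix "Files Created" / "Find3M" lines.

Added example for this page; not ComboFix code and not part of the thread.
The heuristic in is_suspicious() is an assumption: it flags candidates only.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Constructed sample: lines copied from the ComboFix logs posted in this thread,
# plus the section banner and "." separator ComboFix prints between blocks.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-03-22 to 2009-04-22 )))))))))))))))))))))))))))))))
.
2009-04-18 03:17 . 2009-04-18 03:41 -------- d-----w c:\program files\QuickTax 2008
2009-04-13 22:33 . 2009-04-13 22:33 12346 ----a-w c:\windows\system32\11e4b5ckdoor28z9.exe
2009-04-06 14:57 . 2009-04-06 14:57 9212 ----a-w c:\windows\system32\21279not-a-v5rus39z.exe
2009-04-05 10:22 . 2009-04-05 10:22 3045 ----a-w c:\windows\402fspyzare29175.exe
2009-03-30 22:06 . 2001-10-01 01:10 246784 ----a-w c:\windows\system32\ActiveSkin.ocx
2009-03-26 11:30 . 2009-03-26 11:30 14262 ----a-w c:\windows\11563szy69a.cpl
2009-03-06 14:22 . 2008-08-27 06:14 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-02-11 13:53 . 2009-02-11 13:53 10034 ----a-w c:\windows\system32\7517wozm6e9.bin
2009-04-18 23:50 . 2009-04-18 23:50 2967800 ----a-w c:\7060\7060.exe
2009-04-22 09:00 . 2009-03-11 04:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
"""

# One ComboFix file line: "<created> . <modified> <size|--------> <attrs> <path>"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\S+) (\S+) (.+?)\s*$"
)


@dataclass(frozen=True)
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for directories, which ComboFix prints as "--------"
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_combofix(text: str) -> List[Entry]:
    """Parse the file lines; banners, '.' separators and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        entries.append(Entry(created, modified,
                             None if size.startswith("-") else int(size),
                             attrs, path))
    return entries


# Assumptions behind the heuristic (not ComboFix logic):
SYSTEM_DIRS = {PureWindowsPath(r"c:\windows"), PureWindowsPath(r"c:\windows\system32")}
BINARY_EXT = {".exe", ".dll", ".cpl", ".ocx", ".scr", ".sys", ".bin"}
MIN_DIGITS = 3   # genuine system binaries rarely carry three or more digits in the stem


def is_suspicious(e: Entry) -> bool:
    p = PureWindowsPath(e.path)
    if e.is_dir or p.suffix.lower() not in BINARY_EXT:
        return False
    if p.parent not in SYSTEM_DIRS:   # only files dropped straight into the system dirs
        return False
    digits = sum(ch.isdigit() for ch in p.stem)
    # created == modified: written once, never touched by an installer or updater
    return digits >= MIN_DIGITS and e.created == e.modified


def triage(log_text: str) -> List[str]:
    """Paths an analyst should look at, in log order."""
    return [e.path for e in parse_combofix(log_text) if is_suspicious(e)]


def build_cfscript(log_text: str, topic_url: str) -> str:
    """CFScript text in the layout used in the thread: URL, blank, Collect::, paths."""
    return "\n".join([topic_url, "", "Collect::", *triage(log_text)]) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG,
                         "http://malwareremoval.com/forum/viewtopic.php?p=429388#p429388"))
```

Run it and paste the output into Notepad as CFScript.txt; the list it prints is what you then read through before dragging the file onto ComboFix.exe, since the rule is a filter for attention, not a malware verdict.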

Re: Hijack This logfile posted

Post by podbay » April 22nd, 2009, 9:27 am

Greetings DFW. Your instructions were followed and worked.

First file checked for viruses was c:\7060\7060.exe. VirusTotal's response was that the file had already been analyzed, so I asked it to reanalyze.
Results:

File 7060.exe received on 04.22.2009 15:06:55 (CET)
Result: 0/40 (0%)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.22 -
AhnLab-V3 5.0.0.2 2009.04.22 -
AntiVir 7.9.0.148 2009.04.22 -
Antiy-AVL 2.0.3.1 2009.04.22 -
Authentium 5.1.2.4 2009.04.22 -
Avast 4.8.1335.0 2009.04.21 -
AVG 8.5.0.287 2009.04.22 -
BitDefender 7.2 2009.04.22 -
CAT-QuickHeal 10.00 2009.04.22 -
ClamAV 0.94.1 2009.04.22 -
Comodo 1124 2009.04.21 -
DrWeb 4.44.0.09170 2009.04.22 -
eSafe 7.0.17.0 2009.04.21 -
eTrust-Vet 31.6.6440 2009.04.20 -
F-Prot 4.4.4.56 2009.04.22 -
F-Secure 8.0.14470.0 2009.04.22 -
Fortinet 3.117.0.0 2009.04.22 -
GData 19 2009.04.22 -
Ikarus T3.1.1.49.0 2009.04.22 -
K7AntiVirus 7.10.710 2009.04.21 -
Kaspersky 7.0.0.125 2009.04.22 -
McAfee 5591 2009.04.21 -
McAfee+Artemis 5591 2009.04.21 -
McAfee-GW-Edition 6.7.6 2009.04.22 -
Microsoft 1.4602 2009.04.22 -
NOD32 4027 2009.04.22 -
Norman 6.00.06 2009.04.22 -
nProtect 2009.1.8.0 2009.04.22 -
Panda 10.0.0.14 2009.04.21 -
PCTools 4.4.2.0 2009.04.21 -
Prevx1 V2 2009.04.22 -
Rising 21.26.24.00 2009.04.22 -
Sophos 4.40.0 2009.04.22 -
Sunbelt 3.2.1858.2 2009.04.21 -
Symantec 1.4.4.12 2009.04.22 -
TheHacker 6.3.4.0.312 2009.04.22 -
TrendMicro 8.700.0.1004 2009.04.22 -
VBA32 3.12.10.2 2009.04.21 -
ViRobot 2009.4.22.1704 2009.04.22 -
VirusBuster 4.6.5.0 2009.04.21 -

Additional information
File size: 2967800 bytes
MD5...: 9f606477d7fb45dc14fdcc4de81ef3e9
SHA1..: 120f16a5acd98932530f380ac88c1ec1a7f58fc3
SHA256: fe10dd388a9830979ccb68634dcd2f7aba81e050fb15ffd39a87ce45bf53204e
SHA512: 4c1751cc1de669ef7ca30f65b4f24b16111c8f1ca72e4a7e539382fc8c655bc0
f6ead5761b908b25b289add633c1c099c566563995ad9a816508ffc32e321453
ssdeep: 49152:62Ut+RPUFpUnrmMEa0uhThAwkoIuRj/K1anfxC86JbqQNdTZZFvuUKQNyX
3+QoaH:bU4hr7jKwkyMafxCJkQnZLWUKQ8HnH
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.1%)
Win16/32 Executable Delphi generic (9.3%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x9a94
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x91b0 0x9200 6.57 0480920c89cdcb6ba631bc723feca2d6
DATA 0xb000 0x24c 0x400 2.73 063a9c1bd334f148bdc8a0648882a3a7
BSS 0xc000 0xe48 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0xd000 0x950 0xa00 4.43 bb5485bf968b970e5ea81292af2acdba
.tls 0xe000 0x8 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0xf000 0x18 0x200 0.20 9ba824905bf9c7922b6fc87a38b74366
.reloc 0x10000 0x8b4 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x11000 0x2a00 0x2a00 4.50 c0afb87cfa47c9de0f903bfde0ae5e9d

( 8 imports )
> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
> user32.dll: MessageBoxA
> oleaut32.dll: VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
> kernel32.dll: WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
> user32.dll: TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
> comctl32.dll: InitCommonControls
> advapi32.dll: AdjustTokenPrivileges

( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set
---------------------------------------------------------------
Next file: c:\8311\8311.exe

VirusTotal's response was also "File has already been analysed"; I asked it to reanalyse:

File 8311.exe received on 04.22.2009 15:13:07 (CET)
Result: 0/39 (0%)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.22 -
AhnLab-V3 5.0.0.2 2009.04.22 -
AntiVir 7.9.0.148 2009.04.22 -
Antiy-AVL 2.0.3.1 2009.04.22 -
Authentium 5.1.2.4 2009.04.22 -
Avast 4.8.1335.0 2009.04.21 -
AVG 8.5.0.287 2009.04.22 -
BitDefender 7.2 2009.04.22 -
CAT-QuickHeal 10.00 2009.04.22 -
ClamAV 0.94.1 2009.04.22 -
Comodo 1124 2009.04.21 -
DrWeb 4.44.0.09170 2009.04.22 -
eSafe 7.0.17.0 2009.04.21 -
eTrust-Vet 31.6.6440 2009.04.20 -
F-Prot 4.4.4.56 2009.04.22 -
F-Secure 8.0.14470.0 2009.04.22 -
Fortinet 3.117.0.0 2009.04.22 -
GData 19 2009.04.22 -
Ikarus T3.1.1.49.0 2009.04.22 -
K7AntiVirus 7.10.710 2009.04.21 -
Kaspersky 7.0.0.125 2009.04.22 -
McAfee 5591 2009.04.21 -
McAfee+Artemis 5591 2009.04.21 -
McAfee-GW-Edition 6.7.6 2009.04.22 -
Microsoft 1.4602 2009.04.22 -
NOD32 4027 2009.04.22 -
Norman 6.00.06 2009.04.22 -
nProtect 2009.1.8.0 2009.04.22 -
Panda 10.0.0.14 2009.04.21 -
Prevx1 V2 2009.04.22 -
Rising 21.26.24.00 2009.04.22 -
Sophos 4.40.0 2009.04.22 -
Sunbelt 3.2.1858.2 2009.04.21 -
Symantec 1.4.4.12 2009.04.22 -
TheHacker 6.3.4.0.312 2009.04.22 -
TrendMicro 8.700.0.1004 2009.04.22 -
VBA32 3.12.10.2 2009.04.21 -
ViRobot 2009.4.22.1704 2009.04.22 -
VirusBuster 4.6.5.0 2009.04.21 -
Additional information
File size: 2967800 bytes
MD5...: 9f606477d7fb45dc14fdcc4de81ef3e9
SHA1..: 120f16a5acd98932530f380ac88c1ec1a7f58fc3
SHA256: fe10dd388a9830979ccb68634dcd2f7aba81e050fb15ffd39a87ce45bf53204e
SHA512: 4c1751cc1de669ef7ca30f65b4f24b16111c8f1ca72e4a7e539382fc8c655bc0
f6ead5761b908b25b289add633c1c099c566563995ad9a816508ffc32e321453
ssdeep: 49152:62Ut+RPUFpUnrmMEa0uhThAwkoIuRj/K1anfxC86JbqQNdTZZFvuUKQNyX
3+QoaH:bU4hr7jKwkyMafxCJkQnZLWUKQ8HnH
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.1%)
Win16/32 Executable Delphi generic (9.3%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x9a94
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x91b0 0x9200 6.57 0480920c89cdcb6ba631bc723feca2d6
DATA 0xb000 0x24c 0x400 2.73 063a9c1bd334f148bdc8a0648882a3a7
BSS 0xc000 0xe48 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0xd000 0x950 0xa00 4.43 bb5485bf968b970e5ea81292af2acdba
.tls 0xe000 0x8 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0xf000 0x18 0x200 0.20 9ba824905bf9c7922b6fc87a38b74366
.reloc 0x10000 0x8b4 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x11000 0x2a00 0x2a00 4.50 c0afb87cfa47c9de0f903bfde0ae5e9d

( 8 imports )
> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
> user32.dll: MessageBoxA
> oleaut32.dll: VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
> kernel32.dll: WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
> user32.dll: TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
> comctl32.dll: InitCommonControls
> advapi32.dll: AdjustTokenPrivileges

( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set
-------------------------------------------------------------------------------

ComboFix 09-04-22.A23 - Randy 2009-04-22 7:21.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2174 [GMT -6:00]
Running from: c:\documents and settings\Randy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Randy\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090421-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\11563szy69a.cpl
c:\windows\12c0sp9ware525z.dll
c:\windows\22za9pyware2593.cpl
c:\windows\32323zroj195.exe
c:\windows\3ze9add5are1971.exe
c:\windows\402fspyzare29175.exe
c:\windows\4z8sp9rse852.ocx
c:\windows\770a9parse552z.exe
c:\windows\system32\11e4b5ckdoor28z9.exe
c:\windows\system32\21279not-a-v5rus39z.exe
c:\windows\system32\292bazkdo5r465.dll
c:\windows\system32\57z2tr9j2825.exe
c:\windows\system32\5938spa9z52921.dll
c:\windows\z20backdoo53229.cpl

.
((((((((((((((((((((((((( Files Created from 2009-03-22 to 2009-04-22 )))))))))))))))))))))))))))))))
.

2009-04-22 09:00 . 2009-04-22 09:00 -------- d-----w c:\windows\system32\KB905474
2009-04-22 09:00 . 2009-03-11 04:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-04-22 09:00 . 2009-03-11 04:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-04-22 09:00 . 2009-02-10 00:51 12490 ----a-w c:\windows\system32\KB905474\wga_eula.txt
2009-04-22 03:53 . 2009-04-22 03:53 -------- d-----w c:\windows\LastGood
2009-04-22 03:53 . 2009-04-22 03:53 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-19 14:36 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-19 14:36 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-19 14:36 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-19 14:36 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-19 14:36 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-19 14:36 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-19 14:36 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-19 14:36 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-19 14:36 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-19 14:35 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-19 14:35 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-19 14:35 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-18 23:57 . 2009-04-06 21:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-18 23:57 . 2009-04-06 21:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-18 23:57 . 2009-04-18 23:57 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-18 23:56 . 2009-04-18 23:56 -------- d-----w C:\8311
2009-04-18 23:52 . 2009-04-18 23:52 -------- d-----w c:\documents and settings\Randy\Application Data\Malwarebytes
2009-04-18 23:52 . 2009-04-18 23:52 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-18 23:50 . 2009-04-18 23:50 -------- d-----w C:\7060
2009-04-18 03:17 . 2009-04-18 03:41 -------- d-----w c:\program files\QuickTax 2008
2009-04-04 18:17 . 2009-04-04 18:17 -------- d-----w c:\program files\Common Files\DivX Shared
2009-03-30 22:06 . 2002-01-19 00:12 112 ----a-w c:\windows\ActiveSkin.INI
2009-03-30 22:06 . 2001-10-01 01:10 246784 ----a-w c:\windows\system32\ActiveSkin.ocx
2009-03-30 06:20 . 2009-03-30 06:20 -------- d-----w c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-22 03:53 . 2009-03-15 02:14 -------- d-----w c:\program files\iTunes
2009-04-22 03:53 . 2008-05-06 03:47 -------- d-----w c:\program files\iPod
2009-04-22 03:53 . 2008-05-06 03:46 -------- d-----w c:\program files\Common Files\Apple
2009-04-19 16:39 . 2009-04-19 14:07 1867 ----a-w C:\rapport.txt
2009-04-18 17:01 . 2008-05-03 20:03 101744 ----a-w c:\documents and settings\Randy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-18 03:17 . 2008-05-24 21:13 -------- d-----w c:\documents and settings\Randy\Application Data\Intuit Canada
2009-04-18 03:16 . 2008-05-24 21:13 -------- d-----w c:\documents and settings\All Users\Application Data\Intuit Canada
2009-04-04 18:18 . 2008-05-06 03:36 -------- d-----w c:\program files\DivX
2009-03-31 19:07 . 2009-01-01 09:44 -------- d-----w c:\program files\Flickr Uploadr
2009-03-30 22:06 . 2009-03-30 22:06 1120 ----a-w C:\INSTALL.LOG
2009-03-19 22:32 . 2008-01-29 18:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-15 02:15 . 2009-03-15 02:14 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-15 02:13 . 2009-03-15 02:13 -------- d-----w c:\program files\QuickTime
2009-03-15 02:05 . 2008-05-09 02:42 -------- d-----w c:\program files\Safari
2009-03-15 02:03 . 2009-03-15 02:03 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-03-15 00:18 . 2008-05-06 03:40 -------- d-----w c:\program files\Opera
2009-03-15 00:13 . 2009-01-11 01:21 -------- d-----w c:\program files\Common Files\Adobe
2009-03-08 00:00 . 2008-05-06 03:38 -------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-03-07 21:50 . 2008-11-16 05:14 -------- d-----w c:\program files\Replay Media Catcher
2009-03-07 19:54 . 2008-11-16 05:15 323584 ----a-w c:\windows\system32\AUDIOGENIE2.DLL
2009-03-06 14:22 . 2008-08-27 06:14 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-27 00:46 . 2008-05-05 03:08 -------- d-----w c:\documents and settings\Randy\Application Data\Ahead
2009-02-27 00:38 . 2009-01-24 19:10 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-24 19:34 . 2009-02-24 19:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-02-24 19:34 . 2009-02-24 19:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-02-24 19:34 . 2009-02-24 19:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-02-24 19:34 . 2009-02-24 19:34 684032 ----a-w c:\windows\system32\DivX.dll
2009-02-20 08:10 . 2008-08-27 06:14 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2008-08-27 06:15 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-11 13:53 . 2009-02-11 13:53 10034 ----a-w c:\windows\system32\7517wozm6e9.bin
2009-02-09 12:10 . 2008-08-27 06:14 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2008-08-27 06:14 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2008-08-27 06:14 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2008-08-27 06:14 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2008-08-27 06:14 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2008-08-27 06:14 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2008-08-27 06:14 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2007-07-27 12:00 35328 ------w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2008-08-27 06:14 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2008-08-27 06:14 56832 ----a-w c:\windows\system32\secur32.dll
2008-05-03 21:38 . 2008-05-03 21:27 64200 ------w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-02-24 19:2009-02-24 19:34 34:32 . c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:2009-02-24 19:34 34:32 . c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-02-24 19:2009-02-24 19:34 34:32 . c:\program files\opera\program\plugins\libdivx.dll
2009-02-24 19:2009-02-24 19:34 34:32 . c:\program files\opera\program\plugins\ssldivx.dll
2008-10-05 05:2008-05-03 21:57 56:20 . c:\program files\mozilla firefox\components\jar50.dll
2008-10-05 05:2008-05-03 21:57 56:20 . c:\program files\mozilla firefox\components\jsd3250.dll
2008-10-05 05:2008-05-03 21:57 56:20 . c:\program files\mozilla firefox\components\myspell.dll
2008-10-05 05:2008-05-03 21:57 56:21 . c:\program files\mozilla firefox\components\spellchk.dll
2008-10-05 05:2008-05-03 21:57 56:21 . c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-20_22.51.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-21 00:30 . 2009-04-21 00:30 16384 c:\windows\Temp\Perflib_Perfdata_6a4.dat
+ 2009-04-22 03:53 . 2009-03-19 22:32 23400 c:\windows\system32\DRVSTORE\GEARAspiWD_F475AF659D36685632E9BD97B57E9D9661FF3FFD\x86\GEARAspiWDM.sys
+ 2009-04-22 03:53 . 2009-01-15 18:19 23848 c:\windows\LastGood\system32\DRIVERS\GEARAspiWDM.sys
+ 2009-04-22 03:53 . 2008-04-17 18:12 107368 c:\windows\system32\DRVSTORE\GEARAspiWD_F475AF659D36685632E9BD97B57E9D9661FF3FFD\x86\GEARAspi.dll
+ 2009-04-22 03:53 . 2008-04-17 18:12 107368 c:\windows\LastGood\system32\GEARAspi.dll
+ 2009-04-22 03:53 . 2009-04-22 03:53 102400 c:\windows\Installer\{5EFCBB42-36AB-4FF9-B90C-E78C7B9EE7B3}\iTunesIco.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-24 185896]
"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-02-19 438272]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-04-10 16861184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [2008-02-19 106496]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l151x86.sys [2008-02-24 37376]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - IPOD_SERVICE
.
Contents of the 'Scheduled Tasks' folder

2009-03-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-04-22 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 04:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
FF - ProfilePath - c:\documents and settings\Randy\Application Data\Mozilla\Firefox\Profiles\xt71wgkt.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://podbaydoor.com/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-22 07:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

c:\windows\system32\verclsid.exe [2932] 0x8A6D2898
c:\combofix\grep.cfexe [3356] 0x8A7B98F8
c:\combofix\sed.cfexe [2576] 0x89EE28A0
? [3908]
c:\combofix\pv.cfexe [3052] 0x89F215E0
c:\windows\system32\route.exe [2708] 0x89A91020
c:\combofix\pev.cfexe [5352] 0x89EC4DA0
c:\windows\system32\CF12745.exe [17436] 0x89D35DA0
c:\combofix\grep.cfexe [17444] 0x89E85020

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-04-22 7:23
ComboFix-quarantined-files.txt 2009-04-22 13:23
ComboFix2.txt 2009-04-22 01:38
ComboFix3.txt 2009-04-21 13:42
ComboFix4.txt 2009-04-21 00:51

Pre-Run: 42,602,008,576 bytes free
Post-Run: 42,672,513,024 bytes free

216 --- E O F --- 2009-04-22 09:00

-----------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:25:08, on 2009-04-22
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9847349328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2824299296
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://libcirc.library.ualberta.ca/tsweb/msrdp.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

--
End of file - 6879 bytes

Awaiting further instructions. Will be off to work in about 30 minutes. Thank you.
podbay
Regular Member
 
Posts: 20
Joined: April 17th, 2009, 2:46 am
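The names in the "Other Deletions" list at the top of this post share two traits: digits interleaved with letters, and, in several cases, a malware-class word (spyware, backdoor, adware, virus) with one letter swapped for a digit. As an added example for this thread (not ComboFix's code, nor the forum's), here is a small name-scoring heuristic that captures both traits; the LURE_WORDS list and the alternation threshold of 3 are assumptions of this example, and the sample names are copied from the list above with a few legitimate files from the same log for contrast.

```python
"""Score file names for the two traits shared by the 'Other Deletions' list above.

Added example for this thread, not ComboFix's code. LURE_WORDS and
ALTERNATION_THRESHOLD are assumptions of the example.
"""
from typing import Dict, List, Optional

# Malware-class words that the deleted names imitate with a letter replaced by a digit.
LURE_WORDS = ("spyware", "backdoor", "adware", "trojan", "virus")
ALTERNATION_THRESHOLD = 3  # letter<->digit switches in the stem before we care


def file_stem(path: str) -> str:
    """Final path component without its extension; accepts Windows paths on any OS."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[0] if "." in name else name


def alternations(stem: str) -> int:
    """Count switches between runs of letters and runs of digits; '-' and '_' are ignored."""
    switches, prev = 0, None
    for ch in stem:
        if ch.isdigit():
            kind = "d"
        elif ch.isalpha():
            kind = "l"
        else:
            continue
        if prev is not None and kind != prev:
            switches += 1
        prev = kind
    return switches


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lure_word(stem: str) -> Optional[str]:
    """Drop the digits, then look for a window within edit distance 1 of a lure word."""
    letters = "".join(ch for ch in stem.lower() if ch.isalpha())
    for word in LURE_WORDS:
        for n in (len(word) - 1, len(word), len(word) + 1):
            for start in range(len(letters) - n + 1):
                if levenshtein(letters[start:start + n], word) <= 1:
                    return word
    return None


def score_name(path: str) -> Dict[str, object]:
    stem = file_stem(path)
    alt = alternations(stem)
    lure = lure_word(stem)
    return {"path": path, "alternations": alt, "lure": lure,
            "suspicious": alt >= ALTERNATION_THRESHOLD or lure is not None}


def flag_names(paths: List[str]) -> List[str]:
    return [p for p in paths if score_name(p)["suspicious"]]


# Names from the ComboFix 'Other Deletions' section above.
DELETED = [
    r"c:\windows\11563szy69a.cpl", r"c:\windows\12c0sp9ware525z.dll",
    r"c:\windows\22za9pyware2593.cpl", r"c:\windows\32323zroj195.exe",
    r"c:\windows\3ze9add5are1971.exe", r"c:\windows\402fspyzare29175.exe",
    r"c:\windows\4z8sp9rse852.ocx", r"c:\windows\770a9parse552z.exe",
    r"c:\windows\system32\11e4b5ckdoor28z9.exe", r"c:\windows\system32\21279not-a-v5rus39z.exe",
    r"c:\windows\system32\292bazkdo5r465.dll", r"c:\windows\system32\57z2tr9j2825.exe",
    r"c:\windows\system32\5938spa9z52921.dll", r"c:\windows\z20backdoo53229.cpl",
]
# Legitimate files from the same log, for contrast.
LEGIT = [
    r"c:\program files\HP\HP Software Update\HPWuSchd2.exe",
    r"c:\windows\system32\KB905474\wgasetup.exe",
    r"c:\windows\system32\drivers\mbam.sys",
]

if __name__ == "__main__":
    for p in DELETED + LEGIT:
        r = score_name(p)
        print(f"{'SUSPECT' if r['suspicious'] else 'ok     '} alt={r['alternations']} lure={r['lure']} {p}")
```

One name, 32323zroj195.exe, slips through both tests: only two letter/digit switches, and its letters "zroj" are too short to sit within one edit of "trojan". That is the usual limit of a name-based heuristic, which is why the thread goes on to hash files and submit them to a multi-engine scanner rather than judging by name alone.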

Re: Hijack This logfile posted

Post by DFW » April 22nd, 2009, 1:08 pm

Hi Again

How are things running now??

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:
Download the latest version of Java Runtime Environment (JRE).
http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The J2SE Runtime Environment JRE 6 Update 13 allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.




I'd like you to check these files for viruses again. Do you know what they are?

c:\7060\7060.exe
c:\8311\8311.exe

  • Copy/Paste the first file on the list into the white Upload a file box.
  • Click Send/Submit, and the file will upload to Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Note details of any viruses found.
  • Repeat for all files on the list, and post me the details please.



Please post back

Files scan results
New HiJackThis Log
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Re: Hijack This logfile posted

Post by podbay » April 24th, 2009, 3:02 am

Hello DFW. First, my apologies, I had posted this reply before leaving for work this morning, only to discover upon returning home just now (16 hours later) that "the submitted form was invalid. Please try again"!! So here is my original reply from this morning:

Hello DFW. Things are generally much better, thank you. The MiniBlueSoft malware hasn't been visible for a couple of days, and my Security Center is showing as ON and recognizing that Avast is working. The one squirrelly thing is the behaviour of IE. Previously my default browser was FF, and it still is. I have the HTA, HTM and HTML Extension/File Types in "Folder Options" set to FF. In Outlook, if I clicked on a link in a message, it would open up in FF. Now if I click on a link in an email message, it opens up IE on a blank page. And if I save a web page to my desktop as a shortcut from FF, when I click on some of them (not all), some try opening in IE with an error message. It's very strange. If I open up FF first, from the system tray, and then click on an HTML desktop shortcut, it will open in FF in another tab w/o any problem. I am running an older version of IE (6.0.2900.5512.xpsp_sp3_gdr.090206-1234) - could that be contributing to the problem? (I never wanted to upgrade to IE 7, which I detest.) Any idea why this might be happening?

Anyway, as requested, I installed the latest JRE w/o a problem.

I scanned the two files on Jotti. I apologize for not knowing what they are.

First file:

File: 7060.exe
Status: OK
(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 9f606477d7fb45dc14fdcc4de81ef3e9
Packers detected: -

Scan taken on 23 Apr 2009 04:17:22 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Quick Heal Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

File: 8311.exe
Status: OK
(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 9f606477d7fb45dc14fdcc4de81ef3e9
Packers detected: -

Scan taken on 23 Apr 2009 04:12:56 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Quick Heal Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

---------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:19:38, on 2009-04-22
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://podbaydoor.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9847349328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2824299296
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://libcirc.library.ualberta.ca/tsweb/msrdp.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

--
End of file - 7237 bytes

- Awaiting further instructions.

Thank you - podbay
podbay
Regular Member
 
Posts: 20
Joined: April 17th, 2009, 2:46 am
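As an added example for this thread (not HijackThis's own code, and not the forum's), here is a parser for HijackThis v2 entries like those in the log above, with the triage rules a helper applies by eye: entries whose target is "(file missing)", services listed with "Unknown owner", autostarts that give no absolute path or run from outside Program Files / Windows, and R0/R1 browser defaults that point at a non-Microsoft host. The sample input takes lines from the log above plus one constructed line (marked in the code) that exercises the out-of-place autostart rule; the TRUSTED_ROOTS list and the wording of each finding are assumptions of this example.

```python
"""Parse HijackThis v2 log entries and apply a few triage rules.

Added example for this thread; it is not HijackThis's own code, and the rules
(TRUSTED_ROOTS, the wording of each finding) are assumptions of the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "R0 - ...", "O4 - ...", "O23 - ...": section prefix, " - ", then the entry body.
HJT_LINE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
# First Windows path in the body that ends in a loadable/executable extension.
PATH_RE = re.compile(r'(?i)([a-z]:\\[^"\n]+?\.(?:exe|dll|sys|ocx|cpl|scr))')
URL_RE = re.compile(r"https?://(?P<host>[^/\s]+)")

# Where autostart binaries are expected to live on this XP machine (assumption).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")


@dataclass
class Entry:
    kind: str            # HijackThis section, e.g. "O4" or "O23"
    body: str            # everything after the " - "
    path: Optional[str]  # first binary path found in the body, if any


def parse_hjt(text: str) -> List[Entry]:
    """Keep only the R/F/O entries; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        pm = PATH_RE.search(body)
        entries.append(Entry(m.group("kind"), body, pm.group(1) if pm else None))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (kind, reason, body) for every entry that deserves a second look."""
    findings = []
    for e in entries:
        if "(file missing)" in e.body:
            findings.append((e.kind, "dangling entry: target file missing", e.body))
        if e.kind == "O23" and "Unknown owner" in e.body:
            findings.append((e.kind, "service binary has no verifiable publisher", e.body))
        if e.kind == "O4":
            if e.path is None:
                findings.append((e.kind, "autostart without an absolute path (resolved via PATH search)", e.body))
            elif not e.path.lower().startswith(TRUSTED_ROOTS):
                findings.append((e.kind, "autostart runs from outside Program Files / Windows", e.body))
        if e.kind in ("R0", "R1"):
            um = URL_RE.search(e.body)
            if um and not um.group("host").endswith("microsoft.com"):
                findings.append((e.kind, f"browser default points at {um.group('host')}; confirm with the user", e.body))
    return findings


# Sample input: lines taken from the HijackThis log above, plus one constructed
# line ([updater], not from the log) that exercises the out-of-place autostart rule.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://podbaydoor.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Owner\Local Settings\Temp\updater.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

if __name__ == "__main__":
    for kind, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{kind:4} {reason}\n     {body}")
```

The R0 finding is a prompt to ask, not a verdict: the same host appears as the Firefox home page in the ComboFix "Supplementary Scan" above, so it is the user's own choice rather than a hijack. The "(file missing)" and "Unknown owner" rules pick out the two MaxBackServiceInt and ATI Smart entries that a helper would normally check by hand.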

Re: Hijack This logfile posted

Post by DFW » April 24th, 2009, 6:54 am

Hi podbay,

Hello DFW. First, my apologies, I had posted this reply before leaving for work this morning, only to discover upon returning home just now (16 hours later) that "the submitted form was invalid. Please try again"!! So here is my original reply from this morning:

No worries, take your time, no need to rush.



In your Uninstall list you have a program called Safari, is this a screen saver program?


I would now like you to run a few more scans.

Please run ATF cleaner on each user account before doing the online scan, this cuts down on
scan time and log size.


Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser: to keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.


(1)

Please go to Kaspersky website and perform an online antivirus scan.
This could take some time, depending on how much data is on your hard drives.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.


(2)



  • Download GMER by GMER from one of the links below:
    Link1
    Link2
  • Unzip it to a folder on your desktop
  • Double click on gmer.exe to launch GMER
  • If asked, allow the gmer.sys driver load
  • If it warns you about rootkit activity and asks if you want to run scan, click OK
  • If you don't get a warning then

    • Click the rootkit tab
    • Click Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerrk.txt
  • Click on the >>> tab
  • This will open up the rest of the tabs for you
  • Click on the Autostart tab
  • Click on Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerautos.txt
  • Copy and paste the contents of gmerautos.txt and gmerrk.txt as a reply to this topic



The problems with Firefox may be that it is no longer set to your default browser, here are some instructions
on how to set Firefox as your default browser, once you have set it to default reboot and try again.

http://support.mozilla.com/en-US/kb/How ... lt+Browser

Let me know if this helps





Please post back

GMER Log
Kaspersky Log
New HJT Log
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Re: Hijack This logfile posted

Unread postby podbay » April 25th, 2009, 9:50 am

Hello DFW. The "Safari" listed in my Uninstall list is the browser itself. I have four browsers on my machine: FF, IE, Opera, and Safari. I checked my Safari preferences, and noticed that it had as a setting that the default browser on my machine was IE. I changed that to FF, and now when I click on a link in an email in Outlook, it opens up FF instead of IE. Also when I click on a saved link from my desktop, it opens FF as well. So that problem seems to have solved itself.

The Kaspersky scan is running right now, and looks like it will take some time to complete. I turned off Avast while it is running, as it says, "Attention: Kaspersky Online Scanner 7.0 may not run successfully while another antivirus program is running. If you have another antivirus program installed, please turn off its antivirus protection before running Kaspersky Online Scanner 7.0."

Will report back shortly with the results.
podbay
Regular Member
 
Posts: 20
Joined: April 17th, 2009, 2:46 am