Spyware...? Not sure.


Post by DDrea83 » June 4th, 2008, 5:50 pm

About two months ago I started getting a random white pop-up screen. It seemed like it was going to direct me to a website, but it did nothing. From time to time, a little gray box will pop up asking me if I want to Save the program up.php. I decline every time but I am scared that somehow my information will be stolen. Also, when I shut down my computer and start it back up, an ERROR BOX pops up saying "~A.exe encountered a problem and must be closed." The next time, it changes to ~B.exe, then ~C.exe, etc. Should I do a system restore? My HijackThis notepad log is below. Thanks so much for your help.

Andrea

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:42:51 p.m., on 04/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\apvxdwin.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\winlogon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\Memoria.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\smss.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html ... B&M=MX6453
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ohiou.edu/students/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html ... B&M=MX6453
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html ... B&M=MX6453
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html ... B&M=MX6453
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Log Agent] C:\Program Files\Common Files\winlogon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [T2W] C:\WINDOWS\system32\Memoria.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: REALTEK RTL8187 Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7308 bytes

Re: Spyware...? Not sure.

Post by Rodav » June 5th, 2008, 8:20 am

Hello and welcome to the Malware Removal forums.
I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient while I work on your log; I will post back here with any recommendations.
As I am still training, everything that I post to you must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts. While it shouldn't be too long, you can be assured you will get the best possible advice.

  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Re: Spyware...? Not sure.

Post by DDrea83 » June 5th, 2008, 12:08 pm

Thank you for responding. :) I really appreciate your help with this problem!

Re: Spyware...? Not sure.

Post by Rodav » June 6th, 2008, 4:08 am

I'm afraid I have unpleasant news for you. You have evidence of several Very Dangerous infections on this machine.
One or more is a Password Stealer

It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine.

If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
  • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
  • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
    Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.
I am sorry to be the bearer of bad news, but it is best that you know the full impact of this infection :(


VIEWPOINT-OPTIONAL
I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.
To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered foistware instead of malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This may change; read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):
  • Click Start and then click Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.
  • Do the same for each Viewpoint component.


Step 1:
We will begin with ComboFix.exe, which can be downloaded from one of the following links.
Link 1
Link 2
Link 3

Please visit this webpage for instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt


Step 2:
Run HijackThis, do a system scan and in your next reply please post:
  • The ComboFix report (C:\ComboFix.txt)
  • The new HijackThis log

Re: Spyware...? Not sure.

Post by DDrea83 » June 6th, 2008, 1:31 pm

I followed the steps. Below is the COMBOFIX LOG and HIJACK THIS LOG.... Thank You Thank You Thank YOU!

COMBO FIX LOG:
ComboFix 08-06-05.3 - Owner 2008-06-06 12:23:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1112 [GMT -5:00]
Running from: C:\Documents and Settings\Owner.YOUR-9781572241\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.YOUR-9781572241\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\amvo1.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 )))))))))))))))))))))))))))))))
.

2008-06-04 16:34 . 2008-06-04 16:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-31 04:31 . 2008-05-09 21:24 104,415 -r-hs---- C:\jdwx.exe
2008-05-29 03:24 . 2008-05-09 21:24 104,415 -r-hs---- C:\vy.cmd
2008-05-19 23:48 . 2008-05-19 23:48 <DIR> d-------- C:\Program Files\REA
2008-05-19 00:07 . 2008-05-19 00:07 0 --a------ C:\WINDOWS\pcfriend.INI
2008-05-14 12:28 . 2008-06-02 23:59 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-14 12:28 . 2008-05-14 12:28 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-06 13:23 . 2007-09-05 20:55 550,425 ---hs---- C:\WINDOWS\system32\Memoria.exe
2008-05-06 13:13 . 2008-05-06 13:13 103,832 -r-hs---- C:\xlu8a8sy.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-06 17:03 --------- d-----w C:\Program Files\Viewpoint
2008-06-06 17:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-03 04:39 --------- d-----w C:\Program Files\iTunes
2008-05-20 19:14 --------- d-----w C:\Documents and Settings\Owner.YOUR-9781572241\Application Data\U3
2008-05-15 21:30 --------- d-----w C:\Documents and Settings\Owner.YOUR-9781572241\Application Data\Skype
2008-05-15 14:46 --------- d-----w C:\Documents and Settings\Owner.YOUR-9781572241\Application Data\skypePM
2008-05-12 05:31 --------- d-----w C:\Program Files\REALTEK RTL8187 Wireless LAN Driver and Utility
2008-05-05 14:18 --------- d-----w C:\Documents and Settings\Owner.YOUR-9781572241\Application Data\Printer Info Cache
2008-05-05 14:18 --------- d-----w C:\Documents and Settings\Owner.YOUR-9781572241\Application Data\Image Zone Express
2008-05-04 17:54 --------- d-----w C:\Documents and Settings\Owner.YOUR-9781572241\Application Data\HP
2008-05-04 17:53 --------- d-----w C:\Program Files\HP
2008-05-04 17:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2008-05-04 17:52 --------- d-----w C:\Program Files\Common Files\HP
2008-05-04 17:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-05-04 17:50 --------- d-----w C:\Program Files\Hewlett-Packard
2008-05-04 17:50 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-05-04 17:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-05-01 02:38 --------- d-----w C:\Documents and Settings\Owner.YOUR-9781572241\Application Data\Lavasoft
2008-05-01 02:37 --------- d-----w C:\Program Files\Lavasoft
2008-04-28 19:14 104,269 --sh--r C:\jfvkcsy.bat
2008-04-26 17:15 --------- d-----w C:\Documents and Settings\Owner.YOUR-9781572241\Application Data\LimeWire
2008-04-25 15:55 104,161 --sh--r C:\1dg.exe
2008-04-24 06:21 --------- d-----w C:\Program Files\MySpace
2008-04-18 17:37 103,885 --sh--r C:\mug0sd.cmd
2008-04-07 17:45 103,343 --sh--r C:\2.bat
2008-04-03 17:50 102,407 --sh--r C:\gy.cmd
2008-04-02 17:30 103,810 --sh--r C:\qwc.exe
2008-04-01 21:04 103,084 --sh--r C:\6l6w8.com
2008-03-29 14:51 103,951 --sh--r C:\cl.bat
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-21 04:09 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-06-03 14:27 112,008 --sh--r C:\Program Files\Common Files\winlogon.exe
2007-06-03 14:27 112,008 --sh--r C:\Program Files\Common Files\smss.exe
2007-06-03 14:27 112,008 --sh--r C:\Program Files\Common Files\fzx9823.exe
2007-09-06 01:55 550,425 --sh--w C:\WINDOWS\system32\Memoria.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 18:27 9117696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 22:56 64512]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 10:47 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 10:47 688218]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 20:41 45056]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 13:20 413696 C:\WINDOWS\stsystra.exe]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-11-12 00:40 1236992]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 19:16 1121792]
"APVXDWIN"="C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.exe" [2006-09-13 07:59 311296]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"Windows Log Agent"="C:\Program Files\Common Files\winlogon.exe" [2007-06-03 09:27 112008]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 21:52 49152]
"T2W"="C:\WINDOWS\system32\Memoria.exe" [2007-09-05 20:55 550425]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 18:27 9117696]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 21:40:10 210520]
REALTEK RTL8187 Wireless LAN Utility.lnk - C:\Program Files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe [2006-11-03 09:03:46 749568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2005-09-27 12:13 45056 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2311adaa-66de-11dc-b7af-0014a5d0c0f8}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35087164-8a58-11db-b63d-0014a5d0c0f8}]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f20946c-6adb-11dc-b7b7-0014a5d0c0f8}]
\Shell\Auto\command - F:\MSOCache\doWTP_RESTORE.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MSOCache\doWTP_RESTORE.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64b5d833-7929-11dc-b7c7-0014a5d0c0f8}]
\Shell\Auto\command - F:\MSOCache\doWTP_RESTORE.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MSOCache\doWTP_RESTORE.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76486f5d-897d-11db-b63c-0014a5d0c0f8}]
\Shell\AutoRun\command - F:\jfvkcsy.bat
\Shell\explore\Command - F:\jfvkcsy.bat
\Shell\open\Command - F:\jfvkcsy.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{770f186c-818b-11dc-b7d6-0014a5d0c0f8}]
\Shell\AutoRun\command - F:\cl.bat
\Shell\explore\Command - F:\cl.bat
\Shell\open\Command - F:\cl.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88e00c56-843b-11dc-b7e2-0014a5d0c0f8}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88e00c57-843b-11dc-b7e2-0014a5d0c0f8}]
\Shell\1\Command - crsvc.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL crsvc.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a008f5f8-6700-11dc-b7b1-0014a5d0c0f8}]
\Shell\1\Command - crsvc.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL crsvc.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0f74b46-7fea-11dc-b7d3-0014a5d0c0f8}]
\Shell\AutoRun\command - F:\vy.cmd
\Shell\explore\Command - F:\vy.cmd
\Shell\open\Command - F:\vy.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ddd8bb27-05bf-11dd-b86e-0014a5d0c0f8}]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff637bb0-4f75-11dc-b781-0014a5d0c0f8}]
\Shell\AutoRun\command - F:\setupSNK.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-03-10 13:30:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2006-12-11 17:51:27 C:\WINDOWS\Tasks\ISP signup reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2006-12-11 17:51:27 C:\WINDOWS\Tasks\ISP signup reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 12:24:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-06 12:25:32
ComboFix-quarantined-files.txt 2008-06-06 17:25:11

Pre-Run: 124,428,369,920 bytes free
Post-Run: 124,525,613,056 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

194 --- E O F --- 2008-05-19 14:55:20





HIJACK THIS LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:30 p.m., on 06/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\winlogon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\Memoria.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\smss.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\fzx9823.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ohiou.edu/students/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html ... B&M=MX6453
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Log Agent] C:\Program Files\Common Files\winlogon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [T2W] C:\WINDOWS\system32\Memoria.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: REALTEK RTL8187 Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6654 bytes
DDrea83
Active Member
 
Posts: 7
Joined: June 4th, 2008, 5:38 pm

Re: Spyware...? Not sure.

Unread postby Rodav » June 7th, 2008, 5:23 am

Hi Andrea,

You have a number of infections that can infect other drives on your machine. Please make sure that every device that you connect to this computer (e.g. any USB drives, external hard drives, iPod, phone, etc.) is connected to it before running the following steps. There is a good chance that if you have used any of these on this machine they are infected, and if they are not cleaned now, you will probably get reinfected.

P2P PROGRAMS

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Limewire

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

If you wish to keep them, please do not use them until your computer is cleaned.


Step 1:
Please visit http://virusscan.jotti.org/

Copy/paste this file and path into the white box at the top:
C:\WINDOWS\system32\Memoria.exe

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.

If Jotti is busy try the same procedure at Virustotal


Step 2:
  • Please download Flash_Disinfector and save it to your desktop.
  • Double click to run it.
  • You will be prompted to plug in your flash drive. Plug it in.
  • Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  • When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  • Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.


Step 3:
1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\jdwx.exe
C:\vy.cmd
C:\WINDOWS\pcfriend.INI
C:\xlu8a8sy.exe
C:\jfvkcsy.bat
C:\1dg.exe
C:\mug0sd.cmd
C:\2.bat
C:\gy.cmd
C:\qwc.exe
C:\6l6w8.com
C:\cl.bat
C:\Program Files\Common Files\winlogon.exe
C:\Program Files\Common Files\smss.exe
C:\Program Files\Common Files\fzx9823.exe
F:\MSOCache\doWTP_RESTORE.exe
F:\jfvkcsy.bat
F:\cl.bat
F:\crsvc.exe
C:\crsvc.exe
F:\vy.cmd

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f20946c-6adb-11dc-b7b7-0014a5d0c0f8}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64b5d833-7929-11dc-b7c7-0014a5d0c0f8}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76486f5d-897d-11db-b63c-0014a5d0c0f8}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{770f186c-818b-11dc-b7d6-0014a5d0c0f8}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88e00c57-843b-11dc-b7e2-0014a5d0c0f8}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a008f5f8-6700-11dc-b7b1-0014a5d0c0f8}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0f74b46-7fea-11dc-b7d3-0014a5d0c0f8}]

DirLook::
C:\Program Files\REA


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window while it's running; that may cause it to stall.



Step 4:
Run HijackThis, do a system scan and in your next reply please post:
  • The Jotti/Virustotal results
  • The ComboFix report (C:\ComboFix.txt)
  • The new HijackThis log
Rodav
MRU Master Emeritus
 
Posts: 1481
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.
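
Rodav pulled two entries out of the HijackThis log above by eye: C:\WINDOWS\system32\Memoria.exe (sent for a multi-engine scan) and C:\Program Files\Common Files\winlogon.exe (a core system binary name living outside system32, listed for deletion). The script below is an added example, not part of this thread, of HijackThis or of ComboFix, showing how an analyst can automate that first pass over the O4 autostart lines: it flags core-binary names launched from the wrong directory, unqualified file names that get resolved by PATH search, user applications registered under the SYSTEM/Default profile, and startup shortcuts whose target could not be resolved. The sample lines are copied from the log posted above; the table of core-binary directories and the %WINDIR% expansion are assumptions for a default Windows XP install on C:.

```python
"""Triage HijackThis O4 (autostart) lines for common persistence red flags.

Added example for this thread; it is not part of HijackThis, ComboFix or
the forum's own tooling. SAMPLE_LOG is copied from the log posted above;
SYSTEM_BINARIES and ENV are assumptions for a default Windows XP install.
"""
import re

# Core Windows XP binaries and the one directory each legitimately runs from
# (assumed for a default install on C:). A Run entry launching one of these
# names from anywhere else is a classic masquerade.
SYSTEM_BINARIES = {
    "winlogon.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
ENV = {"%WINDIR%": r"C:\WINDOWS", "%SYSTEMROOT%": r"C:\WINDOWS"}  # assumed expansions

# "O4 - HKLM\..\Run: [name] command"  and  "O4 - Global Startup: x.lnk = target"
O4_RUN = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - (?P<where>(?:Global )?Startup): (?P<lnk>.+?) = (?P<target>.*)$")

# Constructed sample: lines copied from the HijackThis log earlier in the thread.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe",
    r"O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE",
    r"O4 - HKLM\..\Run: [Windows Log Agent] C:\Program Files\Common Files\winlogon.exe",
    r"O4 - HKLM\..\Run: [T2W] C:\WINDOWS\system32\Memoria.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')",
    r"O4 - Global Startup: REALTEK RTL8187 Wireless LAN Utility.lnk = ?",
    r'O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay',
    r"O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall",
]


def executable_path(cmd):
    """Pull the program path out of a Run-value command line (quoted or not)."""
    cmd = cmd.strip()
    quoted = re.match(r'^"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    # Unquoted: the path runs up to the first switch (" /x" or " -x") or the end.
    return re.split(r"\s+[-/]", cmd, maxsplit=1)[0].strip()


def expand(path):
    """Expand the environment variables in ENV (case-insensitive)."""
    for var, value in ENV.items():
        path = re.sub(re.escape(var), lambda _m, v=value: v, path, flags=re.IGNORECASE)
    return path


def triage(line):
    """Return [(severity, message), ...] for one O4 line; an empty list means nothing flagged."""
    findings = []
    run = O4_RUN.match(line)
    if run:
        name = run.group("name")
        cmd = re.sub(r"\s*\(User '[^']*'\)\s*$", "", run.group("cmd"))  # drop HJT's user suffix
        path = expand(executable_path(cmd))
        directory, _, base = path.lower().rpartition("\\")
        if not directory:
            findings.append(("medium", f"[{name}] unqualified path {path!r}: found by PATH search, confirm which copy runs"))
        elif base in SYSTEM_BINARIES and directory != SYSTEM_BINARIES[base]:
            findings.append(("high", f"[{name}] {base} launched from {directory!r}, not {SYSTEM_BINARIES[base]!r}: probable masquerade"))
        if run.group("hive").upper().startswith("HKUS\\"):
            findings.append(("info", f"[{name}] registered under {run.group('hive')}: user application in the SYSTEM/Default profile"))
        return findings
    startup = O4_STARTUP.match(line)
    if startup and startup.group("target").strip() == "?":
        findings.append(("medium", f"{startup.group('lnk')}: shortcut target could not be resolved"))
    return findings


def triage_log(lines):
    """Return [(line, findings), ...] for every line that produced at least one finding."""
    return [(line, triage(line)) for line in lines if triage(line)]


if __name__ == "__main__":
    for line, findings in triage_log(SAMPLE_LOG):
        print(line)
        for severity, message in findings:
            print(f"    {severity.upper():6} {message}")
```

Note what the heuristic does not catch: the T2W entry for Memoria.exe produces no finding at all, because a made-up name sitting in system32 looks perfectly ordinary to a location check. That is exactly why the helper's next step is a multi-engine scan of that file rather than trusting its path, and why a triage script like this is a way to prioritise an analyst's reading, not a replacement for it.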

Re: Spyware...? Not sure.

Unread postby DDrea83 » June 9th, 2008, 12:52 pm

Wow. Such a process... !? You know, to speak another language is to have another soul. And THIS code is DEFINITELY another language! :) Thanks so much...

VirusTotal Scan Log:

Antivirus Version Last Update Result
AhnLab-V3 2008.5.30.1 2008.06.09 -
AntiVir 7.8.0.55 2008.06.09 BDS/Poison.AI
Authentium 5.1.0.4 2008.06.08 W32/Backdoor.CDNH
Avast 4.8.1195.0 2008.06.09 Win32:Delf-GGS
AVG 7.5.0.516 2008.06.09 BackDoor.Generic9.EVM
BitDefender 7.2 2008.06.09 -
CAT-QuickHeal 9.50 2008.06.09 -
ClamAV 0.92.1 2008.06.09 -
DrWeb 4.44.0.09170 2008.06.09 FDOS.Atomix
eSafe 7.0.15.0 2008.06.09 -
eTrust-Vet 31.6.5858 2008.06.08 -
Ewido 4.0 2008.06.09 Backdoor.Poison.ai
F-Prot 4.4.4.56 2008.06.08 W32/Backdoor.CDNH
F-Secure 6.70.13260.0 2008.06.09 Backdoor.Win32.Poison.ai
Fortinet 3.14.0.0 2008.06.09 -
GData 2.0.7306.1023 2008.06.09 Backdoor.Win32.Poison.ai
Ikarus T3.1.1.26.0 2008.06.09 Virus.Win32.Delf.GGS
Kaspersky 7.0.0.125 2008.06.09 Backdoor.Win32.Poison.ai
McAfee 5312 2008.06.06 -
Microsoft 1.3604 2008.06.09 -
NOD32v2 3168 2008.06.09 Win32/AutoRun.CT
Norman 5.80.02 2008.06.09 W32/Smalldoor.BISC
Panda 9.0.0.4 2008.06.08 W32/Virutas.G.drp
Prevx1 V2 2008.06.09 -
Rising 20.47.42.00 2008.06.06 -
Sophos 4.30.0 2008.06.09 Mal/Behav-081
Sunbelt 3.0.1145.1 2008.06.05 -
Symantec 10 2008.06.09 W32.SillyFDC
TheHacker 6.2.92.339 2008.06.07 -
VBA32 3.12.6.7 2008.06.09 Backdoor.Win32.Poison.ai
VirusBuster 4.3.26:9 2008.06.09 -
Webwasher-Gateway 6.6.2 2008.06.09 Trojan.Backdoor.Poison.AI
Additional information
File size: 550425 bytes
MD5...: de6d62dc98c080843a250c2316702c04
SHA1..: cf2d2b881ed7dcab4a04f91e3540ec9d795018af
SHA256: b27152ccf5fa05179bf7ec5e110de992bf594945ea0f47154edecb8b1716c9ed
SHA512: 6468eddf2c7530e01437de8739e3c1d6eeb93ae9beb21a7735264678b6f079a9d0714150f88e1c016ab08d67e28a69dfe63c49f134bcb89844ff493bdee728bc
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401240
timedatestamp.....: 0x46b8f177 (Tue Aug 07 22:25:59 2007)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1ea4 0x2000 5.25 1d03956e2008e4ae56dc80978ea0a6f9
.data 0x3000 0x77f20 0x78000 7.40 ae696cb5366e608f318c9ae208c4f2c8
.rdata 0x7b000 0x400 0x400 5.26 b6814c33a86b14852dc2506bb086ae22
.bss 0x7c000 0x4f0 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x7d000 0x838 0xa00 4.31 3271809012ff75f5794cc63b303ca907
.rsrc 0x7e000 0x5960 0x5a00 4.31 d102fa9306a3c5432075e3118a305b48

( 7 imports )
> ADVAPI32.DLL: RegCloseKey, RegDeleteValueA, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA
> KERNEL32.dll: AddAtomA, CloseHandle, CopyFileA, CreateFileA, CreateToolhelp32Snapshot, ExitProcess, FindAtomA, GetAtomNameA, GetCommandLineA, GetDriveTypeA, GetLastError, GetModuleFileNameA, GetModuleHandleA, GetStartupInfoA, GetSystemDirectoryA, GetTempFileNameA, GetTempPathA, GetWindowsDirectoryA, OpenProcess, Process32First, Process32Next, SetFileAttributesA, SetUnhandledExceptionFilter, TerminateProcess, WriteFile
> msvcrt.dll: _sleep, _strrev
> msvcrt.dll: __getmainargs, __p__environ, __p__fmode, __set_app_type, _cexit, _iob, _onexit, _setmode, abort, atexit, calloc, fclose, fflush, fopen, fprintf, free, fseek, ftell, malloc, signal, strcat, strcmp, strcpy, strlen, strncat
> SHELL32.DLL: ShellExecuteA
> USER32.dll: PeekMessageA, ShowWindow
> WININET.DLL: InternetOpenA, InternetOpenUrlA, InternetReadFile

( 0 exports )

ComboFix Scan Log:

ComboFix 08-06-05.3 - Owner 2008-06-09 11:42:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1261 [GMT -5:00]
Running from: C:\Documents and Settings\Owner.YOUR-9781572241\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.YOUR-9781572241\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\1dg.exe
C:\2.bat
C:\6l6w8.com
C:\cl.bat
C:\crsvc.exe
C:\gy.cmd
C:\jdwx.exe
C:\jfvkcsy.bat
C:\mug0sd.cmd
C:\Program Files\Common Files\fzx9823.exe
C:\Program Files\Common Files\smss.exe
C:\Program Files\Common Files\winlogon.exe
C:\qwc.exe
C:\vy.cmd
C:\WINDOWS\pcfriend.INI
C:\xlu8a8sy.exe
F:\cl.bat
F:\crsvc.exe
F:\jfvkcsy.bat
F:\MSOCache\doWTP_RESTORE.exe
F:\vy.cmd
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\1dg.exe
C:\2.bat
C:\6l6w8.com
C:\cl.bat
C:\gy.cmd
C:\jdwx.exe
C:\jfvkcsy.bat
C:\mug0sd.cmd
C:\Program Files\Common Files\fzx9823.exe
C:\Program Files\Common Files\smss.exe
C:\Program Files\Common Files\winlogon.exe
C:\qwc.exe
C:\vy.cmd
C:\WINDOWS\pcfriend.INI
C:\xlu8a8sy.exe
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 )))))))))))))))))))))))))))))))
.

2008-06-04 16:34 . 2008-06-04 16:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-19 23:48 . 2008-05-19 23:48 <DIR> d-------- C:\Program Files\REA
2008-05-14 12:28 . 2008-06-09 11:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-14 12:28 . 2008-05-14 12:28 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-06 17:03 --------- d-----w C:\Program Files\Viewpoint
2008-06-06 17:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-03 04:39 --------- d-----w C:\Program Files\iTunes
2008-05-20 19:14 --------- d-----w C:\Documents and Settings\Owner.YOUR-9781572241\Application Data\U3
2008-05-15 21:30 --------- d-----w C:\Documents and Settings\Owner.YOUR-9781572241\Application Data\Skype
2008-05-15 14:46 --------- d-----w C:\Documents and Settings\Owner.YOUR-9781572241\Application Data\skypePM
2008-05-12 05:31 --------- d-----w C:\Program Files\REALTEK RTL8187 Wireless LAN Driver and Utility
2008-05-05 14:18 --------- d-----w C:\Documents and Settings\Owner.YOUR-9781572241\Application Data\Printer Info Cache
2008-05-05 14:18 --------- d-----w C:\Documents and Settings\Owner.YOUR-9781572241\Application Data\Image Zone Express
2008-05-04 17:54 --------- d-----w C:\Documents and Settings\Owner.YOUR-9781572241\Application Data\HP
2008-05-04 17:53 --------- d-----w C:\Program Files\HP
2008-05-04 17:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2008-05-04 17:52 --------- d-----w C:\Program Files\Common Files\HP
2008-05-04 17:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-05-04 17:50 --------- d-----w C:\Program Files\Hewlett-Packard
2008-05-04 17:50 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-05-04 17:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-05-01 02:38 --------- d-----w C:\Documents and Settings\Owner.YOUR-9781572241\Application Data\Lavasoft
2008-05-01 02:37 --------- d-----w C:\Program Files\Lavasoft
2008-04-26 17:15 --------- d-----w C:\Documents and Settings\Owner.YOUR-9781572241\Application Data\LimeWire
2008-04-24 06:21 --------- d-----w C:\Program Files\MySpace
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-21 04:09 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-09-06 01:55 550,425 --sh--w C:\WINDOWS\system32\Memoria.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files\REA ----

2008-05-20 00:02 94886 --a------ C:\Program Files\REA\PLT_712\trace.log
2008-05-20 00:02 362496 --a------ C:\Program Files\REA\PLT_712\Data.mdb
2006-01-27 11:23 846 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q001essay.htm
2006-01-27 11:22 5175 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e006essay.htm
2006-01-27 11:05 80939 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\scoresanalysis.jpg
2006-01-27 11:02 172716 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\scoresdetail.jpg
2006-01-27 10:59 89334 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\scoreschart.jpg
2006-01-27 10:51 100040 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\explwindow.jpg
2006-01-27 10:38 165173 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\scoreessaywindow.jpg
2006-01-27 10:34 77727 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\Qslistp6.jpg
2006-01-27 10:32 78313 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\mctoolbar.jpg
2006-01-25 12:21 591 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e024.htm
2006-01-25 12:20 4719 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e012essay.htm
2006-01-25 12:19 7734 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e008essay.htm
2006-01-25 12:18 982 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q036.htm
2006-01-25 12:17 6426 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q004_pass.htm
2006-01-25 12:15 5333 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q002_pass.htm
2006-01-25 12:13 5379 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q001_pass.htm
2006-01-25 12:12 941 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e036.htm
2006-01-25 12:12 684 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e033.htm
2006-01-25 12:11 839 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e031.htm
2006-01-25 12:11 691 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e027.htm
2006-01-25 12:11 546 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e028.htm
2006-01-25 12:10 606 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e013.htm
2006-01-25 12:10 4219 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e009essay.htm
2006-01-25 12:09 7314 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e008essay.htm
2006-01-25 12:09 4758 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e007essay.htm
2006-01-25 12:08 6266 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e005essay.htm
2006-01-25 12:08 5979 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e003essay.htm
2006-01-25 12:08 5807 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e004essay.htm
2006-01-25 12:07 7857 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e001essay.htm
2006-01-25 12:07 6414 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e002essay.htm
2006-01-25 11:55 927 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q015.htm
2006-01-25 11:55 6099 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q002_pass.htm
2006-01-25 11:53 717 --a------ C:\Program Files\REA\PLT_712\Source\MultipleChoice_directions_next.htm
2006-01-25 11:52 676 --a------ C:\Program Files\REA\PLT_712\Source\MultipleChoice_directions.htm
2006-01-25 11:52 564 --a------ C:\Program Files\REA\PLT_712\Source\exam2_exit.htm
2006-01-25 11:51 708 --a------ C:\Program Files\REA\PLT_712\Source\exam2_intro.htm
2006-01-25 11:51 706 --a------ C:\Program Files\REA\PLT_712\Source\exam1_intro.htm
2006-01-25 11:51 564 --a------ C:\Program Files\REA\PLT_712\Source\exam1_exit.htm
2006-01-20 12:30 158469 --a------ C:\Program Files\REA\PLT_712\Source\TOC.jpg
2006-01-20 12:03 2710 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\tutorialp3.htm
2006-01-20 11:59 59986 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\exit.jpg
2006-01-20 11:57 58678 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\tutorialabout.jpg
2006-01-20 11:56 63972 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\scores.jpg
2006-01-20 11:54 62200 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\tutorial.jpg
2006-01-20 11:53 72279 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\starttest.jpg
2006-01-20 11:08 123817 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\toc.jpg
2006-01-20 11:00 142804 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\tutorialp10.jpg
2006-01-20 10:59 121871 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\tutorialp1.jpg
2006-01-20 10:02 46943 --a------ C:\Program Files\REA\PLT_712\Source\about.jpg
2006-01-13 16:03 799 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\tutorialp10.htm
2006-01-13 16:01 1441 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\tutorialp2.htm
2006-01-13 16:01 1006 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\tutorialp1.htm
2006-01-12 16:17 479 --a------ C:\Program Files\REA\PLT_712\Source\s2exit.htm
2006-01-12 16:17 428 --a------ C:\Program Files\REA\PLT_712\Source\s2intro.htm
2006-01-12 16:16 418 --a------ C:\Program Files\REA\PLT_712\Source\s1intro.htm
2006-01-12 16:15 463 --a------ C:\Program Files\REA\PLT_712\Source\s1exit.htm
2006-01-12 15:33 718 --a------ C:\Program Files\REA\PLT_712\Source\essay_directions_next.htm
2006-01-12 15:32 675 --a------ C:\Program Files\REA\PLT_712\Source\essay_directions.htm
2006-01-12 08:52 5412 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q003_pass.htm
2006-01-11 17:08 1178 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q012essay.htm
2006-01-11 17:07 774 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q011essay.htm
2006-01-11 17:06 620 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q010essay.htm
2006-01-11 17:05 491 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q009essay.htm
2006-01-11 17:04 668 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q008essay.htm
2006-01-11 17:04 514 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q007essay.htm
2006-01-11 17:03 631 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q005essay.htm
2006-01-11 17:03 1077 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q006essay.htm
2006-01-11 17:02 977 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q004essay.htm
2006-01-11 17:01 686 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q003essay.htm
2006-01-11 17:01 604 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q002essay.htm
2006-01-11 16:51 4875 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e011essay.htm
2006-01-11 16:45 6582 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e010essay.htm
2006-01-11 16:41 3625 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e009essay.htm
2006-01-11 16:36 7757 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e007essay.htm
2006-01-11 16:32 4563 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e006essay.htm
2006-01-11 16:29 10560 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e005essay.htm
2006-01-11 16:23 7667 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e004essay.htm
2006-01-11 16:18 5302 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e003essay.htm
2006-01-11 16:12 8602 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e002essay.htm
2006-01-11 16:03 7109 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e001essay.htm
2006-01-11 15:57 4849 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q004_pass.htm
2006-01-11 15:54 5618 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q003_pass.htm
2006-01-11 15:48 5532 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q001_pass.htm
2006-01-11 15:06 551 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q012essay.htm
2006-01-11 15:04 525 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q011essay.htm
2006-01-11 15:03 604 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q010essay.htm
2006-01-11 15:02 469 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q009essay.htm
2006-01-11 15:01 583 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q007essay.htm
2006-01-11 15:01 489 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q008essay.htm
2006-01-11 15:00 614 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q006essay.htm
2006-01-11 14:59 793 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q005essay.htm
2006-01-11 14:58 746 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q003essay.htm
2006-01-11 14:58 714 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q004essay.htm
2006-01-11 14:57 1066 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q002essay.htm
2006-01-11 14:56 988 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q001essay.htm
2006-01-11 14:52 4092 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e012essay.htm
2006-01-11 14:47 3996 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e011essay.htm
2006-01-11 14:44 4423 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e010essay.htm
2006-01-10 16:44 975 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q036d.htm
2006-01-10 16:44 975 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q036c.htm
2006-01-10 16:44 975 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q036b.htm
2006-01-10 16:44 975 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q036a.htm
2006-01-10 16:44 950 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q026.htm
2006-01-10 16:44 950 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q026d.htm
2006-01-10 16:44 950 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q026c.htm
2006-01-10 16:44 950 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q026b.htm
2006-01-10 16:44 950 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q026a.htm
2006-01-10 16:44 941 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q033.htm
2006-01-10 16:44 941 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q033d.htm
2006-01-10 16:44 941 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q033c.htm
2006-01-10 16:44 941 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q033b.htm
2006-01-10 16:44 941 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q033a.htm
2006-01-10 16:44 923 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q035.htm
2006-01-10 16:44 923 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q035d.htm
2006-01-10 16:44 923 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q035c.htm
2006-01-10 16:44 923 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q035b.htm
2006-01-10 16:44 923 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q035a.htm
2006-01-10 16:44 907 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q028.htm
2006-01-10 16:44 907 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q025.htm
2006-01-10 16:44 907 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q018.htm
2006-01-10 16:44 907 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q028d.htm
2006-01-10 16:44 907 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q028c.htm
2006-01-10 16:44 907 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q028b.htm
2006-01-10 16:44 907 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q028a.htm
2006-01-10 16:44 907 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q025d.htm
2006-01-10 16:44 907 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q025c.htm
2006-01-10 16:44 907 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q025b.htm
2006-01-10 16:44 907 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q025a.htm
2006-01-10 16:44 907 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q018d.htm
2006-01-10 16:44 907 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q018c.htm
2006-01-10 16:44 907 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q018b.htm
2006-01-10 16:44 907 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q018a.htm
2006-01-10 16:44 903 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q014.htm
2006-01-10 16:44 903 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q014d.htm
2006-01-10 16:44 903 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q014c.htm
2006-01-10 16:44 903 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q014b.htm
2006-01-10 16:44 903 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q014a.htm
2006-01-10 16:44 881 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q016.htm
2006-01-10 16:44 881 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q013.htm
2006-01-10 16:44 881 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q016d.htm
2006-01-10 16:44 881 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q016c.htm
2006-01-10 16:44 881 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q016b.htm
2006-01-10 16:44 881 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q016a.htm
2006-01-10 16:44 881 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q013d.htm
2006-01-10 16:44 881 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q013c.htm
2006-01-10 16:44 881 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q013b.htm
2006-01-10 16:44 881 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q013a.htm
2006-01-10 16:44 869 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q024.htm
2006-01-10 16:44 869 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q024d.htm
2006-01-10 16:44 869 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q024c.htm
2006-01-10 16:44 869 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q024b.htm
2006-01-10 16:44 869 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q024a.htm
2006-01-10 16:44 862 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q015.htm
2006-01-10 16:44 862 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q015d.htm
2006-01-10 16:44 862 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q015c.htm
2006-01-10 16:44 862 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q015b.htm
2006-01-10 16:44 862 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q015a.htm
2006-01-10 16:44 861 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q030.htm
2006-01-10 16:44 861 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q030d.htm
2006-01-10 16:44 861 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q030c.htm
2006-01-10 16:44 861 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q030b.htm
2006-01-10 16:44 861 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q030a.htm
2006-01-10 16:44 827 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q032.htm
2006-01-10 16:44 827 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q032d.htm
2006-01-10 16:44 827 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q032c.htm
2006-01-10 16:44 827 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q032b.htm
2006-01-10 16:44 827 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q032a.htm
2006-01-10 16:44 823 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q031.htm
2006-01-10 16:44 823 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q031d.htm
2006-01-10 16:44 823 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q031c.htm
2006-01-10 16:44 823 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q031b.htm
2006-01-10 16:44 823 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q031a.htm
2006-01-10 16:44 807 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q027.htm
2006-01-10 16:44 807 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q027d.htm
2006-01-10 16:44 807 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q027c.htm
2006-01-10 16:44 807 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q027b.htm
2006-01-10 16:44 807 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q027a.htm
2006-01-10 16:44 791 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q034.htm
2006-01-10 16:44 791 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q034d.htm
2006-01-10 16:44 791 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q034c.htm
2006-01-10 16:44 791 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q034b.htm
2006-01-10 16:44 791 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q034a.htm
2006-01-10 16:44 1471 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q017.htm
2006-01-10 16:44 1471 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q017d.htm
2006-01-10 16:44 1471 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q017c.htm
2006-01-10 16:44 1471 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q017b.htm
2006-01-10 16:44 1471 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q017a.htm
2006-01-10 16:44 1308 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q022.htm
2006-01-10 16:44 1308 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q022d.htm
2006-01-10 16:44 1308 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q022c.htm
2006-01-10 16:44 1308 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q022b.htm
2006-01-10 16:44 1308 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q022a.htm
2006-01-10 16:44 1253 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q029.htm
2006-01-10 16:44 1253 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q029d.htm
2006-01-10 16:44 1253 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q029c.htm
2006-01-10 16:44 1253 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q029b.htm
2006-01-10 16:44 1253 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q029a.htm
2006-01-10 16:44 1146 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q019.htm
2006-01-10 16:44 1146 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q019d.htm
2006-01-10 16:44 1146 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q019c.htm
2006-01-10 16:44 1146 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q019b.htm
2006-01-10 16:44 1146 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q019a.htm
2006-01-10 16:44 1058 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q020.htm
2006-01-10 16:44 1058 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q020d.htm
2006-01-10 16:44 1058 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q020c.htm
2006-01-10 16:44 1058 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q020b.htm
2006-01-10 16:44 1058 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q020a.htm
2006-01-10 16:44 1045 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q021.htm
2006-01-10 16:44 1045 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q021d.htm
2006-01-10 16:44 1045 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q021c.htm
2006-01-10 16:44 1045 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q021b.htm
2006-01-10 16:44 1045 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q021a.htm
2006-01-10 16:44 1006 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_q023.htm
2006-01-10 16:44 1006 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q023d.htm
2006-01-10 16:44 1006 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q023c.htm
2006-01-10 16:44 1006 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q023b.htm
2006-01-10 16:44 1006 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t2_q023a.htm
2006-01-10 16:42 945 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e017.htm
2006-01-10 16:42 819 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e013.htm
2006-01-10 16:42 792 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e021.htm
2006-01-10 16:42 787 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e016.htm
2006-01-10 16:42 767 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e014.htm
2006-01-10 16:42 763 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e033.htm
2006-01-10 16:42 762 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e022.htm
2006-01-10 16:42 748 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e034.htm
2006-01-10 16:42 723 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e030.htm
2006-01-10 16:42 722 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e036.htm
2006-01-10 16:42 696 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e029.htm
2006-01-10 16:42 681 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e026.htm
2006-01-10 16:42 641 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e027.htm
2006-01-10 16:42 632 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e032.htm
2006-01-10 16:42 604 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e028.htm
2006-01-10 16:42 592 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e031.htm
2006-01-10 16:42 571 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e015.htm
2006-01-10 16:42 538 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e023.htm
2006-01-10 16:42 520 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e035.htm
2006-01-10 16:42 460 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e019.htm
2006-01-10 16:42 441 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e020.htm
2006-01-10 16:42 439 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e025.htm
2006-01-10 16:42 1007 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t2_e018.htm
2006-01-10 16:35 921 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q036.htm
2006-01-10 16:35 921 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q036d.htm
2006-01-10 16:35 921 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q036c.htm
2006-01-10 16:35 921 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q036b.htm
2006-01-10 16:35 921 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q036a.htm
2006-01-10 16:35 897 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q035.htm
2006-01-10 16:35 897 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q035d.htm
2006-01-10 16:35 897 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q035c.htm
2006-01-10 16:35 897 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q035b.htm
2006-01-10 16:35 897 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q035a.htm
2006-01-10 16:35 889 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q032.htm
2006-01-10 16:35 889 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q032d.htm
2006-01-10 16:35 889 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q032c.htm
2006-01-10 16:35 889 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q032b.htm
2006-01-10 16:35 889 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q032a.htm
2006-01-10 16:35 862 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q030.htm
2006-01-10 16:35 862 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q030d.htm
2006-01-10 16:35 862 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q030c.htm
2006-01-10 16:35 862 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q030b.htm
2006-01-10 16:35 862 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q030a.htm
2006-01-10 16:35 835 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q031.htm
2006-01-10 16:35 835 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q031d.htm
2006-01-10 16:35 835 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q031c.htm
2006-01-10 16:35 835 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q031b.htm
2006-01-10 16:35 835 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q031a.htm
2006-01-10 16:35 809 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q033.htm
2006-01-10 16:35 809 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q033d.htm
2006-01-10 16:35 809 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q033c.htm
2006-01-10 16:35 809 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q033b.htm
2006-01-10 16:35 809 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q033a.htm
2006-01-10 16:35 804 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q034.htm
2006-01-10 16:35 804 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q034d.htm
2006-01-10 16:35 804 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q034c.htm
2006-01-10 16:35 804 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q034b.htm
2006-01-10 16:35 804 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q034a.htm
2006-01-10 16:34 833 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q029.htm
2006-01-10 16:34 833 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q029d.htm
2006-01-10 16:34 833 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q029c.htm
2006-01-10 16:34 833 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q029b.htm
2006-01-10 16:34 833 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q029a.htm
2006-01-10 16:33 921 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q023.htm
2006-01-10 16:33 921 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q023d.htm
2006-01-10 16:33 921 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q023c.htm
2006-01-10 16:33 921 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q023b.htm
2006-01-10 16:33 921 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q023a.htm
2006-01-10 16:33 920 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q015d.htm
2006-01-10 16:33 920 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q015c.htm
2006-01-10 16:33 920 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q015b.htm
2006-01-10 16:33 920 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q015a.htm
2006-01-10 16:33 919 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q021.htm
2006-01-10 16:33 919 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q021d.htm
2006-01-10 16:33 919 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q021c.htm
2006-01-10 16:33 919 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q021b.htm
2006-01-10 16:33 919 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q021a.htm
2006-01-10 16:33 911 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q024.htm
2006-01-10 16:33 911 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q024d.htm
2006-01-10 16:33 911 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q024c.htm
2006-01-10 16:33 911 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q024b.htm
2006-01-10 16:33 911 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q024a.htm
2006-01-10 16:33 906 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q020.htm
2006-01-10 16:33 906 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q020d.htm
2006-01-10 16:33 906 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q020c.htm
2006-01-10 16:33 906 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q020b.htm
2006-01-10 16:33 906 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q020a.htm
2006-01-10 16:33 895 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q014.htm
2006-01-10 16:33 895 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q014d.htm
2006-01-10 16:33 895 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q014c.htm
2006-01-10 16:33 895 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q014b.htm
2006-01-10 16:33 895 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q014a.htm
2006-01-10 16:33 892 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q017.htm
2006-01-10 16:33 892 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q017d.htm
2006-01-10 16:33 892 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q017c.htm
2006-01-10 16:33 892 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q017b.htm
2006-01-10 16:33 892 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q017a.htm
2006-01-10 16:33 884 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q016.htm
2006-01-10 16:33 884 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q016d.htm
2006-01-10 16:33 884 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q016c.htm
2006-01-10 16:33 884 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q016b.htm
2006-01-10 16:33 884 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q016a.htm
2006-01-10 16:33 859 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q026.htm
2006-01-10 16:33 859 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q026d.htm
2006-01-10 16:33 859 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q026c.htm
2006-01-10 16:33 859 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q026b.htm
2006-01-10 16:33 859 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q026a.htm
2006-01-10 16:33 857 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q022.htm
2006-01-10 16:33 857 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q018.htm
2006-01-10 16:33 857 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q022d.htm
2006-01-10 16:33 857 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q022c.htm
2006-01-10 16:33 857 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q022b.htm
2006-01-10 16:33 857 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q022a.htm
2006-01-10 16:33 857 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q018d.htm
2006-01-10 16:33 857 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q018c.htm
2006-01-10 16:33 857 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q018b.htm
2006-01-10 16:33 857 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q018a.htm
2006-01-10 16:33 853 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q028.htm
2006-01-10 16:33 853 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q028d.htm
2006-01-10 16:33 853 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q028c.htm
2006-01-10 16:33 853 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q028b.htm
2006-01-10 16:33 853 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q028a.htm
2006-01-10 16:33 852 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q013.htm
2006-01-10 16:33 852 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q013d.htm
2006-01-10 16:33 852 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q013c.htm
2006-01-10 16:33 852 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q013b.htm
2006-01-10 16:33 852 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q013a.htm
2006-01-10 16:33 835 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q019.htm
2006-01-10 16:33 835 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q019d.htm
2006-01-10 16:33 835 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q019c.htm
2006-01-10 16:33 835 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q019b.htm
2006-01-10 16:33 835 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q019a.htm
2006-01-10 16:33 1354 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q027.htm
2006-01-10 16:33 1354 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q027d.htm
2006-01-10 16:33 1354 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q027c.htm
2006-01-10 16:33 1354 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q027b.htm
2006-01-10 16:33 1354 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q027a.htm
2006-01-10 16:33 1001 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_q025.htm
2006-01-10 16:33 1001 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q025d.htm
2006-01-10 16:33 1001 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q025c.htm
2006-01-10 16:33 1001 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q025b.htm
2006-01-10 16:33 1001 --a------ C:\Program Files\REA\PLT_712\Source\Choices\tp_plt7_t1_q025a.htm
2006-01-10 16:12 946 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e022.htm
2006-01-10 16:12 856 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e035.htm
2006-01-10 16:12 829 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e015.htm
2006-01-10 16:12 828 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e018.htm
2006-01-10 16:12 765 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e019.htm
2006-01-10 16:12 757 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e020.htm
2006-01-10 16:12 736 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e026.htm
2006-01-10 16:12 733 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e025.htm
2006-01-10 16:12 720 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e034.htm
2006-01-10 16:12 710 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e024.htm
2006-01-10 16:12 696 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e021.htm
2006-01-10 16:12 685 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e030.htm
2006-01-10 16:12 679 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e014.htm
2006-01-10 16:12 672 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e016.htm
2006-01-10 16:12 605 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e032.htm
2006-01-10 16:12 603 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e023.htm
2006-01-10 16:12 588 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e017.htm
2006-01-10 16:12 540 --a------ C:\Program Files\REA\PLT_712\Source\tp_plt7_t1_e029.htm
2005-12-29 10:59 94312 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\scoresanalysistopic.jpg
2005-12-29 10:52 40743 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\calculator.jpg
2005-12-27 09:25 142747 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\tutorialp9.jpg
2005-10-17 14:52 414 --a------ C:\Program Files\REA\PLT_712\Source\GRESTYLE.CSS
2005-10-17 11:57 427 --a------ C:\Program Files\REA\PLT_712\Source\grestyle_ISE.css
2005-10-13 10:13 8009 --a------ C:\Program Files\REA\PLT_712\Readme.rtf
2005-08-30 08:55 2786 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\tutorialp4.htm
2005-06-07 20:07 28760 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\pause.jpg
2005-06-07 20:06 42804 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\stop.jpg
2005-06-07 20:04 37066 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\qslist.jpg
2005-06-07 20:03 43572 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\mark.jpg
2005-06-07 20:00 28870 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\changesection.jpg
2005-06-07 19:59 27195 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\examdirections.jpg
2005-06-07 19:59 25742 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\next.jpg
2005-06-07 19:59 25346 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\back.jpg
2005-06-07 19:57 24395 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\cancel.jpg
2005-06-07 19:56 28187 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\resumetest.jpg
2005-06-07 19:54 33657 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\viewscorereport.jpg
2005-06-07 19:54 27103 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\begintest.jpg
2005-06-07 19:52 33339 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\explanations.jpg
2005-05-10 13:51 1531904 --a------ C:\Program Files\REA\PLT_712\Testware.exe
2005-04-21 10:26 140800 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\Thumbs.db
2005-04-21 10:16 3462 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\tutorialp5.htm
2005-04-04 11:25 909 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\tutorialp7.htm
2005-03-17 16:59 79474 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\essaywindow.jpg
2004-12-17 10:29 5341 --a------ C:\Program Files\REA\PLT_712\Source\C0.JPG
2004-12-17 10:29 5341 --a------ C:\Program Files\REA\PLT_712\Source\A0.JPG
2004-12-17 10:29 5336 --a------ C:\Program Files\REA\PLT_712\Source\B0.JPG
2004-12-17 10:29 5299 --a------ C:\Program Files\REA\PLT_712\Source\E0.JPG
2004-12-17 10:29 5293 --a------ C:\Program Files\REA\PLT_712\Source\D0.JPG
2004-12-17 10:29 391 --a------ C:\Program Files\REA\PLT_712\Source\GRESTYLE_math.CSS
2004-01-08 15:54 1346 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\tutorialp6.htm
2003-11-06 13:27 8855 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\calc.jpg
2003-09-25 13:37 107 --a------ C:\Program Files\REA\PLT_712\Source\dir_b0.gif
2003-09-25 13:37 104 --a------ C:\Program Files\REA\PLT_712\Source\dir_c0.gif
2003-09-25 13:37 104 --a------ C:\Program Files\REA\PLT_712\Source\dir_a0.gif
2003-09-25 13:37 103 --a------ C:\Program Files\REA\PLT_712\Source\dir_d0.gif
2003-09-25 13:37 100 --a------ C:\Program Files\REA\PLT_712\Source\dir_e0.gif
2003-03-20 07:52 44917 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\takeatest.jpg
2003-03-20 07:44 349 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\GRESTYLE.CSS
2003-03-20 07:44 11501 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\qandabutton.jpg
2003-03-20 07:44 11352 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\qslist_button.jpg
2003-03-20 07:44 11079 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\mark_button.jpg
2003-03-20 07:26 933 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\tutorialp8.htm
2003-03-20 07:26 1154 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\tutorialp9.htm
2003-03-20 07:26 1154 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\tutorialp81.htm
2002-10-24 09:19 11838 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\writeessay.jpg
2002-10-21 09:45 10346 --a------ C:\Program Files\REA\PLT_712\Source\Tutorial\scoreessay.jpg


((((((((((((((((((((((((((((( snapshot@2008-06-06_12.25.03.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-12-14 04:11:25 64,088 -c--a-w C:\WINDOWS\assembly\GAC\Microsoft.Vbe.Interop\11.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll
+ 2008-06-06 19:03:00 66,936 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.Vbe.Interop\11.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll
- 2006-12-14 04:11:25 223,800 -c--a-w C:\WINDOWS\assembly\GAC\office\11.0.0.0__71e9bce111e9429c\OFFICE.DLL
+ 2008-06-06 19:02:55 226,656 ----a-w C:\WINDOWS\assembly\GAC\office\11.0.0.0__71e9bce111e9429c\OFFICE.DLL
- 2008-06-03 04:57:49 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-09 16:08:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2003-07-15 03:57:34 38,968 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\AUTHZAX.DLL
+ 2003-07-15 03:53:06 94,768 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\AW.DLL
+ 2003-07-15 08:14:28 350,264 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\CDLMSO.DLL
+ 2003-07-15 08:18:12 47,160 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\DFUICOM.EXE
+ 2003-07-15 03:56:54 14,904 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\DSITF.DLL
+ 2003-07-15 03:57:14 98,360 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\DSSM.EXE
+ 2003-08-13 07:34:38 10,073,144 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\EXCEL.EXE
+ 2003-07-24 04:01:40 1,949,240 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\FPCUTL.DLL
+ 2003-07-15 04:36:14 186,424 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\FPDTC.DLL
+ 2003-07-15 03:40:12 179,768 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\FPERSON.DLL
+ 2003-07-15 03:40:12 165,944 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\FPLACE.DLL
+ 2003-07-15 04:11:42 2,139,192 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\GRAPH.EXE
+ 2003-07-15 03:57:44 87,096 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\IEAWSDC.DLL
+ 2003-06-18 22:31:44 758,784 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\MDIGRAPH.DLL
+ 2003-06-18 22:31:10 252,928 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\MDIINK.DLL
+ 2003-06-18 22:31:48 17,920 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\MDIMON.DLL
+ 2003-06-18 22:31:48 18,944 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\MDIPPR.DLL
+ 2003-06-18 22:31:46 35,328 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\MDIUI.DLL
+ 2003-06-18 22:31:34 443,904 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\MDIVWCTL.DLL
+ 2003-07-15 03:58:04 230,968 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\MSCDM.DLL
+ 2003-07-15 06:51:44 87,104 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\MSENCODE.DLL
+ 2003-07-15 03:52:52 17,464 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\MSMH.DLL
+ 2003-08-08 05:23:16 12,172,336 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\MSO.DLL
+ 2003-07-15 03:57:16 120,888 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\MSOAUTH.DLL
+ 2003-07-15 08:14:18 106,552 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\MSOCF.DLL
+ 2003-07-24 03:35:26 127,032 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\MSOCFU.DLL
+ 2003-07-15 03:52:52 27,704 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\MSODCW.DLL
+ 2003-07-15 03:44:06 25,144 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\MSOEURO.DLL
+ 2003-07-15 03:52:56 55,360 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\MSOHTMED.EXE
+ 2003-07-11 10:15:48 1,292,872 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\MSONSEXT.DLL
+ 2003-07-15 08:18:52 376,888 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\MSORUN.DLL
+ 2003-07-15 03:52:54 28,224 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\MSOSTYLE.DLL
+ 2003-07-15 03:52:52 35,896 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\MSOSV.DLL
+ 2003-07-15 03:46:16 42,040 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\MSOXEV.DLL
+ 2003-07-15 03:45:12 55,360 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\MSOXMLED.EXE
+ 2003-07-15 03:45:12 39,488 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\MSOXMLMF.DLL
+ 2003-06-18 22:31:24 1,033,216 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\MSPCORE.DLL
+ 2003-06-18 22:31:50 16,384 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\MSPGIMME.DLL
+ 2003-07-28 17:24:40 5,677,112 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\MSPUB.EXE
+ 2003-06-19 21:05:50 364,648 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\MSPVIEW.EXE
+ 2003-07-15 03:52:58 41,528 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\MSSH.DLL
+ 2003-07-15 04:02:14 627,256 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\MSTORDB.EXE
+ 2003-07-15 03:56:24 124,984 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\MSTORE.EXE
+ 2003-07-24 03:40:00 482,872 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\MSTORES.DLL
+ 2003-07-15 04:00:54 145,984 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\MSWEBCAP.DLL
+ 2003-07-15 03:57:10 56,888 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\NAME.DLL
+ 2003-07-15 03:56:52 13,888 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\NPOFFICE.DLL
+ 2006-12-14 04:11:25 223,800 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\OFFICE.DLL
+ 2003-07-15 08:14:26 283,696 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\OIS.EXE
+ 2003-07-15 08:14:26 828,472 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\OISAPP.DLL
+ 2003-07-15 08:14:26 27,192 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\OISCTRL.DLL
+ 2003-07-15 08:14:26 242,240 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\OISGRAPH.DLL
+ 2003-07-15 04:05:24 1,054,264 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\OMFC.DLL
+ 2003-08-01 20:09:04 8,086,072 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\OWC11.DLL
+ 2003-07-30 17:40:40 6,133,312 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\POWERPNT.EXE
+ 2003-07-15 08:18:54 430,136 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\PP4X322.DLL
+ 2003-07-15 08:18:44 93,752 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\PP7X32.DLL
+ 2003-07-31 20:21:08 1,782,840 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\PPTVIEW.EXE
+ 2003-07-15 03:40:26 130,104 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\PRTF9.DLL
+ 2003-07-15 03:51:12 604,728 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\PTXT9.DLL
+ 2003-07-15 03:50:26 551,480 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\PUBCONV.DLL
+ 2003-07-15 03:40:16 51,256 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\PUBTRAP.DLL
+ 2003-05-09 02:54:00 77,824 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\REFEDIT.DLL
+ 2003-07-15 03:57:08 40,512 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\REFIEBAR.DLL
+ 2003-07-15 03:57:08 58,944 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\SEQCHK10.DLL
+ 2003-07-15 03:53:14 11,848 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\SMARTTAGINSTALL.EXE
+ 2003-08-03 15:52:32 2,808,376 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\STSLIST.DLL
+ 2003-07-03 20:19:36 2,502,656 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\VBE6.DLL
+ 2006-12-14 04:11:25 64,088 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\VBIDEPIA.DLL
+ 2003-08-06 18:24:20 12,037,688 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\WINWORD.EXE
+ 2005-05-04 08:06:28 465,640 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.8173\MSDMENG.DLL
+ 2005-05-04 08:06:32 1,411,816 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.8173\MSDMINE.DLL
+ 2005-05-04 08:06:26 199,408 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.8173\MSMDUN80.DLL
- 2008-05-15 14:49:28 593,920 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-06-06 19:03:30 593,920 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2008-05-15 14:49:28 12,288 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-06-06 19:03:30 12,288 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-05-15 14:49:27 135,168 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-06-06 19:03:29 135,168 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-05-15 14:49:28 11,264 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-06-06 19:03:30 11,264 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-05-15 14:49:28 27,136 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-06-06 19:03:31 27,136 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-05-15 14:49:28 4,096 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-06-06 19:03:31 4,096 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-05-15 14:49:28 794,624 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-06-06 19:03:31 794,624 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-05-15 14:49:28 249,856 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-06-06 19:03:30 249,856 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-05-15 14:49:27 61,440 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-06-06 19:03:30 61,440 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2008-05-15 14:49:28 23,040 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-06-06 19:03:31 23,040 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-05-15 14:49:27 286,720 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-06-06 19:03:29 286,720 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-05-15 14:49:27 409,600 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-06-06 19:03:29 409,600 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2005-03-17 22:39:58 1,146,320 -c--a-w C:\WINDOWS\system32\FM20.DLL
+ 2007-06-06 15:53:34 1,195,888 ----a-w C:\WINDOWS\system32\FM20.DLL
- 2003-07-15 06:57:04 32,584 -c--a-w C:\WINDOWS\system32\FM20ENU.DLL
+ 2007-03-23 00:17:04 35,440 ----a-w C:\WINDOWS\system32\FM20ENU.DLL
- 2008-04-09 15:47:29 206,512 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-06-09 16:08:01 206,512 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2003-06-18 22:31:48 17,920 ----a-w C:\WINDOWS\system32\mdimon.dll
+ 2007-04-09 18:23:54 28,040 ----a-w C:\WINDOWS\system32\mdimon.dll
- 2003-06-18 22:31:44 758,784 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\mdigraph.dll
+ 2007-04-09 18:24:04 758,664 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\mdigraph.dll
- 2003-06-18 22:31:46 35,328 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\mdiui.dll
+ 2007-04-09 18:23:58 46,472 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\mdiui.dll
- 2003-06-18 22:31:44 758,784 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\mdigraph.dll
+ 2007-04-09 18:24:04 758,664 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\mdigraph.dll
- 2003-06-18 22:31:46 35,328 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\mdiui.dll
+ 2007-04-09 18:23:58 46,472 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\mdiui.dll
- 2003-06-18 22:31:48 18,944 ----a-w C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
+ 2007-04-09 18:23:54 28,552 ----a-w C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 22:56 64512]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 10:47 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 10:47 688218]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 20:41 45056]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 13:20 413696 C:\WINDOWS\stsystra.exe]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-11-12 00:40 1236992]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 19:16 1121792]
"APVXDWIN"="C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.exe" [2006-09-13 07:59 311296]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"Windows Log Agent"="C:\Program Files\Common Files\winlogon.exe" [ ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 21:52 49152]
"T2W"="C:\WINDOWS\system32\Memoria.exe" [2007-09-05 20:55 550425]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 18:27 9117696]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 21:40:10 210520]
REALTEK RTL8187 Wireless LAN Utility.lnk - C:\Program Files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe [2006-11-03 09:03:46 749568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2005-09-27 12:13 45056 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2311adaa-66de-11dc-b7af-0014a5d0c0f8}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35087164-8a58-11db-b63d-0014a5d0c0f8}]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88e00c56-843b-11dc-b7e2-0014a5d0c0f8}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ddd8bb27-05bf-11dd-b86e-0014a5d0c0f8}]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff637bb0-4f75-11dc-b781-0014a5d0c0f8}]
\Shell\AutoRun\command - F:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-10 13:30:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2006-12-11 17:51:27 C:\WINDOWS\Tasks\ISP signup reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2006-12-11 17:51:27 C:\WINDOWS\Tasks\ISP signup reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-09 11:43:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-09 11:44:41
ComboFix-quarantined-files.txt 2008-06-09 16:44:32
ComboFix2.txt 2008-06-06 17:25:32

Pre-Run: 124,137,160,704 bytes free
Post-Run: 124,119,470,080 bytes free

735 --- E O F --- 2008-06-06 19:03:56


HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:27 a.m., on 09/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\apvxdwin.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\Memoria.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ohiou.edu/students/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html ... B&M=MX6453
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Log Agent] C:\Program Files\Common Files\winlogon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [T2W] C:\WINDOWS\system32\Memoria.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: REALTEK RTL8187 Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6482 bytes
DDrea83
Active Member
 
Posts: 7
Joined: June 4th, 2008, 5:38 pm

Re: Spyware...? Not sure.

Unread postby Rodav » June 10th, 2008, 4:40 am

I'm afraid I have unpleasant news for you. You have a Very Dangerous infection on this machine.
The infection is delivered by Backdoor.Win32.Poison.ai
It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to any other data present...
IF this computer has been used for any kind of important data, my best recommendation is to Disconnect from Internet, Re-Format the entire drive and re-install your Operating system and Applications.

We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. In that instance, even after removal of the infection, you could be subject to another attack or takeover as soon as you re-connect to the Internet.

The Decision Whether to ReFormat or Not should be based on:
  • The use of the computer - this is the primary factor in the decision whether to re-format and re-install, or just disinfect.
  • The variety of malware - this influences the decision on whether to re-format and re-install, or just disinfect. IN THIS CASE we have a Backdoor Trojan, the worst kind.
If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
  • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
  • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
    Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.
  • Please read this for more information: How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
While you are deciding whether to ReFormat and Re-Install, a useful link is here: http://www.dslreports.com/faq/10063
Please let me know what you decide.




If you do decide to continue to clean your computer, please do the following:

Step 1:
1. Close any open browsers.

2. Open Notepad and copy/paste the text in the quote box below into it:

Code:
File::
C:\WINDOWS\system32\Memoria.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Log Agent"=-
"T2W"=-


Save this as CFScript.txt, in the same location as ComboFix.exe.


Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Step 2:
Using Internet Explorer, go to http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Copy and paste the report into your next reply.


Step 3:
Run HijackThis, do a system scan and in your next reply please post:
  • The ComboFix report (C:\ComboFix.txt)
  • The online Kaspersky scan results
  • The new HijackThis log

Also, please let me know how your computer is running.
Rodav
MRU Master Emeritus
 
Posts: 1481
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.
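
The CFScript above removes the "Windows Log Agent" value (a winlogon.exe living under Common Files rather than system32) and the "T2W" value pointing at Memoria.exe. Two of the checks a helper applies by eye when reading such a log can be made repeatable. The Python below is an added example for this thread, not a tool from MalwareRemoval.com, ComboFix or HijackThis: it parses HijackThis O4 Run lines and ComboFix mountpoints2 AutoRun lines, flags a core Windows binary name that starts from a folder other than %SystemRoot% or %SystemRoot%\system32, and flags a removable-media AutoRun command that launches a relative path. The sample lines are copied from the logs posted in this thread; the set of core binary names, the C:\WINDOWS location and the heuristics themselves are assumptions of the example, and a hit means "review this entry", not a malware verdict.

```python
"""Triage of autostart entries from a HijackThis / ComboFix log.

Added example for this thread; not a tool from the forum, ComboFix or
HijackThis. Hits are entries to review, not a malware verdict.
"""
import re

# Core Windows XP process names that only start from %SystemRoot% or
# %SystemRoot%\system32. Illustrative set (an assumption of this example).
CORE_NAMES = {"winlogon.exe", "csrss.exe", "smss.exe", "lsass.exe",
              "services.exe", "svchost.exe", "ctfmon.exe", "explorer.exe"}
# Assumes a default XP install on C:; adjust for the machine under review.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\")

# HijackThis O4 Run line: "O4 - HKLM\..\Run: [Name] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# ComboFix mountpoints2 line: "\Shell\AutoRun\command - <command>"
MP_RE = re.compile(r"^\\Shell\\(?:AutoRun|Open\(&0\))\\command - (?P<cmd>.+)$")
# First executable in a command, with or without surrounding quotes.
EXE_RE = re.compile(r'"?(?P<path>[^"]*?\.exe)"?', re.IGNORECASE)

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe",
    r'O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay',
    r"O4 - HKLM\..\Run: [Windows Log Agent] C:\Program Files\Common Files\winlogon.exe",
    r"O4 - HKLM\..\Run: [T2W] C:\WINDOWS\system32\Memoria.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"\Shell\AutoRun\command - F:\LaunchU3.exe",
    r"\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe",
    r"\Shell\Open(&0)\command - Recycled\ctfmon.exe",
]


def exe_path(cmd):
    """Return the executable a Run value launches: quotes and arguments dropped."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def check_run_entry(name, cmd):
    """Flag a core binary name that does not start from a system folder."""
    path = exe_path(cmd)
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    folder = low[: len(low) - len(base)]
    if base in CORE_NAMES and folder not in SYSTEM_DIRS:
        return f"core binary name '{base}' started from '{path}' by Run value '{name}'"
    return None


def check_autorun_command(cmd):
    """Flag an AutoRun command whose target is a relative path.

    A relative path resolves against whatever volume was just plugged in,
    which is the pattern of a copy hidden in a Recycled folder on a USB stick.
    """
    for tok in cmd.split():
        t = tok.strip('"')
        if (t.lower().endswith(".exe") and not t.startswith("%")
                and not re.match(r"^[a-z]:\\", t, re.IGNORECASE)):
            return f"AutoRun launches relative path '{t}'"
    return None


def triage(lines):
    """Run both checks over log lines; returns (line, reason) pairs."""
    findings = []
    for line in lines:
        m = O4_RE.match(line)
        if m:
            reason = check_run_entry(m.group("name"), m.group("cmd"))
        else:
            m = MP_RE.match(line)
            reason = check_autorun_command(m.group("cmd")) if m else None
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LINES):
        print(f"{reason}\n    {line}")
```

On the sample lines the script reports the Common Files winlogon.exe and the two Recycled\ctfmon.exe AutoRun commands, and stays quiet on ctfmon.exe in system32, the quoted ATI path and the U3 launcher on F:. Memoria.exe is not caught by either heuristic, which is the point of keeping a human in the loop: a name-based check cannot tell an unknown file in system32 from a legitimate one without a file hash or vendor lookup.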

Re: Spyware...? Not sure.

Unread postby DDrea83 » June 10th, 2008, 3:18 pm

COMBOFIX LOG:


ComboFix 08-06-05.3 - Owner 2008-06-10 11:56:38.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1237 [GMT -5:00]
Running from: C:\Documents and Settings\Owner.YOUR-9781572241\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.YOUR-9781572241\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\Memoria.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\Memoria.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-10 to 2008-06-10 )))))))))))))))))))))))))))))))
.

2008-06-09 22:26 . 2008-06-09 22:26 0 --a------ C:\WINDOWS\RAVTC.TMP
2008-06-09 22:25 . 2008-06-09 22:25 <DIR> d-------- C:\WINDOWS\LastGood
2008-06-04 16:34 . 2008-06-04 16:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-19 23:48 . 2008-05-19 23:48 <DIR> d-------- C:\Program Files\REA
2008-05-14 12:28 . 2008-06-09 16:49 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-14 12:28 . 2008-05-14 12:28 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-10 03:27 --------- d-----w C:\Program Files\MySpace
2008-06-09 21:46 --------- d-----w C:\Documents and Settings\Owner.YOUR-9781572241\Application Data\Lavasoft
2008-06-06 17:03 --------- d-----w C:\Program Files\Viewpoint
2008-06-06 17:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-03 04:39 --------- d-----w C:\Program Files\iTunes
2008-05-20 19:14 --------- d-----w C:\Documents and Settings\Owner.YOUR-9781572241\Application Data\U3
2008-05-15 21:30 --------- d-----w C:\Documents and Settings\Owner.YOUR-9781572241\Application Data\Skype
2008-05-15 14:46 --------- d-----w C:\Documents and Settings\Owner.YOUR-9781572241\Application Data\skypePM
2008-05-12 05:31 --------- d-----w C:\Program Files\REALTEK RTL8187 Wireless LAN Driver and Utility
2008-05-05 14:18 --------- d-----w C:\Documents and Settings\Owner.YOUR-9781572241\Application Data\Printer Info Cache
2008-05-05 14:18 --------- d-----w C:\Documents and Settings\Owner.YOUR-9781572241\Application Data\Image Zone Express
2008-05-04 17:54 --------- d-----w C:\Documents and Settings\Owner.YOUR-9781572241\Application Data\HP
2008-05-04 17:53 --------- d-----w C:\Program Files\HP
2008-05-04 17:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2008-05-04 17:52 --------- d-----w C:\Program Files\Common Files\HP
2008-05-04 17:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-05-04 17:50 --------- d-----w C:\Program Files\Hewlett-Packard
2008-05-04 17:50 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-05-04 17:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-04-26 17:15 --------- d-----w C:\Documents and Settings\Owner.YOUR-9781572241\Application Data\LimeWire
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-21 04:09 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((( snapshot_2008-06-09_11.44.24.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-09 16:08:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-09 21:48:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2007-05-31 18:41:06 10,352,472 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.8173\EXCEL.EXE
+ 2007-04-19 19:09:30 167,256 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.8173\IETAG.DLL
+ 2007-06-18 22:16:32 12,259,160 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.8173\MSO.DLL
+ 2007-05-10 18:35:04 6,747,480 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.8173\MSPUB.EXE
+ 2007-05-31 18:35:46 133,976 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.8173\PRTF9.DLL
+ 2007-05-31 18:36:08 612,184 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.8173\PTXT9.DLL
+ 2007-05-10 18:34:48 562,528 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.8173\PUBCONV.DLL
+ 2007-05-09 22:19:48 2,585,936 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.8173\VBE6.DLL
+ 2007-05-31 18:37:40 12,310,368 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.8173\WINWORD.EXE
- 2008-06-06 19:03:30 593,920 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-06-09 21:55:07 593,920 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2008-06-06 19:03:30 12,288 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-06-09 21:55:07 12,288 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-06-06 19:03:29 135,168 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-06-09 21:55:07 135,168 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-06-06 19:03:30 11,264 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-06-09 21:55:07 11,264 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-06-06 19:03:31 27,136 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-06-09 21:55:07 27,136 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-06-06 19:03:31 4,096 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-06-09 21:55:07 4,096 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-06-06 19:03:31 794,624 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-06-09 21:55:08 794,624 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-06-06 19:03:30 249,856 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-06-09 21:55:07 249,856 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-06-06 19:03:30 61,440 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-06-09 21:55:07 61,440 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2008-06-06 19:03:31 23,040 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-06-09 21:55:08 23,040 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-06-06 19:03:29 286,720 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-06-09 21:55:07 286,720 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-06-06 19:03:29 409,600 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-06-09 21:55:07 409,600 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2006-02-22 15:43:34 71,552 ----a-w C:\WINDOWS\LastGood\system32\DRIVERS\pavdrv51.sys
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 22:56 64512]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 10:47 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 10:47 688218]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 20:41 45056]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 13:20 413696 C:\WINDOWS\stsystra.exe]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-11-12 00:40 1236992]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 19:16 1121792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 21:52 49152]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 21:40:10 210520]
REALTEK RTL8187 Wireless LAN Utility.lnk - C:\Program Files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe [2006-11-03 09:03:46 749568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2311adaa-66de-11dc-b7af-0014a5d0c0f8}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35087164-8a58-11db-b63d-0014a5d0c0f8}]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88e00c56-843b-11dc-b7e2-0014a5d0c0f8}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ddd8bb27-05bf-11dd-b86e-0014a5d0c0f8}]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff637bb0-4f75-11dc-b781-0014a5d0c0f8}]
\Shell\AutoRun\command - F:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-10 13:30:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2006-12-11 17:51:27 C:\WINDOWS\Tasks\ISP signup reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2006-12-11 17:51:27 C:\WINDOWS\Tasks\ISP signup reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-10 11:57:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-10 11:58:31
ComboFix-quarantined-files.txt 2008-06-10 16:58:14
ComboFix2.txt 2008-06-09 16:44:42
ComboFix3.txt 2008-06-06 17:25:32

Pre-Run: 124,069,457,920 bytes free
Post-Run: 124,057,182,208 bytes free

177 --- E O F --- 2008-06-09 21:55:15


KASPERSKY LOG:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, June 10, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, June 10, 2008 14:24:20
Records in database: 845734
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 69060
Threat name: 17
Infected objects: 302
Suspicious objects: 0
Duration of the scan: 01:19:15


File name / Threat name / Threats count
C:\Documents and Settings\Owner.YOUR-9781572241\My Documents\My Music\iTunes\iTunes Music\03 Track 3 (dance).wma Infected: Trojan-Downloader.WMA.Wimad.l 1
C:\Documents and Settings\Owner.YOUR-9781572241\My Documents\My Music\iTunes\iTunes Music\07 Track 7.wma Infected: Trojan-Downloader.WMA.Wimad.l 1
C:\Documents and Settings\Owner.YOUR-9781572241\My Documents\My Music\iTunes\iTunes Music\gone ben folds.mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Documents and Settings\Owner.YOUR-9781572241\Shared\gone ben folds.mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\QooBox\Quarantine\C\1dg.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.acas 1
C:\QooBox\Quarantine\C\2.bat.vir Infected: Trojan-PSW.Win32.OnLineGames.zos 1
C:\QooBox\Quarantine\C\6l6w8.com.vir Infected: Trojan-PSW.Win32.OnLineGames.ywy 1
C:\QooBox\Quarantine\C\autorun.inf.vir Infected: Worm.Win32.AutoRun.dla 1
C:\QooBox\Quarantine\C\cl.bat.vir Infected: Trojan-PSW.Win32.OnLineGames.xky 1
C:\QooBox\Quarantine\C\gy.cmd.vir Infected: Trojan.Win32.Vaklik.yr 1
C:\QooBox\Quarantine\C\jdwx.exe.vir Infected: Worm.Win32.AutoRun.dla 1
C:\QooBox\Quarantine\C\jfvkcsy.bat.vir Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
C:\QooBox\Quarantine\C\mug0sd.cmd.vir Infected: Trojan-PSW.Win32.OnLineGames.abki 1
C:\QooBox\Quarantine\C\Program Files\Common Files\fzx9823.exe.vir Infected: Trojan.Win32.VB.avk 1
C:\QooBox\Quarantine\C\Program Files\Common Files\smss.exe.vir Infected: Trojan.Win32.VB.avk 1
C:\QooBox\Quarantine\C\Program Files\Common Files\winlogon.exe.vir Infected: Trojan.Win32.VB.avk 1
C:\QooBox\Quarantine\C\qwc.exe.vir Infected: Trojan-PSW.Win32.Magania.jag 1
C:\QooBox\Quarantine\C\vy.cmd.vir Infected: Worm.Win32.AutoRun.dla 1
C:\QooBox\Quarantine\C\WINDOWS\system32\amvo.exe.vir Infected: Worm.Win32.AutoRun.dla 1
C:\QooBox\Quarantine\C\WINDOWS\system32\amvo0.dll.vir Infected: Worm.Win32.AutoRun.dla 1
C:\QooBox\Quarantine\C\WINDOWS\system32\Memoria.exe.vir Infected: Backdoor.Win32.Poison.ai 1
C:\QooBox\Quarantine\C\xlu8a8sy.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.adub 1
C:\QooBox\Quarantine\D\Autorun.inf.vir Infected: Worm.Win32.AutoRun.dla 1
C:\QooBox\Quarantine\F\autorun.inf.vir Infected: Worm.Win32.AutoRun.dla 1
D:\cl.bat Infected: Trojan-PSW.Win32.OnLineGames.xky 1
D:\6l6w8.com Infected: Trojan-PSW.Win32.OnLineGames.ywy 1
D:\qwc.exe Infected: Trojan-PSW.Win32.Magania.jag 1
D:\gy.cmd Infected: Trojan.Win32.Vaklik.yr 1
D:\2.bat Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\mug0sd.cmd Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\1dg.exe Infected: Trojan-PSW.Win32.OnLineGames.acas 1
D:\jfvkcsy.bat Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\xlu8a8sy.exe Infected: Trojan-PSW.Win32.OnLineGames.adub 1
D:\vy.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\jdwx.exe Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP355\A0131378.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP355\A0131379.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP359\A0134373.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP359\A0134374.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP359\A0135363.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP359\A0135364.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP361\A0136387.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP361\A0136388.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP361\A0136401.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP361\A0136402.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP361\A0137403.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP361\A0137404.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP317\A0113328.bat Infected: Trojan-PSW.Win32.OnLineGames.xky 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP317\A0113329.inf Infected: Trojan-PSW.Win32.OnLineGames.xky 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP317\A0113341.bat Infected: Trojan-PSW.Win32.OnLineGames.xky 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP317\A0113342.inf Infected: Trojan-PSW.Win32.OnLineGames.xky 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP318\A0113346.bat Infected: Trojan-PSW.Win32.OnLineGames.xky 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP318\A0113347.inf Infected: Trojan-PSW.Win32.OnLineGames.xky 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP318\A0113421.bat Infected: Trojan-PSW.Win32.OnLineGames.xky 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP318\A0113422.inf Infected: Trojan-PSW.Win32.OnLineGames.xky 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP318\A0114419.bat Infected: Trojan-PSW.Win32.OnLineGames.xky 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP318\A0114420.inf Infected: Trojan-PSW.Win32.OnLineGames.xky 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP318\A0114432.bat Infected: Trojan-PSW.Win32.OnLineGames.xky 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP318\A0114433.inf Infected: Trojan-PSW.Win32.OnLineGames.xky 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP318\A0115432.com Infected: Trojan-PSW.Win32.OnLineGames.ywy 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP318\A0115433.inf Infected: Trojan-PSW.Win32.OnLineGames.yuj 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP326\A0117769.bat Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP326\A0117770.inf Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP326\A0117781.bat Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP326\A0117782.inf Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP326\A0117815.bat Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP326\A0117816.inf Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP327\A0117835.bat Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP327\A0117836.inf Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP327\A0117934.bat Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP327\A0117935.inf Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP327\A0117961.bat Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP327\A0117962.inf Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP331\A0119103.bat Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP331\A0119104.inf Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP331\A0119116.bat Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP331\A0119117.inf Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP331\A0119132.bat Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP331\A0119133.inf Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP336\A0121258.cmd Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP336\A0121259.inf Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP336\A0121299.cmd Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP336\A0121300.inf Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP336\A0121324.cmd Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP336\A0121325.inf Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP336\A0121337.cmd Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP336\A0121338.inf Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP339\A0123502.exe Infected: Trojan-PSW.Win32.OnLineGames.acas 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP356\A0131394.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP356\A0131395.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP364\A0138407.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP364\A0138408.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP364\A0139402.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP364\A0139403.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP364\A0139419.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP364\A0139420.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP364\A0140418.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP364\A0140419.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP366\A0140590.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP366\A0140591.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP367\A0140602.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP367\A0140603.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP368\A0140617.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP368\A0140618.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP369\A0140713.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP369\A0140714.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP319\A0115443.com Infected: Trojan-PSW.Win32.OnLineGames.ywy 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP319\A0115444.inf Infected: Trojan-PSW.Win32.OnLineGames.yuj 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP319\A0115455.com Infected: Trojan-PSW.Win32.OnLineGames.ywy 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP319\A0115456.inf Infected: Trojan-PSW.Win32.OnLineGames.yuj 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP319\A0115471.com Infected: Trojan-PSW.Win32.OnLineGames.ywy 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP319\A0115472.inf Infected: Trojan-PSW.Win32.OnLineGames.yuj 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP319\A0115504.exe Infected: Trojan-PSW.Win32.Magania.jag 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP320\A0115509.exe Infected: Trojan-PSW.Win32.Magania.jag 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP320\A0116504.exe Infected: Trojan-PSW.Win32.Magania.jag 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP321\A0116555.exe Infected: Trojan-PSW.Win32.Magania.jag 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP322\A0116599.exe Infected: Trojan-PSW.Win32.Magania.jag 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP322\A0116628.exe Infected: Trojan-PSW.Win32.Magania.jag 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP322\A0116649.cmd Infected: Trojan.Win32.Vaklik.yr 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP323\A0116654.cmd Infected: Trojan.Win32.Vaklik.yr 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP323\A0116670.cmd Infected: Trojan.Win32.Vaklik.yr 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP323\A0117669.cmd Infected: Trojan.Win32.Vaklik.yr 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP324\A0117675.cmd Infected: Trojan.Win32.Vaklik.yr 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP324\A0117694.cmd Infected: Trojan.Win32.Vaklik.yr 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP325\A0117698.cmd Infected: Trojan.Win32.Vaklik.yr 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP325\A0117711.cmd Infected: Trojan.Win32.Vaklik.yr 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP325\A0117739.bat Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP325\A0117740.inf Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP325\A0117755.bat Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP325\A0117756.inf Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP328\A0117965.bat Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP328\A0117966.inf Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP328\A0117989.bat Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP328\A0117990.inf Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP328\A0118002.bat Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP328\A0118003.inf Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP328\A0118019.bat Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP328\A0118020.inf Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP328\A0119018.bat Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP328\A0119019.inf Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP329\A0119023.bat Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP329\A0119024.inf Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP329\A0119036.bat Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP329\A0119037.inf Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP329\A0119055.bat Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP329\A0119056.inf Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP330\A0119062.bat Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP330\A0119063.inf Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP330\A0119078.bat Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP330\A0119079.inf Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP330\A0119091.bat Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP330\A0119092.inf Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP332\A0119147.bat Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP332\A0119148.inf Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP332\A0119159.bat Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP332\A0119160.inf Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP332\A0119173.bat Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP332\A0119174.inf Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP333\A0119220.bat Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP333\A0119221.inf Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP333\A0120173.bat Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP333\A0120174.inf Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP333\A0121173.bat Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP333\A0121174.inf Infected: Trojan-PSW.Win32.OnLineGames.zos 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP333\A0121193.cmd Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP333\A0121194.inf Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP334\A0121197.cmd Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP334\A0121198.inf Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP334\A0121210.cmd Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP334\A0121211.inf Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP335\A0121214.cmd Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP335\A0121215.inf Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP337\A0121350.cmd Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP337\A0121351.inf Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP337\A0121370.cmd Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP337\A0121371.inf Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP337\A0121384.cmd Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP337\A0121385.inf Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP337\A0121397.cmd Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP337\A0121398.inf Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP338\A0121402.cmd Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP338\A0121403.inf Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP338\A0121444.cmd Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP338\A0121445.inf Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP338\A0121463.cmd Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP338\A0121464.inf Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP338\A0122467.cmd Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP338\A0122468.inf Infected: Trojan-PSW.Win32.OnLineGames.abki 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP338\A0122483.exe Infected: Trojan-PSW.Win32.OnLineGames.acas 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP338\A0122497.exe Infected: Trojan-PSW.Win32.OnLineGames.acas 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP338\A0123497.exe Infected: Trojan-PSW.Win32.OnLineGames.acas 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP340\A0123506.exe Infected: Trojan-PSW.Win32.OnLineGames.acas 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP340\A0123530.exe Infected: Trojan-PSW.Win32.OnLineGames.acas 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP341\A0123547.bat Infected: Trojan-PSW.Win32.OnLineGames.acdy 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP341\A0123548.inf Infected: Trojan-PSW.Win32.OnLineGames.acdy 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP341\A0124530.bat Infected: Trojan-PSW.Win32.OnLineGames.acdy 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP341\A0124531.inf Infected: Trojan-PSW.Win32.OnLineGames.acdy 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP341\A0125530.bat Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP341\A0125531.inf Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP341\A0125549.bat Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP341\A0125550.inf Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP341\A0125575.bat Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP341\A0125576.inf Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP341\A0125589.bat Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP341\A0125590.inf Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP341\A0125606.bat Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP341\A0125607.inf Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP342\A0125838.bat Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP342\A0125839.inf Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP342\A0125852.bat Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP342\A0125853.inf Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP342\A0125865.bat Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP342\A0125866.inf Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP342\A0126865.bat Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP342\A0126866.inf Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP342\A0127865.bat Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP342\A0127866.inf Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP342\A0128865.bat Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP342\A0128866.inf Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP342\A0128888.bat Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP342\A0128889.inf Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP342\A0128907.bat Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP342\A0128908.inf Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP343\A0128943.bat Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP343\A0128944.inf Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP344\A0128960.bat Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP344\A0128961.inf Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP344\A0129004.bat Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP344\A0129005.inf Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP344\A0129020.bat Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP344\A0129021.inf Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP344\A0129035.bat Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP344\A0129036.inf Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP344\A0129057.bat Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP344\A0129058.inf Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP344\A0129071.bat Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP344\A0129072.inf Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP344\A0130071.bat Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP344\A0130072.inf Infected: Trojan-PSW.Win32.OnLineGames.acgu 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP345\A0130086.exe Infected: Trojan-PSW.Win32.OnLineGames.adub 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP345\A0130087.inf Infected: Worm.Win32.AutoRun.dio 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP345\A0130109.exe Infected: Trojan-PSW.Win32.OnLineGames.adub 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP345\A0130110.inf Infected: Worm.Win32.AutoRun.dio 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP346\A0130115.exe Infected: Trojan-PSW.Win32.OnLineGames.adub 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP346\A0130116.inf Infected: Worm.Win32.AutoRun.dio 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP346\A0130133.exe Infected: Trojan-PSW.Win32.OnLineGames.adub 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP346\A0130134.inf Infected: Worm.Win32.AutoRun.dio 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP346\A0130158.exe Infected: Trojan-PSW.Win32.OnLineGames.adub 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP346\A0130159.inf Infected: Worm.Win32.AutoRun.dio 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP347\A0130164.exe Infected: Trojan-PSW.Win32.OnLineGames.adub 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP347\A0130165.inf Infected: Worm.Win32.AutoRun.dio 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP348\A0130175.exe Infected: Trojan-PSW.Win32.OnLineGames.adub 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP348\A0130176.inf Infected: Worm.Win32.AutoRun.dio 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP348\A0130196.exe Infected: Trojan-PSW.Win32.OnLineGames.adub 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP348\A0130197.inf Infected: Worm.Win32.AutoRun.dio 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP348\A0130223.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP348\A0130224.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP349\A0130231.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP349\A0130232.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP349\A0130252.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP349\A0130253.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP349\A0130274.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP349\A0130275.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP350\A0130282.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP350\A0130283.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP351\A0130297.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP351\A0130298.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP352\A0130328.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP352\A0130329.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP352\A0131275.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP352\A0131276.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP353\A0131285.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP353\A0131286.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP353\A0131367.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP353\A0131368.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP354\A0131373.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP354\A0131374.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP357\A0131415.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP357\A0131416.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP357\A0132368.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP357\A0132369.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP358\A0132373.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP358\A0132374.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP358\A0133363.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP358\A0133364.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP358\A0134364.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP358\A0134365.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP360\A0135376.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP360\A0135377.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP360\A0136364.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP360\A0136365.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP362\A0137413.exe Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP363\A0137423.exe Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP363\A0138402.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP365\A0140429.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP365\A0140430.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP365\A0140492.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP365\A0140493.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP365\A0140562.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP365\A0140563.inf Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP365\A0140578.cmd Infected: Worm.Win32.AutoRun.dla 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP365\A0140579.inf Infected: Worm.Win32.AutoRun.dla 1

The selected area was scanned.


HIJACKTHIS LOG:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:12:41 p.m., on 10/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ohiou.edu/students/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html ... B&M=MX6453
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: REALTEK RTL8187 Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/ ... leId=21871
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6224 bytes


*My computer is already running better; the white pop-up screen no longer appears. And my internet seems to be running more smoothly now. If I WANTED to restore my computer, is it possible to do so without a disc? I left the disc at my house in the U.S.A; is there something I could possibly download from online?* :D Thanks.
DDrea83
Active Member
 
Posts: 7
Joined: June 4th, 2008, 5:38 pm

Re: Spyware...? Not sure.

Unread postby Rodav » June 11th, 2008, 3:45 am

Hi Andrea,

If I WANTED to restore my computer, is it possible to do so without a disc? I left the disc at my house in the U.S.A; is there something I could possibly download from online?
You would need your disk with your operating system on it to reinstall Windows. If you wanted you could download a version of Linux from here. If you decide to carry on using XP, I would encourage you to reformat and reinstall when you get home as you had some nasty infections on your computer. For now though you will probably be glad to know we are nearly finished.


Step 1:
1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Documents and Settings\Owner.YOUR-9781572241\My Documents\My Music\iTunes\iTunes Music\03 Track 3 (dance).wma
C:\Documents and Settings\Owner.YOUR-9781572241\My Documents\My Music\iTunes\iTunes Music\07 Track 7.wma
C:\Documents and Settings\Owner.YOUR-9781572241\My Documents\My Music\iTunes\iTunes Music\gone ben folds.mp3
C:\Documents and Settings\Owner.YOUR-9781572241\Shared\gone ben folds.mp3
D:\cl.bat
D:\6l6w8.com
D:\qwc.exe
D:\gy.cmd
D:\2.bat
D:\mug0sd.cmd
D:\1dg.exe
D:\jfvkcsy.bat
D:\xlu8a8sy.exe
D:\vy.cmd
D:\jdwx.exe


Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Step 2:
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application and Restart your computer.


Step 3:
Run HijackThis, do a system scan and in your next reply please post:
  • The ComboFix report (C:\ComboFix.txt)
  • The new HijackThis log
Rodav
MRU Master Emeritus
 
Posts: 1481
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.
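The paired `.inf` + `.bat`/`.cmd`/`.exe` detections in the restore points above (Worm.Win32.AutoRun.*) are the footprint of an AutoRun worm: an autorun.inf on the root of the D: volume tells Explorer which dropped script to run, and Explorer caches those commands per volume under `mountpoints2`, which is why ComboFix lists `\Shell\AutoRun\command` entries. As an added example, not part of this thread or of any tool used in it, the Python below parses an autorun.inf and reports which entries would launch a file and why they look bad. The two sample files and every file name in them are constructed for the example; the `rundll32 ... ShellExec_RunDLL` wrapper is included because it is the form that hides a payload behind a legitimate Windows binary.

```python
import re

# Extensions that execute when launched from an autorun entry.
EXEC_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js", ".wsf"}
# Keys under [autorun] that run something on insert (open, shellexecute); the
# shell\<verb>\command keys fire on double-click or from the context menu.
LAUNCH_KEYS = {"open", "shellexecute"}
# Folders an autorun worm typically drops its payload into on a removable volume.
HIDING_DIRS = ("recycled\\", "recycler\\", "system volume information\\")


def parse_autorun(text):
    """Return {key: value} (keys lower-cased) for the [autorun] section of an autorun.inf."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_entries(entries):
    """Yield (key, command) for every entry that causes execution."""
    for key, command in entries.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            yield key, command


def target_of(command):
    """The file a launch command really runs.

    Worms often wrap the payload as
        rundll32.exe shell32.dll,ShellExec_RunDLL <payload>
    so the visible binary is a genuine Windows file; unwrap that first,
    then take the first token (or the quoted path) as the target.
    """
    m = re.search(r"shellexec_rundll\s+(.+)$", command, re.IGNORECASE)
    path = (m.group(1) if m else command).strip()
    if path.startswith('"'):
        return path[1:].split('"', 1)[0]
    return path.split()[0] if path else ""


def assess(text):
    """Return [(key, target, reasons)] per launch entry; empty reasons means nothing suspicious."""
    findings = []
    for key, command in launch_entries(parse_autorun(text)):
        target = target_of(command)
        low_target, low_cmd = target.lower(), command.lower()
        reasons = []
        ext = "." + low_target.rsplit(".", 1)[-1] if "." in low_target else ""
        if ext in EXEC_EXTS:
            reasons.append("runs executable content (%s)" % ext)
        if any(d in low_cmd for d in HIDING_DIRS):
            reasons.append("payload hidden in a recycle-bin/system folder")
        if "shellexec_rundll" in low_cmd:
            reasons.append("rundll32 ShellExec_RunDLL indirection")
        findings.append((key, target, reasons))
    return findings


def is_suspicious(text):
    """True if any launch entry in the autorun.inf has at least one reason to worry."""
    return any(reasons for _, _, reasons in assess(text))


# Constructed sample in the layout AutoRun worms of this period used; file names are invented.
SAMPLE_WORM_INF = """\
[AutoRun]
; open= runs on insert for CD/DVD media; on a USB volume it is offered via AutoPlay
; and the shell\\...\\command verbs fire when the drive is double-clicked in Explorer
open=payload.cmd
shell\\open=Open(&0)
shell\\open\\Command=payload.cmd
shell\\explore\\Command=RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\\ctfmon.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

# Constructed benign autorun.inf: a label and an icon, nothing is launched.
SAMPLE_CLEAN_INF = """\
[autorun]
label=Holiday photos
icon=setup.exe,0
"""

if __name__ == "__main__":
    for name, inf in (("worm", SAMPLE_WORM_INF), ("clean", SAMPLE_CLEAN_INF)):
        print("%s: suspicious=%s" % (name, is_suspicious(inf)))
        for key, target, reasons in assess(inf):
            print("  %-22s -> %-22s %s" % (key, target, "; ".join(reasons) or "ok"))
```

Run it against the autorun.inf on the root of a suspect removable drive before opening the drive in Explorer (open the file from a command prompt or another machine, never by double-clicking the volume). A clean disc or thumb drive normally carries only `label` and `icon`; any `open`, `shellexecute` or `shell\...\command` entry that points at a script or executable, especially one under a `Recycled`/`RECYCLER` folder, is the pattern the scan above detected.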

Re: Spyware...? Not sure.

Unread postby DDrea83 » June 11th, 2008, 1:03 pm

WoW! Everything SEEMS fixed. No more pop-ups, no more white screens! I have an external hard drive with a bunch of music and pictures on it that I backed up before I started this process. I assume that there are viruses in these music files. How do I delete all the files on the hard drive without re-infecting my computer? I DID have the hard drive plugged in when I was instructed to do so (But I'm not sure what was happening with the hard drive... if it was just being SCANNED or actually CLEANED?)

HIJACKTHIS LOG:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:44 a.m., on 11/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ohiou.edu/students/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html ... B&M=MX6453
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: REALTEK RTL8187 Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/ ... leId=21871
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6196 bytes


COMBOFIX LOG:

ComboFix 08-06-05.3 - Owner 2008-06-11 10:57:14.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1304 [GMT -5:00]
Running from: C:\Documents and Settings\Owner.YOUR-9781572241\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.YOUR-9781572241\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Owner.YOUR-9781572241\My Documents\My Music\iTunes\iTunes Music\03 Track 3 (dance).wma
C:\Documents and Settings\Owner.YOUR-9781572241\My Documents\My Music\iTunes\iTunes Music\07 Track 7.wma
C:\Documents and Settings\Owner.YOUR-9781572241\My Documents\My Music\iTunes\iTunes Music\gone ben folds.mp3
C:\Documents and Settings\Owner.YOUR-9781572241\Shared\gone ben folds.mp3
D:\1dg.exe
D:\2.bat
D:\6l6w8.com
D:\cl.bat
D:\gy.cmd
D:\jdwx.exe
D:\jfvkcsy.bat
D:\mug0sd.cmd
D:\qwc.exe
D:\vy.cmd
D:\xlu8a8sy.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner.YOUR-9781572241\My Documents\My Music\iTunes\iTunes Music\03 Track 3 (dance).wma
C:\Documents and Settings\Owner.YOUR-9781572241\My Documents\My Music\iTunes\iTunes Music\07 Track 7.wma
C:\Documents and Settings\Owner.YOUR-9781572241\My Documents\My Music\iTunes\iTunes Music\gone ben folds.mp3
C:\Documents and Settings\Owner.YOUR-9781572241\Shared\gone ben folds.mp3
D:\1dg.exe
D:\2.bat
D:\6l6w8.com
D:\cl.bat
D:\gy.cmd
D:\jdwx.exe
D:\jfvkcsy.bat
D:\mug0sd.cmd
D:\qwc.exe
D:\vy.cmd
D:\xlu8a8sy.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-11 to 2008-06-11 )))))))))))))))))))))))))))))))
.

2008-06-10 12:06 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-04 16:34 . 2008-06-04 16:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-19 23:48 . 2008-05-19 23:48 <DIR> d-------- C:\Program Files\REA
2008-05-14 12:28 . 2008-06-10 16:25 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-14 12:28 . 2008-05-14 12:28 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-10 21:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-10 17:06 --------- d-----w C:\Program Files\Java
2008-06-10 03:27 --------- d-----w C:\Program Files\MySpace
2008-06-09 21:46 --------- d-----w C:\Documents and Settings\Owner.YOUR-9781572241\Application Data\Lavasoft
2008-06-06 17:03 --------- d-----w C:\Program Files\Viewpoint
2008-06-06 17:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-03 04:39 --------- d-----w C:\Program Files\iTunes
2008-05-20 19:14 --------- d-----w C:\Documents and Settings\Owner.YOUR-9781572241\Application Data\U3
2008-05-15 21:30 --------- d-----w C:\Documents and Settings\Owner.YOUR-9781572241\Application Data\Skype
2008-05-15 14:46 --------- d-----w C:\Documents and Settings\Owner.YOUR-9781572241\Application Data\skypePM
2008-05-12 05:31 --------- d-----w C:\Program Files\REALTEK RTL8187 Wireless LAN Driver and Utility
2008-05-05 14:18 --------- d-----w C:\Documents and Settings\Owner.YOUR-9781572241\Application Data\Printer Info Cache
2008-05-05 14:18 --------- d-----w C:\Documents and Settings\Owner.YOUR-9781572241\Application Data\Image Zone Express
2008-05-04 17:54 --------- d-----w C:\Documents and Settings\Owner.YOUR-9781572241\Application Data\HP
2008-05-04 17:53 --------- d-----w C:\Program Files\HP
2008-05-04 17:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2008-05-04 17:52 --------- d-----w C:\Program Files\Common Files\HP
2008-05-04 17:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-05-04 17:50 --------- d-----w C:\Program Files\Hewlett-Packard
2008-05-04 17:50 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-05-04 17:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-04-26 17:15 --------- d-----w C:\Documents and Settings\Owner.YOUR-9781572241\Application Data\LimeWire
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-21 04:09 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((( snapshot_2008-06-10_11.58.07.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-09 21:48:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-10 21:25:26 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2005-03-04 10:06:58 49,248 -c--a-w C:\WINDOWS\system32\java.exe
+ 2008-03-25 06:28:39 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2005-03-04 10:07:06 49,250 -c--a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-25 06:28:43 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2005-03-04 11:36:48 127,078 -c--a-w C:\WINDOWS\system32\javaws.exe
+ 2008-03-25 07:37:01 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 22:56 64512]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 10:47 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 10:47 688218]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 20:41 45056]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 13:20 413696 C:\WINDOWS\stsystra.exe]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-11-12 00:40 1236992]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 19:16 1121792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 21:52 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 21:40:10 210520]
REALTEK RTL8187 Wireless LAN Utility.lnk - C:\Program Files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe [2006-11-03 09:03:46 749568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2311adaa-66de-11dc-b7af-0014a5d0c0f8}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35087164-8a58-11db-b63d-0014a5d0c0f8}]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88e00c56-843b-11dc-b7e2-0014a5d0c0f8}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ddd8bb27-05bf-11dd-b86e-0014a5d0c0f8}]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff637bb0-4f75-11dc-b781-0014a5d0c0f8}]
\Shell\AutoRun\command - F:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-10 13:30:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2006-12-11 17:51:27 C:\WINDOWS\Tasks\ISP signup reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2006-12-11 17:51:27 C:\WINDOWS\Tasks\ISP signup reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-11 10:59:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-11 10:59:56
ComboFix-quarantined-files.txt 2008-06-11 15:59:40
ComboFix2.txt 2008-06-10 16:58:31
ComboFix3.txt 2008-06-09 16:44:42
ComboFix4.txt 2008-06-06 17:25:32

Pre-Run: 123,945,791,488 bytes free
Post-Run: 123,968,737,280 bytes free

177 --- E O F --- 2008-06-09 21:55:15
DDrea83
Active Member
 
Posts: 7
Joined: June 4th, 2008, 5:38 pm
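As an added example that is not part of the thread or of ComboFix itself, the Python script below triages lines in the formats of the "Reg Loading Points" section of the log above: it flags Run entries whose file ComboFix could not find (the empty "[ ]"), Security Center override/DisableMonitoring values set to 1, and removable-drive AutoRun commands whose target has no drive letter and is therefore relative to the drive itself (as with Recycled\ctfmon.exe). The sample log is constructed from the line formats shown, and the rule names are my own.

```python
import re
# Constructed sample in the line formats of the ComboFix "Reg Loading Points" section above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 22:56 64512]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2311adaa-66de-11dc-b7af-0014a5d0c0f8}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88e00c56-843b-11dc-b7e2-0014a5d0c0f8}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
"""
# "Name"="target" [date time size]; ComboFix prints an empty "[ ]" when the file is not on disk
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
DWORD_ENTRY = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<value>[0-9a-fA-F]{8})')
AUTORUN_CMD = re.compile(r'^\\Shell\\(?P<verb>AutoRun|Open[^\\]*)\\command - (?P<cmd>.+)$')
SC_FLAGS = {"antivirusoverride", "firewalloverride", "disablemonitoring"}  # silence Security Center warnings

def triage_reg_loading_points(log_text):
    """Return (rule, detail) findings for the three patterns the log above shows."""
    findings, section = [], ""
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()  # remember which registry key we are under
            continue
        if (m := RUN_ENTRY.match(line)) and "currentversion\\run" in section:
            if not m["target"] or not m["meta"].strip():
                findings.append(("run-entry-missing-file", f"{m['name']} -> {m['target'] or '<empty>'}"))
        elif (m := DWORD_ENTRY.match(line)) and "security center" in section:
            if m["name"].lower() in SC_FLAGS and int(m["value"], 16) == 1:
                findings.append(("security-center-suppressed", f"{m['name']}=1 in {section}"))
        elif (m := AUTORUN_CMD.match(line)) and "mountpoints2" in section:
            # The last non-switch token is the program launched. No drive letter means it is
            # relative to the removable drive itself (Recycled\ctfmon.exe), unlike F:\LaunchU3.exe.
            target = [t for t in m["cmd"].split() if not t.startswith("-")][-1]
            if not re.match(r"^[A-Za-z]:\\", target):
                findings.append(("autorun-relative-target", f"{m['verb']}: {m['cmd']}"))
    return findings

if __name__ == "__main__":
    for rule, detail in triage_reg_loading_points(SAMPLE_LOG):
        print(f"{rule:28} {detail}")
```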

Re: Spyware...? Not sure.

Unread postby Rodav » June 12th, 2008, 5:05 am

As you had the hard drive plugged in during the fix, it would have been scanned and cleaned of whatever malware was found on it. You can scan it with your resident antivirus to double check, but it should be OK. You had Panda Antivirus 2007 showing earlier but not in your last logs; you can turn it on now. If you have uninstalled it, I will give you other alternatives later on in this post.


Step 1:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK.
  • Note the space between the X and the U, it needs to be there.
You can also delete Flash_Disinfector from your desktop and any logs we have produced, and empty your Recycle Bin.


Your logs are now clean. :D :D
If you still feel you are having any issues please let me know now, otherwise read through and proceed with the following:


Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints. You need to be registered to post, as unfortunately we were hit with too many spam postings to allow guest posting to continue; just find your country room and register your complaint.

Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below; however, you should follow any steps that you have not already implemented.
  • Download and install an antivirus program, and make sure that you keep it updated.
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Two good antivirus programs free for non-commercial home use are Avast! and Antivir.
    Two good paid-for antivirus programs are NOD32 and Bitdefender.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection level. It may also impair the performance of your PC.
  • Install and use a firewall with outbound protection.
    While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers.
    I therefore strongly recommend that you install one of the following free firewalls: Comodo Firewall or Online Armor.
    See Bleepingcomputer's excellent tutorial to help you use and understand a firewall here.
    Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
  • Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office.
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that, after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will therefore help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.
  • Keep your non-Microsoft applications updated as well.
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector. I suggest that you run it at least once a month.
  • Make Internet Explorer more secure:
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    Next click OK, then the Apply button and then OK to exit the Internet Properties page.
  • Install SpywareBlaster & make sure to update it regularly.
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
    If you don't know what ActiveX controls are, see here.
    You can download SpywareBlaster from here.
  • Install and use Spybot Search & Destroy.
    Instructions are located here.
    Make sure you update, reimmunize & scan regularly.
  • Make use of the HOSTS file included with Spybot Search & Destroy.
    Every version of Windows includes a hosts file. A hosts file is a bit like a phone book: from the human-friendly name of a website, it points to the actual numeric address (i.e. the IP address). This feature can be used to block malicious websites.
    Spybot Search & Destroy has a good HOSTS file built in. To enable the HOSTS file in Spybot Search & Destroy:
    • Run Spybot Search & Destroy
    • Click on Mode, and then place a tick next to Advanced mode
    • Click Yes
    • In the left hand pane of Spybot Search & Destroy, click on Tools, and then on Hosts File
    • Click on Add Spybot-S&D hosts list
    Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue:
    • Click Start > Run
    • Type services.msc & click OK
    • In the list, find the service called DNS Client & double click on it.
    • On the dropdown box, change the setting from Automatic to Manual.
    • Click OK & then close the Services window
    For a more detailed explanation of the HOSTS file, click here.
  • Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program. If you want to help the developer of the program and get more information about the programs that you see in WinPatrol, please check out WinPatrol Plus. It does not need a new download.
  • Finally, I am trying to make one point very clear: it is absolutely essential to keep all of your security programs up to date.

Please reply to this topic one more time so I know you have read through it or with any questions you may have.
Rodav
MRU Master Emeritus
 
Posts: 1481
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.

Re: Spyware...? Not sure.

Unread postby DDrea83 » June 12th, 2008, 1:10 pm

:) No more questions. You're awesome.
Besitos de Mexico.
Andrea
DDrea83
Active Member
 
Posts: 7
Joined: June 4th, 2008, 5:38 pm

Re: Spyware...? Not sure.

Unread postby Rodav » June 12th, 2008, 1:21 pm

You're very welcome. :)
Rodav
MRU Master Emeritus
 
Posts: 1481
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.

Re: Spyware...? Not sure.

Unread postby Shaba » June 13th, 2008, 1:14 am

DDrea83 this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland