Possible Trojan, Browser Redirects, & Popups

aberrant.minds · 12-27-2008, 09:25 PM

Recently my computer began generating popups to a variety of websites the most recurrent is mtn6.com-com.ws, I ran my virus scan software Trend Micro PC-cillin Internet Security 14 with the latest updates and received the message that it had detected a threat. The incident name was C:\WINDOWS\system32\rjmgcd.dll, the Detection name given was TROJ_VUNDO.EMY. The file cannot be quarantined and when I attempt to delete I receive a message "Cannot delete rjmgcd: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use." I also downloaded and ran the Vundofix, it found no infected files. I've also experienced issues when searching using google (not sure if this occurs with other search engines) the search will complete and the results page will display for about 5 seconds then the page refreshes to a blank page that shows a hyperlink with the top search result, the url says xpseek.com. Following the directions in the "NEW INSTRUCTIONS" thread I downloaded DDS and GMER. I was able to GMER to run properly, however I could not DDS to run. It opens and displays the informational message however it never generates any logs. I will upload the GMER log as described. I appreciate any assistance you can give me with this situation, thanks in advance.

tetonbob · 12-29-2008, 05:36 PM

Let's try this tool instead.

Download RSIT by random/random and save it to your desktop.
Double click RSIT.exe to start the tool and click Continue at the disclaimer.
When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of log.txt here.
Please attach info.txt to your post.

To attach a file to a new post, simply

Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
copy and paste the following into the "Upload File from your Computer" box:
C:\rsit\info.txt
Click Upload.

---------------------------------------------------------------------------------------------

aberrant.minds · 12-30-2008, 02:04 PM

Here you go.

Logfile of random's system information tool 1.05 (written by random/random)
Run by Mine at 2008-12-30 15:00:57
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 48 GB (65%) free of 73 GB
Total RAM: 894 MB (30% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:01:07 PM, on 12/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\NetMotion Client\messerv.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Common Files\ICWM\Printer\RDIConverterService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\NetMotion Client\nomtray.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Documents and Settings\Mine\Application Data\Twain\Twain.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mine\My Documents\Repair\RSIT.exe
C:\Program Files\trend micro\Mine.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=0071211
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=0071211
O2 - BHO: (no name) - {18b4f769-0aeb-4716-a1d2-d88ffa0f779e} - C:\WINDOWS\system32\ruzomivu.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {77AB5974-55A3-4737-9FD5-B93C64307F78} - C:\WINDOWS\system32\qkjbufhq.dll
O2 - BHO: (no name) - {9815817E-DD71-48D5-88AD-B7F411AE4B04} - C:\WINDOWS\system32\rqRJAQhE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] "%ProgramFiles%\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [nomtray] C:\Program Files\NetMotion Client\nomtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [T-Mobile Connection Manager] "C:\Program Files\T-Mobile\Connection Manager\TMobileCM.exe" -a
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [ccc33b9c] rundll32.exe "C:\WINDOWS\system32\tehayela.dll",b
O4 - HKLM\..\Run: [namamuvuwa] Rundll32.exe "C:\WINDOWS\system32\vahoremo.dll",s
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKCU\..\Run: [Twain] C:\Documents and Settings\Mine\Application Data\Twain\Twain.exe
O4 - HKUS\S-1-5-19\..\Run: [namamuvuwa] Rundll32.exe "C:\WINDOWS\system32\vahoremo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [namamuvuwa] Rundll32.exe "C:\WINDOWS\system32\vahoremo.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2202D225-22C1-4B8C-A4B8-6A7E7B7E1524} (ICWMInstallObj Class) - https://unicel.on.intercall.com/conf...CWMInstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1198900913656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1198900901031
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL rjmgcd.dll,C:\WINDOWS\system32\rakedega.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NetMotion Client (MESSERV) - NetMotion Wireless, Inc. - C:\Program Files\NetMotion Client\messerv.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RDI Document Conversion Helper (RDIConverterPrintHelper) - Web Meeting - C:\Program Files\Common Files\ICWM\Printer\RDIConverterService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10462 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\bjfnnaqx.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18b4f769-0aeb-4716-a1d2-d88ffa0f779e}]
C:\WINDOWS\system32\ruzomivu.dll [2008-09-27 61639]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2008-01-28 1554256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 184423]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77AB5974-55A3-4737-9FD5-B93C64307F78}]
C:\WINDOWS\system32\qkjbufhq.dll [2008-12-30 116736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9815817E-DD71-48D5-88AD-B7F411AE4B04}]
C:\WINDOWS\system32\rqRJAQhE.dll [2008-12-22 293376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar1.dll [2007-12-18 2554944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll [2008-10-28 652784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2007-12-18 2554944]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"=C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe [2006-05-10 90112]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2006-09-22 761947]
"Broadcom Wireless Manager UI"=C:\WINDOWS\system32\WLTRAY.exe [2005-12-19 1347584]
"SigmatelSysTrayApp"=C:\WINDOWS\stsystra.exe [2006-09-22 282624]
"DVDLauncher"=C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe [2005-12-09 49152]
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2006-10-03 221184]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2006-10-03 81920]
""= []
"RoxWatchTray"=C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [2006-11-05 221184]
"RoxioDragToDisc"=C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe [2006-08-17 1116920]
"pccguide.exe"=C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe [2006-11-21 1807960]
"Google Desktop Search"=C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-02-07 29744]
"dscactivate"=C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe [2007-10-09 16384]
"nomtray"=C:\Program Files\NetMotion Client\nomtray.exe [2007-08-01 287376]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"LXSUPMON"=C:\WINDOWS\system32\LXSUPMON.EXE [2002-03-08 900096]
"T-Mobile Connection Manager"=C:\Program Files\T-Mobile\Connection Manager\TMobileCM.exe [2007-07-23 18968]
"prunnet"=C:\WINDOWS\system32\prunnet.exe [2008-12-22 70656]
"ccc33b9c"=C:\WINDOWS\system32\tehayela.dll [2008-12-27 85280]
"namamuvuwa"=C:\WINDOWS\system32\vahoremo.dll [2008-09-27 61639]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"=C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe [2006-08-04 321040]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-12-18 68856]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]
"EasyLinkAdvisor"=C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe [2007-03-15 454784]
"EA Core"=C:\Program Files\Electronic Arts\EADM\Core.exe [2008-06-13 2752512]
"prunnet"=C:\WINDOWS\system32\prunnet.exe [2008-12-22 70656]
"Twain"=C:\Documents and Settings\Mine\Application Data\Twain\Twain.exe [2008-12-23 61952]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
C:\PROGRA~1\KODAK\KODAKE~1\bin\EASYSH~1.EXE [2002-09-16 299008]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL rjmgcd.dll,C:\WINDOWS\system32\rakedega.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2007-10-16 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\rqRJAQhE
"notification packages"=scecli
C:\WINDOWS\system32\rakedega.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MySpace\IM\MySpaceIM.exe"="C:\Program Files\MySpace\IM\MySpaceIM.exe:*:Enabled:MySpaceIM"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"
"C:\WINDOWS\system32\logonui.exe"="C:\WINDOWS\system32\logonui.exe:*:Enabled:logonui"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"C:\WINDOWS\system32\lsass.exe"="C:\WINDOWS\system32\lsass.exe:*:Enabled:lsass"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d014bb32-af13-11dc-8254-001d09b582b4}]
shell\AutoRun\command - E:\Launch.exe

======File associations======

.js - open - "C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe" "%1"

======List of files/folders created in the last 1 months======

2008-12-30 14:58:38 ----A---- C:\WINDOWS\system32\qkjbufhq.dll
2008-12-28 20:00:37 ----SH---- C:\WINDOWS\system32\habodotu.exe
2008-12-27 21:55:34 ----D---- C:\rsit
2008-12-27 21:38:37 ----SH---- C:\WINDOWS\system32\aleyahet.ini
2008-12-26 22:13:01 ----A---- C:\WINDOWS\gmer.ini
2008-12-26 22:12:58 ----RA---- C:\WINDOWS\gmer.exe
2008-12-26 22:12:58 ----A---- C:\WINDOWS\gmer_uninstall.cmd
2008-12-26 22:12:58 ----A---- C:\WINDOWS\gmer.dll
2008-12-26 21:25:28 ----SH---- C:\WINDOWS\system32\ivisozez.ini
2008-12-25 20:49:59 ----SH---- C:\WINDOWS\system32\ihijilur.ini
2008-12-23 22:09:29 ----SH---- C:\WINDOWS\system32\uvojiduz.ini
2008-12-23 22:05:00 ----D---- C:\VundoFix Backups
2008-12-23 22:05:00 ----A---- C:\VundoFix.txt
2008-12-23 21:39:24 ----D---- C:\Documents and Settings\Mine\Application Data\Twain
2008-12-23 21:29:28 ----D---- C:\Program Files\Mjcore
2008-12-22 20:29:21 ----A---- C:\WINDOWS\system32\rjmgcd.dll
2008-12-22 20:26:29 ----SH---- C:\WINDOWS\system32\rfnqifmd.ini
2008-12-22 20:19:45 ----A---- C:\WINDOWS\system32\mcrh.tmp
2008-12-22 20:17:21 ----A---- C:\WINDOWS\system32\c7e0ffe2-.txt
2008-12-22 20:15:31 ----ASH---- C:\WINDOWS\system32\EhQAJRqr.ini2
2008-12-22 20:15:29 ----ASH---- C:\WINDOWS\system32\EhQAJRqr.ini
2008-12-22 20:15:18 ----A---- C:\WINDOWS\system32\rqRJAQhE.dll
2008-12-22 20:10:33 ----D---- C:\Documents and Settings\Mine\Application Data\gadcom
2008-12-22 20:10:07 ----A---- C:\WINDOWS\system32\rqRKDWnL.dll
2008-12-22 20:09:46 ----A---- C:\WINDOWS\system32\prunnet.exe
2008-12-18 00:30:00 ----HDC---- C:\WINDOWS\$NtUninstallKB960714$
2008-12-12 22:18:12 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-12 22:18:02 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-12 22:16:11 ----HDC---- C:\WINDOWS\$NtUninstallKB958215$
2008-12-12 22:14:12 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-12 22:13:33 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$

======List of files/folders modified in the last 1 months======

2008-12-30 15:01:00 ----D---- C:\Program Files\Trend Micro
2008-12-30 15:00:39 ----D---- C:\WINDOWS\system32
2008-12-30 14:56:39 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-30 14:56:24 ----D---- C:\WINDOWS
2008-12-30 14:55:48 ----D---- C:\WINDOWS\Temp
2008-12-30 14:55:04 ----A---- C:\WINDOWS\ModemLog_Conexant HDA D110 MDC V.92 Modem.txt
2008-12-30 01:27:17 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-29 20:30:31 ----D---- C:\Program Files\EA GAMES
2008-12-29 20:27:03 ----D---- C:\WINDOWS\Prefetch
2008-12-27 21:38:32 ----ASH---- C:\WINDOWS\system32\tehayela.dll
2008-12-27 21:38:31 ----ASH---- C:\WINDOWS\system32\nurugapu.dll
2008-12-27 21:26:10 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-12-27 20:59:55 ----D---- C:\Program Files\LimeWire
2008-12-26 22:12:58 ----D---- C:\WINDOWS\system32\drivers
2008-12-25 20:49:10 ----ASH---- C:\WINDOWS\system32\tihuzuki.dll
2008-12-23 22:08:52 ----SHD---- C:\WINDOWS\Installer
2008-12-23 22:08:21 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-12-23 21:29:28 ----RD---- C:\Program Files
2008-12-22 20:10:12 ----SD---- C:\WINDOWS\Tasks
2008-12-22 19:55:20 ----D---- C:\WINDOWS\Registration
2008-12-18 00:30:11 ----HD---- C:\WINDOWS\inf
2008-12-18 00:30:04 ----RSHD---- C:\WINDOWS\system32\dllcache
2008-12-18 00:29:27 ----HD---- C:\WINDOWS\$hf_mig$
2008-12-15 14:03:37 ----SD---- C:\Documents and Settings\Mine\Application Data\Microsoft
2008-12-12 22:18:17 ----A---- C:\WINDOWS\imsins.BAK
2008-12-12 22:17:33 ----A---- C:\WINDOWS\win.ini
2008-12-12 22:16:22 ----D---- C:\Program Files\Internet Explorer
2008-12-12 11:27:54 ----A---- C:\WINDOWS\system32\mshtml.dll
2008-12-10 22:07:54 ----D---- C:\WINDOWS\Minidump

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2006-07-01 36864]
R1 APPDRV;APPDRV; C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS [2005-08-12 16128]
R1 DcCam;Kodak Camera Proxy; C:\WINDOWS\system32\DRIVERS\DcCam.sys [2002-09-04 34938]
R1 DLACDBHM;DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2006-08-11 12920]
R1 DLARTL_M;DLARTL_M; C:\WINDOWS\System32\Drivers\DLARTL_M.SYS [2006-08-11 28184]
R1 fsclm;FIPS Driver; \??\C:\Program Files\NetMotion Client\fsclm.sys []
R1 NMDRV;NetMotion Client Driver; \??\C:\Program Files\NetMotion Client\nmdrv.sys []
R1 NMRoam;NetMotion Roaming Detection Daemon; C:\WINDOWS\system32\DRIVERS\nmroam.sys [2007-08-01 22160]
R1 NMutilnt;NetMotion Utility Driver; \??\C:\WINDOWS\system32\drivers\nmutilnt.sys []
R1 tmtdi;Trend Micro TDI Driver; C:\WINDOWS\system32\DRIVERS\tmtdi.sys [2006-11-09 73288]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2004-08-03 8832]
R2 DCFS2K;DCFS2K; C:\WINDOWS\system32\drivers\dcfs2k.sys [2002-02-28 36885]
R2 DLABMFSM;DLABMFSM; C:\WINDOWS\System32\DLA\DLABMFSM.SYS [2006-08-18 35096]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [2006-08-18 32472]
R2 DLADResM;DLADResM; C:\WINDOWS\System32\DLA\DLADResM.SYS [2006-08-18 9400]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [2006-08-18 104472]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [2006-08-18 26008]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [2006-08-18 14520]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [2006-08-18 97848]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [2006-08-18 94648]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2006-08-11 51768]
R2 elagopro;GoProto Protocol Driver for LELA; C:\WINDOWS\system32\DRIVERS\elagopro.sys [2007-03-22 28672]
R2 elaunidr;UniDriver for LELA; C:\WINDOWS\system32\DRIVERS\elaunidr.sys [2007-03-22 5376]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2005-10-05 12544]
R2 tmpreflt;tmpreflt; C:\WINDOWS\system32\DRIVERS\tmpreflt.sys [2008-08-16 36368]
R2 tmxpflt;tmxpflt; C:\WINDOWS\system32\drivers\TmXPFlt.sys [2008-08-16 205328]
R2 vsapint;vsapint; C:\WINDOWS\system32\DRIVERS\vsapint.sys [2008-08-16 1195448]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2007-10-16 1777152]
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2005-11-02 424320]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys [2006-08-17 44544]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2004-08-12 137728]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys [2005-12-01 936960]
R3 HSXHWAZL;HSXHWAZL; C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys [2005-12-01 192512]
R3 nmvnic;NMVNIC Network Adapter; C:\WINDOWS\system32\DRIVERS\nmvnic.sys [2007-08-01 44688]
R3 rimmptsk;rimmptsk; C:\WINDOWS\system32\DRIVERS\rimmptsk.sys [2005-07-14 28544]
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2007-05-03 78720]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2006-09-22 1171464]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2006-09-22 191872]
R3 tmcfw;Trend Micro Common Firewall Service; C:\WINDOWS\system32\DRIVERS\TM_CFW.sys [2006-11-09 280392]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2005-10-25 27264]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-03 17024]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys [2005-12-01 669696]
S1 Exportit;Exportit; C:\WINDOWS\system32\DRIVERS\exportit.sys [2002-09-04 131509]
S3 DcFpoint;DcFpoint; C:\WINDOWS\system32\DRIVERS\DcFpoint.sys [2002-02-28 61568]
S3 DcLps;Legacy Polling Service; C:\WINDOWS\system32\DRIVERS\DcLps.sys [2002-02-28 8058]
S3 DcPTP;dcptp; C:\WINDOWS\system32\DRIVERS\DcPTP.sys [2002-02-28 55866]
S3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-12-26 85969]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 PCTINDIS5;PCTINDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\PCTINDIS5.SYS []
S3 sffdisk;SFF Storage Class Driver; C:\WINDOWS\system32\DRIVERS\sffdisk.sys [2007-05-03 12032]
S3 sffp_sd;SFF Storage Protocol Driver for SDBus; C:\WINDOWS\system32\DRIVERS\sffp_sd.sys [2007-05-03 11008]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbser;Motorola A1000 USB Modem Driver; C:\WINDOWS\system32\DRIVERS\usbser.sys [2004-08-03 25600]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2004-08-03 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2004-08-03 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2004-08-03 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2004-08-03 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2004-08-03 5504]
S4 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2004-08-03 41088]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2004-08-03 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2007-10-16 430080]
R2 Dcfssvc;Dcfssvc; C:\WINDOWS\system32\drivers\dcfssvc.exe [2002-02-28 188987]
R2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-28 168432]
R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2002-03-08 300544]
R2 MESSERV;NetMotion Client; C:\Program Files\NetMotion Client\messerv.exe [2007-08-01 823952]
R2 PcCtlCom;Trend Micro Central Control Component; C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe [2008-05-19 1475936]
R2 RDIConverterPrintHelper;RDI Document Conversion Helper; C:\Program Files\Common Files\ICWM\Printer\RDIConverterService.exe [2008-10-01 64888]
R2 Tmntsrv;Trend Micro Real-time Service; C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2007-11-09 345696]
R2 TmPfw;Trend Micro Personal Firewall; C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe [2006-11-09 923216]
R2 tmproxy;Trend Micro Proxy Service; C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe [2006-11-09 566872]
R2 wltrysvc;Dell Wireless WLAN Tray Service; C:\WINDOWS\System32\WLTRYSVC.EXE [2005-12-19 18944]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2004-08-04 267776]
S2 RoxWatch9;Roxio Hard Drive Watcher 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe [2006-11-05 159744]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2008-01-13 68096]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-02-07 29744]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 Macromedia Licensing Service;Macromedia Licensing Service; C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe [2008-02-20 68096]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 RoxMediaDB9;RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2006-11-05 880640]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2006-09-14 73728]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------

tetonbob · 12-30-2008, 04:05 PM

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

aberrant.minds · 12-30-2008, 06:17 PM

Here is the combofix log.

ComboFix 08-12-29.02 - Mine 2008-12-30 18:56:00.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.894.535 [GMT -6:00]
Running from: c:\documents and settings\Mine\Desktop\ComboFix.exe
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated)
FW: PC-cillin Internet Security - Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Mine\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Mine\Application Data\gadcom
c:\documents and settings\Mine\Application Data\twain\Twain.exe
c:\documents and settings\Mine\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Mine\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\Mjcore
c:\windows\Downloaded Program Files\setup.inf
c:\windows\IE4 Error Log.txt
c:\windows\system32\aleyahet.ini
c:\windows\system32\denekilo.dll
c:\windows\system32\EhQAJRqr.ini
c:\windows\system32\EhQAJRqr.ini2
c:\windows\system32\iafoor.dll
c:\windows\system32\ihijilur.ini
c:\windows\system32\ivisozez.ini
c:\windows\system32\iyftkcht.dll
c:\windows\system32\jevetedo.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\nurugapu.dll
c:\windows\system32\prunnet.exe
c:\windows\system32\qkjbufhq.dll
c:\windows\system32\rfnqifmd.ini
c:\windows\system32\rjmgcd.dll
c:\windows\system32\rqRJAQhE.dll
c:\windows\system32\segudedu.dll
c:\windows\system32\tehayela.dll
c:\windows\system32\tihuzuki.dll
c:\windows\system32\uvojiduz.ini
c:\windows\system32\yovimuti.dll

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-31 )))))))))))))))))))))))))))))))
.

2008-12-28 20:00 . 2008-12-28 20:00 2,098 --ahs---- c:\windows\system32\habodotu.exe
2008-12-27 21:55 . 2008-12-27 21:55 <DIR> d-------- C:\rsit
2008-12-26 22:13 . 2008-12-27 21:00 250 --a------ c:\windows\gmer.ini
2008-12-23 22:05 . 2008-12-23 22:05 <DIR> d-------- C:\VundoFix Backups
2008-12-23 21:39 . 2008-12-30 18:56 <DIR> d-------- c:\documents and settings\Mine\Application Data\Twain
2008-12-22 20:10 . 2008-12-22 20:10 45,056 --a------ c:\windows\system32\rqRKDWnL.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-30 21:01 --------- d-----w c:\program files\Trend Micro
2008-12-30 02:30 --------- d-----w c:\program files\EA GAMES
2008-12-28 03:26 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-28 02:59 --------- d-----w c:\program files\LimeWire
2008-03-12 20:22 61,224 ----a-w c:\documents and settings\Mine\GoToAssistDownloadHelper.exe
2007-12-29 19:23 92,064 ----a-w c:\documents and settings\Mine\mqdmmdm.sys
2007-12-29 19:23 9,232 ----a-w c:\documents and settings\Mine\mqdmmdfl.sys
2007-12-29 19:23 79,328 ----a-w c:\documents and settings\Mine\mqdmserd.sys
2007-12-29 19:23 66,656 ----a-w c:\documents and settings\Mine\mqdmbus.sys
2007-12-29 19:23 6,208 ----a-w c:\documents and settings\Mine\mqdmcmnt.sys
2007-12-29 19:23 5,936 ----a-w c:\documents and settings\Mine\mqdmwhnt.sys
2007-12-29 19:23 4,048 ----a-w c:\documents and settings\Mine\mqdmcr.sys
2007-12-29 19:23 25,600 ----a-w c:\documents and settings\Mine\usbsermptxp.sys
2007-12-29 19:23 22,768 ----a-w c:\documents and settings\Mine\usbsermpt.sys
2007-12-25 02:41 0 ----a-w c:\documents and settings\Mine\Application Data\wklnhst.dat
1601-01-01 00:12 61,648 --sha-w c:\windows\system32\lebenesa.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-18 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-06-13 2752512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-09-22 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-07 29744]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"nomtray"="c:\program files\NetMotion Client\nomtray.exe" [2007-08-01 287376]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"LXSUPMON"="c:\windows\system32\LXSUPMON.EXE" [2002-03-08 900096]
"T-Mobile Connection Manager"="c:\program files\T-Mobile\Connection Manager\TMobileCM.exe" [2007-07-23 18968]
"SigmatelSysTrayApp"="stsystra.exe" [2006-09-22 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-13 110592]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-11 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\lebenesa.dll
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\lebenesa.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\ComboFix\\nircmd.com"=
"c:\\WINDOWS\\system32\\cscript.exe"=
"c:\\WINDOWS\\system32\\lsass.exe"=

R1 fsclm;FIPS Driver;\??\c:\program files\NetMotion Client\fsclm.sys [2007-08-01 97760]
R1 NMDRV;NetMotion Client Driver;\??\c:\program files\NetMotion Client\nmdrv.sys [2007-08-01 629904]
R1 NMRoam;NetMotion Roaming Detection Daemon;c:\windows\system32\DRIVERS\nmroam.sys [2007-08-01 22160]
R1 NMutilnt;NetMotion Utility Driver;\??\c:\windows\system32\drivers\nmutilnt.sys [2007-08-01 19600]
R2 MESSERV;NetMotion Client;c:\program files\NetMotion Client\messerv.exe [2007-08-01 823952]
R2 RDIConverterPrintHelper;RDI Document Conversion Helper;"c:\program files\Common Files\ICWM\Printer\RDIConverterService.exe" [2008-10-01 64888]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2007-11-09 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2007-11-09 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2007-11-09 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2007-11-09 566872]
R3 nmvnic;NMVNIC Network Adapter;c:\windows\system32\DRIVERS\nmvnic.sys [2007-08-01 44688]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2007-11-09 280392]
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-12-11 29744]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d014bb32-af13-11dc-8254-001d09b582b4}]
\Shell\AutoRun\command - E:\Launch.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-31 c:\windows\Tasks\bjfnnaqx.job
- c:\windows\system32\rundll32.exe [2004-08-04 05:00]
.
- - - - ORPHANS REMOVED - - - -

BHO-{18b4f769-0aeb-4716-a1d2-d88ffa0f779e} - c:\windows\system32\jevetedo.dll
BHO-{77AB5974-55A3-4737-9FD5-B93C64307F78} - c:\windows\system32\qkjbufhq.dll
BHO-{9815817E-DD71-48D5-88AD-B7F411AE4B04} - c:\windows\system32\rqRJAQhE.dll
HKCU-Run-prunnet - c:\windows\system32\prunnet.exe
HKLM-Run-prunnet - c:\windows\system32\prunnet.exe
HKLM-Run-namamuvuwa - c:\windows\system32\denekilo.dll

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0071211
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\ICWMInstall.dll - O16 -: {2202D225-22C1-4B8C-A4B8-6A7E7B7E1524}
hxxps://unicel.on.intercall.com/confmgr/installs/ICWMInstall.cab
c:\windows\Downloaded Program Files\ICWMInstall.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 19:07:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1464)
c:\program files\NetMotion Client\nmlogon.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'lsass.exe'(1520)
c:\windows\system32\lebenesa.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\drivers\dcfssvc.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\TRENDM~1\INTERN~1\pccguide.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
.
**************************************************************************
.
Completion time: 2008-12-30 19:10:43 - machine was rebooted [Mine]
ComboFix-quarantined-files.txt 2008-12-31 01:10:41

Pre-Run: 49,885,454,336 bytes free
Post-Run: 49,970,462,720 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

216 --- E O F --- 2008-12-18 06:30:12

tetonbob · 12-30-2008, 06:37 PM

Good job...

I need a bit more information before we continue.

Please go to: VirusTotal

On the page you'll find a "Browse" button.
Next to the browse button you'll see a box to enter text.
Please copy/paste the following into the File Name section of the File Upload window which opens:

c:\windows\system32\habodotu.exe
Then click the "Send File " button just below.
This will scan the file. Please be patient.
If you get a message saying File has already been analyzed: click Reanalyze file now
Once scanned, copy and paste the results in your next reply.
Please repeat for the following files:
- c:\windows\system32\rqRKDWnL.dll
- c:\windows\system32\lebenesa.dll

aberrant.minds · 12-30-2008, 08:20 PM

File habodotu.exe received on 12.31.2008 04:08:12 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 0/38 (0%)

File rqRKDWnL.dll received on 12.31.2008 04:13:28 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 9/39 (23.08%)

a-squared 4.0.0.73 2008.12.31 -
AhnLab-V3 2008.12.31.0 2008.12.30 -
AntiVir 7.9.0.45 2008.12.30 -
Authentium 5.1.0.4 2008.12.30 -
Avast 4.8.1281.0 2008.12.30 -
AVG 8.0.0.199 2008.12.30 Small.AWC
BitDefender 7.2 2008.12.31 -
CAT-QuickHeal 10.00 2008.12.30 -
ClamAV 0.94.1 2008.12.30 -
Comodo 851 2008.12.31 -
DrWeb 4.44.0.09170 2008.12.31 -
eSafe 7.0.17.0 2008.12.30 Suspicious File
eTrust-Vet 31.6.6284 2008.12.31 Win32/SillyDl.GIQ
Ewido 4.0 2008.12.30 -
F-Prot 4.4.4.56 2008.12.30 -
F-Secure 8.0.14470.0 2008.12.31 -
Fortinet 3.117.0.0 2008.12.31 -
GData 19 2008.12.31 -
Ikarus T3.1.1.45.0 2008.12.31 -
K7AntiVirus 7.10.571 2008.12.30 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2008.12.31 -
McAfee 5479 2008.12.30 Downloader-BMH
McAfee+Artemis 5479 2008.12.30 Generic!Artemis
Microsoft 1.4205 2008.12.31 -
NOD32 3724 2008.12.30 -
Norman 5.80.02 2008.12.30 -
Panda 9.0.0.4 2008.12.30 -
PCTools 4.4.2.0 2008.12.30 -
Prevx1 V2 2008.12.31 Fraudulent Security Program
Rising 21.10.12.00 2008.12.30 -
SecureWeb-Gateway 6.7.6 2008.12.30 -
Sophos 4.37.0 2008.12.31 Troj/Dloadr-BYA
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2008.12.31 -
TheHacker 6.3.1.4.202 2008.12.30 -
TrendMicro 8.700.0.1004 2008.12.31 PAK_Generic.001
VBA32 3.12.8.10 2008.12.30 -
ViRobot 2008.12.30.1540 2008.12.30 -
VirusBuster 4.5.11.0 2008.12.30 -

Additional information
File size: 45056 bytes
MD5...: cf222627744cec0cd3d5108d21060878
SHA1..: 8b95a0c7e91559d9e2f6cac68eeb039fe48e9773
SHA256: e4524273bdcc92d2068425ae58277abccb05c5838f404fac700793d1599c8726
SHA512: 7f7912e127583da2163b1fe24aaab3acf5d49ce4ca0b27532b6b2999d64ec48d
f916f0c84424be0d5c57518d3bf4212ef40768ff791a383d79fc00acf843e8ce

ssdeep: 768:yvrszB9Qy2EJP8mt2c41GV50K6jTOPN/p+2zuYGd3cLoVnKeNwrXr:yv46yL
JP8k2/1GVKS+2yYGVptNwr

PEiD..: -
TrID..: File type identification
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1001c500
timedatestamp.....: 0x494f8204 (Mon Dec 22 12:03:16 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x11000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x12000 0xb000 0xa800 7.89 e44d1bae505d72136b7346dd24417004
UPX2 0x1d000 0x1000 0x400 3.25 2671e36db397c2c4f5351832aaced86b

( 8 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree
> ADVAPI32.dll: RegEnumKeyA
> ole32.dll: CoInitialize
> OLEAUT32.dll: -
> SHELL32.dll: SHGetFolderPathW
> SHLWAPI.dll: StrChrA
> USER32.dll: IsCharAlphaNumericA
> WININET.dll: InternetOpenW

( 5 exports )
CheckSave, CheckStack, OpenSave, ShellPath, s

packers (Kaspersky): PE_Patch.UPX, UPX
packers (F-Prot): UPX
CWSandbox info: <a href='http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=cf222627744cec0cd3d5108d21060878' target='_blank'>http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=cf222627744cec0cd3d5108d21060878</a>
Prevx info: <a href='http://info.prevx.com/aboutprogramtext.asp?PX5=D5E6862E00ED3C2BB04500876E676200DDFB62DD' target='_blank'>http://info.prevx.com/aboutprogramtext.asp?PX5=D5E6862E00ED3C2BB04500876E676200DDFB62DD</a>

File lebenesa.dll received on 12.31.2008 04:17:39 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 4/39 (10.26%)

Antivirus Version Last Update Result
a-squared 4.0.0.73 2008.12.31 -
AhnLab-V3 2008.12.31.0 2008.12.30 -
AntiVir 7.9.0.45 2008.12.30 -
Authentium 5.1.0.4 2008.12.30 -
Avast 4.8.1281.0 2008.12.30 -
AVG 8.0.0.199 2008.12.30 -
BitDefender 7.2 2008.12.31 -
CAT-QuickHeal 10.00 2008.12.30 -
ClamAV 0.94.1 2008.12.30 -
Comodo 851 2008.12.31 -
DrWeb 4.44.0.09170 2008.12.31 -
eSafe 7.0.17.0 2008.12.30 Suspicious File
eTrust-Vet 31.6.6284 2008.12.31 Win32/Vundo.BNP
Ewido 4.0 2008.12.30 -
F-Prot 4.4.4.56 2008.12.30 -
F-Secure 8.0.14470.0 2008.12.31 -
Fortinet 3.117.0.0 2008.12.31 -
GData 19 2008.12.31 -
Ikarus T3.1.1.45.0 2008.12.31 -
K7AntiVirus 7.10.571 2008.12.30 -
Kaspersky 7.0.0.125 2008.12.31 -
McAfee 5479 2008.12.30 -
McAfee+Artemis 5479 2008.12.30 -
Microsoft 1.4205 2008.12.31 -
NOD32 3724 2008.12.30 -
Norman 5.80.02 2008.12.30 -
Panda 9.0.0.4 2008.12.30 -
PCTools 4.4.2.0 2008.12.30 -
Prevx1 V2 2008.12.31 -
Rising 21.10.12.00 2008.12.30 -
SecureWeb-Gateway 6.7.6 2008.12.30 -
Sophos 4.37.0 2008.12.31 Troj/Virtum-Gen
Sunbelt 3.2.1809.2 2008.12.22 Virtumonde
Symantec 10 2008.12.31 -
TheHacker 6.3.1.4.202 2008.12.30 -
TrendMicro 8.700.0.1004 2008.12.31 -
VBA32 3.12.8.10 2008.12.30 -
ViRobot 2008.12.30.1540 2008.12.30 -
VirusBuster 4.5.11.0 2008.12.30 -
Additional information
File size: 61648 bytes
MD5...: 2790c8fd29b7617e40a16c1ec7be95af
SHA1..: 73fcf33f841d0ee9d5693cbedd567c2956003266
SHA256: 60e75c988bca7aa21a44453233b9a4fe1197882d475d095cc4b20d74d1019881
SHA512: 63f7a01be9ce275f2918cc4f075c6ab0ed3c9bc8046e6aafe80e3f83354924a5
4f79ba8da7ccd05454e0d11de56944a2af81b5c8d5155f457392c5e75e4d35e8

ssdeep: 1536:Xo36nDpZ7NlgV7g5AZVxNu7mns3d+Rs1QgRMjXf6E:hpBgV7geVTdjP6E

PEiD..: -
TrID..: File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x100011c0
timedatestamp.....: 0x3ef274dc (Fri Jun 20 02:43:40 2003)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x4b34 0x4c00 7.90 1ed4f7aaa3c264b1451248ceaca09e0d
.data 0x6000 0x3eac 0x4000 7.80 70d5765d1f05c5431258e1156988dd5d
.dataa 0xa000 0x59c3 0x5400 7.98 cd3f572fd3169453dcb8d8b3219ccdc5
.rsrc 0x10000 0x410 0x600 2.45 001665e792a6280dc01198bf9190ed4d
.reloc 0x11000 0xc55e 0x600 0.51 9a8300813ab56f4f0ca0d6d13c67100c

( 4 imports )
> user32.dll: RegisterClassW, OffsetRect, MessageBoxW, MessageBoxIndirectW, MessageBeep, FillRect, EmptyClipboard, DispatchMessageW
> KERNEL32.dll: GetTickCount, RaiseException, GetOEMCP, ExitProcess, WideCharToMultiByte, lstrcatW, SetStdHandle
> advapi32.dll: RegSetValueExW, RegOpenKeyExW
> comdlg32.dll: GetOpenFileNameW, GetFileTitleW

( 0 exports )

tetonbob · 12-30-2008, 08:26 PM

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/328538-possible-trojan-browser-redirects-popups.html#post1886729

Folder::
C:\VundoFix Backups
c:\documents and settings\Mine\Application Data\Twain

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
"LoadAppInit_DLLs"=-
Collect::
c:\windows\system32\habodotu.exe
c:\windows\system32\rqRKDWnL.dll
c:\windows\system32\lebenesa.dll
c:\windows\Tasks\bjfnnaqx.job

Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

If a browser does not open, ComboFix has generated a zipped file at C:\Qoobox\Quarantine\[4]-Submit@Date_Time.zip
Before proceeding to the next step, please submit this file to http://www.bleepingcomputer.com/subm....php?channel=4, and include a link to this topic.
Ensure your AntiVirus and AntiSpyware applications are re-enabled.

---------------------------------------------------------------------------------------------

aberrant.minds · 12-30-2008, 10:42 PM

Here is the log you requested;

ComboFix 08-12-30.01 - Mine 2008-12-30 23:25:48.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.894.487 [GMT -6:00]
Running from: c:\documents and settings\Mine\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mine\Desktop\CFScript.txt
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated)
FW: PC-cillin Internet Security - Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mine\Application Data\Twain
C:\VundoFix Backups
c:\windows\system32\habodotu.exe
c:\windows\system32\lebenesa.dll
c:\windows\system32\rqRKDWnL.dll
c:\windows\Tasks\bjfnnaqx.job

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-31 )))))))))))))))))))))))))))))))
.

2008-12-27 21:55 . 2008-12-27 21:55 <DIR> d-------- C:\rsit
2008-12-26 22:13 . 2008-12-27 21:00 250 --a------ c:\windows\gmer.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-31 03:05 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-30 21:01 --------- d-----w c:\program files\Trend Micro
2008-12-30 02:30 --------- d-----w c:\program files\EA GAMES
2008-12-28 02:59 --------- d-----w c:\program files\LimeWire
2008-03-12 20:22 61,224 ----a-w c:\documents and settings\Mine\GoToAssistDownloadHelper.exe
2007-12-29 19:23 92,064 ----a-w c:\documents and settings\Mine\mqdmmdm.sys
2007-12-29 19:23 9,232 ----a-w c:\documents and settings\Mine\mqdmmdfl.sys
2007-12-29 19:23 79,328 ----a-w c:\documents and settings\Mine\mqdmserd.sys
2007-12-29 19:23 66,656 ----a-w c:\documents and settings\Mine\mqdmbus.sys
2007-12-29 19:23 6,208 ----a-w c:\documents and settings\Mine\mqdmcmnt.sys
2007-12-29 19:23 5,936 ----a-w c:\documents and settings\Mine\mqdmwhnt.sys
2007-12-29 19:23 4,048 ----a-w c:\documents and settings\Mine\mqdmcr.sys
2007-12-29 19:23 25,600 ----a-w c:\documents and settings\Mine\usbsermptxp.sys
2007-12-29 19:23 22,768 ----a-w c:\documents and settings\Mine\usbsermpt.sys
2007-12-25 02:41 0 ----a-w c:\documents and settings\Mine\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18b4f769-0aeb-4716-a1d2-d88ffa0f779e}]
c:\windows\system32\jevetedo.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-18 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-06-13 2752512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-09-22 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-07 29744]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"nomtray"="c:\program files\NetMotion Client\nomtray.exe" [2007-08-01 287376]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"LXSUPMON"="c:\windows\system32\LXSUPMON.EXE" [2002-03-08 900096]
"T-Mobile Connection Manager"="c:\program files\T-Mobile\Connection Manager\TMobileCM.exe" [2007-07-23 18968]
"namamuvuwa"="c:\windows\system32\denekilo.dll" [BU]
"SigmatelSysTrayApp"="stsystra.exe" [2006-09-22 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-13 110592]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-11 24576]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\ComboFix\\nircmd.com"=
"c:\\WINDOWS\\system32\\cscript.exe"=

R1 fsclm;FIPS Driver;\??\c:\program files\NetMotion Client\fsclm.sys [2007-08-01 97760]
R1 NMDRV;NetMotion Client Driver;\??\c:\program files\NetMotion Client\nmdrv.sys [2007-08-01 629904]
R1 NMRoam;NetMotion Roaming Detection Daemon;c:\windows\system32\DRIVERS\nmroam.sys [2007-08-01 22160]
R1 NMutilnt;NetMotion Utility Driver;\??\c:\windows\system32\drivers\nmutilnt.sys [2007-08-01 19600]
R2 MESSERV;NetMotion Client;c:\program files\NetMotion Client\messerv.exe [2007-08-01 823952]
R2 RDIConverterPrintHelper;RDI Document Conversion Helper;"c:\program files\Common Files\ICWM\Printer\RDIConverterService.exe" [2008-10-01 64888]
R2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2007-11-09 36368]
R3 nmvnic;NMVNIC Network Adapter;c:\windows\system32\DRIVERS\nmvnic.sys [2007-08-01 44688]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2007-11-09 280392]
S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2007-11-09 345696]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2007-11-09 923216]
S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2007-11-09 566872]
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-12-11 29744]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d014bb32-af13-11dc-8254-001d09b582b4}]
\Shell\AutoRun\command - E:\Launch.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0071211
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\ICWMInstall.dll - O16 -: {2202D225-22C1-4B8C-A4B8-6A7E7B7E1524}
hxxps://unicel.on.intercall.com/confmgr/installs/ICWMInstall.cab
c:\windows\Downloaded Program Files\ICWMInstall.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 23:30:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-323037319-3703954567-865254948-1006\Software\SecuROM\License information*]
@Security="Inherited"
"datasecu"=hex:92,77,e0,e4,08,e0,b2,10,90,fa,03,57,25,c7,35,c4,ee,96,83,ff,dd,\
db,ae,d9,c9,90,36,d0,07,00,8e,12,49,2a,3f,cc,8f,39,26,dd,06,15,c4,7a,ff,9a,\
c0,18,e5,5b,18,66,b1,e4,cb,b0,17,52,84,e9,43,3a,f9,e6,dc,33,c1,0c,83,60,e6,\
00,12,5e,7f,ea,86,25,8f,32,9d,75,5a,c2,1a,86,11,35,ae,0b,25,80,f4,b0,8e,39,\
82,6e,90,b8,51,a8,d7,ca,3d,34,91,6a,57,48,72,eb,d8,57,49,67,0c,82,4b,35,18,\
d3,48,b3,13,12,8c,e8,2d,fa,f2,44,cc,22,1d,6b,2f,8d,0e,05,dc,b0,14,12,35,fe,\
df,01,a4,49,3c,dd,82,3b,bd,f1,e4,71,16,41,ab,4b,bb,87,2a,38,82,d5,2a,6e,8e,\
d8,25,0b,04,c4,ea,45,39,d4,83,f5,f0,7a,fa,bf,b6,49,1f,b1,b0,4f,f3,47,04,84,\
06,a6,10,cf,ee,ed,86,8b,9c,26,06,95,79,f5,a5,56,df,7d,21,ad,e9,cf,e4,e7,be,\
15,38,46,cb,87,08,81,08,71,94,76,f2,bf,98,cf,5e,22,41,32,a3,06,d6,94,80,e5,\
6d,46,be,ad,40,25,0d,4d,c1,71,83,60,fe,61,c5,35,59,42,00,a5,b6,78,a0,91,16,\
15,f6,1e,39,fa,91,bf,97,0a,d9,34,3e,09,e2,c1,1f,6b,c9,ca,8d,29,19,a1,f2,3a,\
98,e2,ae,45,4e,69,47,ab,41,46,92,46,41,f8,92,58,58,4f,3f,3f,3e,e7,df,ea,94,\
36,08,70,50,64,4a,2c,da,28,c1,ad,5b,5a,c5,75,26,b5,20,26,f3,ec,99,07,85,4a,\
7a,c8,c3,b7,64,94,73,45,5c,63,14,fc,56,2c,08,e3,f0,15,9c,8b,e9,a1,e8,e7,00,\
33,c2,a5,59,85,b4,82,ba,41,8d,78,b8,32,ec,cf,27,ee,a2,6c,23,95,16,53,1f,f2,\
56,d5,18,c4,60,e2,2e,88,e0,6d,78,0d,07,b1,68,35,93,75,d2,95,7a,10,04,bf,d0,\
b2,b3,f9,19,9b,31,8d,b8,cb,29,22,1d,c7,c7,43,86,96,6b,70,3d,64,f4,c5,c7,0a,\
5d,2d,b5,8d,f1,bc,d6,6c,b4,91,5d,c7,8d,2e,09,ff,10,fa,08,e1,ff,d8,63,6d,76,\
02,62,18,0f,b9,b4,c4,9e,43,37,5b,85,1e,28,ca,e8,0f,ab,6f,07,7a,ab,67,5d,06,\
6f,5a,4d,83,ee,28,af,18,4f,4d,48,7e,08,e5,74,33,42,72,31,64,bc,65,7a,c9,cb,\
97,9e,42,01,98,88,2a,02,79,60,a6,1e,96,77,85,04,83,b5,65,d9,16,9b,77,60,11,\
7e,e3,0c,54,bc,aa,62,44,51,c3,28,5e,5a,7b,67,9a,50,ef,2a,6a,75,e9,3f,d7,66,\
e6,f0,13,59,3f,8c,ef,61,55,a4,a0,75,55,16,3a,20,14,3e,a9,ad,07,14,57,59,97,\
01,36,43,19,cc,69,ba,ee,fd,6c,26,31,e6,53,54,e0,6a,6c,4e,0e,82,e4,eb,7c,88,\
dd,13,0f,ba,45,5a,7f,5e,13,e3,da,83,b0,2a,db,4b,1d,56,65,0c,73,11,45,29,e9,\
b3,d4,22,d6,91,b7,6e,f8,a3,32,af,da,97,b1,41,5e,89,db,9e,c0,a4,29,ce,c4,6c,\
59,55,3c,86,31,2d,d6,91,97,3c,f9,7a,3e,3e,10,88,4a,27,44,e1,cb,d3,73,e2,a0,\
1f,59,6d,5e,f2,3e,b1,35,b4,a1,0f,54,7c,1c,80,17,db,77,62,10,06,c5,1f,f2,ce,\
df,5f,42,a0,5c,0b,89,fb,4d,4a,c5,c7,af,5b,1f,de,ef,12,8b,ba,c0,bb,ea,40,49,\
3a,89,c2,3f,7d,a3,63,5e,b8,8e,f6,e9,63,56,9e,4e,6a,e0,bb,08,b7,8f,73,b3,1e,\
87,d9,88,22,83,0f,24,fb,e5,c2,be,81,9b,43,c8,46,89,8f,cd,9c,38,bc,73,51,21,\
5f,70,69,1c,9c,dd,00,3e,2c,d9,e1,e8,2a,1d,c9,db,bd,43,61,27,b5,b5,cd,7a,33,\
4d,74,ce,e3,a6,a5,ca,1d,30,46,46,cf,c5,20,ce,04,f7,95,50,bc,07,35,42,52,99,\
6b,c0,77,71,02,00,e6,3f,39,c4,f4,3a,3f,26,e4,9b,e0,7d,10,3c,cf,dc,e1,ca,a3,\
04,83,7d,f1,7e,bb,c2,a4,9d,1c,d7,81,9c,0b,73,55,a1,62,5c,06,ab,c9,68,79,7f,\
69,41,2d,9b,57,1f,7c,2b,57,06,b8,83,67,7f,78,67,a2,38,74,fd,c3,f1,04,22,49,\
10,c8,e7,7e,82,c2,5c,23,2e,b9,48,74,c3,50,9c,11,8d,c9,7a,9e,61,7c,e4,24,13,\
e7,c0,84,4b,a0,cd,fa,a7,b4,ca,e4,55,df,c9,0a,53,ee,0c,e4,68,a4,d3,db,ea,c3,\
8b,60,73,02,04,31,04,ef,00,aa,27,42,e0,32,33,29,7e,fd,9a,bf,9c,63,3d,99,ed,\
b1,2a,d4,1c,22,d3,b7,dd,75,fd,79,4f,39,a4,98,2c,e9,75,88,74,f0,e0,d0,60,ec,\
fb,ee,c5,de,88,e0,3b,0f,14,39,40,aa,de,12,fb,87,2c,5c,e5,d6,d6,cd,2c,68,b8,\
5e,95,55,2e,a9,28,f5,8e,2d,44,c6,75,3f,7c,a4,28,7f,42,3e,0a,45,13,25,1b,c2,\
af,48,8b,7d,62,24,1c,3b,89,a3,6b,98,03,ac,19,3d,34,97,ae,e8,64,f2,6f,be,ac,\
65,74,1b,87,3f,9c,e3,8c,0b,1f,c8,13,d1,cb,4e,51,70,ae,0b,f1,04,04,51,76,c3,\
81,1e,30,74,2a,bd,39,10,86,38,78,97,ba,21,02,27,95,cf,fa,51,47,82,71,4f,6f,\
09,5c,e8,94,a3,98,17,fd,a2,7e,92,f0,0a,34,18,06,6c,7d,42,d3,a6,08,83,04,b7,\
51,e7,92,a3,d9,35,e5,ef,c4,1b,46,ff,94,bd,b2,f2,65,db,46,db,ee,e3,04,04,4d,\
a8,f8,30,b5,64,a2,99,14,5d,c2,a8,0f,30,db,8c,90,90,c2,72,3d,c9,7f,eb,75,7d,\
5d,2a,89,e8,12,1f,6b,0b,ed,59,cc,fc,77,c8,0c,c5,fa,fa,2d,a3,c9,59,56,59,7e,\
74,10,33,2f,1d,13,9f,3f,a8,eb,5c,b6,1c,f2,a3,ee,ec,ff,47,24,e5,91,69,a1,06,\
90,98,69,31,bf,84,67,11,de,9a,40,53,52,67,7d,76,0e,de,ae,70,43,33,78,70,2c,\
c5,09,41,0c,b0,ac,97,ab,83,bb,5e,79,ed,c6,e2,b8,88,22,90,b7,1b,7b,3f,b6,00,\
57,25,fc,7b,4c,a7,85,e7,0f,a0,9b,af,74,ed,4c,4c,4d,8d,75,2b,01,e2,5f,40,9d,\
12,f7,55,bb,eb,8c,15,5b,00,82,96,fa,42,4f,ff,0f,87,a6,8a,22,31,2b,6f,90,87,\
d8,b3,b2,9e,f5,72,c1,d4,7d,49,57,dc,96,47,97,92,8b,2b,dc,36,6f,34,dc,c0,e7,\
9c,f4,fb,73,51,44,bc,58,86,38,bb,6e,2c,5e,39,c4,cf,50,79,91,f0,e2,71,69,dc,\
ce,1d,14,dc,5a,33,8e,48,74,8e,69,90,ef,1f,fe,fa,ec,8e,03,1a,39,66,1c,89,1c,\
81,a8,01,52,f6,c6,a5,ac,80,ab,5a,83,aa,f7,79,37,54,86,7c,eb,15,b3,48,da,2c,\
0b,56,c5,1b,4b,a8,a9,cb,c0,16,91,b1,f2,8f,df,e6,da,4c,38,23,83,c6,ac,c8,d5,\
ac,2f,88,d4,05,e1,b4,30,dd,3b,a5,dd,5e,9b,63,ae,6e,ee,bf,53,57,7b,5a,97,5e,\
05,4d,89,07,69,ad,7e,75,94,c7,07,f4,55,7e,83,67,a2,a6,63,d9,6b,6b,01,5b,cf,\
9e,4e,0c,02,c8,d6,8d,ed,3a,ef,68,73,df,c9,b0,58,15,4e,c0,c2,de,57,b7,c1,70,\
2b,9c,0d,c2,96,9a,d7,03,94,f4,a8,4f,2c,5b,4b,ae,d3,c3,b7,9c,e0,b2,d8,36,a9,\
9d,75,aa,fe,bb,e2,aa,63,57,93,2e,2a,69,b0,0a,c5,a2,ac,6c,70,39,a5,0f,d7,99,\
41,d6,48,68,79,d0,81,f4,95,ac,fa,4e,0d,27,64,81,26,9f,8b,5d,7e,29,33,a0,30,\
e1,1d,de,46,e2,34,ef,52,ac,a4,52,70,30,89,c7,85,b6,9e,9a,42,d0,6f,af,f3,40,\
91,41,a1,2b,84,f6,ab,c4,0f,e6,43,ae,f1,13,19,08,52,2c,ea,d0,f5,54,d3,12,61,\
fa,0e,f6,f5,ad,d8,ca,b3,8e,1e,b1,3d,f5,ce,e5,a4,53,fe,35,36,86,e5,bb,75,79,\
d2,f7,6e,30,50,86,5b,cb,da,d9,ce,6d,0d,dc,7a,1e,71,43,e9,cf,3b,3a,f4,50,82,\
02,84,d8,83,09,20,91,60,e6,af,e2,98,ab,15,81,24,19,6d,4f,6e,4e,1d,e9,de,67,\
cb,49,35,99,f7,bf,62,d7,4c,f5,74,e7,33,2e,a7,03,4e,7e,3b,9f,99,63,db,af,48,\
68,4b,2d,8a,a4,da,2f,9d,40,14,b4,13,87,2c,43,66,03,58,3d,ae,20,1c,65,cd,e9,\
91,eb,90,69,bc,f1,fe,b9,ad,15,da,c9,b0,82,7b,9f,1e,f7,de,bc,1c,aa,7a,d8,41,\
2e,b1,40,3b,1f,c8,35,7b,22,ed,f7,c9,21,54,95,b6,46,6c,54,66,6f,9b,fb,fe,02,\
8b,e6,6f,a4,95,7d,3c,e4,58,eb,e2,07,0d,ed,af,ed,2b,98,29,fa,a7,68,9b,da,15,\
59,7f,b6,17,85,c1,f8,d2,bd,0c,29,83,82,35,36,14,c5,69,c0,5f,0b,cf,f4,38,db,\
5b,7f,d8,77,97,91,3e,92,d5,db,bc,21,93,4e,29,0e,8a,87,d2,be,5a,14,75,e4,68,\
7a,a4,93,c0,ed,56,18,dd,ef,8e,85,97,2d,ab,d2,0b,be,88,31,34,87,c2,3c,61,45,\
41,e5,3b,35,47,0a,dc,f2,45,09,e5,a6,da,e4,3f,91,9a,9d,ca,85,6b,a4,18,09,61,\
37,93,c9,ac,30,47,f5,5b,02,ac,a3,09,c3,95,51,6a,60,be,87,6f,94,99,ec,01,6f,\
03,8a,ac,95,b2,54,fd,e0,a9,6c,6e,1e,07,f6,c1,f1,7d,5a,9c,54,60,c7,de,12,01,\
df,9f,97,93,ca,c3,ba,5f,fd,26,cf,0d,18,52,36,cc,f8,bd,97,93,26,a0,94,90,4d,\
75,58,6d,6c,e1,76,4f,57,c9,2b,56,c7,76,7e,3c,90,5d,6c,8c,a3,c5,23,de,2c,4e,\
65,d9,5c,08,44,5d,3c,c8,41,4e,dd,f2,3f,f5,3a,56,f1,39,5f,59,b7,d3,92,09,4d,\
55,24,71,d0,1b,a7,de,ad,2f,51,76,67,1e,fe,0f,20,25,2d,10,2a,7b,6f,ba,8f,ff,\
65,01,3b,26,05,81,07,4c,52,9c,3b,93,a9,6c,c8,b1,9e,d3,a5,36,7c,a3,cd,77,5f,\
4a,26,18,13,9c,ab,62,b8,78,5c,59,16,a2,20,04,d0,63,a0,99,22,28,be,ca,06,61,\
38,c3,57,1d,5e,a0,ec,a4,cf,59,34,0e,58,cb,47,ee,b5,77,32,5d,d4,0b,37,90,f0,\
15,34,43,7f,63,44,6d,19,91,ba,cb,97,65,af,2c,be,26,84,01,f4,19,89,05,85,0c,\
1a,03,a5,01,b1,16,67,8c,57,a1,2b,f9,fa,13,9c,46,42,a5,be,26,e4,9a,f1,40,79,\
4c,98,5f,e0,53,88,08,2c,98,06,7d,a4,f9,c7,ad,5b,0a,fa,18,35,25,8b,21,ee,31,\
ed,eb,fd,2a,02,c5,48,01,eb,89,53,44,8a,83,92,66,cc,15,45,aa,71,ee,bd,1b,6f,\
a4,d5,19,50,14,4e,99,8e,b5,a9,1e,d3,f7,77,6a,f6,31,5c,b8,60,7a,e2,45,e5,ad,\
fd,45,28,9e,bd,ca,17,58,1e,64,e6,d9,13,f0,91,db,82,7b,f5,65,56,14,4a,13,c4,\
47,ac,61,d0,7a,d9,94,ed,f9,40,08,b8,5a,b8,3c,e2,61,85,08,47,7d,28,ac,47,2e,\
cd,65,45,11,55,4c,96,42,f1,d2,91,45,a8,3e,85,d2,9d,bc,8f,5f,c5,67,a4,09,76,\
63,5b,59,ac,96,fd,8b,cc,fa,3a,dd,1b,94,56,59,a4,0f,21,de,09,77,94,44,77,3b,\
f1,b4,4d,9c,ff,0f,85,da,fc,d2,c4,9d,aa,14,a7,f5,e5,0b,2e,19,8d,da,fc,02,ac,\
4c,10,ab,c4,6d,7f,e3,23,b4,98,ff,ef,b1,76,e8,5a,de,d2,a6,7c,8e,d9,6a,13,cf,\
f1,ab,b6,43,5e,6b,84,27,a4,62,ae,42,a4,48,3c,f8,09,76,f7,ae,e2,db,5f,8f,fa,\
d7,f3,5f,1d,81,6c,dd,5d,f5,1e,3c,83,e5,f6,63,41,78,eb,b0,22,d9,69,a4,dd,1d,\
53,e6,e6,b4,48,ef,e3,f7,0d,d8,5f,5c,a4,3c,dc,d3,4b,b7,a7,7c,cb,f1,99,45,d3,\
61,01,8d,1a,2b,95,f4,4e,24,81,8f,e0,fd,e3,a2,3a,7e,29,17,62,57,1d,d3,7b,43,\
11,73,34,b1,e5,79,1e,7c,02,25,cc,61,00,a1,8f,60,1d,86,38,00,93,d1,3e,dc,72,\
42,03,c7,d2,58,25,eb,f4,77,aa,06,00,8f,a1,d5,cd,86,eb,4c,c5,27,0f,cb,a4,0b,\
5f,ec,39,08,1b,b7,71,5d,92,51,63,b0,62,ff,df,f3,4f,ba,81,9c,d5,fd,40,ce,70,\
af,ba,04,95,aa,78,c4,1b,56,6f,9d,7c,6f,b4,1b,61,41,5e,00,d9,e3,40,a4,69,96,\
40,a6,ca,b9,a9,e2,ec,bc,ac,23,25,18,60,f3,06,85,f9,a2,9d,3a,11,f0,3e,2a,bf,\
50,e1,16,1d,36,6f,4e,be,ff,5d,87,a1,c5,f9,51,80,56,6f,4b,af,2a,60,05,1b,d6,\
df,73,82,a2,0e,70,31,49,a5,5c,e2,55,b5,68,ee,c7,9b,86,17,bb,a2,cd,64,15,80,\
29,1b,59,f2,14,b1,6e,8b,c5,f9,0d,6e,36,66,19,ee,cc,dd,cc,95,fc,0e,e5,7b,2a,\
3a,13,22,37,78,77,35,ec,fd,cf,44,42,90,e0,8c,01,6f,e9,ce,91,fa,9f,fb,4c,b4,\
ee,22,7c,77,b0,f4,4f,78,98,45,26,e9,e4,db,17,17,e1,99,5a,d8,24,36,7e,91,45,\
76,27,7e,1e,17,fe,2c,fd,71,62,05,a3,0c,28,cb,3c,25,4e,54,37,a1,67,15,7e,bf,\
75,89,f7,fe,5b,d9,e8,c4,21,5e,80,c8,39,d1,73,ea,9e,c7,a9,b5,4c,cf,50,af,30,\
1d,eb,43,d2,43,01,61,60,3a,c9,4b,56,e5,25,5f,4c,e2,34,a2,dd,a7,e9,85,48,b1,\
89,68,ec,a7,2d,22,55,13,a5,68,27,c4,5e,5e,73,71,c5,80,8a,e5,65,c0,0b,da,c9,\
95,2c,ae,df,e2,b6,56,47,19,06,82,38,fd,fc,10,82,ee,7d,8e,2c,84,e8,11,b7,05,\
de,18,fa,6a,f6,0d,ef,b1,79,64,a5,42,1e,fb,a5,e2,45,2d,a9,48,05,8b,e4,22,29,\
c9,91,b9,e0,40,d5,0b,cc,b1,e8,ec,9d,90,0f,d3,fc,d0,11,54,91,8b,bb,60,be,d5,\
26,dd,e3,3a,16,90,28,0d,e9,f5,d0,c0,77,73,a3,58,c6,9b,61,9b,21,dc,ee,23,84,\
12,da,12,fa,53,89,f8,46,a2,85,ce,48,7a,64,07,04,e7,a4,7a,35,57,e2,fd,10,6c,\
02,7f,e8,ee,6c,85,97,2b,0f,e5,52,10,50,56,2e,b4,10,49,8b,f1,09,e1,d3,2a,1f,\
69,1f,f2,73,dd,dd,5e,f4,c9,15,aa,2d,fc,56,14,34,c8,63,05,0b,de,b5,eb,01,44,\
ff,d8,ee,9f,dd,97,7a,c2,7c,17,28,75,40,b0,79,54,d3,66,9f,6c,7c,7b,aa,32,7e,\
27,79,eb,96,ce,23,5d,11,f8,81,9d,ea,70,6b,b3,29,c7,67,ba,9f,24,20,54,75,78,\
d4,48,63,b8,04,9e,02,11,ff,52,37,f6,fb,65,fa,70,bf,ad,ab,b5,b2,7e,fe,70,2b,\
ef,a3,a2,c9,9a,07,f2,a1,52,0b,63,57,77,68,48,ed,62,bd,6d,0b,0e,67,11,81,4a,\
e7,4a,1b,16,d9,ec,68,11,77,da,ee,54,1e,57,b4,fd,6f,14,4c,3a,9a,40,10,76,77,\
90,55,ca,04,53,c9,19,b7,10,93,9a,75,ec,75,94,7a,eb,b6,62,42,07,cd,ae,dd,46,\
62,55,cb,fb,f2,2b,80,b9,35,41,1f,e0,03,e9,13,15,20,2d,40,30,5b,92,a5,60,77,\
84,c4,cb,4a,8f,1c,6e,6a,a8,5e,c6,90,40,ce,4d,ee,ac,77,ec,b7,e4,b4,7e,ae,1e,\
b2,00,66,e5,f8,12,85,b9,8e,1d,f6,9c,a4,3a,b3,9b,2b,e4,5f,73,45,ae,82,21,3f,\
7f,74,9a,b6,56,a7,8e,f7,ea,49,9f,b8,83,90,ff,0a,66,95,68,f7,84,51,a7,77,d9,\
fc,55,6b,eb,ee,07,c4,a8,d1,6b,f4,15,bf,06,d0,4c,05,cd,8a,00,25,28,22,69,87,\
2a,a2,a1,8f,7c,d3,fe,60,85,60,01,af,bb,1f,0d,08,4e,dd,8e,f3,76,29,b9,f0,5e,\
58,24,52,81,8f,09,03,c0,9e,2c,1e,ab,e7,3f,6b,bf,63,f3,aa,db,94,50,e8,75,d9,\
4b,bc,55,b1,44,21,20,85,13,f2,bf,05,31,f1,49,72,7d,84,95,9c,8d,6f,33,8c,bd,\
3a,80,d4,a2,e4,f8,16,08,d2,50,a9,1a,b9,cd,c5,39,e5,1e,be,3f,37,83,02,7d,31,\
00,59,fe,d3,54,cd,9a,8b,e3,35,2e,81,a8,db,c2,09,e6,82,da,7b,cd,75,c4,d2,0a,\
8d,56,3a,e6,ac,b6,49,09,77,61,50,14,a8,e0,1d,51,a8,ca,cc,08,79,d6,bc,b3,07,\
86,dd,c4,0f,4c,32,58,9d,30,a1,57,cf,0c,5c,6f,f1,77,32,a1,d1,84,f6,3b,64,1c,\
03,86,e0,20,db,57,bb,41,16,1d,bd,a7,10,97,62,22,cd,b7,6d,44,47,cd,01,6c,57,\
43,f9,6f,82,6e,6a,49,96,1b,2a,1f,c7,9a,3c,41,2a,d2,ef,01,b6,a5,b7,61,ab,b8,\
3a,92,7f,16,c3,10,c7,c1,f7,b6,68,1e,b1,9b,ff,86,f5,72,8c,e1,0c,2d,aa,ec,bc,\
b3,08,86,c5,e4,ce,0e,0e,eb,8c,1b,7c,83,54,bd,ee,33,a9,93,15,98,70,a7,39,af,\
99,1f,17,29,ac,08,bf,b4,fb,90,0a,f5,db,3d,f3,ad,f0,ad,94,db,4a,d4,f1,40,86,\
87,09,0d,33,83,31,2b,3c,36,75,12,8c,fd,5b,d0,e1,f3,fc,7d,5d,86,be,2a,c0,70,\
0e,b9,3a,16,2a,a4,61,b9,ae,3f,96,f2,3b,de,eb,0e,a7,3e,92,ee,33,56,fc,1d,69,\
a8,52,49,29,cf,40,94,36,27,eb,5e,97,7d,74,c3,54,71,d9,3e,88,50,8f,a2,80,08,\
45,12,7b,c5,72,c2,44,a2,e7,ac,46,d2,bb,f3,c3,ab,3b,73,4c,d5,7e,0d,bf,63,57,\
af,28,a3,e2,a2,a7,59,c8,20,d8,ea,d8,88,17,3f,84,4a,88,2e,6f,55,ff,d1,2a,b4,\
ff,f4,e4,47,aa,45,20,f6,07,46,92,6e,46,35,ce,2e,2f,38,9b,92,01,e0,2b,d7,7a,\
35,31,83,cf,fe,44,2e,5d,2e,66,3d,a6,f1,75,d8,e4,5c,71,44,7e,8a,a8,f8,c6,26,\
c0,e2,ff,c8,e1,16,9a,ee,61,e6,84,bb,4d,31,21,35,6d,a6,59,72,a7,29,0c,ee,92,\
48,c5,aa,bd,f0,6e,70,a8,62,b6,b6,68,ed,de,79,d8,dc,8e,40,f9,7c,4e,71,55,76,\
39,56,f0,49,d8,e9,35,92,5c,b5,b0,ea,38,03,1c,6c,6b,95,5a,4a,be,f1,5c,0f,44,\
18,ce,c6,7a,95,a7,72,72,68,a7,e0,1b,0c,6a,38,e1,16,c6,d6,d8,be,20,3a,48,8e,\
3e,3a,7c,fa,a4,c7,52,ac,ba,7a,56,a9,52,02,14,1b,13,5d,64,40,5f,d0,90,7c,0a,\
10,32,46,ba,78,2b,c5,06,8a,8f,12,d5,18,b8,62,fc,c6,09,a3,1e,b3,8a,12,fa,37,\
f0,8d,03,e2,88,ce,da,72,07,65,a5,9b,98,bb,6f,a5,c4,39,cb,9e,7b,29,42,93,81,\
b0,b6,c9,a6,81,48,f5,04,79,d0,18,1b,0d,09,59,a3,8a,07,34,2e,8f,91,da,ae,2c,\
5a,9c,03,49,8b,fd,a8,a6,e0,ce,07,41,76,e0,3a,85,a7,9e,5f,cd,48,ca,00,12,cf,\
e3,0f,b0,36,0c,d6,d3,f8,78,1b,fe,3d,82,73,e2,c0,3e,9a,e8,c6,e7,09,61,08,fa,\
f3,97,51,94,c9,a6,a7,f4,ad,09,48,0d,5a,c8,9e,57,5f,15,89,5e,0d,44,ce,67,67,\
9e,9a,b2,19,b8,d7,71,ad,79,db,d2,e0,92,d4,1d,fa,33,8d,19,2b,54,29,6e,d2,73,\
07,41,a1,02,94,67,c5,aa,fd,c5,f4,68,da,cd,4c,90,f4,92,29,28,bf,77,e3,cf,b0,\
40,22,77,d8,8d,14,b2,06,f0,b4,34,2a,cc,d2,87,51,3c,ca,06,ac,a7,f7,90,d4,6c,\
b8,b4,64,2d,a4,9d,95,9f,35,97,2a,14,71,cb,1e,7f,0b,25,02,d6,f2,31,f5,d4,92,\
6c,77,61,16,12,4a,e1,04,19,1c,2a,fa,d2,f3,d9,1c,7e,4e,10,9f,5c,46,c3,d5,84,\
02,05,d5,83,7b,7d,c5,6d,c7,f4,0a,0d,93,d7,17,08,81,af,ba,19,9e,76,ad,02,e7,\
06,3c,df,fd,f4,16,b4,31,03,cf,97,1b,23,c7,b6,05,f6,b9,38,5e,03,12,4e,6e,fe,\
cf,c9,fe,fb,87,e9,d1,92,48,bb,ed,26,ae,22,f5,df,72,b6,51,f6,37,dd,42,08,37,\
05,70,6d,45,ff,46,8e,02,5c,5f,e0,5e,89,69,05,96,7c,3f,d8,e4,84,0a,82,ce,05,\
6d,50,1a,76,36,a4,00,f7,14,38,95,2f,21,fb,4e,d3,75,73,76,a2,9d,1c,78,42,f9,\
90,36,e2,59,96,1a,0d,5d,dd,62,4e,9f,4c,88,1d,f4,c7,e3,ac,98,f7,09,96,47,19,\
5c,00,cd,f2,33,ce,6e,fb,a2,5c,16,f7,6d,3a,61,0f,99,25,f6,91,57,77,69,6b,7a,\
69,fc,6f,74,6a,b4,4b,2a,46,05,a4,71,6e,b7,aa,36,d4,11,cf,70,b0,5a,0d,30,df,\
82,d6,0c,ed,16,1e,fa,a4,b0,77,98,c0,d2,31,4b,dc,3d,4b,a7,97,76,f9,9d,e5,a4,\
25,ed,70,1e,cf,fc,4f,71,35,ea,70,90,96,74,aa,1a,e0,b3,7b,4e,61,96,bf,1d,86,\
64,53,53,58,ed,15,ec,9a,e0,3a,ee,ec,42,28,ec,3f,72,ac,54,3a,65,14,38,08,ad,\
e8,bc,7f,59,f7,c6,2b,69,3d,dc,31,93,fd,81,f3,89,64,bb,7b,34,d4,69,85,4c,3e,\
8f,ca,e6,89,79,5e,b4,07,c1,6f,0d,20,b2,3f,95,07,4d,3f,c2,7b,01,9d,82,3d,c7,\
04,4c,d9,dd,fa,4f,c8,ca,8a,c3,9f,79,64,38,52,1d,61,1e,28,69,53,58,79,da,cc,\
dc,78,59,6f,03,c9,59,cc,96,ee,0f,93,67,c6,a1,f1,8f,06,9c,d4,e4,02,d0,b3,3b,\
38,99,c4,d0,20,64,44,35,96,9e,76,7f,a5,2f,35,81,aa,7a,42,42,04,20,e6,79,ed,\
27,7f,b6,b5,98,5e,c5,b0,e8,c4,f5,d5,b5,44,a4,d8,cf,ea,97,f4,48,17,a6,1f,11,\
21,21,17,05,06,0f,c4,e5,e4,5a,88,a0,df,f6,53,fd,1f,ca,da,f9,c6,e2,8e,c4,9e,\
3b,c3,ef,58,e1,12,39,63,c4,a1,4c,73,c6,97,29,3d,e1,42,47,70,bd,1f,35,a3,da,\
f8,ce,c4,f4,1f,8f,ce,4d,2f,4b,e4,9a,6c,79,04,9b,2d,bf,9a,d0,bf,e8,02,ff,85,\
02,46,ec,2d,78,fa,cc,a4,76,8b,11,4c,ee,b8,44,74,68,16,3e,25,19,a7,d4,c4,7b,\
a1,cd,70,20,d2,71,8a,30,d9,24,07,ff,b2,80,c0,64,3c,10,77,96,61,75,1c,87,51,\
06,ee,00,24,fb,0c,b7,bf,72,25,5e,5e,6d,4e,1f,16,28,a1,53,c5,95,75,ee,e5,7d,\
6a,0c,30,d6,1f,b0,af,d5,81,e4,30,c1,28,37,11,9d,45,6f,97,74,d9,d2,66,f9,fb,\
7f,0a,35,b5,fb,55,ef,cb,ac,a7,0d,17,ec,c6,7d,35,b1,83,de,b7,25,38,1e,ef,f5,\
cf,68,5c,33,be,29,d5,af,fe,15,c4,6a,04,04,b7,34,03,c5,ef,bb,27,d9,d6,18,dc,\
f6,bb,61,94,08,02,32,3a,fb,3b,ef,84,a6,ee,61,9e,0e,c7,97,e3,b0,b0,b6,91,91,\
b8,fd,46,8a,60,9d,b0,c3,50,41,bc,ff,9b,66,42,d2,a3,da,49,3a,82,a5,f1,29,3d,\
db,0b,b0,6e,30,86,36,8d,9e,fd,91,b2,6b,e6,9f,c2,67,32,95,15,cb,d9,ff,4b,1d,\
c1,3e,cf,5b,35,2a,34,9a,20,6c,35,43,aa,b3,e1,f6,9d,1a,91,b1,25,5f,8d,d2,6a,\
24,f4,3b,9d,a7,1c,5f,5c,13,d5,2a,da,8f,a9,f3,62,2c,0a,bc,6f,61,a3,1f,61,87,\
92,59,07,b0,25,54,1e,17,06,c8,af,37,92,ad,f9,ac,c5,39,83,5e,8e,e7,76,5d,9c,\
ed,60,42,0b,14,d4,53,41,87,e8,2e,1c,02,da,4e,35,aa,59,f3,7c,be,7d,24,6f,fb,\
4b,f3,8a,ed,0f,d1,bc,7c,80,b6,22,97,93,21,19,bb,e2,e8,c2,f3,0d,51,19,b3,56,\
12,99,97,93,2f,20,e6,ca,1b,df,72,2d,55,f9,60,c3,7c,2b,cb,9f,16,bb,31,01,aa,\
cc,86,0f,9b,89,76,26,ec,39,4c,5b,42,7c,fb,77,8a,41,c3,56,ed,15,bc,1e,23,77,\
03,b9,c4,4d,83,9b,50,e3,b1,42,7e,ce,36,e1,65,79,9f,67,dc,6c,dd,41,9b,a4,6c,\
02,2c,56,1d,45,bb,44,ea,e1,61,cb,b6,f6,8d,60,5f,0e,eb,89,60,bd,95,e3,c1,6a,\
90,af,46,60,9b,7b,ef,78,a8,8b,18,0f,e8,f3,1f,57,ef,11,c5,94,90,ab,1f,db,f5,\
c5,17,ec,1c,59,08,0c,68,1d,f1,97,6d,3a,8d,f7,a6,d5,16,45,3d,7e,30,8f,fc,ab,\
c0,87,bf,86,79,fa,14,43,58,89,63,36,f1,f5,5b,fd,75,5c,b3,9c,55,98,ab,12,17,\
1c,fc,37,e3,bd,d7,59,e4,3a,93,a4,3e,06,56,b9,2e,4d,33,c3,68,71,40,60,b5,fb,\
10,77,f8,ac,08,14,59,b2,ca,10,31,7e,08,80,14,df,50,75,a4,8b,71,6d,a4,3f,01,\
0c,bc,4f,d8,5b,3e,a6,43,ac,2c,57,18,f8,ec,d6,17,ee,6a,52,8c,04,e1,5b,62,a3,\
09,97,5d,a9,fc,74,1b,c1,ec,57,8e,d1,7c,3b,b7,2e,87,df,6b,86,92,4d,ae,5e,7f,\
1d,cb,15,f2,52,57,a5,a1,1c,53,13,74,75,d2,12,4c,60,f2,e2,42,f5,57,d5,95,42,\
a7,00,4d,b4,bf,b9,e6,ea,8b,10,2d,e7,8d,fe,8b,4c,d8,f9,41,9c,b6,5a,46,4f,b4,\
61,4a,7e,9e,d6,8c,ad,20,42,8d,93,32,ff,61,94,8e,c7,17,23,15,63,56,07,38,15,\
44,af,9c,1f,7c,ce,01,7e,61,62,a9,73,b5,65,cf,02,72,85,bb,e3,44,e8,0d,e1,a1,\
cf,e5,b2,27,bf,e9,ac,50,56,2c,69,e8,0d,69,89,c7,fd,cc,d1,9b,09,70,f0,b5,bb,\
b8,35,96,0c,56,f9,e3,27,13,7d,97,b7,bc,13,5e,fb,dc,a0,b8,de,72,4b,59,cb,f2,\
49,ac,08,08,e0,39,46,ef,a2,44,43,8b,3f,92,6a,11,cf,b2,5d,92,cd,31,52,ae,b5,\
11
"rkeysecu"=hex:82,a1,c1,d4,70,8e,0e,f2,4d,9b,40,92,0f,b1,2e,7d

[HKEY_LOCAL_MACHINE\software\Sigmatel\GlobalState]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=Administrators
@Denied: (Full) (Guests)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (B 1 2 3 4 5) (S-1-5-4)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1456)
c:\program files\NetMotion Client\nmlogon.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\drivers\dcfssvc.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
.
**************************************************************************
.
Completion time: 2008-12-30 23:35:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-31 05:35:19
ComboFix2.txt 2008-12-31 01:10:44

Pre-Run: 50,034,245,632 bytes free
Post-Run: 50,127,470,592 bytes free

396 --- E O F --- 2008-12-18 06:30:12

Zip file submitted to http://www.bleepingcomputer.com per your instructions.

tetonbob · 12-30-2008, 10:55 PM

Thanks for uploading the file. Things are looking better, how is the machine behaving? Still a bit more work to do...

Copy and paste the following into Notepad (don't forget to copy and paste REGEDIT4):

Quote:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18b4f769-0aeb-4716-a1d2-d88ffa0f779e}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"namamuvuwa"=-

Save the file as "delete.reg". Make sure to save it with the quotes. It should look like this:

Close Notepad.

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

---------------------------------------------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 11. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Select the Windows platform from the dropdown menu.
Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
- On the General tab, under Temporary Internet Files, click the Settings button.
- Next, click on the Delete Files button
- There are two options in the window to clear the cache - Leave BOTH Checked
  - Applications and Applets
    Trace and Log Files
- Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Temporary Files Window
- Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Please perform this online scan to help look for remnants

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
Once the update is complete, click on Settings. Uncheck Mail databases.
Next, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click View scan report at the bottom.
Click the Save Report As... button.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------

aberrant.minds · 01-02-2009, 04:02 PM

The system seems to be running fine now, no pop-ups or browers hijacks. Here is the log you requested:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, January 2, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, January 02, 2009 18:11:20
Records in database: 1549397
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 94652
Threat name: 15
Infected objects: 21
Suspicious objects: 0
Duration of the scan: 01:37:56

File name / Threat name / Threats count
C:\Documents and Settings\Mine\My Documents\Incomplete\Preview-T-5745425-Chubby Checker - Limbo rock.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\Mine\My Documents\Incomplete\Preview-T-5745425-weightless ellis paul.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\Mine\My Documents\Incomplete\T-5745425-Chubby Checker - Limbo rock.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\10.tmp Infected: Trojan.Win32.BHO.ilw 1
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\10C.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.fjh 1
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\10D.tmp Infected: Trojan.Win32.Monderb.aaiq 1
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\14.tmp Infected: Trojan-Downloader.Win32.Agent.aiyu 1
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\15.tmp Infected: Trojan-Downloader.Win32.Agent.aiyu 1
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\1B.tmp Infected: Trojan-Downloader.Win32.Agent.aogd 1
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\1C.tmp Infected: Trojan-Downloader.Win32.Agent.aogd 1
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\2.tmp Infected: Trojan.Win32.Agent.axoc 1
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\5.tmp Infected: not-a-virus:FraudTool.Win32.VirusRemover.k 1
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\6.tmp Infected: Backdoor.Win32.Agent.xbz 1
C:\Qoobox\Quarantine\C\Documents and Settings\Mine\Application Data\Twain\Twain.exe.vir Infected: Trojan.Win32.Agent.aycx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\iafoor.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fpf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\iyftkcht.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fpf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\prunnet.exe.vir Infected: Trojan-Clicker.Win32.VB.cqq 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\qkjbufhq.dll.vir Infected: Trojan.Win32.Monder.agdp 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\rjmgcd.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fjh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\rqRJAQhE.dll.vir Infected: Trojan.Win32.Monder.agan 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\yovimuti.dll.vir Infected: Trojan.Win32.Monder.gen 1

The selected area was scanned.

tetonbob · 01-02-2009, 07:31 PM

Open NOTEPAD.exe and copy/paste the text in the codebox below into it:

Code:

@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (

"C:\Documents and Settings\Mine\My Documents\Incomplete\Preview-T-5745425-Chubby Checker - Limbo rock.mp3"
"C:\Documents and Settings\Mine\My Documents\Incomplete\Preview-T-5745425-weightless ellis paul.mp3"
"C:\Documents and Settings\Mine\My Documents\Incomplete\T-5745425-Chubby Checker - Limbo rock.mp3"

) do (
del /a/f %%g >nul 2>&1
if exist %%g echo.%%g>>"%temp%\log.txt"
)

if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
del %0

Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:

Double click on fix.bat & allow it to run

Post back to tell me what it says

aberrant.minds · 01-03-2009, 09:54 PM

Ran th fix.bat file and received a message similar to

Files deleted
Press any key to continue

tetonbob · 01-03-2009, 09:59 PM

That's what we want.

Several items found by Kaspersky are in TrendMicro's quarantine. You should be able to remove them finally from within the user interface, something similar to this:

1. Open the management console.
2. Go to Administration > Quarantine Manager and click Delete All Quarantined Files.

Or, simply delete the contents of this folder:

C:\Program Files\Trend Micro\Internet Security 14\Quarantine

The other items Kaspersky found are in ComboFix quarantine, and will be addressed by uninstalling ComboFix as instructed below

Other than that....

Your logs appear clean.You should be good to go. We still have a few items to address.

Go to

-> Run -> copy/paste in the following single line command & click OK

combofix /u

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

Microsoft Windows Update - http://www.windowsupdate.com
Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
SpywareBlaster to help prevent spyware from installing in the first place.
- Install & update SpywareBlaster with the latest definitions.
  After you have updated, click the button - enable protection for all unprotected items
McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.
Winpatrol

Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

You can get a free copy of Winpatrol or use the Plus version for more features.

You can read Winpatrol's FAQ if you run into problems.
MVPS HOST FILE
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
- Download Host.zip to your desktop.
- From your Desktop right-click (hosts.zip) and select:
  Extract All from the menu.
- Click Next, click Next, select the option:
  "Show Extracted files", click Finish
- This will open the newly created hosts folder on your Desktop.
- Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
- Once updated you should see another prompt that the task was completed.
ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

Do not install more than one AntiVirus program because they will conflict with each other.
Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer
http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.

ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

tetonbob · 01-12-2009, 07:24 PM

Since this issue appears to be resolved, this topic will now be archived. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

12-29-2008, 05:36 PM	#2 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,697 OS: 2000 Pro; XP Pro; XP Home	Re: Possible Trojan, Browser Redirects, & Popups Let's try this tool instead. Download RSIT by random/random and save it to your desktop. Double click RSIT.exe to start the tool and click Continue at the disclaimer. When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of log.txt here. Please attach info.txt to your post. To attach a file to a new post, simply Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and copy and paste the following into the "Upload File from your Computer" box: C:\rsit\info.txt Click Upload. --------------------------------------------------------------------------------------------- __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

12-30-2008, 04:05 PM	#4 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,697 OS: 2000 Pro; XP Pro; XP Home	Re: Possible Trojan, Browser Redirects, & Popups Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. --------------------------------------------------------------------------------------------- Please visit this webpage for download links, and instructions for running combofix: http://www.bleepingcomputer.com/comb...o-use-combofix * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Please include the C:\ComboFix.txt in your next reply for further review. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

12-30-2008, 06:37 PM	#6 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,697 OS: 2000 Pro; XP Pro; XP Home	Re: Possible Trojan, Browser Redirects, & Popups Good job... I need a bit more information before we continue. Please go to: VirusTotal On the page you'll find a "Browse" button. Next to the browse button you'll see a box to enter text. Please copy/paste the following into the File Name section of the File Upload window which opens: c:\windows\system32\habodotu.exe Then click the "Send File " button just below. This will scan the file. Please be patient. If you get a message saying File has already been analyzed: click Reanalyze file now Once scanned, copy and paste the results in your next reply. Please repeat for the following files: c:\windows\system32\rqRKDWnL.dll c:\windows\system32\lebenesa.dll __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

12-30-2008, 08:20 PM	#7 (permalink)
aberrant.minds Registered User Join Date: Nov 2006 Posts: 10 OS: XP	Re: Possible Trojan, Browser Redirects, & Popups File habodotu.exe received on 12.31.2008 04:08:12 (CET) Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED Result: 0/38 (0%) File rqRKDWnL.dll received on 12.31.2008 04:13:28 (CET) Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED Result: 9/39 (23.08%) a-squared 4.0.0.73 2008.12.31 - AhnLab-V3 2008.12.31.0 2008.12.30 - AntiVir 7.9.0.45 2008.12.30 - Authentium 5.1.0.4 2008.12.30 - Avast 4.8.1281.0 2008.12.30 - AVG 8.0.0.199 2008.12.30 Small.AWC BitDefender 7.2 2008.12.31 - CAT-QuickHeal 10.00 2008.12.30 - ClamAV 0.94.1 2008.12.30 - Comodo 851 2008.12.31 - DrWeb 4.44.0.09170 2008.12.31 - eSafe 7.0.17.0 2008.12.30 Suspicious File eTrust-Vet 31.6.6284 2008.12.31 Win32/SillyDl.GIQ Ewido 4.0 2008.12.30 - F-Prot 4.4.4.56 2008.12.30 - F-Secure 8.0.14470.0 2008.12.31 - Fortinet 3.117.0.0 2008.12.31 - GData 19 2008.12.31 - Ikarus T3.1.1.45.0 2008.12.31 - K7AntiVirus 7.10.571 2008.12.30 Trojan.Win32.Malware.1 Kaspersky 7.0.0.125 2008.12.31 - McAfee 5479 2008.12.30 Downloader-BMH McAfee+Artemis 5479 2008.12.30 Generic!Artemis Microsoft 1.4205 2008.12.31 - NOD32 3724 2008.12.30 - Norman 5.80.02 2008.12.30 - Panda 9.0.0.4 2008.12.30 - PCTools 4.4.2.0 2008.12.30 - Prevx1 V2 2008.12.31 Fraudulent Security Program Rising 21.10.12.00 2008.12.30 - SecureWeb-Gateway 6.7.6 2008.12.30 - Sophos 4.37.0 2008.12.31 Troj/Dloadr-BYA Sunbelt 3.2.1809.2 2008.12.22 - Symantec 10 2008.12.31 - TheHacker 6.3.1.4.202 2008.12.30 - TrendMicro 8.700.0.1004 2008.12.31 PAK_Generic.001 VBA32 3.12.8.10 2008.12.30 - ViRobot 2008.12.30.1540 2008.12.30 - VirusBuster 4.5.11.0 2008.12.30 - Additional information File size: 45056 bytes MD5...: cf222627744cec0cd3d5108d21060878 SHA1..: 8b95a0c7e91559d9e2f6cac68eeb039fe48e9773 SHA256: e4524273bdcc92d2068425ae58277abccb05c5838f404fac700793d1599c8726 SHA512: 7f7912e127583da2163b1fe24aaab3acf5d49ce4ca0b27532b6b2999d64ec48d f916f0c84424be0d5c57518d3bf4212ef40768ff791a383d79fc00acf843e8ce ssdeep: 768:yvrszB9Qy2EJP8mt2c41GV50K6jTOPN/p+2zuYGd3cLoVnKeNwrXr:yv46yL JP8k2/1GVKS+2yYGVptNwr PEiD..: - TrID..: File type identification UPX compressed Win32 Executable (39.5%) Win32 EXE Yoda's Crypter (34.3%) Win32 Executable Generic (11.0%) Win32 Dynamic Link Library (generic) (9.8%) Generic Win/DOS Executable (2.5%) PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x1001c500 timedatestamp.....: 0x494f8204 (Mon Dec 22 12:03:16 2008) machinetype.......: 0x14c (I386) ( 3 sections ) name viradd virsiz rawdsiz ntrpy md5 UPX0 0x1000 0x11000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e UPX1 0x12000 0xb000 0xa800 7.89 e44d1bae505d72136b7346dd24417004 UPX2 0x1d000 0x1000 0x400 3.25 2671e36db397c2c4f5351832aaced86b ( 8 imports ) > KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree > ADVAPI32.dll: RegEnumKeyA > ole32.dll: CoInitialize > OLEAUT32.dll: - > SHELL32.dll: SHGetFolderPathW > SHLWAPI.dll: StrChrA > USER32.dll: IsCharAlphaNumericA > WININET.dll: InternetOpenW ( 5 exports ) CheckSave, CheckStack, OpenSave, ShellPath, s packers (Kaspersky): PE_Patch.UPX, UPX packers (F-Prot): UPX CWSandbox info: <a href='http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=cf222627744cec0cd3d5108d21060878' target='_blank'>http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=cf222627744cec0cd3d5108d21060878</a> Prevx info: <a href='http://info.prevx.com/aboutprogramtext.asp?PX5=D5E6862E00ED3C2BB04500876E676200DDFB62DD' target='_blank'>http://info.prevx.com/aboutprogramtext.asp?PX5=D5E6862E00ED3C2BB04500876E676200DDFB62DD</a> File lebenesa.dll received on 12.31.2008 04:17:39 (CET) Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED Result: 4/39 (10.26%) Antivirus Version Last Update Result a-squared 4.0.0.73 2008.12.31 - AhnLab-V3 2008.12.31.0 2008.12.30 - AntiVir 7.9.0.45 2008.12.30 - Authentium 5.1.0.4 2008.12.30 - Avast 4.8.1281.0 2008.12.30 - AVG 8.0.0.199 2008.12.30 - BitDefender 7.2 2008.12.31 - CAT-QuickHeal 10.00 2008.12.30 - ClamAV 0.94.1 2008.12.30 - Comodo 851 2008.12.31 - DrWeb 4.44.0.09170 2008.12.31 - eSafe 7.0.17.0 2008.12.30 Suspicious File eTrust-Vet 31.6.6284 2008.12.31 Win32/Vundo.BNP Ewido 4.0 2008.12.30 - F-Prot 4.4.4.56 2008.12.30 - F-Secure 8.0.14470.0 2008.12.31 - Fortinet 3.117.0.0 2008.12.31 - GData 19 2008.12.31 - Ikarus T3.1.1.45.0 2008.12.31 - K7AntiVirus 7.10.571 2008.12.30 - Kaspersky 7.0.0.125 2008.12.31 - McAfee 5479 2008.12.30 - McAfee+Artemis 5479 2008.12.30 - Microsoft 1.4205 2008.12.31 - NOD32 3724 2008.12.30 - Norman 5.80.02 2008.12.30 - Panda 9.0.0.4 2008.12.30 - PCTools 4.4.2.0 2008.12.30 - Prevx1 V2 2008.12.31 - Rising 21.10.12.00 2008.12.30 - SecureWeb-Gateway 6.7.6 2008.12.30 - Sophos 4.37.0 2008.12.31 Troj/Virtum-Gen Sunbelt 3.2.1809.2 2008.12.22 Virtumonde Symantec 10 2008.12.31 - TheHacker 6.3.1.4.202 2008.12.30 - TrendMicro 8.700.0.1004 2008.12.31 - VBA32 3.12.8.10 2008.12.30 - ViRobot 2008.12.30.1540 2008.12.30 - VirusBuster 4.5.11.0 2008.12.30 - Additional information File size: 61648 bytes MD5...: 2790c8fd29b7617e40a16c1ec7be95af SHA1..: 73fcf33f841d0ee9d5693cbedd567c2956003266 SHA256: 60e75c988bca7aa21a44453233b9a4fe1197882d475d095cc4b20d74d1019881 SHA512: 63f7a01be9ce275f2918cc4f075c6ab0ed3c9bc8046e6aafe80e3f83354924a5 4f79ba8da7ccd05454e0d11de56944a2af81b5c8d5155f457392c5e75e4d35e8 ssdeep: 1536:Xo36nDpZ7NlgV7g5AZVxNu7mns3d+Rs1QgRMjXf6E:hpBgV7geVTdjP6E PEiD..: - TrID..: File type identification Win32 Executable Generic (68.0%) Generic Win/DOS Executable (15.9%) DOS Executable Generic (15.9%) Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%) PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x100011c0 timedatestamp.....: 0x3ef274dc (Fri Jun 20 02:43:40 2003) machinetype.......: 0x14c (I386) ( 5 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0x4b34 0x4c00 7.90 1ed4f7aaa3c264b1451248ceaca09e0d .data 0x6000 0x3eac 0x4000 7.80 70d5765d1f05c5431258e1156988dd5d .dataa 0xa000 0x59c3 0x5400 7.98 cd3f572fd3169453dcb8d8b3219ccdc5 .rsrc 0x10000 0x410 0x600 2.45 001665e792a6280dc01198bf9190ed4d .reloc 0x11000 0xc55e 0x600 0.51 9a8300813ab56f4f0ca0d6d13c67100c ( 4 imports ) > user32.dll: RegisterClassW, OffsetRect, MessageBoxW, MessageBoxIndirectW, MessageBeep, FillRect, EmptyClipboard, DispatchMessageW > KERNEL32.dll: GetTickCount, RaiseException, GetOEMCP, ExitProcess, WideCharToMultiByte, lstrcatW, SetStdHandle > advapi32.dll: RegSetValueExW, RegOpenKeyExW > comdlg32.dll: GetOpenFileNameW, GetFileTitleW ( 0 exports )

12-30-2008, 10:42 PM	#9 (permalink)
aberrant.minds Registered User Join Date: Nov 2006 Posts: 10 OS: XP	Re: Possible Trojan, Browser Redirects, & Popups Here is the log you requested; ComboFix 08-12-30.01 - Mine 2008-12-30 23:25:48.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.894.487 [GMT -6:00] Running from: c:\documents and settings\Mine\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Mine\Desktop\CFScript.txt AV: PC-cillin Internet Security - Virus Protection On-access scanning disabled (Updated) FW: PC-cillin Internet Security - Firewall disabled * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Mine\Application Data\Twain C:\VundoFix Backups c:\windows\system32\habodotu.exe c:\windows\system32\lebenesa.dll c:\windows\system32\rqRKDWnL.dll c:\windows\Tasks\bjfnnaqx.job . ((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-31 ))))))))))))))))))))))))))))))) . 2008-12-27 21:55 . 2008-12-27 21:55 <DIR> d-------- C:\rsit 2008-12-26 22:13 . 2008-12-27 21:00 250 --a------ c:\windows\gmer.ini . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-12-31 03:05 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater 2008-12-30 21:01 --------- d-----w c:\program files\Trend Micro 2008-12-30 02:30 --------- d-----w c:\program files\EA GAMES 2008-12-28 02:59 --------- d-----w c:\program files\LimeWire 2008-03-12 20:22 61,224 ----a-w c:\documents and settings\Mine\GoToAssistDownloadHelper.exe 2007-12-29 19:23 92,064 ----a-w c:\documents and settings\Mine\mqdmmdm.sys 2007-12-29 19:23 9,232 ----a-w c:\documents and settings\Mine\mqdmmdfl.sys 2007-12-29 19:23 79,328 ----a-w c:\documents and settings\Mine\mqdmserd.sys 2007-12-29 19:23 66,656 ----a-w c:\documents and settings\Mine\mqdmbus.sys 2007-12-29 19:23 6,208 ----a-w c:\documents and settings\Mine\mqdmcmnt.sys 2007-12-29 19:23 5,936 ----a-w c:\documents and settings\Mine\mqdmwhnt.sys 2007-12-29 19:23 4,048 ----a-w c:\documents and settings\Mine\mqdmcr.sys 2007-12-29 19:23 25,600 ----a-w c:\documents and settings\Mine\usbsermptxp.sys 2007-12-29 19:23 22,768 ----a-w c:\documents and settings\Mine\usbsermpt.sys 2007-12-25 02:41 0 ----a-w c:\documents and settings\Mine\Application Data\wklnhst.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18b4f769-0aeb-4716-a1d2-d88ffa0f779e}] c:\windows\system32\jevetedo.dll [BU] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-18 68856] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208] "EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784] "EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-06-13 2752512] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-09-22 761947] "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584] "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920] "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184] "RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920] "pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960] "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-07 29744] "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384] "nomtray"="c:\program files\NetMotion Client\nomtray.exe" [2007-08-01 287376] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792] "LXSUPMON"="c:\windows\system32\LXSUPMON.EXE" [2002-03-08 900096] "T-Mobile Connection Manager"="c:\program files\T-Mobile\Connection Manager\TMobileCM.exe" [2007-07-23 18968] "namamuvuwa"="c:\windows\system32\denekilo.dll" [BU] "SigmatelSysTrayApp"="stsystra.exe" [2006-09-22 c:\windows\stsystra.exe] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-13 110592] Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-11 24576] [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\security center] "UpdatesDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\ComboFix\\nircmd.com"= "c:\\WINDOWS\\system32\\cscript.exe"= R1 fsclm;FIPS Driver;\??\c:\program files\NetMotion Client\fsclm.sys [2007-08-01 97760] R1 NMDRV;NetMotion Client Driver;\??\c:\program files\NetMotion Client\nmdrv.sys [2007-08-01 629904] R1 NMRoam;NetMotion Roaming Detection Daemon;c:\windows\system32\DRIVERS\nmroam.sys [2007-08-01 22160] R1 NMutilnt;NetMotion Utility Driver;\??\c:\windows\system32\drivers\nmutilnt.sys [2007-08-01 19600] R2 MESSERV;NetMotion Client;c:\program files\NetMotion Client\messerv.exe [2007-08-01 823952] R2 RDIConverterPrintHelper;RDI Document Conversion Helper;"c:\program files\Common Files\ICWM\Printer\RDIConverterService.exe" [2008-10-01 64888] R2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2007-11-09 36368] R3 nmvnic;NMVNIC Network Adapter;c:\windows\system32\DRIVERS\nmvnic.sys [2007-08-01 44688] R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2007-11-09 280392] S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2007-11-09 345696] S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2007-11-09 923216] S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2007-11-09 566872] S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-12-11 29744] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d014bb32-af13-11dc-8254-001d09b582b4}] \Shell\AutoRun\command - E:\Launch.exe . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://www.google.com/ie mDefault_Search_URL = hxxp://www.google.com/ie mStart Page = hxxp://www.dell.com uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0071211 uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s mSearchAssistant = hxxp://www.google.com/ie IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 c:\windows\Downloaded Program Files\ICWMInstall.dll - O16 -: {2202D225-22C1-4B8C-A4B8-6A7E7B7E1524} hxxps://unicel.on.intercall.com/confmgr/installs/ICWMInstall.cab c:\windows\Downloaded Program Files\ICWMInstall.inf . ************************************************************************ catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-30 23:30:10 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-323037319-3703954567-865254948-1006\Software\SecuROM\License information] @Security="Inherited" "datasecu"=hex:92,77,e0,e4,08,e0,b2,10,90,fa,03,57,25,c7,35,c4,ee,96,83,ff,dd,\ db,ae,d9,c9,90,36,d0,07,00,8e,12,49,2a,3f,cc,8f,39,26,dd,06,15,c4,7a,ff,9a,\ c0,18,e5,5b,18,66,b1,e4,cb,b0,17,52,84,e9,43,3a,f9,e6,dc,33,c1,0c,83,60,e6,\ 00,12,5e,7f,ea,86,25,8f,32,9d,75,5a,c2,1a,86,11,35,ae,0b,25,80,f4,b0,8e,39,\ 82,6e,90,b8,51,a8,d7,ca,3d,34,91,6a,57,48,72,eb,d8,57,49,67,0c,82,4b,35,18,\ d3,48,b3,13,12,8c,e8,2d,fa,f2,44,cc,22,1d,6b,2f,8d,0e,05,dc,b0,14,12,35,fe,\ df,01,a4,49,3c,dd,82,3b,bd,f1,e4,71,16,41,ab,4b,bb,87,2a,38,82,d5,2a,6e,8e,\ d8,25,0b,04,c4,ea,45,39,d4,83,f5,f0,7a,fa,bf,b6,49,1f,b1,b0,4f,f3,47,04,84,\ 06,a6,10,cf,ee,ed,86,8b,9c,26,06,95,79,f5,a5,56,df,7d,21,ad,e9,cf,e4,e7,be,\ 15,38,46,cb,87,08,81,08,71,94,76,f2,bf,98,cf,5e,22,41,32,a3,06,d6,94,80,e5,\ 6d,46,be,ad,40,25,0d,4d,c1,71,83,60,fe,61,c5,35,59,42,00,a5,b6,78,a0,91,16,\ 15,f6,1e,39,fa,91,bf,97,0a,d9,34,3e,09,e2,c1,1f,6b,c9,ca,8d,29,19,a1,f2,3a,\ 98,e2,ae,45,4e,69,47,ab,41,46,92,46,41,f8,92,58,58,4f,3f,3f,3e,e7,df,ea,94,\ 36,08,70,50,64,4a,2c,da,28,c1,ad,5b,5a,c5,75,26,b5,20,26,f3,ec,99,07,85,4a,\ 7a,c8,c3,b7,64,94,73,45,5c,63,14,fc,56,2c,08,e3,f0,15,9c,8b,e9,a1,e8,e7,00,\ 33,c2,a5,59,85,b4,82,ba,41,8d,78,b8,32,ec,cf,27,ee,a2,6c,23,95,16,53,1f,f2,\ 56,d5,18,c4,60,e2,2e,88,e0,6d,78,0d,07,b1,68,35,93,75,d2,95,7a,10,04,bf,d0,\ b2,b3,f9,19,9b,31,8d,b8,cb,29,22,1d,c7,c7,43,86,96,6b,70,3d,64,f4,c5,c7,0a,\ 5d,2d,b5,8d,f1,bc,d6,6c,b4,91,5d,c7,8d,2e,09,ff,10,fa,08,e1,ff,d8,63,6d,76,\ 02,62,18,0f,b9,b4,c4,9e,43,37,5b,85,1e,28,ca,e8,0f,ab,6f,07,7a,ab,67,5d,06,\ 6f,5a,4d,83,ee,28,af,18,4f,4d,48,7e,08,e5,74,33,42,72,31,64,bc,65,7a,c9,cb,\ 97,9e,42,01,98,88,2a,02,79,60,a6,1e,96,77,85,04,83,b5,65,d9,16,9b,77,60,11,\ 7e,e3,0c,54,bc,aa,62,44,51,c3,28,5e,5a,7b,67,9a,50,ef,2a,6a,75,e9,3f,d7,66,\ e6,f0,13,59,3f,8c,ef,61,55,a4,a0,75,55,16,3a,20,14,3e,a9,ad,07,14,57,59,97,\ 01,36,43,19,cc,69,ba,ee,fd,6c,26,31,e6,53,54,e0,6a,6c,4e,0e,82,e4,eb,7c,88,\ dd,13,0f,ba,45,5a,7f,5e,13,e3,da,83,b0,2a,db,4b,1d,56,65,0c,73,11,45,29,e9,\ b3,d4,22,d6,91,b7,6e,f8,a3,32,af,da,97,b1,41,5e,89,db,9e,c0,a4,29,ce,c4,6c,\ 59,55,3c,86,31,2d,d6,91,97,3c,f9,7a,3e,3e,10,88,4a,27,44,e1,cb,d3,73,e2,a0,\ 1f,59,6d,5e,f2,3e,b1,35,b4,a1,0f,54,7c,1c,80,17,db,77,62,10,06,c5,1f,f2,ce,\ df,5f,42,a0,5c,0b,89,fb,4d,4a,c5,c7,af,5b,1f,de,ef,12,8b,ba,c0,bb,ea,40,49,\ 3a,89,c2,3f,7d,a3,63,5e,b8,8e,f6,e9,63,56,9e,4e,6a,e0,bb,08,b7,8f,73,b3,1e,\ 87,d9,88,22,83,0f,24,fb,e5,c2,be,81,9b,43,c8,46,89,8f,cd,9c,38,bc,73,51,21,\ 5f,70,69,1c,9c,dd,00,3e,2c,d9,e1,e8,2a,1d,c9,db,bd,43,61,27,b5,b5,cd,7a,33,\ 4d,74,ce,e3,a6,a5,ca,1d,30,46,46,cf,c5,20,ce,04,f7,95,50,bc,07,35,42,52,99,\ 6b,c0,77,71,02,00,e6,3f,39,c4,f4,3a,3f,26,e4,9b,e0,7d,10,3c,cf,dc,e1,ca,a3,\ 04,83,7d,f1,7e,bb,c2,a4,9d,1c,d7,81,9c,0b,73,55,a1,62,5c,06,ab,c9,68,79,7f,\ 69,41,2d,9b,57,1f,7c,2b,57,06,b8,83,67,7f,78,67,a2,38,74,fd,c3,f1,04,22,49,\ 10,c8,e7,7e,82,c2,5c,23,2e,b9,48,74,c3,50,9c,11,8d,c9,7a,9e,61,7c,e4,24,13,\ e7,c0,84,4b,a0,cd,fa,a7,b4,ca,e4,55,df,c9,0a,53,ee,0c,e4,68,a4,d3,db,ea,c3,\ 8b,60,73,02,04,31,04,ef,00,aa,27,42,e0,32,33,29,7e,fd,9a,bf,9c,63,3d,99,ed,\ b1,2a,d4,1c,22,d3,b7,dd,75,fd,79,4f,39,a4,98,2c,e9,75,88,74,f0,e0,d0,60,ec,\ fb,ee,c5,de,88,e0,3b,0f,14,39,40,aa,de,12,fb,87,2c,5c,e5,d6,d6,cd,2c,68,b8,\ 5e,95,55,2e,a9,28,f5,8e,2d,44,c6,75,3f,7c,a4,28,7f,42,3e,0a,45,13,25,1b,c2,\ af,48,8b,7d,62,24,1c,3b,89,a3,6b,98,03,ac,19,3d,34,97,ae,e8,64,f2,6f,be,ac,\ 65,74,1b,87,3f,9c,e3,8c,0b,1f,c8,13,d1,cb,4e,51,70,ae,0b,f1,04,04,51,76,c3,\ 81,1e,30,74,2a,bd,39,10,86,38,78,97,ba,21,02,27,95,cf,fa,51,47,82,71,4f,6f,\ 09,5c,e8,94,a3,98,17,fd,a2,7e,92,f0,0a,34,18,06,6c,7d,42,d3,a6,08,83,04,b7,\ 51,e7,92,a3,d9,35,e5,ef,c4,1b,46,ff,94,bd,b2,f2,65,db,46,db,ee,e3,04,04,4d,\ a8,f8,30,b5,64,a2,99,14,5d,c2,a8,0f,30,db,8c,90,90,c2,72,3d,c9,7f,eb,75,7d,\ 5d,2a,89,e8,12,1f,6b,0b,ed,59,cc,fc,77,c8,0c,c5,fa,fa,2d,a3,c9,59,56,59,7e,\ 74,10,33,2f,1d,13,9f,3f,a8,eb,5c,b6,1c,f2,a3,ee,ec,ff,47,24,e5,91,69,a1,06,\ 90,98,69,31,bf,84,67,11,de,9a,40,53,52,67,7d,76,0e,de,ae,70,43,33,78,70,2c,\ c5,09,41,0c,b0,ac,97,ab,83,bb,5e,79,ed,c6,e2,b8,88,22,90,b7,1b,7b,3f,b6,00,\ 57,25,fc,7b,4c,a7,85,e7,0f,a0,9b,af,74,ed,4c,4c,4d,8d,75,2b,01,e2,5f,40,9d,\ 12,f7,55,bb,eb,8c,15,5b,00,82,96,fa,42,4f,ff,0f,87,a6,8a,22,31,2b,6f,90,87,\ d8,b3,b2,9e,f5,72,c1,d4,7d,49,57,dc,96,47,97,92,8b,2b,dc,36,6f,34,dc,c0,e7,\ 9c,f4,fb,73,51,44,bc,58,86,38,bb,6e,2c,5e,39,c4,cf,50,79,91,f0,e2,71,69,dc,\ ce,1d,14,dc,5a,33,8e,48,74,8e,69,90,ef,1f,fe,fa,ec,8e,03,1a,39,66,1c,89,1c,\ 81,a8,01,52,f6,c6,a5,ac,80,ab,5a,83,aa,f7,79,37,54,86,7c,eb,15,b3,48,da,2c,\ 0b,56,c5,1b,4b,a8,a9,cb,c0,16,91,b1,f2,8f,df,e6,da,4c,38,23,83,c6,ac,c8,d5,\ ac,2f,88,d4,05,e1,b4,30,dd,3b,a5,dd,5e,9b,63,ae,6e,ee,bf,53,57,7b,5a,97,5e,\ 05,4d,89,07,69,ad,7e,75,94,c7,07,f4,55,7e,83,67,a2,a6,63,d9,6b,6b,01,5b,cf,\ 9e,4e,0c,02,c8,d6,8d,ed,3a,ef,68,73,df,c9,b0,58,15,4e,c0,c2,de,57,b7,c1,70,\ 2b,9c,0d,c2,96,9a,d7,03,94,f4,a8,4f,2c,5b,4b,ae,d3,c3,b7,9c,e0,b2,d8,36,a9,\ 9d,75,aa,fe,bb,e2,aa,63,57,93,2e,2a,69,b0,0a,c5,a2,ac,6c,70,39,a5,0f,d7,99,\ 41,d6,48,68,79,d0,81,f4,95,ac,fa,4e,0d,27,64,81,26,9f,8b,5d,7e,29,33,a0,30,\ e1,1d,de,46,e2,34,ef,52,ac,a4,52,70,30,89,c7,85,b6,9e,9a,42,d0,6f,af,f3,40,\ 91,41,a1,2b,84,f6,ab,c4,0f,e6,43,ae,f1,13,19,08,52,2c,ea,d0,f5,54,d3,12,61,\ fa,0e,f6,f5,ad,d8,ca,b3,8e,1e,b1,3d,f5,ce,e5,a4,53,fe,35,36,86,e5,bb,75,79,\ d2,f7,6e,30,50,86,5b,cb,da,d9,ce,6d,0d,dc,7a,1e,71,43,e9,cf,3b,3a,f4,50,82,\ 02,84,d8,83,09,20,91,60,e6,af,e2,98,ab,15,81,24,19,6d,4f,6e,4e,1d,e9,de,67,\ cb,49,35,99,f7,bf,62,d7,4c,f5,74,e7,33,2e,a7,03,4e,7e,3b,9f,99,63,db,af,48,\ 68,4b,2d,8a,a4,da,2f,9d,40,14,b4,13,87,2c,43,66,03,58,3d,ae,20,1c,65,cd,e9,\ 91,eb,90,69,bc,f1,fe,b9,ad,15,da,c9,b0,82,7b,9f,1e,f7,de,bc,1c,aa,7a,d8,41,\ 2e,b1,40,3b,1f,c8,35,7b,22,ed,f7,c9,21,54,95,b6,46,6c,54,66,6f,9b,fb,fe,02,\ 8b,e6,6f,a4,95,7d,3c,e4,58,eb,e2,07,0d,ed,af,ed,2b,98,29,fa,a7,68,9b,da,15,\ 59,7f,b6,17,85,c1,f8,d2,bd,0c,29,83,82,35,36,14,c5,69,c0,5f,0b,cf,f4,38,db,\ 5b,7f,d8,77,97,91,3e,92,d5,db,bc,21,93,4e,29,0e,8a,87,d2,be,5a,14,75,e4,68,\ 7a,a4,93,c0,ed,56,18,dd,ef,8e,85,97,2d,ab,d2,0b,be,88,31,34,87,c2,3c,61,45,\ 41,e5,3b,35,47,0a,dc,f2,45,09,e5,a6,da,e4,3f,91,9a,9d,ca,85,6b,a4,18,09,61,\ 37,93,c9,ac,30,47,f5,5b,02,ac,a3,09,c3,95,51,6a,60,be,87,6f,94,99,ec,01,6f,\ 03,8a,ac,95,b2,54,fd,e0,a9,6c,6e,1e,07,f6,c1,f1,7d,5a,9c,54,60,c7,de,12,01,\ df,9f,97,93,ca,c3,ba,5f,fd,26,cf,0d,18,52,36,cc,f8,bd,97,93,26,a0,94,90,4d,\ 75,58,6d,6c,e1,76,4f,57,c9,2b,56,c7,76,7e,3c,90,5d,6c,8c,a3,c5,23,de,2c,4e,\ 65,d9,5c,08,44,5d,3c,c8,41,4e,dd,f2,3f,f5,3a,56,f1,39,5f,59,b7,d3,92,09,4d,\ 55,24,71,d0,1b,a7,de,ad,2f,51,76,67,1e,fe,0f,20,25,2d,10,2a,7b,6f,ba,8f,ff,\ 65,01,3b,26,05,81,07,4c,52,9c,3b,93,a9,6c,c8,b1,9e,d3,a5,36,7c,a3,cd,77,5f,\ 4a,26,18,13,9c,ab,62,b8,78,5c,59,16,a2,20,04,d0,63,a0,99,22,28,be,ca,06,61,\ 38,c3,57,1d,5e,a0,ec,a4,cf,59,34,0e,58,cb,47,ee,b5,77,32,5d,d4,0b,37,90,f0,\ 15,34,43,7f,63,44,6d,19,91,ba,cb,97,65,af,2c,be,26,84,01,f4,19,89,05,85,0c,\ 1a,03,a5,01,b1,16,67,8c,57,a1,2b,f9,fa,13,9c,46,42,a5,be,26,e4,9a,f1,40,79,\ 4c,98,5f,e0,53,88,08,2c,98,06,7d,a4,f9,c7,ad,5b,0a,fa,18,35,25,8b,21,ee,31,\ ed,eb,fd,2a,02,c5,48,01,eb,89,53,44,8a,83,92,66,cc,15,45,aa,71,ee,bd,1b,6f,\ a4,d5,19,50,14,4e,99,8e,b5,a9,1e,d3,f7,77,6a,f6,31,5c,b8,60,7a,e2,45,e5,ad,\ fd,45,28,9e,bd,ca,17,58,1e,64,e6,d9,13,f0,91,db,82,7b,f5,65,56,14,4a,13,c4,\ 47,ac,61,d0,7a,d9,94,ed,f9,40,08,b8,5a,b8,3c,e2,61,85,08,47,7d,28,ac,47,2e,\ cd,65,45,11,55,4c,96,42,f1,d2,91,45,a8,3e,85,d2,9d,bc,8f,5f,c5,67,a4,09,76,\ 63,5b,59,ac,96,fd,8b,cc,fa,3a,dd,1b,94,56,59,a4,0f,21,de,09,77,94,44,77,3b,\ f1,b4,4d,9c,ff,0f,85,da,fc,d2,c4,9d,aa,14,a7,f5,e5,0b,2e,19,8d,da,fc,02,ac,\ 4c,10,ab,c4,6d,7f,e3,23,b4,98,ff,ef,b1,76,e8,5a,de,d2,a6,7c,8e,d9,6a,13,cf,\ f1,ab,b6,43,5e,6b,84,27,a4,62,ae,42,a4,48,3c,f8,09,76,f7,ae,e2,db,5f,8f,fa,\ d7,f3,5f,1d,81,6c,dd,5d,f5,1e,3c,83,e5,f6,63,41,78,eb,b0,22,d9,69,a4,dd,1d,\ 53,e6,e6,b4,48,ef,e3,f7,0d,d8,5f,5c,a4,3c,dc,d3,4b,b7,a7,7c,cb,f1,99,45,d3,\ 61,01,8d,1a,2b,95,f4,4e,24,81,8f,e0,fd,e3,a2,3a,7e,29,17,62,57,1d,d3,7b,43,\ 11,73,34,b1,e5,79,1e,7c,02,25,cc,61,00,a1,8f,60,1d,86,38,00,93,d1,3e,dc,72,\ 42,03,c7,d2,58,25,eb,f4,77,aa,06,00,8f,a1,d5,cd,86,eb,4c,c5,27,0f,cb,a4,0b,\ 5f,ec,39,08,1b,b7,71,5d,92,51,63,b0,62,ff,df,f3,4f,ba,81,9c,d5,fd,40,ce,70,\ af,ba,04,95,aa,78,c4,1b,56,6f,9d,7c,6f,b4,1b,61,41,5e,00,d9,e3,40,a4,69,96,\ 40,a6,ca,b9,a9,e2,ec,bc,ac,23,25,18,60,f3,06,85,f9,a2,9d,3a,11,f0,3e,2a,bf,\ 50,e1,16,1d,36,6f,4e,be,ff,5d,87,a1,c5,f9,51,80,56,6f,4b,af,2a,60,05,1b,d6,\ df,73,82,a2,0e,70,31,49,a5,5c,e2,55,b5,68,ee,c7,9b,86,17,bb,a2,cd,64,15,80,\ 29,1b,59,f2,14,b1,6e,8b,c5,f9,0d,6e,36,66,19,ee,cc,dd,cc,95,fc,0e,e5,7b,2a,\ 3a,13,22,37,78,77,35,ec,fd,cf,44,42,90,e0,8c,01,6f,e9,ce,91,fa,9f,fb,4c,b4,\ ee,22,7c,77,b0,f4,4f,78,98,45,26,e9,e4,db,17,17,e1,99,5a,d8,24,36,7e,91,45,\ 76,27,7e,1e,17,fe,2c,fd,71,62,05,a3,0c,28,cb,3c,25,4e,54,37,a1,67,15,7e,bf,\ 75,89,f7,fe,5b,d9,e8,c4,21,5e,80,c8,39,d1,73,ea,9e,c7,a9,b5,4c,cf,50,af,30,\ 1d,eb,43,d2,43,01,61,60,3a,c9,4b,56,e5,25,5f,4c,e2,34,a2,dd,a7,e9,85,48,b1,\ 89,68,ec,a7,2d,22,55,13,a5,68,27,c4,5e,5e,73,71,c5,80,8a,e5,65,c0,0b,da,c9,\ 95,2c,ae,df,e2,b6,56,47,19,06,82,38,fd,fc,10,82,ee,7d,8e,2c,84,e8,11,b7,05,\ de,18,fa,6a,f6,0d,ef,b1,79,64,a5,42,1e,fb,a5,e2,45,2d,a9,48,05,8b,e4,22,29,\ c9,91,b9,e0,40,d5,0b,cc,b1,e8,ec,9d,90,0f,d3,fc,d0,11,54,91,8b,bb,60,be,d5,\ 26,dd,e3,3a,16,90,28,0d,e9,f5,d0,c0,77,73,a3,58,c6,9b,61,9b,21,dc,ee,23,84,\ 12,da,12,fa,53,89,f8,46,a2,85,ce,48,7a,64,07,04,e7,a4,7a,35,57,e2,fd,10,6c,\ 02,7f,e8,ee,6c,85,97,2b,0f,e5,52,10,50,56,2e,b4,10,49,8b,f1,09,e1,d3,2a,1f,\ 69,1f,f2,73,dd,dd,5e,f4,c9,15,aa,2d,fc,56,14,34,c8,63,05,0b,de,b5,eb,01,44,\ ff,d8,ee,9f,dd,97,7a,c2,7c,17,28,75,40,b0,79,54,d3,66,9f,6c,7c,7b,aa,32,7e,\ 27,79,eb,96,ce,23,5d,11,f8,81,9d,ea,70,6b,b3,29,c7,67,ba,9f,24,20,54,75,78,\ d4,48,63,b8,04,9e,02,11,ff,52,37,f6,fb,65,fa,70,bf,ad,ab,b5,b2,7e,fe,70,2b,\ ef,a3,a2,c9,9a,07,f2,a1,52,0b,63,57,77,68,48,ed,62,bd,6d,0b,0e,67,11,81,4a,\ e7,4a,1b,16,d9,ec,68,11,77,da,ee,54,1e,57,b4,fd,6f,14,4c,3a,9a,40,10,76,77,\ 90,55,ca,04,53,c9,19,b7,10,93,9a,75,ec,75,94,7a,eb,b6,62,42,07,cd,ae,dd,46,\ 62,55,cb,fb,f2,2b,80,b9,35,41,1f,e0,03,e9,13,15,20,2d,40,30,5b,92,a5,60,77,\ 84,c4,cb,4a,8f,1c,6e,6a,a8,5e,c6,90,40,ce,4d,ee,ac,77,ec,b7,e4,b4,7e,ae,1e,\ b2,00,66,e5,f8,12,85,b9,8e,1d,f6,9c,a4,3a,b3,9b,2b,e4,5f,73,45,ae,82,21,3f,\ 7f,74,9a,b6,56,a7,8e,f7,ea,49,9f,b8,83,90,ff,0a,66,95,68,f7,84,51,a7,77,d9,\ fc,55,6b,eb,ee,07,c4,a8,d1,6b,f4,15,bf,06,d0,4c,05,cd,8a,00,25,28,22,69,87,\ 2a,a2,a1,8f,7c,d3,fe,60,85,60,01,af,bb,1f,0d,08,4e,dd,8e,f3,76,29,b9,f0,5e,\ 58,24,52,81,8f,09,03,c0,9e,2c,1e,ab,e7,3f,6b,bf,63,f3,aa,db,94,50,e8,75,d9,\ 4b,bc,55,b1,44,21,20,85,13,f2,bf,05,31,f1,49,72,7d,84,95,9c,8d,6f,33,8c,bd,\ 3a,80,d4,a2,e4,f8,16,08,d2,50,a9,1a,b9,cd,c5,39,e5,1e,be,3f,37,83,02,7d,31,\ 00,59,fe,d3,54,cd,9a,8b,e3,35,2e,81,a8,db,c2,09,e6,82,da,7b,cd,75,c4,d2,0a,\ 8d,56,3a,e6,ac,b6,49,09,77,61,50,14,a8,e0,1d,51,a8,ca,cc,08,79,d6,bc,b3,07,\ 86,dd,c4,0f,4c,32,58,9d,30,a1,57,cf,0c,5c,6f,f1,77,32,a1,d1,84,f6,3b,64,1c,\ 03,86,e0,20,db,57,bb,41,16,1d,bd,a7,10,97,62,22,cd,b7,6d,44,47,cd,01,6c,57,\ 43,f9,6f,82,6e,6a,49,96,1b,2a,1f,c7,9a,3c,41,2a,d2,ef,01,b6,a5,b7,61,ab,b8,\ 3a,92,7f,16,c3,10,c7,c1,f7,b6,68,1e,b1,9b,ff,86,f5,72,8c,e1,0c,2d,aa,ec,bc,\ b3,08,86,c5,e4,ce,0e,0e,eb,8c,1b,7c,83,54,bd,ee,33,a9,93,15,98,70,a7,39,af,\ 99,1f,17,29,ac,08,bf,b4,fb,90,0a,f5,db,3d,f3,ad,f0,ad,94,db,4a,d4,f1,40,86,\ 87,09,0d,33,83,31,2b,3c,36,75,12,8c,fd,5b,d0,e1,f3,fc,7d,5d,86,be,2a,c0,70,\ 0e,b9,3a,16,2a,a4,61,b9,ae,3f,96,f2,3b,de,eb,0e,a7,3e,92,ee,33,56,fc,1d,69,\ a8,52,49,29,cf,40,94,36,27,eb,5e,97,7d,74,c3,54,71,d9,3e,88,50,8f,a2,80,08,\ 45,12,7b,c5,72,c2,44,a2,e7,ac,46,d2,bb,f3,c3,ab,3b,73,4c,d5,7e,0d,bf,63,57,\ af,28,a3,e2,a2,a7,59,c8,20,d8,ea,d8,88,17,3f,84,4a,88,2e,6f,55,ff,d1,2a,b4,\ ff,f4,e4,47,aa,45,20,f6,07,46,92,6e,46,35,ce,2e,2f,38,9b,92,01,e0,2b,d7,7a,\ 35,31,83,cf,fe,44,2e,5d,2e,66,3d,a6,f1,75,d8,e4,5c,71,44,7e,8a,a8,f8,c6,26,\ c0,e2,ff,c8,e1,16,9a,ee,61,e6,84,bb,4d,31,21,35,6d,a6,59,72,a7,29,0c,ee,92,\ 48,c5,aa,bd,f0,6e,70,a8,62,b6,b6,68,ed,de,79,d8,dc,8e,40,f9,7c,4e,71,55,76,\ 39,56,f0,49,d8,e9,35,92,5c,b5,b0,ea,38,03,1c,6c,6b,95,5a,4a,be,f1,5c,0f,44,\ 18,ce,c6,7a,95,a7,72,72,68,a7,e0,1b,0c,6a,38,e1,16,c6,d6,d8,be,20,3a,48,8e,\ 3e,3a,7c,fa,a4,c7,52,ac,ba,7a,56,a9,52,02,14,1b,13,5d,64,40,5f,d0,90,7c,0a,\ 10,32,46,ba,78,2b,c5,06,8a,8f,12,d5,18,b8,62,fc,c6,09,a3,1e,b3,8a,12,fa,37,\ f0,8d,03,e2,88,ce,da,72,07,65,a5,9b,98,bb,6f,a5,c4,39,cb,9e,7b,29,42,93,81,\ b0,b6,c9,a6,81,48,f5,04,79,d0,18,1b,0d,09,59,a3,8a,07,34,2e,8f,91,da,ae,2c,\ 5a,9c,03,49,8b,fd,a8,a6,e0,ce,07,41,76,e0,3a,85,a7,9e,5f,cd,48,ca,00,12,cf,\ e3,0f,b0,36,0c,d6,d3,f8,78,1b,fe,3d,82,73,e2,c0,3e,9a,e8,c6,e7,09,61,08,fa,\ f3,97,51,94,c9,a6,a7,f4,ad,09,48,0d,5a,c8,9e,57,5f,15,89,5e,0d,44,ce,67,67,\ 9e,9a,b2,19,b8,d7,71,ad,79,db,d2,e0,92,d4,1d,fa,33,8d,19,2b,54,29,6e,d2,73,\ 07,41,a1,02,94,67,c5,aa,fd,c5,f4,68,da,cd,4c,90,f4,92,29,28,bf,77,e3,cf,b0,\ 40,22,77,d8,8d,14,b2,06,f0,b4,34,2a,cc,d2,87,51,3c,ca,06,ac,a7,f7,90,d4,6c,\ b8,b4,64,2d,a4,9d,95,9f,35,97,2a,14,71,cb,1e,7f,0b,25,02,d6,f2,31,f5,d4,92,\ 6c,77,61,16,12,4a,e1,04,19,1c,2a,fa,d2,f3,d9,1c,7e,4e,10,9f,5c,46,c3,d5,84,\ 02,05,d5,83,7b,7d,c5,6d,c7,f4,0a,0d,93,d7,17,08,81,af,ba,19,9e,76,ad,02,e7,\ 06,3c,df,fd,f4,16,b4,31,03,cf,97,1b,23,c7,b6,05,f6,b9,38,5e,03,12,4e,6e,fe,\ cf,c9,fe,fb,87,e9,d1,92,48,bb,ed,26,ae,22,f5,df,72,b6,51,f6,37,dd,42,08,37,\ 05,70,6d,45,ff,46,8e,02,5c,5f,e0,5e,89,69,05,96,7c,3f,d8,e4,84,0a,82,ce,05,\ 6d,50,1a,76,36,a4,00,f7,14,38,95,2f,21,fb,4e,d3,75,73,76,a2,9d,1c,78,42,f9,\ 90,36,e2,59,96,1a,0d,5d,dd,62,4e,9f,4c,88,1d,f4,c7,e3,ac,98,f7,09,96,47,19,\ 5c,00,cd,f2,33,ce,6e,fb,a2,5c,16,f7,6d,3a,61,0f,99,25,f6,91,57,77,69,6b,7a,\ 69,fc,6f,74,6a,b4,4b,2a,46,05,a4,71,6e,b7,aa,36,d4,11,cf,70,b0,5a,0d,30,df,\ 82,d6,0c,ed,16,1e,fa,a4,b0,77,98,c0,d2,31,4b,dc,3d,4b,a7,97,76,f9,9d,e5,a4,\ 25,ed,70,1e,cf,fc,4f,71,35,ea,70,90,96,74,aa,1a,e0,b3,7b,4e,61,96,bf,1d,86,\ 64,53,53,58,ed,15,ec,9a,e0,3a,ee,ec,42,28,ec,3f,72,ac,54,3a,65,14,38,08,ad,\ e8,bc,7f,59,f7,c6,2b,69,3d,dc,31,93,fd,81,f3,89,64,bb,7b,34,d4,69,85,4c,3e,\ 8f,ca,e6,89,79,5e,b4,07,c1,6f,0d,20,b2,3f,95,07,4d,3f,c2,7b,01,9d,82,3d,c7,\ 04,4c,d9,dd,fa,4f,c8,ca,8a,c3,9f,79,64,38,52,1d,61,1e,28,69,53,58,79,da,cc,\ dc,78,59,6f,03,c9,59,cc,96,ee,0f,93,67,c6,a1,f1,8f,06,9c,d4,e4,02,d0,b3,3b,\ 38,99,c4,d0,20,64,44,35,96,9e,76,7f,a5,2f,35,81,aa,7a,42,42,04,20,e6,79,ed,\ 27,7f,b6,b5,98,5e,c5,b0,e8,c4,f5,d5,b5,44,a4,d8,cf,ea,97,f4,48,17,a6,1f,11,\ 21,21,17,05,06,0f,c4,e5,e4,5a,88,a0,df,f6,53,fd,1f,ca,da,f9,c6,e2,8e,c4,9e,\ 3b,c3,ef,58,e1,12,39,63,c4,a1,4c,73,c6,97,29,3d,e1,42,47,70,bd,1f,35,a3,da,\ f8,ce,c4,f4,1f,8f,ce,4d,2f,4b,e4,9a,6c,79,04,9b,2d,bf,9a,d0,bf,e8,02,ff,85,\ 02,46,ec,2d,78,fa,cc,a4,76,8b,11,4c,ee,b8,44,74,68,16,3e,25,19,a7,d4,c4,7b,\ a1,cd,70,20,d2,71,8a,30,d9,24,07,ff,b2,80,c0,64,3c,10,77,96,61,75,1c,87,51,\ 06,ee,00,24,fb,0c,b7,bf,72,25,5e,5e,6d,4e,1f,16,28,a1,53,c5,95,75,ee,e5,7d,\ 6a,0c,30,d6,1f,b0,af,d5,81,e4,30,c1,28,37,11,9d,45,6f,97,74,d9,d2,66,f9,fb,\ 7f,0a,35,b5,fb,55,ef,cb,ac,a7,0d,17,ec,c6,7d,35,b1,83,de,b7,25,38,1e,ef,f5,\ cf,68,5c,33,be,29,d5,af,fe,15,c4,6a,04,04,b7,34,03,c5,ef,bb,27,d9,d6,18,dc,\ f6,bb,61,94,08,02,32,3a,fb,3b,ef,84,a6,ee,61,9e,0e,c7,97,e3,b0,b0,b6,91,91,\ b8,fd,46,8a,60,9d,b0,c3,50,41,bc,ff,9b,66,42,d2,a3,da,49,3a,82,a5,f1,29,3d,\ db,0b,b0,6e,30,86,36,8d,9e,fd,91,b2,6b,e6,9f,c2,67,32,95,15,cb,d9,ff,4b,1d,\ c1,3e,cf,5b,35,2a,34,9a,20,6c,35,43,aa,b3,e1,f6,9d,1a,91,b1,25,5f,8d,d2,6a,\ 24,f4,3b,9d,a7,1c,5f,5c,13,d5,2a,da,8f,a9,f3,62,2c,0a,bc,6f,61,a3,1f,61,87,\ 92,59,07,b0,25,54,1e,17,06,c8,af,37,92,ad,f9,ac,c5,39,83,5e,8e,e7,76,5d,9c,\ ed,60,42,0b,14,d4,53,41,87,e8,2e,1c,02,da,4e,35,aa,59,f3,7c,be,7d,24,6f,fb,\ 4b,f3,8a,ed,0f,d1,bc,7c,80,b6,22,97,93,21,19,bb,e2,e8,c2,f3,0d,51,19,b3,56,\ 12,99,97,93,2f,20,e6,ca,1b,df,72,2d,55,f9,60,c3,7c,2b,cb,9f,16,bb,31,01,aa,\ cc,86,0f,9b,89,76,26,ec,39,4c,5b,42,7c,fb,77,8a,41,c3,56,ed,15,bc,1e,23,77,\ 03,b9,c4,4d,83,9b,50,e3,b1,42,7e,ce,36,e1,65,79,9f,67,dc,6c,dd,41,9b,a4,6c,\ 02,2c,56,1d,45,bb,44,ea,e1,61,cb,b6,f6,8d,60,5f,0e,eb,89,60,bd,95,e3,c1,6a,\ 90,af,46,60,9b,7b,ef,78,a8,8b,18,0f,e8,f3,1f,57,ef,11,c5,94,90,ab,1f,db,f5,\ c5,17,ec,1c,59,08,0c,68,1d,f1,97,6d,3a,8d,f7,a6,d5,16,45,3d,7e,30,8f,fc,ab,\ c0,87,bf,86,79,fa,14,43,58,89,63,36,f1,f5,5b,fd,75,5c,b3,9c,55,98,ab,12,17,\ 1c,fc,37,e3,bd,d7,59,e4,3a,93,a4,3e,06,56,b9,2e,4d,33,c3,68,71,40,60,b5,fb,\ 10,77,f8,ac,08,14,59,b2,ca,10,31,7e,08,80,14,df,50,75,a4,8b,71,6d,a4,3f,01,\ 0c,bc,4f,d8,5b,3e,a6,43,ac,2c,57,18,f8,ec,d6,17,ee,6a,52,8c,04,e1,5b,62,a3,\ 09,97,5d,a9,fc,74,1b,c1,ec,57,8e,d1,7c,3b,b7,2e,87,df,6b,86,92,4d,ae,5e,7f,\ 1d,cb,15,f2,52,57,a5,a1,1c,53,13,74,75,d2,12,4c,60,f2,e2,42,f5,57,d5,95,42,\ a7,00,4d,b4,bf,b9,e6,ea,8b,10,2d,e7,8d,fe,8b,4c,d8,f9,41,9c,b6,5a,46,4f,b4,\ 61,4a,7e,9e,d6,8c,ad,20,42,8d,93,32,ff,61,94,8e,c7,17,23,15,63,56,07,38,15,\ 44,af,9c,1f,7c,ce,01,7e,61,62,a9,73,b5,65,cf,02,72,85,bb,e3,44,e8,0d,e1,a1,\ cf,e5,b2,27,bf,e9,ac,50,56,2c,69,e8,0d,69,89,c7,fd,cc,d1,9b,09,70,f0,b5,bb,\ b8,35,96,0c,56,f9,e3,27,13,7d,97,b7,bc,13,5e,fb,dc,a0,b8,de,72,4b,59,cb,f2,\ 49,ac,08,08,e0,39,46,ef,a2,44,43,8b,3f,92,6a,11,cf,b2,5d,92,cd,31,52,ae,b5,\ 11 "rkeysecu"=hex:82,a1,c1,d4,70,8e,0e,f2,4d,9b,40,92,0f,b1,2e,7d [HKEY_LOCAL_MACHINE\software\Sigmatel\GlobalState] @Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL) @Owner=Administrators @Denied: (Full) (Guests) @Allowed: (Full) (LocalSystem) @Allowed: (Full) (Administrators) @Allowed: (B 1 2 3 4 5) (S-1-5-4) . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(1456) c:\program files\NetMotion Client\nmlogon.dll c:\windows\system32\Ati2evxx.dll c:\windows\System32\BCMLogon.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\ati2evxx.exe c:\windows\system32\ati2evxx.exe c:\windows\system32\WLTRYSVC.EXE c:\windows\system32\BCMWLTRY.EXE c:\windows\system32\LEXBCES.EXE c:\windows\system32\LEXPPS.EXE c:\windows\system32\drivers\dcfssvc.exe c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe c:\windows\system32\wscntfy.exe c:\program files\ATI Technologies\ATI.ACE\CLI.exe c:\program files\ATI Technologies\ATI.ACE\CLI.exe . ************************************************************************* . Completion time: 2008-12-30 23:35:21 - machine was rebooted ComboFix-quarantined-files.txt 2008-12-31 05:35:19 ComboFix2.txt 2008-12-31 01:10:44 Pre-Run: 50,034,245,632 bytes free Post-Run: 50,127,470,592 bytes free 396 --- E O F --- 2008-12-18 06:30:12 Zip file submitted to http://www.bleepingcomputer.com per your instructions.

01-02-2009, 04:02 PM	#11 (permalink)
aberrant.minds Registered User Join Date: Nov 2006 Posts: 10 OS: XP	Re: Possible Trojan, Browser Redirects, & Popups The system seems to be running fine now, no pop-ups or browers hijacks. Here is the log you requested: -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7 REPORT Friday, January 2, 2009 Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600) Kaspersky Online Scanner 7 version: 7.0.25.0 Program database last update: Friday, January 02, 2009 18:11:20 Records in database: 1549397 -------------------------------------------------------------------------------- Scan settings: Scan using the following database: extended Scan archives: yes Scan mail databases: yes Scan area - My Computer: C:\ D:\ Scan statistics: Files scanned: 94652 Threat name: 15 Infected objects: 21 Suspicious objects: 0 Duration of the scan: 01:37:56 File name / Threat name / Threats count C:\Documents and Settings\Mine\My Documents\Incomplete\Preview-T-5745425-Chubby Checker - Limbo rock.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1 C:\Documents and Settings\Mine\My Documents\Incomplete\Preview-T-5745425-weightless ellis paul.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1 C:\Documents and Settings\Mine\My Documents\Incomplete\T-5745425-Chubby Checker - Limbo rock.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1 C:\Program Files\Trend Micro\Internet Security 14\Quarantine\10.tmp Infected: Trojan.Win32.BHO.ilw 1 C:\Program Files\Trend Micro\Internet Security 14\Quarantine\10C.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.fjh 1 C:\Program Files\Trend Micro\Internet Security 14\Quarantine\10D.tmp Infected: Trojan.Win32.Monderb.aaiq 1 C:\Program Files\Trend Micro\Internet Security 14\Quarantine\14.tmp Infected: Trojan-Downloader.Win32.Agent.aiyu 1 C:\Program Files\Trend Micro\Internet Security 14\Quarantine\15.tmp Infected: Trojan-Downloader.Win32.Agent.aiyu 1 C:\Program Files\Trend Micro\Internet Security 14\Quarantine\1B.tmp Infected: Trojan-Downloader.Win32.Agent.aogd 1 C:\Program Files\Trend Micro\Internet Security 14\Quarantine\1C.tmp Infected: Trojan-Downloader.Win32.Agent.aogd 1 C:\Program Files\Trend Micro\Internet Security 14\Quarantine\2.tmp Infected: Trojan.Win32.Agent.axoc 1 C:\Program Files\Trend Micro\Internet Security 14\Quarantine\5.tmp Infected: not-a-virus:FraudTool.Win32.VirusRemover.k 1 C:\Program Files\Trend Micro\Internet Security 14\Quarantine\6.tmp Infected: Backdoor.Win32.Agent.xbz 1 C:\Qoobox\Quarantine\C\Documents and Settings\Mine\Application Data\Twain\Twain.exe.vir Infected: Trojan.Win32.Agent.aycx 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\iafoor.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fpf 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\iyftkcht.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fpf 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\prunnet.exe.vir Infected: Trojan-Clicker.Win32.VB.cqq 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\qkjbufhq.dll.vir Infected: Trojan.Win32.Monder.agdp 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\rjmgcd.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fjh 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\rqRJAQhE.dll.vir Infected: Trojan.Win32.Monder.agan 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\yovimuti.dll.vir Infected: Trojan.Win32.Monder.gen 1 The selected area was scanned.

01-02-2009, 07:31 PM	#12 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,697 OS: 2000 Pro; XP Pro; XP Home	Re: Possible Trojan, Browser Redirects, & Popups Open NOTEPAD.exe and copy/paste the text in the codebox below into it: Code: @echo off if exist "%temp%\log.txt" del "%temp%\log.txt" for %%g in ( "C:\Documents and Settings\Mine\My Documents\Incomplete\Preview-T-5745425-Chubby Checker - Limbo rock.mp3" "C:\Documents and Settings\Mine\My Documents\Incomplete\Preview-T-5745425-weightless ellis paul.mp3" "C:\Documents and Settings\Mine\My Documents\Incomplete\T-5745425-Chubby Checker - Limbo rock.mp3" ) do ( del /a/f %%g >nul 2>&1 if exist %%g echo.%%g>>"%temp%\log.txt" ) if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt" ) else echo.Deleted Successfully !! pause del %0 Save this as fix.bat Choose to "Save type as - All Files" It should look like this: Double click on fix.bat & allow it to run Post back to tell me what it says __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

01-03-2009, 09:54 PM	#13 (permalink)
aberrant.minds Registered User Join Date: Nov 2006 Posts: 10 OS: XP	Re: Possible Trojan, Browser Redirects, & Popups Ran th fix.bat file and received a message similar to Files deleted Press any key to continue

01-03-2009, 09:59 PM	#14 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,697 OS: 2000 Pro; XP Pro; XP Home	Re: Possible Trojan, Browser Redirects, & Popups That's what we want. Several items found by Kaspersky are in TrendMicro's quarantine. You should be able to remove them finally from within the user interface, something similar to this: 1. Open the management console. 2. Go to Administration > Quarantine Manager and click Delete All Quarantined Files. Or, simply delete the contents of this folder: C:\Program Files\Trend Micro\Internet Security 14\Quarantine The other items Kaspersky found are in ComboFix quarantine, and will be addressed by uninstalling ComboFix as instructed below Other than that.... Your logs appear clean.You should be good to go. We still have a few items to address. Go to -> Run -> copy/paste in the following single line command & click OK combofix /u This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points. Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs: Microsoft Windows Update - http://www.windowsupdate.com Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. SpywareBlaster to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad. Winpatrol Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here. You can get a free copy of Winpatrol or use the Plus version for more features. You can read Winpatrol's FAQ if you run into problems. MVPS HOST FILE The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Download Host.zip to your desktop. From your Desktop right-click (hosts.zip) and select: Extract All from the menu. Click Next, click Next, select the option: "Show Extracted files", click Finish This will open the newly created hosts folder on your Desktop. Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine. Once updated you should see another prompt that the task was completed. ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out. Do not install more than one AntiVirus program because they will conflict with each other. Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT. ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry. NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster. In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles How did I get infected in the first place? PC Safety and Security--What Do I Need? If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it. Please respond to this thread one more time so we can mark this thread as resolved. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

01-12-2009, 07:24 PM	#15 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,697 OS: 2000 Pro; XP Pro; XP Home	Re: Possible Trojan, Browser Redirects, & Popups Since this issue appears to be resolved, this topic will now be archived. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here: NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009