
Discussion Starter · #1 ·
Rip_Chain helped me fix pop-up problems on my HP. Need a little cleanup before we're done.
Now it's time to tackle the kid's Dell. It's way messed up. I have it next to my HP and I have to fix it without hooking it to the internet. I did the five steps except I could not do an online scan (Panda). I burned SpywareBlaster, HijackThis, IE-SPYAD, and AVG Anti-Spyware on a CD and installed them on the Dell.
Some of the symptoms of the Dell are:

GFDSH Runtime error 5.

When I run Ad-Aware 2007, it shuts down "Initiated by NT Authority/System".

AVG - Once a scan is complete, "Apply all Actions" freezes the computer.

Safe Mode doesn't display windows (Black Screen).

When I reboot, Message says, "Explorer.exe-No Disc in Drive A".
Sometimes on reboot I get a blue screen with a lot of white text.

I also noticed that they had 57 updates downloaded but not installed??

I have not installed Combofix yet. Waiting for advice.
Thanks for any help.

Here is the Hijack.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:04:53 AM, on 8/19/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchosts.exe
C:\WINDOWS\System32\qwerty12.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\{E8F8DAE0-0AE7-1033-1202-030512200001}\Update.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\WinAntiSpyware 2007 Free\uwasers.exe
C:\Program Files\Common Files\WinAntiSpyware 2007 Free\uwasdc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\Documents and Settings\Joyce\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://planetkc.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?pr...11006237800000001151125000189&version=g_4.4.2
O2 - BHO: BhoApp Class - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\WinBudget\bin\matrix.dll
O2 - BHO: (no name) - {35E78239-811E-4c3f-B37D-F339AC16C2C0} - C:\PROGRA~1\Comet\bin\autosearch.dll (file missing)
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\System32\gebawxx.dll
O2 - BHO: (no name) - {3F1543FB-F76E-FF9C-4917-888DCA27D3BA} - C:\WINDOWS\System32\wwwyb.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {55431DD1-8795-4AF3-8FA0-D645DF7910D4} - C:\WINDOWS\SYSTEM32\werwea.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: BandBHO Class - {6CA1C00B-90FC-4F3E-911F-95306ABA49AA} - C:\Program Files\AdSponsorOI\AdSponsorOI.dll
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB58.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38F8D~1\Bar888.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\System32\yiyisrfk.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll (file missing)
O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\PROGRA~1\Comet\Bin\csbho.dll (file missing)
O2 - BHO: (no name) - {FAC106F4-EC7A-4135-9705-6A0C3926FEBC} - C:\WINDOWS\System32\vtstu.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Starware - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\PROGRA~1\Comet\Bin\csietb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38F8D~1\Bar888.dll
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB58.dll
O4 - HKLM\..\Run: [{E8F8DAE0-0AE7-1033-1202-030512200001}] "C:\Program Files\Common Files\{E8F8DAE0-0AE7-1033-1202-030512200001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [{E8F8DAE0-0AE6-1033-1202-030512200001}] "C:\Program Files\Common Files\{E8F8DAE0-0AE6-1033-1202-030512200001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\gtsswmal.dll",forkonce
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SDR6_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe"
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [PAS_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ERS_Check] "C:\Program Files\Common Files\WinAntiSpyware 2007 Free\uwasers.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DC6_Check] "C:\Program Files\Common Files\WinAntiSpyware 2007 Free\uwasdc.exe"
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\Joyce\LOCALS~1\Temp\winlogon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKUS\S-1-5-21-1226715034-2328625344-728653132-1007\..\Run: [Firewall auto setup] C:\DOCUME~1\Joyce\LOCALS~1\Temp\winlogon.exe (User '?')
O4 - HKUS\S-1-5-21-1226715034-2328625344-728653132-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1226715034-2328625344-728653132-1007\..\Run: [IESet] IExplorer.dll .dbt (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - S-1-5-21-1226715034-2328625344-728653132-1007 Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE (User '?')
O4 - S-1-5-21-1226715034-2328625344-728653132-1007 Startup: PowerReg SchedulerV2.exe (User '?')
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2918C082-D561-44D6-BAED-CEFA94EF412B}: NameServer = 61.123.225.72
O17 - HKLM\System\CS1\Services\Tcpip\..\{2918C082-D561-44D6-BAED-CEFA94EF412B}: NameServer = 61.123.225.72
O20 - Winlogon Notify: gebawxx - C:\WINDOWS\SYSTEM32\gebawxx.dll
O20 - Winlogon Notify: vtstu - C:\WINDOWS\System32\vtstu.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe
O23 - Service: DomainService - - C:\WINDOWS\System32\qwerty12.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\System32\svchost.exe:exe.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10623 bytes
 

Hello hevbrewer,

This computer has a lot more serious infections than your previous one did, that's for sure. This process will take a little while; if I read your post correctly, there is no internet access for this computer?
Let's start off with a couple of basic logs and work our way up the food chain. Does any of the following information look familiar to you?
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU


Using Add or Remove Programs, remove the following entries (if present). (To get into Add or Remove Programs, press the START button > Control Panel > Add or Remove Programs.)

WinAntiSpyware 2007
DriveCleaner Free
Comet
AdSponsorOI
webHancer
 
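As an added example (not code from this thread or from HijackThis), the script below applies the kind of checks the helper above makes by eye to the posted log: unnamed BHOs, autoruns launched from Temp, Trusted Zone additions, a DNS server the owner never configured, Winlogon Notify hooks, and services with no publisher or a svchost look-alike binary. The sample lines are copied from the first log in this thread; the rules themselves are this example's own assumptions, not anything HijackThis outputs.

```python
"""Triage a HijackThis log by flagging the entry types an analyst checks first.

Added example, not code from the thread or from HijackThis. The sample lines
are copied from the first log posted in this thread; the rules below are this
example's own assumptions about what stands out in such a log.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section reason line")

ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d) - (.*)$")
CMD_TOKEN_RE = re.compile(r"\]\s*(\S+)")          # first token after "[name]" in an O4 line
NAMESERVER_RE = re.compile(r"NameServer = ([\d., ]+)")
SERVICE_PATH_RE = re.compile(r" - ([A-Za-z]:\\.*)$")

# Sample input: lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\System32\gebawxx.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\Joyce\LOCALS~1\Temp\winlogon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{2918C082-D561-44D6-BAED-CEFA94EF412B}: NameServer = 61.123.225.72
O20 - Winlogon Notify: gebawxx - C:\WINDOWS\SYSTEM32\gebawxx.dll
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe
O23 - Service: DomainService - - C:\WINDOWS\System32\qwerty12.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\System32\svchost.exe:exe.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


def triage_line(line, trusted_dns=frozenset()):
    """Return the Findings for one log line; an empty list means nothing stood out.

    trusted_dns: DNS server addresses the owner knows they configured (assumption:
    anything else in an O17 entry is worth questioning, as the helper does above).
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    reasons = []
    if section in ("O2", "O3") and "(no name)" in body:
        reasons.append("browser helper object/toolbar registered without a name")
    if section == "O4":
        if re.search(r"\\temp\\", body, re.I):
            reasons.append("autorun launched from a Temp directory")
        tok = CMD_TOKEN_RE.search(body)
        if tok and tok.group(1).lower().endswith(".dll"):
            reasons.append("autorun command is a bare DLL rather than a program path")
    if section == "O15":
        reasons.append("site added to the IE Trusted Zone")
    if section == "O17":
        ns = NAMESERVER_RE.search(body)
        for ip in (re.split(r"[,\s]+", ns.group(1).strip()) if ns else []):
            if ip and ip not in trusted_dns:
                reasons.append("DNS server %s was not configured by the owner" % ip)
    if section == "O20":
        reasons.append("Winlogon Notify hook: verify the DLL is a known component")
    if section == "O23":
        if "Unknown owner" in body or " - - " in body:
            reasons.append("service has no publisher")
        pm = SERVICE_PATH_RE.search(body)
        if pm:
            base = pm.group(1).rsplit("\\", 1)[-1].lower()   # binary file name
            stem = base.split(":")[0]                         # name before any ADS suffix
            if ":" in base:
                reasons.append("service binary lives in an NTFS alternate data stream")
            if stem.startswith("svchost") and stem != "svchost.exe":
                reasons.append("svchost look-alike service binary")
    return [Finding(section, r, line.strip()) for r in reasons]


def triage_log(text, trusted_dns=frozenset()):
    """Run triage_line over every line of a log and collect the Findings."""
    findings = []
    for line in text.splitlines():
        findings.extend(triage_line(line, trusted_dns))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print("%-4s %-62s %s" % (f.section, f.reason, f.line))
```

Run on the twelve sample lines it flags nine of them (the DriveLetterAccess BHO, the QuickTime autorun and the iPod service pass clean); pass the owner's real DNS server in trusted_dns to silence the O17 check.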

Discussion Starter · #3 ·
I've never seen the Asia Pacific before. WinSpyware was on the computer but I removed it yesterday.
None of the others are installed.
I do not have internet access for this computer.
 

Hello hevbrewer,

You will also need to burn the following tool to a CD for use on your computer.

Please download this file - combofix.exe by sUBs
  • Save it to your Desktop
  • Now physically disconnect from the internet and STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
  • Click on your START button and choose Run. Then copy/paste the entire content of the following quotebox (Including the "" marks and the Symbols) into the run box.

    "%userprofile%\desktop\ComboFix.exe" /KillAll
  • Click OK and this will start ComboFix in a special way.
  • When finished, it will produce a log. Please save that log to a Notepad File to post in your next reply along with a fresh HJT log.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

* After you have saved the logs, restart your system to re-enable all the programs that were disabled during the running of ComboFix.

* Reconnect to the internet

* Post the following logs/Reports:
  • ComboFix.txt
  • Fresh HijackThis log run after all the other tools have performed their cleanup.
 

Discussion Starter · #5 ·
Rip,
ComboFix is on the desktop, but the paste can't find it. It's in:
C:\Documents and Settings\All Users\Desktop
 

Discussion Starter · #7 ·
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:11:36 PM, on 8/19/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
c:\program files\internet explorer\iexplore.exe
C:\Documents and Settings\Joyce\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://planetkc.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {35E78239-811E-4c3f-B37D-F339AC16C2C0} - C:\PROGRA~1\Comet\bin\autosearch.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {55431DD1-8795-4AF3-8FA0-D645DF7910D4} - C:\WINDOWS\SYSTEM32\werwea.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: BandBHO Class - {6CA1C00B-90FC-4F3E-911F-95306ABA49AA} - C:\Program Files\AdSponsorOI\AdSponsorOI.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB58.dll (file missing)
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-21-1226715034-2328625344-728653132-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - S-1-5-21-1226715034-2328625344-728653132-1007 Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE (User '?')
O4 - S-1-5-21-1226715034-2328625344-728653132-1007 Startup: PowerReg SchedulerV2.exe (User '?')
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2918C082-D561-44D6-BAED-CEFA94EF412B}: NameServer = 61.123.225.72
O17 - HKLM\System\CS1\Services\Tcpip\..\{2918C082-D561-44D6-BAED-CEFA94EF412B}: NameServer = 61.123.225.72
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6446 bytes

ComboFix 07-08-17.2 - "Joyce" 2007-08-19 15:48:55.2 - NTFSx86


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



Infected copy of C:\WINDOWS\system32\drivers\ndis.sys was found & disinfected
C:\23572734.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\ProductCode
C:\DOCUME~1\Heather\APPLIC~1\..\err.log
C:\DOCUME~1\Heather\APPLIC~1\WinAntiVirus Pro 2007
C:\DOCUME~1\Heather\APPLIC~1\WinAntiVirus Pro 2007\Logs\update.log
C:\DOCUME~1\Heather\APPLIC~1\WinAntiVirus Pro 2007\Logs\wa6Support.log
C:\DOCUME~1\Heather\APPLIC~1\WinAntiVirus Pro 2007\Logs\winav.log
C:\DOCUME~1\Joyce\APPLIC~1.\DriveCleaner Free
C:\DOCUME~1\Joyce\APPLIC~1.\DriveCleaner Free\Logs\update.log
C:\DOCUME~1\Joyce\APPLIC~1.\pppatc~1
C:\DOCUME~1\Joyce\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\Joyce\APPLIC~1.\winantispyware 2007 free
C:\DOCUME~1\Joyce\APPLIC~1.\winantispyware 2007 free\description.txt
C:\DOCUME~1\Joyce\APPLIC~1.\winantispyware 2007 free\DownloadUWAS7.url
C:\DOCUME~1\Joyce\APPLIC~1.\winantispyware 2007\Logs\update.log
C:\DOCUME~1\Joyce\APPLIC~1\..\err.log
C:\DOCUME~1\Joyce\APPLIC~1\DriveCleaner Free\Logs\update.log
C:\DOCUME~1\Joyce\APPLIC~1\install.dat
C:\DOCUME~1\Joyce\APPLIC~1\WinAntiSpyware 2007 Free\description.txt
C:\DOCUME~1\Joyce\APPLIC~1\WinAntiSpyware 2007 Free\DownloadUWAS7.url
C:\DOCUME~1\Joyce\APPLIC~1\WinAntiSpyware 2007\Logs\update.log
C:\DOCUME~1\Joyce\APPLIC~1\WinAntiVirus Pro 2007
C:\DOCUME~1\Joyce\APPLIC~1\WinAntiVirus Pro 2007\Logs\update.log
C:\DOCUME~1\Joyce\APPLIC~1\WinAntiVirus Pro 2007\Logs\wa6Support.log
C:\DOCUME~1\Joyce\APPLIC~1\WinAntiVirus Pro 2007\Logs\winav.log
C:\DOCUME~1\Joyce\APPLIC~1\WinAntiVirus Pro 2007\PGE.dat
C:\DOCUME~1\Joyce\Desktop\Download WinAntiSpyware 2007 Free.lnk
C:\DOCUME~1\Joyce\MYDOCU~1.\ymante~1
C:\DOCUME~1\Joyce\STARTM~1\Programs.\Outerinfo
C:\DOCUME~1\Joyce\STARTM~1\Programs.\Outerinfo\Terms.lnk
C:\DOCUME~1\Joyce\STARTM~1\Programs.\Outerinfo\Uninstall.lnk
C:\Program Files\comet
C:\Program Files\comet\Bin\__delete_on_reboot__c_s_b_h_o_._d_l_l_
C:\Program Files\comet\Bin\comet.exe
C:\Program Files\comet\Bin\comutil.dll
C:\Program Files\comet\Bin\csadzap.dll
C:\Program Files\comet\Bin\csapputil.dll
C:\Program Files\comet\Bin\csband.dll
C:\Program Files\comet\Bin\csbrange.dll
C:\Program Files\comet\Bin\cscore.dll
C:\Program Files\comet\Bin\csctx.dll
C:\Program Files\comet\Bin\cseng.dll
C:\Program Files\comet\Bin\csinst.dll
C:\Program Files\comet\Bin\csinstall.exe
C:\Program Files\comet\Bin\cstray.exe
C:\Program Files\comet\Bin\csutil.dll
C:\Program Files\comet\Bin\fileutil.dll
C:\Program Files\comet\Bin\skinui.dll
C:\Program Files\comet\Bin\unins.ico
C:\Program Files\comet\Data\csres.dat
C:\Program Files\comet\Temp\CS28.tmp
C:\Program Files\comet\Temp\CS2861.tmp
C:\Program Files\comet\Temp\CS2862.tmp
C:\Program Files\comet\Temp\CS2863.tmp
C:\Program Files\comet\Temp\CS2864.tmp
C:\Program Files\comet\Temp\CS2865.tmp
C:\Program Files\comet\Temp\CS2866.tmp
C:\Program Files\comet\Temp\CS2867.tmp
C:\Program Files\comet\Temp\CS2868.tmp
C:\Program Files\comet\Temp\CS2869.tmp
C:\Program Files\comet\Temp\CS29.tmp
C:\Program Files\comet\Temp\CS2900.tmp
C:\Program Files\comet\Temp\CS2901.tmp
C:\Program Files\comet\Temp\CS2902.tmp
C:\Program Files\comet\Temp\CS2903.tmp
C:\Program Files\comet\Temp\CS2998.tmp
C:\Program Files\comet\Temp\CS2999.tmp
C:\Program Files\comet\Temp\CS299A.tmp
C:\Program Files\comet\Temp\CS299B.tmp
C:\Program Files\comet\Temp\CS2A.tmp
C:\Program Files\comet\Temp\CS2A31.tmp
C:\Program Files\comet\Temp\CS2A32.tmp
C:\Program Files\comet\Temp\CS2A33.tmp
C:\Program Files\comet\Temp\CS2A34.tmp
C:\Program Files\comet\Temp\CS2ACB.tmp
C:\Program Files\comet\Temp\CS2ACC.tmp
C:\Program Files\comet\Temp\CS2ACD.tmp
C:\Program Files\comet\Temp\CS2ACE.tmp
C:\Program Files\comet\Temp\CS2ACF.tmp
C:\Program Files\comet\Temp\CS2AD0.tmp
C:\Program Files\comet\Temp\CS2AD1.tmp
C:\Program Files\comet\Temp\CS2AD2.tmp
C:\Program Files\comet\Temp\CS2AD3.tmp
C:\Program Files\comet\Temp\CS2B.tmp
C:\Program Files\comet\Temp\CS2B69.tmp
C:\Program Files\comet\Temp\CS2B6A.tmp
C:\Program Files\comet\Temp\CS2B6B.tmp
C:\Program Files\comet\Temp\CS2B6C.tmp
C:\Program Files\comet\Temp\CS2C.tmp
C:\Program Files\comet\Temp\CS2C03.tmp
C:\Program Files\comet\Temp\CS2C04.tmp
C:\Program Files\comet\Temp\CS2C05.tmp
C:\Program Files\comet\Temp\CS2C06.tmp
C:\Program Files\comet\Temp\CS2C9B.tmp
C:\Program Files\comet\Temp\CS2C9C.tmp
C:\Program Files\comet\Temp\CS2C9D.tmp
C:\Program Files\comet\Temp\CS2C9E.tmp
C:\Program Files\comet\Temp\CS2C9F.tmp
C:\Program Files\comet\Temp\CS2CA0.tmp
C:\Program Files\comet\Temp\CS2CA1.tmp
C:\Program Files\comet\Temp\CS2CA2.tmp
C:\Program Files\comet\Temp\CS2CA3.tmp
C:\Program Files\comet\Temp\CS2CE.tmp
C:\Program Files\comet\Temp\CS2CF.tmp
C:\Program Files\comet\Temp\CS2D.tmp
C:\Program Files\comet\Temp\CS2D0.tmp
C:\Program Files\comet\Temp\CS2D1.tmp
C:\Program Files\comet\Temp\CS2D38.tmp
C:\Program Files\comet\Temp\CS2D39.tmp
C:\Program Files\comet\Temp\CS2D3A.tmp
C:\Program Files\comet\Temp\CS2D3B.tmp
C:\Program Files\comet\Temp\CS2DD.tmp
C:\Program Files\comet\Temp\CS2DD2.tmp
C:\Program Files\comet\Temp\CS2DD3.tmp
C:\Program Files\comet\Temp\CS2DD4.tmp
C:\Program Files\comet\Temp\CS2DD5.tmp
C:\Program Files\comet\Temp\CS2DE.tmp
C:\Program Files\comet\Temp\CS2DF.tmp
C:\Program Files\comet\Temp\CS2E.tmp
C:\Program Files\comet\Temp\CS2E0.tmp
C:\Program Files\comet\Temp\CS2E1.tmp
C:\Program Files\comet\Temp\CS2E2.tmp
C:\Program Files\comet\Temp\CS2E3.tmp
C:\Program Files\comet\Temp\CS2E4.tmp
C:\Program Files\comet\Temp\CS2E5.tmp
C:\Program Files\comet\Temp\CS2EB.tmp
C:\Program Files\comet\Temp\CS2EC.tmp
C:\Program Files\comet\Temp\CS2ED.tmp
C:\Program Files\comet\Temp\CS2EE.tmp
C:\Program Files\comet\Temp\CS2F.tmp
C:\Program Files\comet\Temp\CS30.tmp
C:\Program Files\comet\Temp\CS31.tmp
C:\Program Files\comet\Temp\CS32.tmp
C:\Program Files\comet\Temp\CS35.tmp
C:\Program Files\comet\Temp\CS36.tmp
C:\Program Files\comet\Temp\CS360.tmp
C:\Program Files\comet\Temp\CS361.tmp
C:\Program Files\comet\Temp\CS362.tmp
C:\Program Files\comet\Temp\CS363.tmp
C:\Program Files\comet\Temp\CS367.tmp
C:\Program Files\comet\Temp\CS368.tmp
C:\Program Files\comet\Temp\CS369.tmp
C:\Program Files\comet\Temp\CS36A.tmp
C:\Program Files\comet\Temp\CS36B.tmp
C:\Program Files\comet\Temp\CS36C.tmp
C:\Program Files\comet\Temp\CS36D.tmp
C:\Program Files\comet\Temp\CS36E.tmp
C:\Program Files\comet\Temp\CS36F.tmp
C:\Program Files\comet\Temp\CS370.tmp
C:\Program Files\comet\Temp\CS371.tmp
C:\Program Files\comet\Temp\CS372.tmp
C:\Program Files\comet\Temp\CS373.tmp
C:\Program Files\comet\Temp\CS374.tmp
C:\Program Files\comet\Temp\CS375.tmp
C:\Program Files\comet\Temp\CS376.tmp
C:\Program Files\comet\Temp\CS377.tmp
C:\Program Files\comet\Temp\CS378.tmp
C:\Program Files\comet\Temp\CS37B.tmp
C:\Program Files\comet\Temp\CS37C.tmp
C:\Program Files\comet\Temp\CS37D.tmp
C:\Program Files\comet\Temp\CS37E.tmp
C:\Program Files\comet\Temp\CS38.tmp
C:\Program Files\comet\Temp\CS39.tmp
C:\Program Files\comet\Temp\CS3A.tmp
C:\Program Files\comet\Temp\CS3B.tmp
C:\Program Files\comet\Temp\CS3C.tmp
C:\Program Files\comet\Temp\CS3C5E.tmp
C:\Program Files\comet\Temp\CS3C5F.tmp
C:\Program Files\comet\Temp\CS3C60.tmp
C:\Program Files\comet\Temp\CS3C61.tmp
C:\Program Files\comet\Temp\CS3C62.tmp
C:\Program Files\comet\Temp\CS3C63.tmp
C:\Program Files\comet\Temp\CS3C64.tmp
C:\Program Files\comet\Temp\CS3C65.tmp
C:\Program Files\comet\Temp\CS3C66.tmp
C:\Program Files\comet\Temp\CS3CF2.tmp
C:\Program Files\comet\Temp\CS3CF3.tmp
C:\Program Files\comet\Temp\CS3CF4.tmp
C:\Program Files\comet\Temp\CS3CF5.tmp
C:\Program Files\comet\Temp\CS3D6A.tmp
C:\Program Files\comet\Temp\CS3D6B.tmp
C:\Program Files\comet\Temp\CS3D6C.tmp
C:\Program Files\comet\Temp\CS3D6D.tmp
C:\Program Files\comet\Temp\CS3E.tmp
C:\Program Files\comet\Temp\CS3E03.tmp
C:\Program Files\comet\Temp\CS3E04.tmp
C:\Program Files\comet\Temp\CS3E05.tmp
C:\Program Files\comet\Temp\CS3E06.tmp
C:\Program Files\comet\Temp\CS3E9B.tmp
C:\Program Files\comet\Temp\CS3E9C.tmp
C:\Program Files\comet\Temp\CS3E9D.tmp
C:\Program Files\comet\Temp\CS3E9E.tmp
C:\Program Files\comet\Temp\CS3E9F.tmp
C:\Program Files\comet\Temp\CS3EA0.tmp
C:\Program Files\comet\Temp\CS3EA1.tmp
C:\Program Files\comet\Temp\CS3EA2.tmp
C:\Program Files\comet\Temp\CS3EA3.tmp
C:\Program Files\comet\Temp\CS3F.tmp
C:\Program Files\comet\Temp\CS3F3A.tmp
C:\Program Files\comet\Temp\CS3F3B.tmp
C:\Program Files\comet\Temp\CS3F3C.tmp
C:\Program Files\comet\Temp\CS3F3D.tmp
C:\Program Files\comet\Temp\CS3FA.tmp
C:\Program Files\comet\Temp\CS3FB.tmp
C:\Program Files\comet\Temp\CS3FC.tmp
C:\Program Files\comet\Temp\CS3FD.tmp
C:\Program Files\comet\Temp\CS3FD3.tmp
C:\Program Files\comet\Temp\CS3FD4.tmp
C:\Program Files\comet\Temp\CS3FD5.tmp
C:\Program Files\comet\Temp\CS3FD6.tmp
C:\Program Files\comet\Temp\CS3FE.tmp
C:\Program Files\comet\Temp\CS3FF.tmp
C:\Program Files\comet\Temp\CS400.tmp
C:\Program Files\comet\Temp\CS401.tmp
C:\Program Files\comet\Temp\CS402.tmp
C:\Program Files\comet\Temp\CS405.tmp
C:\Program Files\comet\Temp\CS406.tmp
C:\Program Files\comet\Temp\CS406D.tmp
C:\Program Files\comet\Temp\CS406E.tmp
C:\Program Files\comet\Temp\CS406F.tmp
C:\Program Files\comet\Temp\CS407.tmp
C:\Program Files\comet\Temp\CS4070.tmp
C:\Program Files\comet\Temp\CS4071.tmp
C:\Program Files\comet\Temp\CS4072.tmp
C:\Program Files\comet\Temp\CS4073.tmp
C:\Program Files\comet\Temp\CS4074.tmp
C:\Program Files\comet\Temp\CS4075.tmp
C:\Program Files\comet\Temp\CS408.tmp
C:\Program Files\comet\Temp\CS40F.tmp
C:\Program Files\comet\Temp\CS41.tmp
C:\Program Files\comet\Temp\CS410.tmp
C:\Program Files\comet\Temp\CS410C.tmp
C:\Program Files\comet\Temp\CS410D.tmp
C:\Program Files\comet\Temp\CS410E.tmp
C:\Program Files\comet\Temp\CS410F.tmp
C:\Program Files\comet\Temp\CS411.tmp
C:\Program Files\comet\Temp\CS412.tmp
C:\Program Files\comet\Temp\CS415.tmp
C:\Program Files\comet\Temp\CS416.tmp
C:\Program Files\comet\Temp\CS417.tmp
C:\Program Files\comet\Temp\CS418.tmp
C:\Program Files\comet\Temp\CS41A6.tmp
C:\Program Files\comet\Temp\CS41A7.tmp
C:\Program Files\comet\Temp\CS41A8.tmp
C:\Program Files\comet\Temp\CS41A9.tmp
C:\Program Files\comet\Temp\CS42.tmp
C:\Program Files\comet\Temp\CS43.tmp
C:\Program Files\comet\Temp\CS44.tmp
C:\Program Files\comet\Temp\CS45.tmp
C:\Program Files\comet\Temp\CS46.tmp
C:\Program Files\comet\Temp\CS47.tmp
C:\Program Files\comet\Temp\CS477.tmp
C:\Program Files\comet\Temp\CS478.tmp
C:\Program Files\comet\Temp\CS479.tmp
C:\Program Files\comet\Temp\CS47A.tmp
C:\Program Files\comet\Temp\CS48.tmp
C:\Program Files\comet\Temp\CS49.tmp
C:\Program Files\comet\Temp\CS49E.tmp
C:\Program Files\comet\Temp\CS49F.tmp
C:\Program Files\comet\Temp\CS4A.tmp
C:\Program Files\comet\Temp\CS4A0.tmp
C:\Program Files\comet\Temp\CS4A1.tmp
C:\Program Files\comet\Temp\CS4AA.tmp
C:\Program Files\comet\Temp\CS4AB.tmp
C:\Program Files\comet\Temp\CS4AC.tmp
C:\Program Files\comet\Temp\CS4AD.tmp
C:\Program Files\comet\Temp\CS4AE.tmp
C:\Program Files\comet\Temp\CS4AF.tmp
C:\Program Files\comet\Temp\CS4B0.tmp
C:\Program Files\comet\Temp\CS4B1.tmp
C:\Program Files\comet\Temp\CS4B2.tmp
C:\Program Files\comet\Temp\CS4B3.tmp
C:\Program Files\comet\Temp\CS4B4.tmp
C:\Program Files\comet\Temp\CS4B5.tmp
C:\Program Files\comet\Temp\CS4B6.tmp
C:\Program Files\comet\Temp\CS4F.tmp
C:\Program Files\comet\Temp\CS50.tmp
C:\Program Files\comet\Temp\CS5040.tmp
C:\Program Files\comet\Temp\CS5041.tmp
C:\Program Files\comet\Temp\CS5042.tmp
C:\Program Files\comet\Temp\CS5043.tmp
C:\Program Files\comet\Temp\CS5044.tmp
C:\Program Files\comet\Temp\CS5045.tmp
C:\Program Files\comet\Temp\CS5046.tmp
C:\Program Files\comet\Temp\CS5047.tmp
C:\Program Files\comet\Temp\CS5048.tmp
C:\Program Files\comet\Temp\CS50DF.tmp
C:\Program Files\comet\Temp\CS50E0.tmp
C:\Program Files\comet\Temp\CS50E1.tmp
C:\Program Files\comet\Temp\CS50E2.tmp
C:\Program Files\comet\Temp\CS51.tmp
C:\Program Files\comet\Temp\CS517A.tmp
C:\Program Files\comet\Temp\CS517B.tmp
C:\Program Files\comet\Temp\CS517C.tmp
C:\Program Files\comet\Temp\CS517D.tmp
C:\Program Files\comet\Temp\CS52.tmp
C:\Program Files\comet\Temp\CS5213.tmp
C:\Program Files\comet\Temp\CS5214.tmp
C:\Program Files\comet\Temp\CS5215.tmp
C:\Program Files\comet\Temp\CS5216.tmp
C:\Program Files\comet\Temp\CS52AE.tmp
C:\Program Files\comet\Temp\CS52AF.tmp
C:\Program Files\comet\Temp\CS52B0.tmp
C:\Program Files\comet\Temp\CS52B1.tmp
C:\Program Files\comet\Temp\CS52B2.tmp
C:\Program Files\comet\Temp\CS52B3.tmp
C:\Program Files\comet\Temp\CS52B4.tmp
C:\Program Files\comet\Temp\CS52B5.tmp
C:\Program Files\comet\Temp\CS52B6.tmp
C:\Program Files\comet\Temp\CS534E.tmp
C:\Program Files\comet\Temp\CS534F.tmp
C:\Program Files\comet\Temp\CS5350.tmp
C:\Program Files\comet\Temp\CS5351.tmp
C:\Program Files\comet\Temp\CS537.tmp
C:\Program Files\comet\Temp\CS538.tmp
C:\Program Files\comet\Temp\CS539.tmp
C:\Program Files\comet\Temp\CS53A.tmp
C:\Program Files\comet\Temp\CS53B.tmp
C:\Program Files\comet\Temp\CS53C.tmp
C:\Program Files\comet\Temp\CS53D.tmp
C:\Program Files\comet\Temp\CS53E.tmp
C:\Program Files\comet\Temp\CS53E8.tmp
C:\Program Files\comet\Temp\CS53E9.tmp
C:\Program Files\comet\Temp\CS53EA.tmp
C:\Program Files\comet\Temp\CS53EB.tmp
C:\Program Files\comet\Temp\CS53F.tmp
C:\Program Files\comet\Temp\CS5483.tmp
C:\Program Files\comet\Temp\CS5484.tmp
C:\Program Files\comet\Temp\CS5485.tmp
C:\Program Files\comet\Temp\CS5486.tmp
C:\Program Files\comet\Temp\CS5487.tmp
C:\Program Files\comet\Temp\CS5488.tmp
C:\Program Files\comet\Temp\CS5489.tmp
C:\Program Files\comet\Temp\CS548A.tmp
C:\Program Files\comet\Temp\CS548B.tmp
C:\Program Files\comet\Temp\CS54B.tmp
C:\Program Files\comet\Temp\CS54C.tmp
C:\Program Files\comet\Temp\CS54D.tmp
C:\Program Files\comet\Temp\CS54E.tmp
C:\Program Files\comet\Temp\CS54F.tmp
C:\Program Files\comet\Temp\CS55.tmp
C:\Program Files\comet\Temp\CS550.tmp
C:\Program Files\comet\Temp\CS551.tmp
C:\Program Files\comet\Temp\CS552.tmp
C:\Program Files\comet\Temp\CS5522.tmp
C:\Program Files\comet\Temp\CS5523.tmp
C:\Program Files\comet\Temp\CS5524.tmp
C:\Program Files\comet\Temp\CS5525.tmp
C:\Program Files\comet\Temp\CS55BD.tmp
C:\Program Files\comet\Temp\CS55BE.tmp
C:\Program Files\comet\Temp\CS55BF.tmp
C:\Program Files\comet\Temp\CS55C0.tmp
C:\Program Files\comet\Temp\CS56.tmp
C:\Program Files\comet\Temp\CS57.tmp
C:\Program Files\comet\Temp\CS58.tmp
C:\Program Files\comet\Temp\CS59.tmp
C:\Program Files\comet\Temp\CS5A.tmp
C:\Program Files\comet\Temp\CS5B.tmp
C:\Program Files\comet\Temp\CS5C.tmp
C:\Program Files\comet\Temp\CS5D.tmp
C:\Program Files\comet\Temp\CS5D7.tmp
C:\Program Files\comet\Temp\CS5D8.tmp
C:\Program Files\comet\Temp\CS5D9.tmp
C:\Program Files\comet\Temp\CS5DA.tmp
C:\Program Files\comet\Temp\CS5E3.tmp
C:\Program Files\comet\Temp\CS5E4.tmp
C:\Program Files\comet\Temp\CS5E5.tmp
C:\Program Files\comet\Temp\CS5E6.tmp
C:\Program Files\comet\Temp\CS5E8.tmp
C:\Program Files\comet\Temp\CS5E9.tmp
C:\Program Files\comet\Temp\CS5EA.tmp
C:\Program Files\comet\Temp\CS5EB.tmp
C:\Program Files\comet\Temp\CS5EC.tmp
C:\Program Files\comet\Temp\CS5ED.tmp
C:\Program Files\comet\Temp\CS5EE.tmp
C:\Program Files\comet\Temp\CS5F0.tmp
C:\Program Files\comet\Temp\CS5F1.tmp
C:\Program Files\comet\Temp\CS64.tmp
C:\Program Files\comet\Temp\CS6460.tmp
C:\Program Files\comet\Temp\CS6461.tmp
C:\Program Files\comet\Temp\CS6462.tmp
C:\Program Files\comet\Temp\CS6463.tmp
C:\Program Files\comet\Temp\CS6464.tmp
C:\Program Files\comet\Temp\CS6465.tmp
C:\Program Files\comet\Temp\CS6466.tmp
C:\Program Files\comet\Temp\CS6467.tmp
C:\Program Files\comet\Temp\CS6468.tmp
C:\Program Files\comet\Temp\CS64FE.tmp
C:\Program Files\comet\Temp\CS64FF.tmp
C:\Program Files\comet\Temp\CS6500.tmp
C:\Program Files\comet\Temp\CS6501.tmp
C:\Program Files\comet\Temp\CS6599.tmp
C:\Program Files\comet\Temp\CS659A.tmp
C:\Program Files\comet\Temp\CS659B.tmp
C:\Program Files\comet\Temp\CS659C.tmp
C:\Program Files\comet\Temp\CS6634.tmp
C:\Program Files\comet\Temp\CS6635.tmp
C:\Program Files\comet\Temp\CS6636.tmp
C:\Program Files\comet\Temp\CS6637.tmp
C:\Program Files\comet\Temp\CS66CF.tmp
C:\Program Files\comet\Temp\CS66D0.tmp
C:\Program Files\comet\Temp\CS66D1.tmp
C:\Program Files\comet\Temp\CS66D2.tmp
C:\Program Files\comet\Temp\CS66D3.tmp
C:\Program Files\comet\Temp\CS66D4.tmp
C:\Program Files\comet\Temp\CS66D5.tmp
C:\Program Files\comet\Temp\CS66D6.tmp
C:\Program Files\comet\Temp\CS66D7.tmp
C:\Program Files\comet\Temp\CS67.tmp
C:\Program Files\comet\Temp\CS676E.tmp
C:\Program Files\comet\Temp\CS676F.tmp
C:\Program Files\comet\Temp\CS6770.tmp
C:\Program Files\comet\Temp\CS6771.tmp
C:\Program Files\comet\Temp\CS6809.tmp
C:\Program Files\comet\Temp\CS680A.tmp
C:\Program Files\comet\Temp\CS680B.tmp
C:\Program Files\comet\Temp\CS680C.tmp
C:\Program Files\comet\Temp\CS689.tmp
C:\Program Files\comet\Temp\CS68A.tmp
C:\Program Files\comet\Temp\CS68A3.tmp
C:\Program Files\comet\Temp\CS68A4.tmp
C:\Program Files\comet\Temp\CS68A5.tmp
C:\Program Files\comet\Temp\CS68A6.tmp
C:\Program Files\comet\Temp\CS68A7.tmp
C:\Program Files\comet\Temp\CS68A8.tmp
C:\Program Files\comet\Temp\CS68A9.tmp
C:\Program Files\comet\Temp\CS68AA.tmp
C:\Program Files\comet\Temp\CS68AB.tmp
C:\Program Files\comet\Temp\CS68C.tmp
C:\Program Files\comet\Temp\CS68D.tmp
C:\Program Files\comet\Temp\CS6942.tmp
C:\Program Files\comet\Temp\CS6943.tmp
C:\Program Files\comet\Temp\CS6944.tmp
C:\Program Files\comet\Temp\CS6945.tmp
C:\Program Files\comet\Temp\CS69DC.tmp
C:\Program Files\comet\Temp\CS69DD.tmp
C:\Program Files\comet\Temp\CS69DE.tmp
C:\Program Files\comet\Temp\CS69DF.tmp
C:\Program Files\comet\Temp\CS6A.tmp
C:\Program Files\comet\Temp\CS6B.tmp
C:\Program Files\comet\Temp\CS7.tmp
C:\Program Files\comet\Temp\CS722.tmp
C:\Program Files\comet\Temp\CS723.tmp
C:\Program Files\comet\Temp\CS724.tmp
C:\Program Files\comet\Temp\CS725.tmp
C:\Program Files\comet\Temp\CS78.tmp
C:\Program Files\comet\Temp\CS7881.tmp
C:\Program Files\comet\Temp\CS7882.tmp
C:\Program Files\comet\Temp\CS7883.tmp
C:\Program Files\comet\Temp\CS7884.tmp
C:\Program Files\comet\Temp\CS7885.tmp
C:\Program Files\comet\Temp\CS7886.tmp
C:\Program Files\comet\Temp\CS7887.tmp
C:\Program Files\comet\Temp\CS7888.tmp
C:\Program Files\comet\Temp\CS7889.tmp
C:\Program Files\comet\Temp\CS791F.tmp
C:\Program Files\comet\Temp\CS7920.tmp
C:\Program Files\comet\Temp\CS7921.tmp
C:\Program Files\comet\Temp\CS7922.tmp
C:\Program Files\comet\Temp\CS79BA.tmp
C:\Program Files\comet\Temp\CS79BB.tmp
C:\Program Files\comet\Temp\CS79BC.tmp
C:\Program Files\comet\Temp\CS79BD.tmp
C:\Program Files\comet\Temp\CS7A56.tmp
C:\Program Files\comet\Temp\CS7A57.tmp
C:\Program Files\comet\Temp\CS7A58.tmp
C:\Program Files\comet\Temp\CS7A59.tmp
C:\Program Files\comet\Temp\CS7AF1.tmp
C:\Program Files\comet\Temp\CS7AF2.tmp
C:\Program Files\comet\Temp\CS7AF3.tmp
C:\Program Files\comet\Temp\CS7AF4.tmp
C:\Program Files\comet\Temp\CS7AF5.tmp
C:\Program Files\comet\Temp\CS7AF6.tmp
C:\Program Files\comet\Temp\CS7AF7.tmp
C:\Program Files\comet\Temp\CS7AF8.tmp
C:\Program Files\comet\Temp\CS7AF9.tmp
C:\Program Files\comet\Temp\CS7B90.tmp
C:\Program Files\comet\Temp\CS7B91.tmp
C:\Program Files\comet\Temp\CS7B92.tmp
C:\Program Files\comet\Temp\CS7B93.tmp
C:\Program Files\comet\Temp\CS7BC.tmp
C:\Program Files\comet\Temp\CS7BD.tmp
C:\Program Files\comet\Temp\CS7BE.tmp
C:\Program Files\comet\Temp\CS7BF.tmp
C:\Program Files\comet\Temp\CS7C0.tmp
C:\Program Files\comet\Temp\CS7C1.tmp
C:\Program Files\comet\Temp\CS7C2.tmp
C:\Program Files\comet\Temp\CS7C2B.tmp
C:\Program Files\comet\Temp\CS7C2C.tmp
C:\Program Files\comet\Temp\CS7C2D.tmp
C:\Program Files\comet\Temp\CS7C2E.tmp
C:\Program Files\comet\Temp\CS7C3.tmp
C:\Program Files\comet\Temp\CS7C5.tmp
C:\Program Files\comet\Temp\CS7CC5.tmp
C:\Program Files\comet\Temp\CS7CC6.tmp
C:\Program Files\comet\Temp\CS7CC7.tmp
C:\Program Files\comet\Temp\CS7CC8.tmp
C:\Program Files\comet\Temp\CS7D5F.tmp
C:\Program Files\comet\Temp\CS7D60.tmp
C:\Program Files\comet\Temp\CS7D61.tmp
C:\Program Files\comet\Temp\CS7D62.tmp
C:\Program Files\comet\Temp\CS7D63.tmp
C:\Program Files\comet\Temp\CS7D64.tmp
C:\Program Files\comet\Temp\CS7D65.tmp
C:\Program Files\comet\Temp\CS7D66.tmp
C:\Program Files\comet\Temp\CS7D67.tmp
C:\Program Files\comet\Temp\CS7DFF.tmp
C:\Program Files\comet\Temp\CS7E00.tmp
C:\Program Files\comet\Temp\CS7E01.tmp
C:\Program Files\comet\Temp\CS7E02.tmp
C:\Program Files\comet\Temp\CS8.tmp
C:\Program Files\comet\Temp\CS81.tmp
C:\Program Files\comet\Temp\CS852.tmp
C:\Program Files\comet\Temp\CS853.tmp
C:\Program Files\comet\Temp\CS854.tmp
C:\Program Files\comet\Temp\CS856.tmp
C:\Program Files\comet\Temp\CS857.tmp
C:\Program Files\comet\Temp\CS858.tmp
C:\Program Files\comet\Temp\CS859.tmp
C:\Program Files\comet\Temp\CS85A.tmp
C:\Program Files\comet\Temp\CS85B.tmp
C:\Program Files\comet\Temp\CS85C.tmp
C:\Program Files\comet\Temp\CS85D.tmp
C:\Program Files\comet\Temp\CS85E.tmp
C:\Program Files\comet\Temp\CS85F.tmp
C:\Program Files\comet\Temp\CS88.tmp
C:\Program Files\comet\Temp\CS8B76.tmp
C:\Program Files\comet\Temp\CS8B77.tmp
C:\Program Files\comet\Temp\CS8B78.tmp
C:\Program Files\comet\Temp\CS8B79.tmp
C:\Program Files\comet\Temp\CS8B7A.tmp
C:\Program Files\comet\Temp\CS8B7B.tmp
C:\Program Files\comet\Temp\CS8B7C.tmp
C:\Program Files\comet\Temp\CS8B7E.tmp
C:\Program Files\comet\Temp\CS8B7F.tmp
C:\Program Files\comet\Temp\CS8C0F.tmp
C:\Program Files\comet\Temp\CS8C10.tmp
C:\Program Files\comet\Temp\CS8C12.tmp
C:\Program Files\comet\Temp\CS8C13.tmp
C:\Program Files\comet\Temp\CS8C7F.tmp
C:\Program Files\comet\Temp\CS8C80.tmp
C:\Program Files\comet\Temp\CS8C81.tmp
C:\Program Files\comet\Temp\CS8C82.tmp
C:\Program Files\comet\Temp\CS8CEA.tmp
C:\Program Files\comet\Temp\CS8CEB.tmp
C:\Program Files\comet\Temp\CS8CEC.tmp
C:\Program Files\comet\Temp\CS8CED.tmp
C:\Program Files\comet\Temp\CS8CEE.tmp
C:\Program Files\comet\Temp\CS8CEF.tmp
C:\Program Files\comet\Temp\CS8CF0.tmp
C:\Program Files\comet\Temp\CS8CF2.tmp
C:\Program Files\comet\Temp\CS8CF3.tmp
C:\Program Files\comet\Temp\CS8D5E.tmp
C:\Program Files\comet\Temp\CS8D5F.tmp
C:\Program Files\comet\Temp\CS8D60.tmp
C:\Program Files\comet\Temp\CS8D61.tmp
C:\Program Files\comet\Temp\CS8DDA.tmp
C:\Program Files\comet\Temp\CS8DDB.tmp
C:\Program Files\comet\Temp\CS8DDD.tmp
C:\Program Files\comet\Temp\CS8DDE.tmp
C:\Program Files\comet\Temp\CS8E4A.tmp
C:\Program Files\comet\Temp\CS8E4B.tmp
C:\Program Files\comet\Temp\CS8E4C.tmp
C:\Program Files\comet\Temp\CS8E4E.tmp
C:\Program Files\comet\Temp\CS8E4F.tmp
C:\Program Files\comet\Temp\CS8E50.tmp
C:\Program Files\comet\Temp\CS8E51.tmp
C:\Program Files\comet\Temp\CS8E52.tmp
C:\Program Files\comet\Temp\CS8E53.tmp
C:\Program Files\comet\Temp\CS8EB8.tmp
C:\Program Files\comet\Temp\CS8EB9.tmp
C:\Program Files\comet\Temp\CS8EBA.tmp
C:\Program Files\comet\Temp\CS8EBB.tmp
C:\Program Files\comet\Temp\CS8F.tmp
C:\Program Files\comet\Temp\CS8F4F.tmp
C:\Program Files\comet\Temp\CS8F50.tmp
C:\Program Files\comet\Temp\CS8F51.tmp
C:\Program Files\comet\Temp\CS8F52.tmp
C:\Program Files\comet\Temp\CS8F7.tmp
C:\Program Files\comet\Temp\CS8F8.tmp
C:\Program Files\comet\Temp\CS8F9.tmp
C:\Program Files\comet\Temp\CS8FA.tmp
C:\Program Files\comet\Temp\CS9.tmp
C:\Program Files\comet\Temp\CS90.tmp
C:\Program Files\comet\Temp\CS9E13.tmp
C:\Program Files\comet\Temp\CS9E14.tmp
C:\Program Files\comet\Temp\CS9E15.tmp
C:\Program Files\comet\Temp\CS9E16.tmp
C:\Program Files\comet\Temp\CS9E17.tmp
C:\Program Files\comet\Temp\CS9E18.tmp
C:\Program Files\comet\Temp\CS9E19.tmp
C:\Program Files\comet\Temp\CS9E1B.tmp
C:\Program Files\comet\Temp\CS9E1C.tmp
C:\Program Files\comet\Temp\CS9EAF.tmp
C:\Program Files\comet\Temp\CS9EB0.tmp
C:\Program Files\comet\Temp\CS9EB2.tmp
C:\Program Files\comet\Temp\CS9EB3.tmp
C:\Program Files\comet\Temp\CS9F49.tmp
C:\Program Files\comet\Temp\CS9F4A.tmp
C:\Program Files\comet\Temp\CS9F4B.tmp
C:\Program Files\comet\Temp\CS9F4C.tmp
C:\Program Files\comet\Temp\CS9FE7.tmp
C:\Program Files\comet\Temp\CS9FE8.tmp
C:\Program Files\comet\Temp\CS9FEA.tmp
C:\Program Files\comet\Temp\CS9FEB.tmp
C:\Program Files\comet\Temp\CSA.tmp
C:\Program Files\comet\Temp\CSA089.tmp
C:\Program Files\comet\Temp\CSA08A.tmp
C:\Program Files\comet\Temp\CSA08B.tmp
C:\Program Files\comet\Temp\CSA08C.tmp
C:\Program Files\comet\Temp\CSA125.tmp
C:\Program Files\comet\Temp\CSA126.tmp
C:\Program Files\comet\Temp\CSA127.tmp
C:\Program Files\comet\Temp\CSA128.tmp
C:\Program Files\comet\Temp\CSA1BF.tmp
C:\Program Files\comet\Temp\CSA1C0.tmp
C:\Program Files\comet\Temp\CSA1C1.tmp
C:\Program Files\comet\Temp\CSA1C2.tmp
C:\Program Files\comet\Temp\CSA25A.tmp
C:\Program Files\comet\Temp\CSA25B.tmp
C:\Program Files\comet\Temp\CSA25C.tmp
C:\Program Files\comet\Temp\CSA25D.tmp
C:\Program Files\comet\Temp\CSA25E.tmp
C:\Program Files\comet\Temp\CSA25F.tmp
C:\Program Files\comet\Temp\CSA260.tmp
C:\Program Files\comet\Temp\CSA261.tmp
C:\Program Files\comet\Temp\CSA262.tmp
C:\Program Files\comet\Temp\CSA2FA.tmp
C:\Program Files\comet\Temp\CSA2FB.tmp
C:\Program Files\comet\Temp\CSA2FC.tmp
C:\Program Files\comet\Temp\CSA2FD.tmp
C:\Program Files\comet\Temp\CSAF.tmp
C:\Program Files\comet\Temp\CSB.tmp
C:\Program Files\comet\Temp\CSB0.tmp
C:\Program Files\comet\Temp\CSB1.tmp
C:\Program Files\comet\Temp\CSB2.tmp
C:\Program Files\comet\Temp\CSB255.tmp
C:\Program Files\comet\Temp\CSB256.tmp
C:\Program Files\comet\Temp\CSB257.tmp
C:\Program Files\comet\Temp\CSB258.tmp
C:\Program Files\comet\Temp\CSB259.tmp
C:\Program Files\comet\Temp\CSB25A.tmp
C:\Program Files\comet\Temp\CSB25B.tmp
C:\Program Files\comet\Temp\CSB25C.tmp
C:\Program Files\comet\Temp\CSB25D.tmp
C:\Program Files\comet\Temp\CSB2F2.tmp
C:\Program Files\comet\Temp\CSB2F3.tmp
C:\Program Files\comet\Temp\CSB2F4.tmp
C:\Program Files\comet\Temp\CSB2F5.tmp
C:\Program Files\comet\Temp\CSB38D.tmp
C:\Program Files\comet\Temp\CSB38E.tmp
C:\Program Files\comet\Temp\CSB38F.tmp
C:\Program Files\comet\Temp\CSB390.tmp
C:\Program Files\comet\Temp\CSB427.tmp
C:\Program Files\comet\Temp\CSB428.tmp
C:\Program Files\comet\Temp\CSB429.tmp
C:\Program Files\comet\Temp\CSB42A.tmp
C:\Program Files\comet\Temp\CSB4C1.tmp
C:\Program Files\comet\Temp\CSB4C2.tmp
C:\Program Files\comet\Temp\CSB4C3.tmp
C:\Program Files\comet\Temp\CSB4C4.tmp
C:\Program Files\comet\Temp\CSB4C5.tmp
C:\Program Files\comet\Temp\CSB4C6.tmp
C:\Program Files\comet\Temp\CSB4C7.tmp
C:\Program Files\comet\Temp\CSB4C8.tmp
C:\Program Files\comet\Temp\CSB4CA.tmp
C:\Program Files\comet\Temp\CSB561.tmp
C:\Program Files\comet\Temp\CSB562.tmp
C:\Program Files\comet\Temp\CSB563.tmp
C:\Program Files\comet\Temp\CSB565.tmp
C:\Program Files\comet\Temp\CSB5FA.tmp
C:\Program Files\comet\Temp\CSB5FB.tmp
C:\Program Files\comet\Temp\CSB5FD.tmp
C:\Program Files\comet\Temp\CSB5FE.tmp
C:\Program Files\comet\Temp\CSB696.tmp
C:\Program Files\comet\Temp\CSB697.tmp
C:\Program Files\comet\Temp\CSB698.tmp
C:\Program Files\comet\Temp\CSB699.tmp
C:\Program Files\comet\Temp\CSB69A.tmp
C:\Program Files\comet\Temp\CSB69B.tmp
C:\Program Files\comet\Temp\CSB69C.tmp
C:\Program Files\comet\Temp\CSB69E.tmp
C:\Program Files\comet\Temp\CSB69F.tmp
C:\Program Files\comet\Temp\CSB735.tmp
C:\Program Files\comet\Temp\CSB736.tmp
C:\Program Files\comet\Temp\CSB738.tmp
C:\Program Files\comet\Temp\CSB739.tmp
C:\Program Files\comet\Temp\CSB7D0.tmp
C:\Program Files\comet\Temp\CSB7D1.tmp
C:\Program Files\comet\Temp\CSB7D2.tmp
C:\Program Files\comet\Temp\CSB7D3.tmp
C:\Program Files\comet\Temp\CSBF.tmp
C:\Program Files\comet\Temp\CSC.tmp
C:\Program Files\comet\Temp\CSC0.tmp
C:\Program Files\comet\Temp\CSC1.tmp
C:\Program Files\comet\Temp\CSC698.tmp
C:\Program Files\comet\Temp\CSC699.tmp
C:\Program Files\comet\Temp\CSC69A.tmp
C:\Program Files\comet\Temp\CSC69B.tmp
C:\Program Files\comet\Temp\CSC69C.tmp
C:\Program Files\comet\Temp\CSC69D.tmp
C:\Program Files\comet\Temp\CSC69E.tmp
C:\Program Files\comet\Temp\CSC69F.tmp
C:\Program Files\comet\Temp\CSC736.tmp
C:\Program Files\comet\Temp\CSC737.tmp
C:\Program Files\comet\Temp\CSC738.tmp
C:\Program Files\comet\Temp\CSC739.tmp
C:\Program Files\comet\Temp\CSC7D2.tmp
C:\Program Files\comet\Temp\CSC7D3.tmp
C:\Program Files\comet\Temp\CSC7D4.tmp
C:\Program Files\comet\Temp\CSC7D5.tmp
C:\Program Files\comet\Temp\CSC86F.tmp
C:\Program Files\comet\Temp\CSC870.tmp
C:\Program Files\comet\Temp\CSC871.tmp
C:\Program Files\comet\Temp\CSC872.tmp
C:\Program Files\comet\Temp\CSC90B.tmp
C:\Program Files\comet\Temp\CSC90C.tmp
C:\Program Files\comet\Temp\CSC90D.tmp
C:\Program Files\comet\Temp\CSC90E.tmp
C:\Program Files\comet\Temp\CSC90F.tmp
C:\Program Files\comet\Temp\CSC910.tmp
C:\Program Files\comet\Temp\CSC911.tmp
C:\Program Files\comet\Temp\CSC912.tmp
C:\Program Files\comet\Temp\CSCA.tmp
C:\Program Files\comet\Temp\CSCA44.tmp
C:\Program Files\comet\Temp\CSCA45.tmp
C:\Program Files\comet\Temp\CSCA46.tmp
C:\Program Files\comet\Temp\CSCA47.tmp
C:\Program Files\comet\Temp\CSCAE0.tmp
C:\Program Files\comet\Temp\CSCAE1.tmp
C:\Program Files\comet\Temp\CSCAE3.tmp
C:\Program Files\comet\Temp\CSCAE4.tmp
C:\Program Files\comet\Temp\CSCAE5.tmp
C:\Program Files\comet\Temp\CSCAE6.tmp
C:\Program Files\comet\Temp\CSCAE7.tmp
C:\Program Files\comet\Temp\CSCAE8.tmp
C:\Program Files\comet\Temp\CSCB.tmp
C:\Program Files\comet\Temp\CSCB81.tmp
C:\Program Files\comet\Temp\CSCB82.tmp
C:\Program Files\comet\Temp\CSCB84.tmp
C:\Program Files\comet\Temp\CSCB85.tmp
C:\Program Files\comet\Temp\CSCC.tmp
C:\Program Files\comet\Temp\CSCC1E.tmp
C:\Program Files\comet\Temp\CSCC1F.tmp
C:\Program Files\comet\Temp\CSCC21.tmp
C:\Program Files\comet\Temp\CSCC22.tmp
C:\Program Files\comet\Temp\CSCD.tmp
C:\Program Files\comet\Temp\CSD.tmp
C:\Program Files\comet\Temp\CSDB00.tmp
C:\Program Files\comet\Temp\CSDB01.tmp
C:\Program Files\comet\Temp\CSDB02.tmp
C:\Program Files\comet\Temp\CSDB03.tmp
C:\Program Files\comet\Temp\CSDB04.tmp
C:\Program Files\comet\Temp\CSDB05.tmp
C:\Program Files\comet\Temp\CSDB06.tmp
C:\Program Files\comet\Temp\CSDB07.tmp
C:\Program Files\comet\Temp\CSDB08.tmp
C:\Program Files\comet\Temp\CSDB9F.tmp
C:\Program Files\comet\Temp\CSDBA0.tmp
C:\Program Files\comet\Temp\CSDBA1.tmp
C:\Program Files\comet\Temp\CSDBA2.tmp
C:\Program Files\comet\Temp\CSDC3B.tmp
C:\Program Files\comet\Temp\CSDC3C.tmp
C:\Program Files\comet\Temp\CSDC3D.tmp
C:\Program Files\comet\Temp\CSDC3E.tmp
C:\Program Files\comet\Temp\CSDCD8.tmp
C:\Program Files\comet\Temp\CSDCD9.tmp
C:\Program Files\comet\Temp\CSDCDA.tmp
C:\Program Files\comet\Temp\CSDCDB.tmp
C:\Program Files\comet\Temp\CSDD74.tmp
C:\Program Files\comet\Temp\CSDD75.tmp
C:\Program Files\comet\Temp\CSDD76.tmp
C:\Program Files\comet\Temp\CSDD77.tmp
C:\Program Files\comet\Temp\CSDD78.tmp
C:\Program Files\comet\Temp\CSDD79.tmp
C:\Program Files\comet\Temp\CSDD7A.tmp
C:\Program Files\comet\Temp\CSDD7B.tmp
C:\Program Files\comet\Temp\CSDD7C.tmp
C:\Program Files\comet\Temp\CSDE16.tmp
C:\Program Files\comet\Temp\CSDE17.tmp
C:\Program Files\comet\Temp\CSDE18.tmp
C:\Program Files\comet\Temp\CSDE19.tmp
C:\Program Files\comet\Temp\CSDEB2.tmp
C:\Program Files\comet\Temp\CSDEB3.tmp
C:\Program Files\comet\Temp\CSDEB5.tmp
C:\Program Files\comet\Temp\CSDEB6.tmp
C:\Program Files\comet\Temp\CSDF4F.tmp
C:\Program Files\comet\Temp\CSDF50.tmp
C:\Program Files\comet\Temp\CSDF51.tmp
C:\Program Files\comet\Temp\CSDF52.tmp
C:\Program Files\comet\Temp\CSDF53.tmp
C:\Program Files\comet\Temp\CSDF54.tmp
C:\Program Files\comet\Temp\CSDF55.tmp
C:\Program Files\comet\Temp\CSDF56.tmp
C:\Program Files\comet\Temp\CSDF57.tmp
C:\Program Files\comet\Temp\CSDFF0.tmp
C:\Program Files\comet\Temp\CSDFF1.tmp
C:\Program Files\comet\Temp\CSDFF2.tmp
C:\Program Files\comet\Temp\CSDFF4.tmp
C:\Program Files\comet\Temp\CSE.tmp
C:\Program Files\comet\Temp\CSE08C.tmp
C:\Program Files\comet\Temp\CSE08D.tmp
C:\Program Files\comet\Temp\CSE08E.tmp
C:\Program Files\comet\Temp\CSE08F.tmp
C:\Program Files\comet\Temp\CSEF2A.tmp
C:\Program Files\comet\Temp\CSEF2B.tmp
C:\Program Files\comet\Temp\CSEF2C.tmp
C:\Program Files\comet\Temp\CSEF2D.tmp
C:\Program Files\comet\Temp\CSEF2E.tmp
C:\Program Files\comet\Temp\CSEF2F.tmp
C:\Program Files\comet\Temp\CSEF30.tmp
C:\Program Files\comet\Temp\CSEF32.tmp
C:\Program Files\comet\Temp\CSEF33.tmp
C:\Program Files\comet\Temp\CSEFC3.tmp
C:\Program Files\comet\Temp\CSEFC4.tmp
C:\Program Files\comet\Temp\CSEFC5.tmp
C:\Program Files\comet\Temp\CSEFC6.tmp
C:\Program Files\comet\Temp\CSF.tmp
C:\Program Files\comet\Temp\CSF05E.tmp
C:\Program Files\comet\Temp\CSF05F.tmp
C:\Program Files\comet\Temp\CSF061.tmp
C:\Program Files\comet\Temp\CSF062.tmp
C:\Program Files\comet\Temp\CSF0FA.tmp
C:\Program Files\comet\Temp\CSF0FB.tmp
C:\Program Files\comet\Temp\CSF0FC.tmp
C:\Program Files\comet\Temp\CSF0FD.tmp
C:\Program Files\comet\Temp\CSF196.tmp
C:\Program Files\comet\Temp\CSF197.tmp
C:\Program Files\comet\Temp\CSF198.tmp
C:\Program Files\comet\Temp\CSF199.tmp
C:\Program Files\comet\Temp\CSF19A.tmp
C:\Program Files\comet\Temp\CSF19B.tmp
C:\Program Files\comet\Temp\CSF19C.tmp
C:\Program Files\comet\Temp\CSF19D.tmp
C:\Program Files\comet\Temp\CSF19E.tmp
C:\Program Files\comet\Temp\CSF236.tmp
C:\Program Files\comet\Temp\CSF237.tmp
C:\Program Files\comet\Temp\CSF238.tmp
C:\Program Files\comet\Temp\CSF239.tmp
C:\Program Files\comet\Temp\CSF2D1.tmp
C:\Program Files\comet\Temp\CSF2D2.tmp
C:\Program Files\comet\Temp\CSF2D3.tmp
C:\Program Files\comet\Temp\CSF2D4.tmp
C:\Program Files\comet\Temp\CSF36D.tmp
C:\Program Files\comet\Temp\CSF36E.tmp
C:\Program Files\comet\Temp\CSF36F.tmp
C:\Program Files\comet\Temp\CSF370.tmp
C:\Program Files\comet\Temp\CSF409.tmp
C:\Program Files\comet\Temp\CSF40A.tmp
C:\Program Files\comet\Temp\CSF40B.tmp
C:\Program Files\comet\Temp\CSF40C.tmp
C:\Program Files\comet\Temp\CSF40D.tmp
C:\Program Files\comet\Temp\CSF40E.tmp
C:\Program Files\comet\Temp\CSF40F.tmp
C:\Program Files\comet\Temp\CSF410.tmp
C:\Program Files\comet\Temp\CSF411.tmp
C:\Program Files\comet\Temp\CSF4AA.tmp
C:\Program Files\comet\Temp\CSF4AB.tmp
C:\Program Files\comet\Temp\CSF4AD.tmp
C:\Program Files\comet\Temp\CSF4AE.tmp
C:\Program Files\comet\Temp\intro.js
C:\Program Files\comet\Uninstall\un_adzap.xml
C:\Program Files\comet\Uninstall\un_autosearch.xml
C:\Program Files\comet\Uninstall\un_errorsearch.xml
C:\Program Files\comet\Uninstall\un_funbutton.xml
C:\Program Files\comet\Uninstall\un_platform.xml
C:\Program Files\comet\Uninstall\un_refbutton.xml
C:\Program Files\comet\Uninstall\un_relatedsearch.xml
C:\Program Files\comet\Uninstall\un_screensaver.xml
C:\Program Files\comet\Uninstall\un_searchassist.xml
C:\Program Files\comet\Uninstall\un_smileytown.xml
C:\Program Files\comet\Uninstall\un_travel.xml
C:\Program Files\comet\Uninstall\un_webbutton.xml
C:\Program Files\comet\Update\travelbutton.bmp
C:\Program Files\comet\Update\un_travelbutton.xml
C:\Program Files\Common Files\{38F8D~1
C:\Program Files\Common Files\{38F8D~1\Bar888.dll
C:\Program Files\Common Files\{38F8D~1\toolbardll.lzma
C:\Program Files\Common Files\{38F8D~1\UnInstall.exe
C:\Program Files\Common Files\{E8F8D~1
C:\Program Files\Common Files\{E8F8D~1\system.dll
C:\Program Files\Common Files\{E8F8D~1\Update.exe
C:\Program Files\Common Files\{E8F8D~2
C:\Program Files\Common Files\{E8F8D~2\system.dll
C:\Program Files\Common Files\{E8F8D~2\Update.exe
C:\Program Files\Common Files\companion wizard
C:\Program Files\Common Files\Companion Wizard\compwiz.exe
C:\Program Files\Common Files\companion wizard\compwiz.exe
C:\Program Files\Common Files\Companion Wizard\WapCHK.dll
C:\Program Files\Common Files\companion wizard\WapCHK.dll
C:\Program Files\Common Files\drivecleaner free
C:\Program Files\Common Files\drivecleaner free\udcpas.exe
C:\Program Files\Common Files\drivecleaner free\udcsdr.exe
C:\Program Files\Common Files\mantec~1
C:\Program Files\Common Files\smante~1
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\WinAntiSpyware 2007 Free
C:\Program Files\Common Files\WinAntiSpyware 2007 Free\uwasdc.exe
C:\Program Files\Common Files\WinAntiSpyware 2007 Free\uwasers.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\uwas7cw.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe
C:\Program Files\Common Files\winantispyware 2007\WAS7Mon.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\Program Files\Common Files\winantivirus pro 2007
C:\Program Files\Common Files\WinAntiVirus Pro 2007\err.log
C:\Program Files\Common Files\winantivirus pro 2007\err.log
C:\Program Files\Common Files\winantivirus pro 2007\uwa7pcw.exe
C:\Program Files\Common Files\WinAntiVirus Pro 2007\uwa7pcw.exe
C:\Program Files\Common Files\winantivirus pro 2007\WAPChk.dll
C:\Program Files\Common Files\WinAntiVirus Pro 2007\WAPChk.dll
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1275OinAdmin.exe
C:\Program Files\Common Files\Yazzle1275OinUninstaller.exe
C:\Program Files\DriveCleaner Free
C:\Program Files\DriveCleaner Free\sr.log
C:\Program Files\inetget2
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\pppatc~1
C:\Program Files\pppatc~1\m?config.exe
C:\Program Files\screensavers.com
C:\Program Files\screensavers.com\Installer\bin\iebyterange.xml
C:\Program Files\screensavers.com\Installer\bin\iebyterange.xml.backup
C:\Program Files\screensavers.com\Installer\bin\ScreensaversInst.dll
C:\Program Files\screensavers.com\Installer\bin\siuninst.exe
C:\Program Files\screensavers.com\Wallpaper\Jack O`Lanterns .jpg
C:\Program Files\screensavers.com\Wallpaper\swpstart.exe
C:\Program Files\sstem3~1
C:\Program Files\webhancer
C:\Program Files\webhancer\Programs\license.txt
C:\Program Files\webhancer\Programs\readme.txt
C:\Program Files\webhancer\Programs\SET253E.tmp
C:\Program Files\webhancer\Programs\SET2540.tmp
C:\Program Files\webhancer\Programs\SET2544.tmp
C:\Program Files\webhancer\Programs\SET2546.tmp
C:\Program Files\webhancer\Programs\SET2548.tmp
C:\Program Files\webhancer\Programs\SET32C.tmp
C:\Program Files\webhancer\Programs\SET32E.tmp
C:\Program Files\webhancer\Programs\SET330.tmp
C:\Program Files\webhancer\Programs\sporder.dll
C:\Program Files\webhancer\Programs\whAgent.ini
C:\Program Files\webhancer\Programs\whinstaller.exe
C:\Program Files\wnsxs~1
C:\qqd.sys
C:\WA7P
C:\WINDOWS\DOWNLO~1\UDC6_0001_D19M1908NetInstaller.exe
C:\WINDOWS\DOWNLO~1\USDR6_0001_D19M2108NetInstaller.exe
C:\WINDOWS\DOWNLO~1\UWA7P_0001_N91M0809NetInstaller.exe
C:\WINDOWS\DOWNLO~1\UWAS7_0001_N91M1112NetInstaller.exe
C:\WINDOWS\inf\cc_43.inf
C:\WINDOWS\notedad.exe
C:\WINDOWS\reginig_ingen.exe
C:\WINDOWS\reginig_unknown.exe
C:\WINDOWS\retadpu572.exe
C:\WINDOWS\smante~1
C:\WINDOWS\spooldr.exe
C:\WINDOWS\system32\9_exception.nls
C:\WINDOWS\system32\agmjtyxr.exe
C:\WINDOWS\system32\akldhhet.exe
C:\WINDOWS\system32\aligdxio.exe
C:\WINDOWS\system32\bgnrxmuv.exe
C:\WINDOWS\system32\buqdgmvl.exe
C:\WINDOWS\system32\cdmtwnte.exe
C:\WINDOWS\system32\dhpr.dll
C:\WINDOWS\system32\dorcslcf.exe
C:\WINDOWS\system32\dplmfigp.exe
C:\WINDOWS\system32\drivers\asc3550u.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\drivers\runtime2.sys
C:\WINDOWS\system32\drivers\SECDRV.SYS
C:\WINDOWS\SYSTEM32\erjwcumn.ini
C:\windows\system32\explorer.exe
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\system32\fwnfnfrs.exe
C:\WINDOWS\system32\gebawxx.dll
C:\WINDOWS\system32\gmc.exe.exe
C:\WINDOWS\system32\gtsswmal.dll
C:\WINDOWS\system32\gxfpafqc.exe
C:\WINDOWS\system32\hdpwttfd.exe
C:\WINDOWS\system32\hyntgeab.exe
C:\WINDOWS\system32\iexplorer.dll .dbt
C:\WINDOWS\system32\ifiexjqx.exe
C:\WINDOWS\system32\inaaq.dll
C:\WINDOWS\system32\iwdesweo.exe
C:\WINDOWS\system32\iyxchisd.exe
C:\WINDOWS\system32\jkrqbnfo.exe
C:\WINDOWS\system32\kdlgdgfc.exe
C:\WINDOWS\system32\koos.exe
C:\WINDOWS\system32\kprof
C:\WINDOWS\SYSTEM32\lamwsstg.ini
C:\WINDOWS\system32\lflujkni.exe
C:\WINDOWS\system32\lsdbrjic.exe
C:\WINDOWS\system32\mp43.exe
C:\WINDOWS\system32\mtlcnlic.exe
C:\WINDOWS\system32\mvsfyvix.exe
C:\WINDOWS\system32\nfewcwll.exe
C:\WINDOWS\system32\njsrwthr.exe
C:\WINDOWS\system32\nmucwjre.dll
C:\WINDOWS\system32\nokaagap.exe
C:\WINDOWS\system32\nwbawbig.exe
C:\WINDOWS\system32\poof
C:\WINDOWS\system32\pymaguau.exe
C:\WINDOWS\system32\qkkfydku.exe
C:\WINDOWS\system32\qwerty12.exe
C:\WINDOWS\system32\redmuhcg.exe
C:\WINDOWS\system32\reginif_ingen.exe
C:\WINDOWS\system32\reginig_ingen.exe
C:\WINDOWS\system32\reginig_unknown.exe
C:\WINDOWS\system32\rjlufbow.exe
C:\WINDOWS\system32\s.dll
C:\WINDOWS\system32\sgisbgme.exe
C:\WINDOWS\system32\sifdkkxn.exe
C:\WINDOWS\system32\smante~1
C:\WINDOWS\system32\smante~1\u?erinit.exe
C:\WINDOWS\system32\spooldr.sys
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\svchosts.exe
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\tkdmgocf.exe
C:\WINDOWS\system32\tksseull.exe
C:\WINDOWS\system32\tlarjwlw.exe
C:\WINDOWS\system32\tlpoyorg.exe
C:\WINDOWS\system32\tmahdhrn.exe
C:\WINDOWS\system32\udnlmvfm.exe
C:\WINDOWS\system32\uhhnfgst.exe
C:\WINDOWS\system32\uhibxlwu.exe
C:\WINDOWS\system32\unsvchosts.lzma
C:\WINDOWS\SYSTEM32\utstv.bak1
C:\WINDOWS\SYSTEM32\utstv.bak2
C:\WINDOWS\SYSTEM32\utstv.ini
C:\WINDOWS\SYSTEM32\utstv.ini2
C:\WINDOWS\SYSTEM32\utstv.tmp
C:\WINDOWS\system32\uyipagrn.exe
C:\WINDOWS\system32\vhcqxons.exe
C:\WINDOWS\system32\vhkimsyb.exe
C:\WINDOWS\system32\vtstu.dll
C:\WINDOWS\system32\vxxypakp.exe
C:\WINDOWS\system32\winnb58.dll
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\wkrcoype.exe
C:\WINDOWS\system32\wnnlegfj.exe
C:\WINDOWS\system32\wnscpcc.exe
C:\WINDOWS\system32\wnscpisv32.exe
C:\WINDOWS\system32\wwwyb.dll
C:\WINDOWS\system32\xxvqvqwx.exe
C:\WINDOWS\system32\yiyisrfk.dll
C:\WINDOWS\system32\ymbols~1
C:\WINDOWS\system32\ymbols~1\?ymbols\
C:\WINDOWS\system32\ymbols~1\ping.exe
C:\winstall.exe
Restored copy from - c:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ndis.sys



((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_COM+_MESSAGES
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN
-------\LEGACY_FWDRV.SYS
-------\LEGACY_ICF
-------\LEGACY_POOF
-------\LEGACY_QQD.SYS
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\LEGACY_SYSLIBRARY
-------\LEGACY_VSPF
-------\LEGACY_VSPF_HK
-------\ApiMon
-------\COM+ Messages
-------\core
-------\DomainService
-------\fwdrv.sys
-------\ICF
-------\qqd.sys
-------\runtime
-------\SysLibrary
-------\vspf
-------\vspf_hk


((((((((((((((((((((((((( Files Created from 2007-07-19 to 2007-08-19 )))))))))))))))))))))))))))))))


2007-08-19 14:02 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-19 07:37 21,312 --a------ C:\WINDOWS\choice.exe
2007-08-19 07:14 118,784 --a------ C:\WINDOWS\SYSTEM32\MSSTDFMT.DLL
2007-08-19 07:14 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-17 20:37 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-08-16 13:02 81,320 --a------ C:\Program Files\Uninstall.exe
2007-08-16 13:02 79,408 --a------ C:\Program Files\shellexecutehook.dll
2007-08-16 13:02 6,731,312 --a------ C:\Program Files\avgas.exe
2007-08-16 13:02 6,469,352 --a------ C:\Program Files\avgas-setup-7.5.0.50.exe
2007-08-16 13:02 6,380 --a------ C:\Program Files\clsid.dat
2007-08-16 13:02 448,048 --a------ C:\Program Files\engine.dll
2007-08-16 13:02 312,880 --a------ C:\Program Files\guard.exe
2007-08-16 13:02 261,680 --a------ C:\Program Files\context64.dll
2007-08-16 13:02 18,494 --a------ C:\Program Files\heuristic.dat
2007-08-16 13:02 144,944 --a------ C:\Program Files\context.dll
2007-08-16 13:02 14,072 --a------ C:\Program Files\avgasc64.sys
2007-08-16 13:02 126,512 --a------ C:\Program Files\shellexecutehook64.dll
2007-08-16 13:02 12,024 --a------ C:\Program Files\guard64.sys
2007-08-16 13:02 11,000 --a------ C:\Program Files\guard.sys
2007-08-16 13:02 10,872 --a------ C:\Program Files\avgascln.sys
2007-08-16 13:02 <DIR> d-------- C:\Program Files\Translations
2007-08-16 13:02 <DIR> d-------- C:\Program Files\Signatures
2007-08-16 13:02 <DIR> d-------- C:\Program Files\Reports
2007-08-16 13:02 <DIR> d-------- C:\Program Files\Quarantine
2007-08-15 12:57 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-15 12:57 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-08-15 12:57 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-08-15 12:57 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Jasc Software Inc
2007-08-15 12:57 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Gtek
2007-08-14 22:51 106,405 --a------ C:\WINDOWS\SYSTEM32\aqxqeqos.dll
2007-08-12 22:26 151,552 --a------ C:\WINDOWS\SYSTEM32\werwea.dll
2007-08-12 22:26 131,072 --a------ C:\WINDOWS\SYSTEM32\werwea.exe
2007-08-12 22:15 131,072 --a------ C:\WINDOWS\SYSTEM32\werwea_unknown.exe
2007-08-12 21:56 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-12 21:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-12 21:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-05 21:28 7,923 --a------ C:\WINDOWS\SYSTEM32\DefLib.sys
2007-07-22 13:19 87,248 --a------ C:\DOCUME~1\Joyce\APPLIC~1\antivirus.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-19 15:57 --------- d-------- C:\Program Files\Greetings Workshop
2007-08-19 13:49 348416 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS
2007-08-16 06:56 9114 --a------ C:\Program Files\error.txt
2007-08-15 15:48 --------- d-------- C:\Program Files\Messenger
2007-08-15 11:36 1459290 --a------ C:\Program Files\help.chm
2007-08-05 22:05 --------- d-------- C:\Program Files\Google
2007-08-05 22:04 --------- d-------- C:\Program Files\LimeWire
2007-08-05 21:29 12800 --a------ C:\WINDOWS\system32\SVCHOST.EXE
2007-08-05 21:29 12800 --a------ C:\WINDOWS\system32\dllcache\svchost.exe
2007-06-17 22:29 848 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-05-26 11:09 217 --a------ C:\WINDOWS\ssrkx.exe
2007-05-10 18:27 87760 --a------ C:\DOCUME~1\Joyce\APPLIC~1\errsafer.exe
2007-04-01 18:47 95696 --a------ C:\DOCUME~1\Joyce\APPLIC~1\sysdoctor.exe
2007-03-15 16:27 122648 --a------ C:\DOCUME~1\Joyce\APPLIC~1\drvcleaner.exe
2006-12-26 14:23 4264 --a------ C:\Program Files\logfile.txt
2006-11-11 21:22 41 --a------ C:\Program Files\updater.ewidolog
2006-11-11 08:52 31 --a------ C:\Program Files\lang.ini

C:\WINDOWS\system32\drivers\tcpip.sys ... is infected !! (additional data below)
359,040 2004-08-04 06:14:40 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\tcpip.sys
340,480 2006-04-20 11:38:44 C:\WINDOWS\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp1qfe\tcpip.sys
359,808 2006-04-20 11:51:50 C:\WINDOWS\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2gdr\tcpip.sys
360,576 2006-04-20 12:18:35 C:\WINDOWS\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2qfe\tcpip.sys
339,968 2005-05-25 19:41:10 C:\WINDOWS\SoftwareDistribution\Download\bc2e08df13ade612507748ca3eefdc83\sp1qfe\tcpip.sys
359,808 2005-05-25 19:04:02 C:\WINDOWS\SoftwareDistribution\Download\bc2e08df13ade612507748ca3eefdc83\sp2gdr\tcpip.sys
359,936 2005-05-25 19:07:12 C:\WINDOWS\SoftwareDistribution\Download\bc2e08df13ade612507748ca3eefdc83\sp2qfe\tcpip.sys
340,480 2006-01-13 01:13:17 C:\WINDOWS\SoftwareDistribution\Download\e534ebaf021731fc8bec5e8193de9bb9\SP1QFE\tcpip.sys
359,808 2006-01-13 02:28:14 C:\WINDOWS\SoftwareDistribution\Download\e534ebaf021731fc8bec5e8193de9bb9\SP2GDR\tcpip.sys
360,448 2006-01-13 17:07:08 C:\WINDOWS\SoftwareDistribution\Download\e534ebaf021731fc8bec5e8193de9bb9\SP2QFE\tcpip.sys
348,416 2007-08-19 18:49:16 C:\WINDOWS\SYSTEM32\DRIVERS\TCPIP.SYS


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35E78239-811E-4c3f-B37D-F339AC16C2C0}]
C:\PROGRA~1\Comet\bin\autosearch.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{55431DD1-8795-4AF3-8FA0-D645DF7910D4}]
2007-08-13 02:46 151552 --a------ C:\WINDOWS\SYSTEM32\werwea.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6CA1C00B-90FC-4F3E-911F-95306ABA49AA}]
2007-05-04 07:01 192512 --a------ C:\Program Files\AdSponsorOI\AdSponsorOI.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"= C:\WINDOWS\System32\WinNB58.dll [ ]

[HKEY_CLASSES_ROOT\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}]
[HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2007-01-17 21:32]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 04:48]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-01-17 21:32]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2007-01-17 21:32]
"MMTray"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2007-01-17 21:32]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe" [2007-01-17 21:32]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2007-01-17 21:32]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2007-01-17 21:32]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2007-01-17 21:32]
"EPSON Stylus CX5400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [2007-01-17 21:32]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2007-01-17 21:32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Symantec NetDriver Warning"=C:\PROGRA~1\SYMNET~1\SNDWarn.exe

C:\Documents and Settings\Joyce\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 09:00:00]
Greetings Workshop Reminders.lnk - C:\Program Files\Greetings Workshop\GWREMIND.EXE [1996-06-25 01:00:00]
PowerReg SchedulerV2.exe [2004-08-10 11:58:14]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2004-08-02 09:26:16]
DESKTOP.INI [2002-09-03 09:00:00]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"w32time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"uploadmgr"=2 (0x2)
"UMWdf"=2 (0x2)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=2 (0x2)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SCardDrv"=3 (0x3)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"PlugPlay"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=3 (0x3)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"NetDDEdsdm"=3 (0x3)
"NetDDE"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"LmHosts"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"ImapiService"=3 (0x3)
"helpsvc"=2 (0x2)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"Dnscache"=2 (0x2)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=2 (0x2)
"COMSysApp"=3 (0x3)
"ClipSrv"=3 (0x3)
"CiSvc"=3 (0x3)
"Browser"=2 (0x2)
"BITS"=2 (0x2)
"AudioSrv"=2 (0x2)
"aspnet_state"=3 (0x3)
"ALG"=3 (0x3)
"Alerter"=3 (0x3)



Contents of the 'Scheduled Tasks' folder
2007-08-10 20:20:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-19 15:57:26
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-08-19 15:59:57 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-19 15:59

--- E O F ---
 

Discussion Starter · #9 ·
Rip, Monday morning... I got the KillAll command to work on the Dell computer.
Here are the combo and hijack logs.
ComboFix 07-08-17.2 - "Joyce" 2007-08-20 8:40:24.3 - NTFSx86


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Joyce\spooldr.ini
C:\WINDOWS\system32\DefLib.sys


((((((((((((((((((((((((( Files Created from 2007-07-20 to 2007-08-20 )))))))))))))))))))))))))))))))


2007-08-19 14:02 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-19 07:37 21,312 --a------ C:\WINDOWS\choice.exe
2007-08-19 07:14 118,784 --a------ C:\WINDOWS\SYSTEM32\MSSTDFMT.DLL
2007-08-19 07:14 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-17 20:37 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-08-16 13:02 81,320 --a------ C:\Program Files\Uninstall.exe
2007-08-16 13:02 79,408 --a------ C:\Program Files\shellexecutehook.dll
2007-08-16 13:02 6,731,312 --a------ C:\Program Files\avgas.exe
2007-08-16 13:02 6,469,352 --a------ C:\Program Files\avgas-setup-7.5.0.50.exe
2007-08-16 13:02 6,380 --a------ C:\Program Files\clsid.dat
2007-08-16 13:02 448,048 --a------ C:\Program Files\engine.dll
2007-08-16 13:02 312,880 --a------ C:\Program Files\guard.exe
2007-08-16 13:02 261,680 --a------ C:\Program Files\context64.dll
2007-08-16 13:02 18,494 --a------ C:\Program Files\heuristic.dat
2007-08-16 13:02 144,944 --a------ C:\Program Files\context.dll
2007-08-16 13:02 14,072 --a------ C:\Program Files\avgasc64.sys
2007-08-16 13:02 126,512 --a------ C:\Program Files\shellexecutehook64.dll
2007-08-16 13:02 12,024 --a------ C:\Program Files\guard64.sys
2007-08-16 13:02 11,000 --a------ C:\Program Files\guard.sys
2007-08-16 13:02 10,872 --a------ C:\Program Files\avgascln.sys
2007-08-16 13:02 <DIR> d-------- C:\Program Files\Translations
2007-08-16 13:02 <DIR> d-------- C:\Program Files\Signatures
2007-08-16 13:02 <DIR> d-------- C:\Program Files\Reports
2007-08-16 13:02 <DIR> d-------- C:\Program Files\Quarantine
2007-08-15 12:57 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-15 12:57 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-08-15 12:57 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-08-15 12:57 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Jasc Software Inc
2007-08-15 12:57 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Gtek
2007-08-14 22:51 106,405 --a------ C:\WINDOWS\SYSTEM32\aqxqeqos.dll
2007-08-12 22:26 151,552 --a------ C:\WINDOWS\SYSTEM32\werwea.dll
2007-08-12 22:26 131,072 --a------ C:\WINDOWS\SYSTEM32\werwea.exe
2007-08-12 22:15 131,072 --a------ C:\WINDOWS\SYSTEM32\werwea_unknown.exe
2007-08-12 21:56 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-12 21:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-12 21:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-22 13:19 87,248 --a------ C:\DOCUME~1\Joyce\APPLIC~1\antivirus.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-20 00:00 --------- d-------- C:\Program Files\Greetings Workshop
2007-08-19 13:49 348416 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS
2007-08-16 06:56 9114 --a------ C:\Program Files\error.txt
2007-08-15 15:48 --------- d-------- C:\Program Files\Messenger
2007-08-15 11:36 1459290 --a------ C:\Program Files\help.chm
2007-08-05 22:05 --------- d-------- C:\Program Files\Google
2007-08-05 22:04 --------- d-------- C:\Program Files\LimeWire
2007-08-05 21:29 12800 --a------ C:\WINDOWS\system32\SVCHOST.EXE
2007-08-05 21:29 12800 --a------ C:\WINDOWS\system32\dllcache\svchost.exe
2007-06-17 22:29 848 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-05-26 11:09 217 --a------ C:\WINDOWS\ssrkx.exe
2007-05-10 18:27 87760 --a------ C:\DOCUME~1\Joyce\APPLIC~1\errsafer.exe
2007-04-01 18:47 95696 --a------ C:\DOCUME~1\Joyce\APPLIC~1\sysdoctor.exe
2007-03-15 16:27 122648 --a------ C:\DOCUME~1\Joyce\APPLIC~1\drvcleaner.exe
2006-12-26 14:23 4264 --a------ C:\Program Files\logfile.txt
2006-11-11 21:22 41 --a------ C:\Program Files\updater.ewidolog
2006-11-11 08:52 31 --a------ C:\Program Files\lang.ini

C:\WINDOWS\system32\drivers\tcpip.sys ... is infected !! (additional data below)
359,040 2004-08-04 06:14:40 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\tcpip.sys
340,480 2006-04-20 11:38:44 C:\WINDOWS\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp1qfe\tcpip.sys
359,808 2006-04-20 11:51:50 C:\WINDOWS\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2gdr\tcpip.sys
360,576 2006-04-20 12:18:35 C:\WINDOWS\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2qfe\tcpip.sys
339,968 2005-05-25 19:41:10 C:\WINDOWS\SoftwareDistribution\Download\bc2e08df13ade612507748ca3eefdc83\sp1qfe\tcpip.sys
359,808 2005-05-25 19:04:02 C:\WINDOWS\SoftwareDistribution\Download\bc2e08df13ade612507748ca3eefdc83\sp2gdr\tcpip.sys
359,936 2005-05-25 19:07:12 C:\WINDOWS\SoftwareDistribution\Download\bc2e08df13ade612507748ca3eefdc83\sp2qfe\tcpip.sys
340,480 2006-01-13 01:13:17 C:\WINDOWS\SoftwareDistribution\Download\e534ebaf021731fc8bec5e8193de9bb9\SP1QFE\tcpip.sys
359,808 2006-01-13 02:28:14 C:\WINDOWS\SoftwareDistribution\Download\e534ebaf021731fc8bec5e8193de9bb9\SP2GDR\tcpip.sys
360,448 2006-01-13 17:07:08 C:\WINDOWS\SoftwareDistribution\Download\e534ebaf021731fc8bec5e8193de9bb9\SP2QFE\tcpip.sys
348,416 2007-08-19 18:49:16 C:\WINDOWS\SYSTEM32\DRIVERS\TCPIP.SYS


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35E78239-811E-4c3f-B37D-F339AC16C2C0}]
C:\PROGRA~1\Comet\bin\autosearch.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{55431DD1-8795-4AF3-8FA0-D645DF7910D4}]
2007-08-13 02:46 151552 --a------ C:\WINDOWS\SYSTEM32\werwea.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6CA1C00B-90FC-4F3E-911F-95306ABA49AA}]
2007-05-04 07:01 192512 --a------ C:\Program Files\AdSponsorOI\AdSponsorOI.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"= C:\WINDOWS\System32\WinNB58.dll [ ]

[HKEY_CLASSES_ROOT\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}]
[HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2007-01-17 21:32]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 04:48]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-01-17 21:32]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2007-01-17 21:32]
"MMTray"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2007-01-17 21:32]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe" [2007-01-17 21:32]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2007-01-17 21:32]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2007-01-17 21:32]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2007-01-17 21:32]
"EPSON Stylus CX5400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [2007-01-17 21:32]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2007-01-17 21:32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Symantec NetDriver Warning"=C:\PROGRA~1\SYMNET~1\SNDWarn.exe

C:\Documents and Settings\Joyce\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 09:00:00]
Greetings Workshop Reminders.lnk - C:\Program Files\Greetings Workshop\GWREMIND.EXE [1996-06-25 01:00:00]
PowerReg SchedulerV2.exe [2004-08-10 11:58:14]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2004-08-02 09:26:16]
DESKTOP.INI [2002-09-03 09:00:00]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"w32time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"uploadmgr"=2 (0x2)
"UMWdf"=2 (0x2)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=2 (0x2)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SCardDrv"=3 (0x3)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"PlugPlay"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=3 (0x3)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"NetDDEdsdm"=3 (0x3)
"NetDDE"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"LmHosts"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"ImapiService"=3 (0x3)
"helpsvc"=2 (0x2)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"Dnscache"=2 (0x2)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=2 (0x2)
"COMSysApp"=3 (0x3)
"ClipSrv"=3 (0x3)
"CiSvc"=3 (0x3)
"Browser"=2 (0x2)
"BITS"=2 (0x2)
"AudioSrv"=2 (0x2)
"aspnet_state"=3 (0x3)
"ALG"=3 (0x3)
"Alerter"=3 (0x3)


*Newly Created Service* - CATCHME

Contents of the 'Scheduled Tasks' folder
2007-08-10 20:20:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-20 08:42:04
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

C:\WINDOWS\SYSTEM32\CMD.EXE [1448] 0xFF7F7648


scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-20 8:42:35
C:\ComboFix-quarantined-files.txt ... 2007-08-20 08:42
C:\ComboFix2.txt ... 2007-08-19 15:59

--- E O F ---
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:44:57 AM, on 8/20/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\WINDOWS\EXPLORER.EXE
C:\Documents and Settings\Joyce\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://planetkc.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {35E78239-811E-4c3f-B37D-F339AC16C2C0} - C:\PROGRA~1\Comet\bin\autosearch.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {55431DD1-8795-4AF3-8FA0-D645DF7910D4} - C:\WINDOWS\SYSTEM32\werwea.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: BandBHO Class - {6CA1C00B-90FC-4F3E-911F-95306ABA49AA} - C:\Program Files\AdSponsorOI\AdSponsorOI.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB58.dll (file missing)
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-21-1226715034-2328625344-728653132-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - S-1-5-21-1226715034-2328625344-728653132-1007 Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE (User '?')
O4 - S-1-5-21-1226715034-2328625344-728653132-1007 Startup: PowerReg SchedulerV2.exe (User '?')
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2918C082-D561-44D6-BAED-CEFA94EF412B}: NameServer = 61.123.225.72
O17 - HKLM\System\CS1\Services\Tcpip\..\{2918C082-D561-44D6-BAED-CEFA94EF412B}: NameServer = 61.123.225.72
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6397 bytes
 

Hello hevbrewer,

Boot into Safe Mode:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Please copy (Ctrl C) and paste (Ctrl V) the following text in the quote to Notepad. Save it as "All Files" and name it hmm.bat. Please save it on your desktop.

Code:
@Echo off
rem tcpip.sys lives in System32\drivers; clear its system/read-only/hidden attributes first
attrib -s -r -h "C:\Windows\System32\drivers\tcpip.sys"
del /q "C:\Windows\System32\drivers\tcpip.sys"
rem put back the copy Windows File Protection keeps in dllcache
copy "C:\Windows\System32\dllcache\tcpip.sys" "C:\Windows\System32\drivers"
exit
Double click hmm.bat. A window will open and close. This is normal.


A. Please RUN HijackThis
  1. Click the SCAN button to produce a log.

  2. Place a check mark beside each one of the following items:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://planetkc.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: (no name) - {35E78239-811E-4c3f-B37D-F339AC16C2C0} - C:\PROGRA~1\Comet\bin\autosearch.dll (file missing)
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {55431DD1-8795-4AF3-8FA0-D645DF7910D4} - C:\WINDOWS\SYSTEM32\werwea.dll
    O2 - BHO: BandBHO Class - {6CA1C00B-90FC-4F3E-911F-95306ABA49AA} - C:\Program Files\AdSponsorOI\AdSponsorOI.dll
    O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
    O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB58.dll (file missing)
    O4 - S-1-5-21-1226715034-2328625344-728653132-1007 Startup: PowerReg SchedulerV2.exe (User '?')
    O4 - Startup: PowerReg SchedulerV2.exe
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freewar...eanerstart.cab
    O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab

  3. Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.


B. 1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\SYSTEM32\aqxqeqos.dll
C:\WINDOWS\SYSTEM32\werwea.dll
C:\WINDOWS\SYSTEM32\werwea.exe
C:\WINDOWS\SYSTEM32\werwea_unknown.exe
C:\DOCUME~1\Joyce\APPLIC~1\antivirus.exe
C:\WINDOWS\ssrkx.exe
C:\DOCUME~1\Joyce\APPLIC~1\errsafer.exe
C:\DOCUME~1\Joyce\APPLIC~1\sysdoctor.exe
C:\DOCUME~1\Joyce\APPLIC~1\drvcleaner.exe
C:\WINDOWS\SYSTEM32\werwea.dll

Folder::
C:\Program Files\AdSponsorOI

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
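The fix list above was picked out of the HijackThis log by hand. The script below is an added illustration, not part of this thread and not HijackThis code; it applies the same triage rules mechanically: orphaned O2/O3 entries whose file is gone, unnamed BHOs still backed by a live DLL, O15 Trusted Zone additions, O16 ActiveX downloads from hosts outside an allowlist, O17 NameServer values that are not the resolvers you expect, O4 autostarts living in the user profile, and a changed IE start page. The sample lines are a subset of the 8/20/2007 log; EXPECTED_DNS and KNOWN_DPF_HOSTS are placeholder assumptions to set per machine. It also compares a ComboFix "SecurityProviders" line against XP's stock four DLLs (my baseline, not something the thread states), since the ComboFix logs in this thread list a fifth name there that is worth identifying.

```python
"""HijackThis log triage: flag the entry classes a removal helper looks at
first.  Added example for this thread, not HijackThis code; the sample lines
are a subset of the 8/20/2007 log posted above, and the expected-resolver and
known-download-host sets are assumptions to adapt per machine."""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://planetkc.com/
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {55431DD1-8795-4AF3-8FA0-D645DF7910D4} - C:\WINDOWS\SYSTEM32\werwea.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB58.dll (file missing)
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2918C082-D561-44D6-BAED-CEFA94EF412B}: NameServer = 61.123.225.72
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Assumptions: the resolvers this machine's ISP or router should hand out, and
# the only hosts an ActiveX (O16) download is expected to come from.
EXPECTED_DNS = {"192.168.1.1"}
KNOWN_DPF_HOSTS = {"www.adobe.com", "update.microsoft.com"}

# XP's stock SecurityProviders value as I know it (assumed baseline, not from the thread).
XP_DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
NAMESERVER_RE = re.compile(r"NameServer = ([\d.,]+)")


def classify(kind, body, expected_dns=EXPECTED_DNS, known_dpf_hosts=KNOWN_DPF_HOSTS):
    """Return a reason string when an entry deserves a look, else None."""
    if kind in ("R0", "R1") and "Start Page" in body and not body.endswith("about:blank"):
        return "IE start page is set: confirm the user chose it"
    if kind in ("O2", "O3"):
        if "(no file)" in body or "(file missing)" in body:
            return "orphaned registration, file already gone: safe to fix"
        if "(no name)" in body:
            return "unnamed BHO/toolbar backed by a live DLL: identify the DLL before fixing"
    if kind == "O4":
        low = body.lower()
        if any(t in low for t in ("applic~1", "application data", "\\temp\\")):
            return "autostart from a user-writable profile directory"
    if kind == "O15":
        return "host added to the IE Trusted Zone: relaxed security for that site"
    if kind == "O16":
        host = urlparse(body.rsplit(" - ", 1)[-1]).hostname
        if host not in known_dpf_hosts:
            return f"ActiveX download registered from unlisted host {host}"
    if kind == "O17":
        m = NAMESERVER_RE.search(body)
        if m:
            bad = [ip for ip in m.group(1).split(",") if ip not in expected_dns]
            if bad:
                return "DNS resolver " + ", ".join(bad) + " is not an expected server"
    return None


def triage(log_text, expected_dns=EXPECTED_DNS, known_dpf_hosts=KNOWN_DPF_HOSTS):
    """Scan every 'Xn - ...' line and return (kind, reason, line) for flagged ones."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        reason = classify(m.group("kind"), m.group("body"), expected_dns, known_dpf_hosts)
        if reason:
            findings.append((m.group("kind"), reason, line))
    return findings


def extra_security_providers(combofix_line):
    """DLLs named in a ComboFix 'SecurityProviders' line beyond XP's stock set.
    Each name there is loaded into LSASS at boot, so an extra one is worth identifying."""
    _, _, value = combofix_line.partition("SecurityProviders")
    names = {n.strip().lower() for n in value.split(",") if n.strip()}
    return sorted(names - XP_DEFAULT_SECURITY_PROVIDERS)


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"{kind:4} {reason}\n     {line}")
    print(extra_security_providers(
        "SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll"))
```

Run as-is it prints seven flagged lines with their reasons; for a real log call `triage(open(path).read())`. Note that the O17 entries pointing at 61.123.225.72 are still present in the last HijackThis log in this thread, so this check would keep firing until those are verified against the ISP's resolvers and fixed.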
 

Discussion Starter · #11 ·
ComboFix 07-08-17.2 - "Joyce" 2007-08-22 12:36:23.4 - NTFSx86
Command switches used :: C:\Documents and Settings\Joyce\Desktop\CFScript.txt

FILE::
C:\WINDOWS\SYSTEM32\aqxqeqos.dll
C:\WINDOWS\SYSTEM32\werwea.dll
C:\WINDOWS\SYSTEM32\werwea.exe
C:\WINDOWS\SYSTEM32\werwea_unknown.exe
C:\DOCUME~1\Joyce\APPLIC~1\antivirus.exe
C:\WINDOWS\ssrkx.exe
C:\DOCUME~1\Joyce\APPLIC~1\errsafer.exe
C:\DOCUME~1\Joyce\APPLIC~1\sysdoctor.exe
C:\DOCUME~1\Joyce\APPLIC~1\drvcleaner.exe


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Joyce\APPLIC~1\antivirus.exe
C:\DOCUME~1\Joyce\APPLIC~1\drvcleaner.exe
C:\DOCUME~1\Joyce\APPLIC~1\errsafer.exe
C:\DOCUME~1\Joyce\APPLIC~1\sysdoctor.exe
C:\Program Files\AdSponsorOI
C:\Program Files\AdSponsorOI\AdSponsorOI.dll
C:\Program Files\AdSponsorOI\tpaldr.exe
C:\Program Files\AdSponsorOI\Uninstall.exe
C:\WINDOWS\ssrkx.exe
C:\WINDOWS\SYSTEM32\aqxqeqos.dll
C:\WINDOWS\SYSTEM32\werwea.dll
C:\WINDOWS\SYSTEM32\werwea.exe
C:\WINDOWS\SYSTEM32\werwea_unknown.exe


((((((((((((((((((((((((( Files Created from 2007-07-22 to 2007-08-22 )))))))))))))))))))))))))))))))


2007-08-22 12:17 173 --a------ C:\hmm.bat
2007-08-19 14:02 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-19 07:37 21,312 --a------ C:\WINDOWS\choice.exe
2007-08-19 07:14 118,784 --a------ C:\WINDOWS\SYSTEM32\MSSTDFMT.DLL
2007-08-19 07:14 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-17 20:37 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-08-16 13:02 81,320 --a------ C:\Program Files\Uninstall.exe
2007-08-16 13:02 79,408 --a------ C:\Program Files\shellexecutehook.dll
2007-08-16 13:02 6,731,312 --a------ C:\Program Files\avgas.exe
2007-08-16 13:02 6,469,352 --a------ C:\Program Files\avgas-setup-7.5.0.50.exe
2007-08-16 13:02 6,380 --a------ C:\Program Files\clsid.dat
2007-08-16 13:02 448,048 --a------ C:\Program Files\engine.dll
2007-08-16 13:02 312,880 --a------ C:\Program Files\guard.exe
2007-08-16 13:02 261,680 --a------ C:\Program Files\context64.dll
2007-08-16 13:02 18,494 --a------ C:\Program Files\heuristic.dat
2007-08-16 13:02 144,944 --a------ C:\Program Files\context.dll
2007-08-16 13:02 14,072 --a------ C:\Program Files\avgasc64.sys
2007-08-16 13:02 126,512 --a------ C:\Program Files\shellexecutehook64.dll
2007-08-16 13:02 12,024 --a------ C:\Program Files\guard64.sys
2007-08-16 13:02 11,000 --a------ C:\Program Files\guard.sys
2007-08-16 13:02 10,872 --a------ C:\Program Files\avgascln.sys
2007-08-16 13:02 <DIR> d-------- C:\Program Files\Translations
2007-08-16 13:02 <DIR> d-------- C:\Program Files\Signatures
2007-08-16 13:02 <DIR> d-------- C:\Program Files\Reports
2007-08-16 13:02 <DIR> d-------- C:\Program Files\Quarantine
2007-08-15 12:57 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-15 12:57 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-08-15 12:57 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-08-15 12:57 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Jasc Software Inc
2007-08-15 12:57 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Gtek
2007-08-12 21:56 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-12 21:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-12 21:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-22 12:39 --------- d-------- C:\Program Files\Greetings Workshop
2007-08-19 13:49 348416 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS
2007-08-16 06:56 9114 --a------ C:\Program Files\error.txt
2007-08-15 15:48 --------- d-------- C:\Program Files\Messenger
2007-08-15 11:36 1459290 --a------ C:\Program Files\help.chm
2007-08-05 22:05 --------- d-------- C:\Program Files\Google
2007-08-05 22:04 --------- d-------- C:\Program Files\LimeWire
2007-08-05 21:29 12800 --a------ C:\WINDOWS\system32\SVCHOST.EXE
2007-08-05 21:29 12800 --a------ C:\WINDOWS\system32\dllcache\svchost.exe
2007-06-17 22:29 848 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2006-12-26 14:23 4264 --a------ C:\Program Files\logfile.txt
2006-11-11 21:22 41 --a------ C:\Program Files\updater.ewidolog
2006-11-11 08:52 31 --a------ C:\Program Files\lang.ini

C:\WINDOWS\system32\drivers\tcpip.sys ... is infected !! (additional data below)
359,040 2004-08-04 06:14:40 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\tcpip.sys
340,480 2006-04-20 11:38:44 C:\WINDOWS\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp1qfe\tcpip.sys
359,808 2006-04-20 11:51:50 C:\WINDOWS\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2gdr\tcpip.sys
360,576 2006-04-20 12:18:35 C:\WINDOWS\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2qfe\tcpip.sys
339,968 2005-05-25 19:41:10 C:\WINDOWS\SoftwareDistribution\Download\bc2e08df13ade612507748ca3eefdc83\sp1qfe\tcpip.sys
359,808 2005-05-25 19:04:02 C:\WINDOWS\SoftwareDistribution\Download\bc2e08df13ade612507748ca3eefdc83\sp2gdr\tcpip.sys
359,936 2005-05-25 19:07:12 C:\WINDOWS\SoftwareDistribution\Download\bc2e08df13ade612507748ca3eefdc83\sp2qfe\tcpip.sys
340,480 2006-01-13 01:13:17 C:\WINDOWS\SoftwareDistribution\Download\e534ebaf021731fc8bec5e8193de9bb9\SP1QFE\tcpip.sys
359,808 2006-01-13 02:28:14 C:\WINDOWS\SoftwareDistribution\Download\e534ebaf021731fc8bec5e8193de9bb9\SP2GDR\tcpip.sys
360,448 2006-01-13 17:07:08 C:\WINDOWS\SoftwareDistribution\Download\e534ebaf021731fc8bec5e8193de9bb9\SP2QFE\tcpip.sys
348,416 2007-08-19 18:49:16 C:\WINDOWS\SYSTEM32\DRIVERS\TCPIP.SYS


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"= C:\WINDOWS\System32\WinNB58.dll [ ]

[HKEY_CLASSES_ROOT\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}]
[HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2007-01-17 21:32]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 04:48]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-01-17 21:32]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2007-01-17 21:32]
"MMTray"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2007-01-17 21:32]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe" [2007-01-17 21:32]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2007-01-17 21:32]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2007-01-17 21:32]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2007-01-17 21:32]
"EPSON Stylus CX5400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [2007-01-17 21:32]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2007-01-17 21:32]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Symantec NetDriver Warning"=C:\PROGRA~1\SYMNET~1\SNDWarn.exe

C:\Documents and Settings\Joyce\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 09:00:00]
Greetings Workshop Reminders.lnk - C:\Program Files\Greetings Workshop\GWREMIND.EXE [1996-06-25 01:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2004-08-02 09:26:16]
DESKTOP.INI [2002-09-03 09:00:00]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"w32time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"uploadmgr"=2 (0x2)
"UMWdf"=2 (0x2)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=2 (0x2)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SCardDrv"=3 (0x3)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"PlugPlay"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=3 (0x3)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"NetDDEdsdm"=3 (0x3)
"NetDDE"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"LmHosts"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"ImapiService"=3 (0x3)
"helpsvc"=2 (0x2)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"Dnscache"=2 (0x2)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=2 (0x2)
"COMSysApp"=3 (0x3)
"ClipSrv"=3 (0x3)
"CiSvc"=3 (0x3)
"Browser"=2 (0x2)
"BITS"=2 (0x2)
"AudioSrv"=2 (0x2)
"aspnet_state"=3 (0x3)
"ALG"=3 (0x3)
"Alerter"=3 (0x3)



Contents of the 'Scheduled Tasks' folder
2007-08-10 20:20:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-22 12:39:23
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-22 12:40:26 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-22 12:40
C:\ComboFix2.txt ... 2007-08-20 08:42
C:\ComboFix3.txt ... 2007-08-19 15:59

--- E O F ---
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:41:51 PM, on 8/22/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Joyce\Desktop\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - S-1-5-21-1226715034-2328625344-728653132-1007 Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE (User '?')
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2918C082-D561-44D6-BAED-CEFA94EF412B}: NameServer = 61.123.225.72
O17 - HKLM\System\CS1\Services\Tcpip\..\{2918C082-D561-44D6-BAED-CEFA94EF412B}: NameServer = 61.123.225.72
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5033 bytes
 

Hello hevbrewer,

Open notepad and copy/paste the text in the quotebox below into it:

Code:
@echo off
rem Restore tcpip.sys from the KB917953 uninstall folder into both the
rem dllcache copy and the live driver, then list every tcpip.sys under
rem %systemroot%. Everything inside the parentheses is appended to log.txt.
(
copy /y /b C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys C:\WINDOWS\system32\dllcache
copy /y /b C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys C:\WINDOWS\system32\drivers
vfind -tf %systemroot%\tcpip.sys
)>>log.txt
notepad log.txt
Save this as grr.bat. Choose to "Save type as - All Files".
Double click grr.bat and allow it to run.
Please post back with the results.
 

Discussion Starter · #13 ·
The system cannot find the path specified.
The system cannot find the path specified.
C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\tcpip.sys
C:\WINDOWS\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp1qfe\tcpip.sys
C:\WINDOWS\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2gdr\tcpip.sys
C:\WINDOWS\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2qfe\tcpip.sys
C:\WINDOWS\SoftwareDistribution\Download\bc2e08df13ade612507748ca3eefdc83\sp1qfe\tcpip.sys
C:\WINDOWS\SoftwareDistribution\Download\bc2e08df13ade612507748ca3eefdc83\sp2gdr\tcpip.sys
C:\WINDOWS\SoftwareDistribution\Download\bc2e08df13ade612507748ca3eefdc83\sp2qfe\tcpip.sys
C:\WINDOWS\SoftwareDistribution\Download\e534ebaf021731fc8bec5e8193de9bb9\SP1QFE\tcpip.sys
C:\WINDOWS\SoftwareDistribution\Download\e534ebaf021731fc8bec5e8193de9bb9\SP2GDR\tcpip.sys
C:\WINDOWS\SoftwareDistribution\Download\e534ebaf021731fc8bec5e8193de9bb9\SP2QFE\tcpip.sys
C:\WINDOWS\SYSTEM32\DRIVERS\TCPIP.SYS
 

Hello hevbrewer,

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
 

Discussion Starter · #15 ·
Rip,
We are working on the computer that is not connected to the internet. I have been burning the other tools (HiJack, Combo, etc.) onto a disk from my computer (HP) and installing them manually on the Dell. Then I burn the results of the scans and post them from my computer. Once we get the Dell cleaned up I'll return it to the kid's house where I can hook to their dial-up. Do you have another option other than Panda?
Thanks
 

Hello hevbrewer,

I understand, we'll try it a different way. What I'm trying to do is replace your infected tcpip.sys file with a clean one that is uninfected.

Open notepad and copy/paste the text in the quotebox below into it:

Code:
@echo off
rem Same procedure as grr.bat, but the source is the tcpip.sys that Windows
rem Update left in its download cache. Copy it over both the dllcache copy and
rem the live driver, then list every tcpip.sys under %systemroot% into log.txt.
(
copy /y /b C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\tcpip.sys C:\WINDOWS\system32\dllcache
copy /y /b C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\tcpip.sys C:\WINDOWS\system32\drivers
vfind -tf %systemroot%\tcpip.sys
)>>log.txt
notepad log.txt
Save this as 123.bat. Choose to "Save type as - All Files".
Double click 123.bat and allow it to run.
Please post back with the results.
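The grr.bat and 123.bat posts above do three things: find every copy of tcpip.sys, copy a chosen one over both the dllcache copy and the live driver, and list the result with vfind. The script below is an added example of the same procedure with hashes, not code from the thread or from ComboFix. It builds its own stand-in directory tree in a temp folder (constructed data, so it runs anywhere); on a real machine you would point it at C:\WINDOWS. Two caveats the batch files leave implicit: both copies must be replaced, because Windows File Protection on XP restores system32\drivers from dllcache and would otherwise put the bad file back; and a hash comparison only tells you which copies differ, so the reference copy must be one you trust and it must match the installed service pack and hotfix level.

```python
"""Inventory every copy of a driver below a Windows root, restore a chosen
reference copy into both places XP keeps it, and verify by hash.  Added
example mirroring what grr.bat / 123.bat above do with copy and vfind; not
code from the thread.  The tree is constructed under a temp folder so the
example runs offline; on a real machine pass C:\\WINDOWS as windows_root."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(windows_root, name="tcpip.sys"):
    """Every file called `name` under the root, mapped to its hash
    (what 'vfind -tf' lists, plus a content fingerprint for each)."""
    return {p: sha256_of(p)
            for p in Path(windows_root).rglob("*")
            if p.is_file() and p.name.lower() == name.lower()}


def differing_from(inv, reference):
    """Inventory paths whose content differs from the reference copy."""
    want = sha256_of(reference)
    return sorted((p for p, h in inv.items() if h != want), key=str)


def restore_driver(reference, windows_root):
    """Copy the reference over the live driver AND the dllcache copy, as 123.bat does.
    Both matter on XP: Windows File Protection restores system32\\drivers from
    dllcache, so fixing only the live file can be undone by WFP itself."""
    reference = Path(reference)
    targets = [Path(windows_root) / "system32" / "drivers" / reference.name,
               Path(windows_root) / "system32" / "dllcache" / reference.name]
    for t in targets:
        t.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(reference, t)
    return targets


def verify(reference, targets):
    """True for each target whose hash now matches the reference."""
    want = sha256_of(reference)
    return {str(t): sha256_of(t) == want for t in targets}


def build_demo_tree():
    """Constructed stand-in for C:\\WINDOWS: two cached update copies that
    agree, and a live driver plus dllcache copy that have been altered."""
    root = Path(tempfile.mkdtemp(prefix="winroot-"))
    clean = b"MZ constructed clean tcpip.sys image"
    altered = clean + b" plus constructed appended bytes"
    layout = {
        "SoftwareDistribution/Download/cache-a/tcpip.sys": clean,
        "SoftwareDistribution/Download/cache-b/sp1qfe/tcpip.sys": clean,
        "system32/dllcache/tcpip.sys": altered,
        "system32/drivers/tcpip.sys": altered,
    }
    for rel, data in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


def demo():
    """Walk the procedure end to end on the constructed tree.
    Returns (paths differing before, verify result, paths differing after)."""
    root = build_demo_tree()
    reference = root / "SoftwareDistribution" / "Download" / "cache-a" / "tcpip.sys"
    before = differing_from(inventory(root), reference)
    targets = restore_driver(reference, root)
    ok = verify(reference, targets)
    after = differing_from(inventory(root), reference)
    return before, ok, after


if __name__ == "__main__":
    before, ok, after = demo()
    print("differ before:", [str(p) for p in before])
    print("verify:", ok)
    print("differ after:", [str(p) for p in after])
```

On the constructed tree, `differing_from` names the dllcache and drivers copies before the restore and nothing afterwards, which is the check the thread does by eye from the vfind listing.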
 

Discussion Starter · #17 ·
1 file(s) copied.
1 file(s) copied.
C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\tcpip.sys
C:\WINDOWS\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp1qfe\tcpip.sys
C:\WINDOWS\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2gdr\tcpip.sys
C:\WINDOWS\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2qfe\tcpip.sys
C:\WINDOWS\SoftwareDistribution\Download\bc2e08df13ade612507748ca3eefdc83\sp1qfe\tcpip.sys
C:\WINDOWS\SoftwareDistribution\Download\bc2e08df13ade612507748ca3eefdc83\sp2gdr\tcpip.sys
C:\WINDOWS\SoftwareDistribution\Download\bc2e08df13ade612507748ca3eefdc83\sp2qfe\tcpip.sys
C:\WINDOWS\SoftwareDistribution\Download\e534ebaf021731fc8bec5e8193de9bb9\SP1QFE\tcpip.sys
C:\WINDOWS\SoftwareDistribution\Download\e534ebaf021731fc8bec5e8193de9bb9\SP2GDR\tcpip.sys
C:\WINDOWS\SoftwareDistribution\Download\e534ebaf021731fc8bec5e8193de9bb9\SP2QFE\tcpip.sys
C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
C:\WINDOWS\SYSTEM32\DRIVERS\tcpip.sys
 

Alright, now let's make sure everything is running right again:

  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouse-click combofix's window while it's running. That may cause it to stall
 

Discussion Starter · #19 ·
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:16:14 PM, on 8/26/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Joyce\Desktop\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-21-1226715034-2328625344-728653132-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - S-1-5-21-1226715034-2328625344-728653132-1007 Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE (User '?')
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2918C082-D561-44D6-BAED-CEFA94EF412B}: NameServer = 61.123.225.72
O17 - HKLM\System\CS1\Services\Tcpip\..\{2918C082-D561-44D6-BAED-CEFA94EF412B}: NameServer = 61.123.225.72
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5172 bytes
ComboFix 07-08-17.2 - "Joyce" 2007-08-26 21:11:30.5 - NTFSx86


((((((((((((((((((((((((( Files Created from 2007-07-27 to 2007-08-27 )))))))))))))))))))))))))))))))


2007-08-26 19:29 <DIR> d-------- C:\WINDOWS\LastGood
2007-08-26 16:22 <DIR> d-------- C:\DOCUME~1\Joyce\APPLIC~1\MSN6
2007-08-24 04:56 242 --a------ C:\grr.bat
2007-08-22 12:17 173 --a------ C:\hmm.bat
2007-08-19 14:02 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-19 07:37 21,312 --a------ C:\WINDOWS\choice.exe
2007-08-19 07:14 118,784 --a------ C:\WINDOWS\SYSTEM32\MSSTDFMT.DLL
2007-08-19 07:14 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-17 20:37 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-08-16 13:02 81,320 --a------ C:\Program Files\Uninstall.exe
2007-08-16 13:02 79,408 --a------ C:\Program Files\shellexecutehook.dll
2007-08-16 13:02 6,731,312 --a------ C:\Program Files\avgas.exe
2007-08-16 13:02 6,469,352 --a------ C:\Program Files\avgas-setup-7.5.0.50.exe
2007-08-16 13:02 6,380 --a------ C:\Program Files\clsid.dat
2007-08-16 13:02 448,048 --a------ C:\Program Files\engine.dll
2007-08-16 13:02 312,880 --a------ C:\Program Files\guard.exe
2007-08-16 13:02 261,680 --a------ C:\Program Files\context64.dll
2007-08-16 13:02 18,494 --a------ C:\Program Files\heuristic.dat
2007-08-16 13:02 144,944 --a------ C:\Program Files\context.dll
2007-08-16 13:02 14,072 --a------ C:\Program Files\avgasc64.sys
2007-08-16 13:02 126,512 --a------ C:\Program Files\shellexecutehook64.dll
2007-08-16 13:02 12,024 --a------ C:\Program Files\guard64.sys
2007-08-16 13:02 11,000 --a------ C:\Program Files\guard.sys
2007-08-16 13:02 10,872 --a------ C:\Program Files\avgascln.sys
2007-08-16 13:02 <DIR> d-------- C:\Program Files\Translations
2007-08-16 13:02 <DIR> d-------- C:\Program Files\Signatures
2007-08-16 13:02 <DIR> d-------- C:\Program Files\Reports
2007-08-16 13:02 <DIR> d-------- C:\Program Files\Quarantine
2007-08-15 12:57 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-15 12:57 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-08-15 12:57 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-08-15 12:57 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Jasc Software Inc
2007-08-15 12:57 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Gtek
2007-08-12 21:56 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-12 21:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-12 21:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-26 19:11 --------- d-------- C:\Program Files\Greetings Workshop
2007-08-25 00:13 848 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-08-16 06:56 9114 --a------ C:\Program Files\error.txt
2007-08-15 15:48 --------- d-------- C:\Program Files\Messenger
2007-08-15 11:36 1459290 --a------ C:\Program Files\help.chm
2007-08-05 22:05 --------- d-------- C:\Program Files\Google
2007-08-05 22:04 --------- d-------- C:\Program Files\LimeWire
2007-08-05 21:29 12800 --a------ C:\WINDOWS\system32\SVCHOST.EXE
2007-08-05 21:29 12800 --a------ C:\WINDOWS\system32\dllcache\svchost.exe
2006-12-26 14:23 4264 --a------ C:\Program Files\logfile.txt
2006-11-11 21:22 41 --a------ C:\Program Files\updater.ewidolog
2006-11-11 08:52 31 --a------ C:\Program Files\lang.ini


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"= C:\WINDOWS\System32\WinNB58.dll [ ]

[HKEY_CLASSES_ROOT\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}]
[HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2007-01-17 21:32]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 04:48]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-01-17 21:32]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2007-01-17 21:32]
"MMTray"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2007-01-17 21:32]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe" [2007-01-17 21:32]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2007-01-17 21:32]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2007-01-17 21:32]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2007-01-17 21:32]
"EPSON Stylus CX5400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [2007-01-17 21:32]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2007-01-17 21:32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Symantec NetDriver Warning"=C:\PROGRA~1\SYMNET~1\SNDWarn.exe

C:\Documents and Settings\Joyce\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 09:00:00]
Greetings Workshop Reminders.lnk - C:\Program Files\Greetings Workshop\GWREMIND.EXE [1996-06-25 01:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2004-08-02 09:26:16]
DESKTOP.INI [2002-09-03 09:00:00]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"w32time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"uploadmgr"=2 (0x2)
"UMWdf"=2 (0x2)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=2 (0x2)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SCardDrv"=3 (0x3)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"PlugPlay"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=3 (0x3)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"NetDDEdsdm"=3 (0x3)
"NetDDE"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"LmHosts"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"ImapiService"=3 (0x3)
"helpsvc"=2 (0x2)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"Dnscache"=2 (0x2)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=2 (0x2)
"COMSysApp"=3 (0x3)
"ClipSrv"=3 (0x3)
"CiSvc"=3 (0x3)
"Browser"=2 (0x2)
"BITS"=2 (0x2)
"AudioSrv"=2 (0x2)
"aspnet_state"=3 (0x3)
"ALG"=3 (0x3)
"Alerter"=3 (0x3)



Contents of the 'Scheduled Tasks' folder
2007-08-10 20:20:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-26 21:13:07
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-26 21:13:43
C:\ComboFix-quarantined-files.txt ... 2007-08-26 21:13
C:\ComboFix2.txt ... 2007-08-22 12:40
C:\ComboFix3.txt ... 2007-08-20 08:42

--- E O F ---
 

Hello hevbrewer,

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

Now close all windows other than HiJackThis, then click Fix Checked. Close HijackThis.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", click "OK" to start. This is a short scan that will scan the files currently running in memory; when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, click Options > Change settings.
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web CureIt when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
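The log above and the helper's reply refer to entries by their HijackThis section letter (R0, O4, O9, O17). As an added example that is not part of this thread and is neither Trend Micro's nor the helper's code, the Python below parses lines in that format and lists what a reviewer would want to look at first: O17 NameServer values outside private, loopback or link-local ranges, and O4/O9 entries tagged "(file missing)". The sample input is a handful of lines copied from the HijackThis log posted above; the check rules and the wording of the findings are my own assumptions, and the script does not decide that any entry is malicious.

```python
"""Triage helper for HijackThis-style logs.

Added example for this thread, not code from Trend Micro or the forum helper.
It does not decide that anything is malicious; it only lists the entries a
reviewer would want to look at first:
  * O17 lines whose NameServer address is not private, loopback or
    link-local (a home PC normally learns its resolver from the router via
    DHCP, so a hard-coded public resolver is worth a second look)
  * O4/O9 entries tagged "(file missing)", which are dead references and
    can be cleaned up without losing anything
"""
import ipaddress
import re
from dataclasses import dataclass, field

# "O17 - HKLM\...: NameServer = 1.2.3.4"  ->  section "O17", body "HKLM\...: NameServer = 1.2.3.4"
SECTION_RE = re.compile(r'^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$')
NAMESERVER_RE = re.compile(r'NameServer\s*=\s*(?P<servers>.+)$')
FILE_MISSING = '(file missing)'

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{2918C082-D561-44D6-BAED-CEFA94EF412B}: NameServer = 61.123.225.72
O17 - HKLM\System\CS1\Services\Tcpip\..\{2918C082-D561-44D6-BAED-CEFA94EF412B}: NameServer = 61.123.225.72
"""


@dataclass
class Finding:
    section: str   # HijackThis section letter, e.g. "O17"
    reason: str    # why a reviewer should look at this line
    line: str      # the original log line


@dataclass
class Triage:
    counts: dict = field(default_factory=dict)     # section -> number of lines seen
    findings: list = field(default_factory=list)   # Finding objects, in log order


def is_local_dns(addr: str) -> bool:
    """True if addr is the kind of address a home LAN resolver would have."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an IP address at all: let a human look at it
    return ip.is_private or ip.is_loopback or ip.is_link_local


def external_nameservers(body: str) -> list:
    """Return the NameServer addresses in an O17 body that are not local."""
    m = NAMESERVER_RE.search(body)
    if not m:
        return []
    # HijackThis separates several servers with commas or spaces.
    servers = [s for s in re.split(r'[,\s]+', m.group('servers').strip()) if s]
    return [s for s in servers if not is_local_dns(s)]


def triage_hjt(log_text: str) -> Triage:
    """Parse a HijackThis log and collect review-worthy entries."""
    result = Triage()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue  # headers, process list, blank lines
        section, body = m.group('section'), m.group('body')
        result.counts[section] = result.counts.get(section, 0) + 1
        if section == 'O17':
            ext = external_nameservers(body)
            if ext:
                result.findings.append(Finding(
                    section, 'DNS server outside LAN ranges: ' + ', '.join(ext), line))
        elif section in ('O4', 'O9') and body.endswith(FILE_MISSING):
            result.findings.append(Finding(
                section, 'entry points to a file that no longer exists', line))
    return result


if __name__ == '__main__':
    t = triage_hjt(SAMPLE_LOG)
    print('sections seen:', dict(sorted(t.counts.items())))
    for f in t.findings:
        print(f'[{f.section}] {f.reason}\n    {f.line}')
```

Run it as-is to print the findings for the sample, or pass a whole saved log with `triage_hjt(open(path).read())`. The O17 check is deliberately conservative: an ISP resolver handed out by DHCP would also fall outside the local ranges, so a hit means "verify where this address came from", not "infected".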