
Thread: Winlogon

  1. #11
    Junior Member
    Join Date: Aug 2007
    Posts: 21

    Yup I still am getting the same issues, and it seems whenever I open IE or My Computer I get the fake "viruses found" announcement from my taskbar which takes me to a website.

    Never downloaded any of those codecs etc.

    Looking at those cookies, I've never seen half of those websites before.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:21:54 PM, on 3/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\csrss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\Program Files\Bonjour\mDNSResponder.exe
    E:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    E:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    e:\program files\common files\mcafee\mna\mcnasvc.exe
    E:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    E:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    e:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    E:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    E:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    E:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Apps\NetLimiter 2 Pro\nlsvc.exe
    E:\WINDOWS\system32\nvsvc32.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\wdfmgr.exe
    E:\WINDOWS\System32\alg.exe
    E:\WINDOWS\Explorer.EXE
    C:\Apps\NetLimiter 2 Pro\NLClient.exe
    E:\WINDOWS\system32\ctfmon.exe
    e:\PROGRA~1\mcafee.com\agent\mcagent.exe
    E:\Program Files\ASUS\Asus Probe\AsusProb.exe
    E:\WINDOWS\system32\CNAC6RPK.EXE
    E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Apps\Winamp\winampa.exe
    E:\WINDOWS\LOGI_MWX.EXE
    E:\WINDOWS\SOUNDMAN.EXE
    E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Apps\D-Tools\daemon.exe
    E:\WINDOWS\system32\RUNDLL32.EXE
    E:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
    E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    E:\WINDOWS\system32\wscntfy.exe
    C:\Games\Steam\Steam.exe
    E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    E:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    E:\Program Files\Logitech\SetPoint\KEM.exe
    E:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\Apps\Winamp\winamp.exe
    E:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    E:\Program Files\MSN Messenger\msnmsgr.exe
    E:\Program Files\MSN Messenger\usnsvc.exe
    E:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
    E:\Program Files\Mozilla Firefox\firefox.exe
    e:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
    E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    E:\WINDOWS\System32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Apps\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
    O2 - BHO: (no name) - {6EA3996D-C362-430E-BC84-88FDB3D53510} - e:\windows\system32\adsldpcl.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - e:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {C9FD9808-DD6B-4854-B5E2-DB9BFEDCE5C2} - E:\WINDOWS\system32\dbmsvinnl.dll
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    O4 - HKLM\..\Run: [ASUS Probe] E:\Program Files\ASUS\Asus Probe\AsusProb.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [GrooveMonitor] "E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [WinampAgent] C:\Apps\Winamp\winampa.exe
    O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Apps\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Apps\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [CTSyncU.exe] "E:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [LDM] E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [Steam] "C:\Games\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = E:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Logitech SetPoint.lnk = E:\Program Files\Logitech\SetPoint\KEM.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1190284954735
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1190285765076
    O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/Driver...aSmartScan.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: hfgjwjqe - E:\WINDOWS\SYSTEM32\adsldpcl.dll
    O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - E:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - E:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - E:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - E:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - e:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - E:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - E:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - e:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - E:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - E:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - E:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: NBService - Nero AG - C:\Apps\Nero 7\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Apps\NetLimiter 2 Pro\nlsvc.exe
    O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Symantec Core LC - Unknown owner - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 10422 bytes


    On a separate note, do you know what the "Bonjour" thing is? It keeps on wanting internet access but I block it, just wondering if it's necessary or anything.

  2. #12
    Security Expert shelf life
    Join Date: Nov 2005
    Location: @localhost
    Posts: 5,822

    hi Plutonus,

    thanks for the info. looks like we need smitfraudfix. so another download to get and run. this should take care of the popups. This clean step needs to run in safe mode.
    -------------------------------------------
    Download SmitfraudFix (by S!Ri) to your Desktop:

    http://www.bleepingcomputer.com/files/smitfraudfix.php

    you might want to copy/paste this into notepad and save it somewhere so you can read it in safe mode:

    boot computer into safe mode.
    to reach safe mode: restart your computer and tap the f8 key during the boot up. choose the first option from the list: safe mode. log on to your regular account.

    locate the smitfraud icon on the desktop and double click it to start.
    from the main option menu, choose the second option (clean). after smitfraud runs, disk clean will run; last, when asked if you want to clean the registry, select y (yes) then enter. computer will reboot and after the restart produce a log. please save the log somewhere.

    after the reboot, run superantispyware once. post the saved log from the smitfraud clean and a new hjt log.

    Bonjour Service: i think this is installed by apple itunes. and maybe also by other software. you use an ipod?

    shelf life
    How Can I Reduce My Risk?

  3. #13
    Junior Member
    Join Date: Aug 2007
    Posts: 21

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:15:35 PM, on 13/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\csrss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\Program Files\Bonjour\mDNSResponder.exe
    E:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    E:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    e:\program files\common files\mcafee\mna\mcnasvc.exe
    E:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    E:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    e:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    E:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    E:\WINDOWS\Explorer.EXE
    e:\PROGRA~1\mcafee.com\agent\mcagent.exe
    E:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    E:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Apps\NetLimiter 2 Pro\nlsvc.exe
    E:\WINDOWS\system32\nvsvc32.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\wdfmgr.exe
    E:\WINDOWS\System32\wbem\wmiprvse.exe
    C:\Apps\NetLimiter 2 Pro\NLClient.exe
    E:\WINDOWS\system32\CNAC6RPK.EXE
    e:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
    E:\WINDOWS\System32\alg.exe
    E:\WINDOWS\system32\wscntfy.exe
    E:\Program Files\ASUS\Asus Probe\AsusProb.exe
    E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Apps\Winamp\winampa.exe
    E:\WINDOWS\LOGI_MWX.EXE
    E:\WINDOWS\SOUNDMAN.EXE
    E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Apps\D-Tools\daemon.exe
    E:\WINDOWS\system32\RUNDLL32.EXE
    E:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
    E:\WINDOWS\system32\ctfmon.exe
    C:\Games\Steam\Steam.exe
    E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    E:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    E:\Program Files\Logitech\SetPoint\KEM.exe
    E:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    E:\WINDOWS\system32\wuauclt.exe
    E:\Program Files\Mozilla Firefox\firefox.exe
    E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Apps\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
    O2 - BHO: (no name) - {6EA3996D-C362-430E-BC84-88FDB3D53510} - e:\windows\system32\adsldpcl.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - e:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {C9FD9808-DD6B-4854-B5E2-DB9BFEDCE5C2} - E:\WINDOWS\system32\dbmsvinnl.dll
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    O4 - HKLM\..\Run: [ASUS Probe] E:\Program Files\ASUS\Asus Probe\AsusProb.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [GrooveMonitor] "E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [WinampAgent] C:\Apps\Winamp\winampa.exe
    O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Apps\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Apps\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [CTSyncU.exe] "E:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [LDM] E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [Steam] "C:\Games\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = E:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Logitech SetPoint.lnk = E:\Program Files\Logitech\SetPoint\KEM.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1190284954735
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1190285765076
    O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/Driver...aSmartScan.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: hfgjwjqe - E:\WINDOWS\SYSTEM32\adsldpcl.dll
    O20 - Winlogon Notify: tt - E:\WINDOWS\
    O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - E:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - E:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - E:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - E:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - e:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - E:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - E:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - e:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - E:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - E:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - E:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: NBService - Nero AG - C:\Apps\Nero 7\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Apps\NetLimiter 2 Pro\nlsvc.exe
    O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Symantec Core LC - Unknown owner - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 10197 bytes

    SmitFraudFix Log v2.250


    Scan done at 18:32:41.81, Sat 10/11/2007
    Run from F:\My Stuff\Downloads\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    127.0.0.1 localhost
    127.0.0.1 www.newsleecher.com
    127.0.0.1 newsleecher.com
    127.0.0.1 www.aerosoft.com
    127.0.0.1 aerosoft.com

    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.
    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{4149B8C5-6C03-4A0F-8BA1-C499F5170B86}: DhcpNameServer=192.231.203.132 192.231.203.3
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{4149B8C5-6C03-4A0F-8BA1-C499F5170B86}: DhcpNameServer=192.231.203.132 192.231.203.3
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{4149B8C5-6C03-4A0F-8BA1-C499F5170B86}: DhcpNameServer=192.231.203.132 192.231.203.3
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.231.203.132 192.231.203.3
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.231.203.132 192.231.203.3
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.231.203.132 192.231.203.3


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

    The 'smitfraud' is still there, however; it still comes up with those annoying messages.

  4. #14
    Security Expert shelf life
    Join Date: Nov 2005
    Location: @localhost
    Posts: 5,822

    hi,

    ok delete that old version of combofix;

    start>run and type in Combofix /u
    there is a space after the x.
    if prompted select option 2
    ---------------------------------------------------------

    get a new copy, because it gets updated:

    Please download ComboFix (by sUBs) from one of the following links:

    http://www.techsupportforum.com/sect...s/ComboFix.exe

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    Save it to the Desktop.
    Double-click combofix.exe and follow the prompts.

    CAUTION: Do not mouse-click ComboFix's window while it is running.
    It may cause it to stall.

    When finished, it produces a log.

    Please provide the contents of the ComboFix log in your reply--

    shelf life
    How Can I Reduce My Risk?

  5. #15
    Junior Member
    Join Date: Aug 2007
    Posts: 21

    ComboFix 07-11-08.1 - Matt2 2007-11-17 18:33:54.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1472 [GMT 11:00]
    Running from: E:\Documents and Settings\Matt2\Desktop\ComboFix.exe
    * Created a new restore point
    .

    Unable to gain System Privileges

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    E:\WINDOWS\system32\adsldpcl.dll
    E:\WINDOWS\system32\adsldpcl.dll.bak
    E:\WINDOWS\system32\dbmsvinnl.dll
    E:\WINDOWS\system32\drivers\csvvcoje.dat
    E:\WINDOWS\system32\drivers\drfupiwj.dat

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_FUTHWEJW
    -------\LEGACY_NJHAIZAU
    -------\futhwejw
    -------\njhaizau


    ((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))
    .

    2007-11-11 22:08 <DIR> d-------- E:\Documents and Settings\Matt2\Application Data\mIRC
    2007-11-11 14:58 <DIR> d-------- E:\Documents and Settings\Matt2\Application Data\InstallShield
    2007-11-10 18:32 53,248 --a------ E:\WINDOWS\system32\Process.exe
    2007-11-10 18:32 1,814 --a------ E:\WINDOWS\system32\tmp.reg
    2007-11-10 18:29 289,144 --a------ E:\WINDOWS\system32\VCCLSID.exe
    2007-11-10 18:29 288,417 --a------ E:\WINDOWS\system32\SrchSTS.exe
    2007-11-10 18:29 51,200 --a------ E:\WINDOWS\system32\dumphive.exe
    2007-11-10 18:29 25,600 --a------ E:\WINDOWS\system32\WS2Fix.exe
    2007-11-03 14:29 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Messenger Plus!
    2007-11-01 17:37 <DIR> d-------- E:\Program Files\Windows Live
    2007-11-01 17:37 <DIR> d-------- E:\Program Files\Messenger Plus! Live
    2007-10-31 15:11 <DIR> d-------- E:\Program Files\SUPERAntiSpyware
    2007-10-31 15:11 <DIR> d-------- E:\Program Files\Common Files\Wise Installation Wizard
    2007-10-31 15:11 <DIR> d-------- E:\Documents and Settings\Matt2\Application Data\SUPERAntiSpyware.com
    2007-10-31 15:11 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2007-10-29 19:32 <DIR> d-------- E:\Documents and Settings\Matt2\Application Data\Locktime
    2007-10-29 19:29 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Locktime
    2007-10-22 18:58 139,264 --a------ E:\WINDOWS\system32\eax.dll
    2007-10-22 18:34 319,488 -ra------ E:\WINDOWS\system32\MafiaSetup.exe
    2007-10-19 21:16 51,200 --a------ E:\WINDOWS\NirCmd.exe
    2007-10-18 17:28 <DIR> d-------- E:\Program Files\Canon
    2007-10-18 17:28 921,600 --a------ E:\WINDOWS\system32\CNAP1NSK.DLL
    2007-10-18 17:28 204,800 --a------ E:\WINDOWS\system32\CNAC6EMU.DLL
    2007-10-18 17:28 102,453 --a------ E:\WINDOWS\system32\CNAC6SMK.DLL
    2007-10-18 17:28 63,168 --a------ E:\WINDOWS\system32\CNAC6RPK.EXE
    2007-10-18 17:28 32,821 --a------ E:\WINDOWS\system32\CNAC6LMK.DLL
    2007-10-18 17:28 28,672 --a------ E:\WINDOWS\system32\CNAC6PTU.DLL

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-14 09:55 --------- d-----w E:\Program Files\Emirates TravelDesk
    2007-11-11 12:49 --------- d--h--w E:\Program Files\InstallShield Installation Information
    2007-11-11 12:49 --------- d-----w E:\Program Files\Common Files\InstallShield
    2007-11-01 06:37 --------- d-----w E:\Program Files\MSN Messenger
    2007-10-26 06:51 --------- d-----w E:\Program Files\SkyTeam Travel Timetable
    2007-10-22 07:58 --------- d-----w E:\Program Files\Creative
    2007-10-18 06:29 --------- d-----w E:\Documents and Settings\Matt2\Application Data\AdobeUM
    2007-10-14 04:39 --------- d-----w E:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-10-14 04:36 --------- d-----w E:\Program Files\Trend Micro
    2007-10-12 06:22 --------- d-----w E:\Program Files\McAfee
    2007-10-11 23:58 --------- d-----w E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-10-11 12:28 --------- d-----w E:\Documents and Settings\All Users\Application Data\McAfee
    2007-10-11 12:27 --------- d-----w E:\Program Files\McAfee.com
    2007-10-11 12:27 --------- d-----w E:\Program Files\Common Files\McAfee
    2007-10-11 12:24 --------- d-----w E:\Program Files\Common Files\Symantec Shared
    2007-10-11 12:24 --------- d-----w E:\Documents and Settings\All Users\Application Data\Symantec
    2007-10-10 17:32 --------- d-----w E:\Documents and Settings\Matt2\Application Data\Symantec
    2007-10-10 10:18 805 ----a-w E:\WINDOWS\system32\drivers\SYMEVENT.INF
    2007-10-10 10:18 10,740 ----a-w E:\WINDOWS\system32\drivers\SYMEVENT.CAT
    2007-10-07 04:07 737,280 ----a-w E:\WINDOWS\iun6002.exe
    2007-10-06 01:44 --------- d-----w E:\Documents and Settings\All Users\Application Data\Microsoft Help
    2007-10-03 13:24 --------- d-----w E:\Documents and Settings\All Users\Application Data\FLEXnet
    2007-10-03 13:21 --------- d-----w E:\Program Files\Common Files\Adobe
    2007-10-03 13:21 --------- d-----w E:\Program Files\Bonjour
    2007-10-03 13:16 --------- d-----w E:\Program Files\Common Files\Macrovision Shared
    2007-10-03 06:22 --------- d-----w E:\Documents and Settings\Matt2\Application Data\GlobalSCAPE
    2007-10-02 01:12 --------- d-----w E:\Documents and Settings\Matt2\Application Data\Apple Computer
    2007-10-01 10:27 --------- d-----w E:\Program Files\Common Files\Adobe Systems Shared
    2007-10-01 10:27 --------- d-----w E:\Documents and Settings\All Users\Application Data\Macrovision
    2007-10-01 03:17 --------- d-----w E:\Documents and Settings\Matt2\Application Data\Ahead
    2007-09-29 09:36 356,352 ----a-w E:\WINDOWS\eSellerateEngine.dll
    2007-09-29 09:31 12,400 ----a-w E:\WINDOWS\system32\drivers\secdrv.sys
    2007-09-29 09:26 --------- d-----w E:\Program Files\rcv4
    2007-09-29 04:52 --------- d-----w E:\Program Files\Common Files\Ahead
    2007-09-29 04:52 --------- d-----w E:\Documents and Settings\All Users\Application Data\Ahead
    2007-09-29 04:51 --------- d-----w E:\Documents and Settings\All Users\Application Data\Nero
    2007-09-25 10:53 --------- d-----w E:\Documents and Settings\Matt2\Application Data\Creative
    2007-09-24 07:46 --------- d-----w E:\Documents and Settings\All Users\Application Data\Test Drive Unlimited
    2007-09-23 10:57 --------- d--h--r E:\Documents and Settings\Matt2\Application Data\SecuROM
    2007-09-22 08:22 --------- d-----w E:\Program Files\Java
    2007-09-22 08:21 --------- d-----w E:\Program Files\Common Files\Java
    2007-09-21 13:43 --------- d-----w E:\Program Files\Apple Software Update
    2007-09-21 13:43 --------- d-----w E:\Documents and Settings\All Users\Application Data\Apple Computer
    2007-09-21 13:43 --------- d-----w E:\Documents and Settings\All Users\Application Data\Apple
    2007-09-21 09:30 60,416 ----a-w E:\WINDOWS\ALCFDRTM.EXE
    2007-09-21 09:22 --------- d-----w E:\Documents and Settings\Matt2\Application Data\Logitech
    2007-09-21 08:52 --------- d-----w E:\Program Files\Realtek AC97
    2007-09-21 08:52 --------- d-----w E:\Program Files\AvRack
    2007-09-21 07:48 81,920 ------r E:\WINDOWS\bwUnin-6.1.4.68-8876480L.exe
    2007-09-21 07:46 --------- d-----w E:\Program Files\Logitech
    2007-09-21 07:38 --------- d-----w E:\Program Files\Common Files\Logitech
    2007-09-21 07:34 81,920 ------r E:\WINDOWS\bwUnin-6.1.4.36-8876480L.exe
    2007-09-21 07:31 --------- d-----w E:\Program Files\Winamp
    2007-09-21 05:56 --------- d-----w E:\Program Files\MSBuild
    2007-09-21 05:56 --------- d-----w E:\Program Files\Microsoft Works
    2007-09-20 12:05 --------- d-----w E:\Documents and Settings\All Users\Application Data\Creative
    2007-09-20 11:48 --------- d-----w E:\Program Files\Western Digital
    2007-09-20 09:54 --------- d-----w E:\Program Files\Realtek Sound Manager
    2007-09-20 09:35 --------- d-----w E:\Program Files\ASUS
    2007-09-20 09:31 --------- d-----w E:\Program Files\Marvell
    2007-09-20 09:12 --------- d-----w E:\Program Files\microsoft frontpage
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ASUS Probe"="E:\Program Files\ASUS\Asus Probe\AsusProb.exe" [2002-12-06 17:07]
    "NvCplDaemon"="E:\WINDOWS\system32\NvCpl.dll" [2007-06-29 01:43]
    "nwiz"="nwiz.exe" [2007-06-29 01:43 E:\WINDOWS\system32\nwiz.exe]
    "GrooveMonitor"="E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47]
    "WinampAgent"="C:\Apps\Winamp\winampa.exe" [2007-05-15 09:22]
    "Logitech Utility"="LOGI_MWX.EXE" [2002-11-08 20:50 E:\WINDOWS\LOGI_MWX.EXE]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-06-08 13:31 E:\WINDOWS\KHALMNPR.Exe]
    "SoundMan"="SOUNDMAN.EXE" [2005-06-20 22:42 E:\WINDOWS\SOUNDMAN.EXE]
    "QuickTime Task"="C:\Apps\QuickTime\qttask.exe" [2007-06-29 07:24]
    "SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00]
    "DAEMON Tools-1033"="C:\Apps\D-Tools\daemon.exe" [2004-08-22 18:05]
    "NeroFilterCheck"="E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 16:57]
    "NvMediaCenter"="E:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 01:43]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTSyncU.exe"="E:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 15:32]
    "ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2004-08-04 18:56]
    "LDM"="E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2007-09-21 18:48]
    "Steam"="C:\Games\Steam\Steam.exe" [2007-11-15 17:55]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 20:03]
    "SUPERAntiSpyware"="E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

    E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-01 21:26:36]
    Logitech Desktop Messenger.lnk - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-09-21 18:48:55]
    Logitech SetPoint.lnk - E:\Program Files\Logitech\SetPoint\KEM.exe [2007-09-21 18:46:42]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= E:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    E:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 E:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tt]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    R1 nltdi;nltdi;\??\E:\WINDOWS\system32\drivers\nltdi.sys
    R3 LUsbKbd;Logitech SetPoint USB Keyboard Filter;E:\WINDOWS\system32\Drivers\LUsbKbd.Sys
    R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;E:\WINDOWS\system32\drivers\WmBEnum.sys
    R3 WmFilter;Logitech Gaming HID Filter Driver;E:\WINDOWS\system32\drivers\WmFilter.sys
    R3 WmHidLo;Logitech Gaming USB Filter Driver;E:\WINDOWS\system32\drivers\WmHidLo.sys
    R3 WmXlCore;Logitech WingMan Translation Layer Driver;E:\WINDOWS\system32\drivers\WmXlCore.sys
    S3 WmVirHid;Logitech Virtual Hid Device Driver;E:\WINDOWS\system32\drivers\WmVirHid.sys

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-14 15:16:56 E:\WINDOWS\Tasks\McDefragTask.job"
    - e:\program files\mcafee\mqc\QcConsol.exe
    "2007-10-31 14:00:18 E:\WINDOWS\Tasks\McQcTask.job"
    - e:\program files\mcafee\mqc\QcConsol.exe
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-17 18:40:02
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-17 18:46:42 - machine was rebooted
    E:\ComboFix2.txt ... 2007-10-19 21:22
    .
    --- E O F ---

  6. #16
    Security Expert shelf life
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    5,822

    Default

    hi,

    ok, let's do this:

    go to one of these two websites:

    http://virusscan.jotti.org/
    http://www.virustotal.com/

    using the browse button, navigate to the system32 dir. and upload one at a time the following two files. they will be scanned by 10-12 antivirus scanners. please post the results in next reply.

    E:\WINDOWS\system32\CNAC6RPK.EXE
    E:\WINDOWS\system32\CNAC6PTU.DLL

    shelf life
    How Can I Reduce My Risk?

  7. #17
    Junior Member
    Join Date
    Aug 2007
    Posts
    21

    Default

    Both files were "OK" - nothing found by any of the virus scanners.

  8. #18
    Junior Member
    Join Date
    Aug 2007
    Posts
    21

    Default

    Can't seem to edit so - I had a look at them, seems to be Canon Printing Drivers/Software - which ties in with what I had to install a month or so back.

  9. #19
    Security Expert shelf life
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    5,822

    Default

    hi,

    thanks for the info. one more download to get and run:

    http://download.bleepingcomputer.com/marckie/haxfix.exe

    How to use HaxFix:
    Double click on haxfix.exe to install the program. (standard installation path is c:\program Files\haxfix)
    Checkmark "Create a desktop icon".
    Click "Next".
    When the installation is completed, make sure that the checkmark "Launch haxfix" is placed.
    Click "Finish".

    A red "dos window" (dos box) will open with options:
    1. Make logfile
    E. Exit Haxfix

    Select option "1. Make logfile" by typing 1 and then pressing Enter
    Haxfix will start scanning the computer. When it is finished a logfile (c:\haxlog.txt) will open.

    save the log file and copy/paste it in next reply.
    exit haxfix by typing e at the prompt
    -------------------------------------------
    see if you can locate this .exe:
    iun6002.exe

    found here: E:\WINDOWS

    upload it so it can be checked out:
    http://www.virustotal.com/

    shelf life
    Last edited by shelf life; 2007-11-19 at 03:45. Reason: add info
    How Can I Reduce My Risk?

  10. #20
    Junior Member
    Join Date
    Aug 2007
    Posts
    21

    Default

    HAXFIX logfile - by Marckie

    version 4.58
    Sun 25/11/2007 19:49:32.07

    --- Checking for Haxdoor ---

    checking for a3d files
    a3d files not found

    checking for matching notify keys
    no matching notify keys found

    checking for matching services
    no matching services found

    checking for matching safeboot services
    no matching safeboot services found

    checking for other Haxdoor-files
    no other Haxdoor-files found


    --- Checking for Goldun ---

    checking for SSODL keys
    no ssodl keys found

    checking for notify keys
    no notify keys found

    checking for services
    no services found

    checking for other Goldun-files
    no other Goldun-files found

    checking iexplore.exe
    iexplore.exe is not infected


    --- Catchme logfile - thank you Gmer ---

    catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-25 19:49:32
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]
    "khjeh"=hex:20,02,00,00,90,9f,c4,fc,99,f2,1c,61,78,ec,53,c1,de,f0,de,53,e8,..
    "hj34z0"=hex:7a,b4,76,68,d7,b1,45,b5,ff,bd,c9,27,7c,95,94,5a,b4,e5,d6,4b,b4,..
    "hj34z1"=hex:b8,b4,76,68,af,b1,45,b5,fe,bd,c8,27,7d,95,94,5a,b4,e5,d6,4b,fb,..
    "hj34z2"=hex:b8,b4,76,68,af,b1,45,b5,fe,bd,c8,27,7d,95,94,5a,b4,e5,d6,4b,fb,..
    "hj34z3"=hex:b8,b4,76,68,af,b1,45,b5,fe,bd,c8,27,7d,95,94,5a,b4,e5,d6,4b,fb,..
    "hj34z4"=hex:b8,b4,76,68,af,b1,45,b5,fe,bd,c8,27,7d,95,94,5a,b4,e5,d6,4b,fb,..

    scanning hidden registry entries ...

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
    "TracesProcessed"=dword:00000066
    "TracesSuccessful"=dword:00000043

    scanning hidden files ...

    E:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\994C321A.TMP 0 bytes
