PDA

View Full Version : Virtumonde....Need your help...



iaxis
2007-11-16, 13:02
:red: My system is infected for a week now tried evrything that is available on the net

Here's my Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:51:10 PM, on 11/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\Fonts\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TypingMaster\quickphrase\quickphrase.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.justdial.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [0831f802] rundll32.exe "C:\WINDOWS\system32\tgjedaht.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [QuickPhrase] "C:\Program Files\TypingMaster\quickphrase\quickphrase.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A103CF46-C4E4-49BE-99FB-F832DD10FC85}: NameServer = 202.54.29.5,202.54.12.164
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3F88472-08E9-42B6-9711-A88DEB577A41}: NameServer = 202.54.29.5,202.54.12.164
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

--
End of file - 7558 bytes


Please Please give me your suggestions

Thanks

iaxis
2007-11-16, 13:51
:oops: Missed telling that I tried Vundofix..it did not find anything..

steamwiz
2007-11-18, 19:51
Hi

Download Superantispyware.

http://www.superantispyware.com/

Once downloaded and installed update the definitions
and then run a full system scan quarantine what it finds!

* Double-click SUPERAntiSypware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

http://www.superantispyware.com/definitions.html

* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

THEN ...

Please download Combofix: http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
and save to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.

Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

Please remember to post :-


1. SUPERAntiSpyware Scan Log
2. C:\ComboFix.txt
3. a new hijackthis log.( run after everything else)

steam

iaxis
2007-11-23, 21:13
Thanks a ton steam wiz!!!

I could not run combofix the 1st time I tried I managed today

Here's the first SUPERAntiSpyware log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/20/2007 at 03:48 PM

Application Version : 3.9.1008

Core Rules Database Version : 3347
Trace Rules Database Version: 1348

Scan type : Complete Scan
Total Scan Time : 01:07:54

Memory items scanned : 472
Memory threats detected : 5
Registry items scanned : 5159
Registry threats detected : 22
File items scanned : 48328
File threats detected : 326

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\RQRPONM.DLL
C:\WINDOWS\SYSTEM32\RQRPONM.DLL
C:\WINDOWS\SYSTEM32\PMKHH.DLL
C:\WINDOWS\SYSTEM32\PMKHH.DLL
HKLM\Software\Classes\CLSID\{01CD0B31-9154-45F2-9414-F5D64B74EAF6}
HKCR\CLSID\{01CD0B31-9154-45F2-9414-F5D64B74EAF6}
HKCR\CLSID\{01CD0B31-9154-45F2-9414-F5D64B74EAF6}\InprocServer32
HKCR\CLSID\{01CD0B31-9154-45F2-9414-F5D64B74EAF6}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\AWTQNKH.DLL
HKLM\Software\Classes\CLSID\{AA00C920-A81A-437B-B505-FF5494552328}
HKCR\CLSID\{AA00C920-A81A-437B-B505-FF5494552328}
HKCR\CLSID\{AA00C920-A81A-437B-B505-FF5494552328}\InprocServer32
HKCR\CLSID\{AA00C920-A81A-437B-B505-FF5494552328}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}
HKCR\CLSID\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}
HKCR\CLSID\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}\InprocServer32
HKCR\CLSID\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA00C920-A81A-437B-B505-FF5494552328}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{01CD0B31-9154-45F2-9414-F5D64B74EAF6}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\rqrponm
HKCR\CLSID\{01CD0B31-9154-45F2-9414-F5D64B74EAF6}
HKCR\CLSID\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}
C:\WINDOWS\SYSTEM32\VTSQP.DLL
C:\WINDOWS\SYSTEM32\DDCAYVW.DLL
C:\WINDOWS\SYSTEM32\KHFFGEE.DLL
C:\WINDOWS\SYSTEM32\SSQNMKL.DLL

Adware.Vundo-Variant/Small
C:\WINDOWS\SYSTEM32\HGGFFGG.DLL
C:\WINDOWS\SYSTEM32\HGGFFGG.DLL
C:\WINDOWS\SYSTEM32\GEEEECY.DLL

Trojan.Downloader-Gen/Svchost-Fake
C:\WINDOWS\FONTS\SVCHOST.EXE
C:\WINDOWS\FONTS\SVCHOST.EXE
[Host Process] C:\WINDOWS\FONTS\SVCHOST.EXE
C:\WINDOWS\Prefetch\SVCHOST.EXE-17B62EB3.pf

Adware.Vundo-Variant/Small-A
C:\WINDOWS\SYSTEM32\WTDXKLWM.DLL
C:\WINDOWS\SYSTEM32\WTDXKLWM.DLL
C:\WINDOWS\SYSTEM32\JYNOWKIW.DLL
C:\WINDOWS\SYSTEM32\HJVMUJCF.DLL
C:\WINDOWS\SYSTEM32\UOAPOETI.DLL
C:\WINDOWS\SYSTEM32\KBBOOIYS.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7C6AD429-8CF7-4B43-9AF7-D63FA277743A}\RP10\A0005525.DLL

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKU\S-1-5-21-1993962763-884357618-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{11A69AE4-FBED-4832-A2BF-45AF82825583}

iaxis
2007-11-23, 21:14
Adware.Tracking Cookie
C:\Documents and Settings\aa\Cookies\aa@bs.serving-sys[1].txt
C:\Documents and Settings\aa\Cookies\aa@yadro[1].txt
C:\Documents and Settings\aa\Cookies\aa@tacoda[2].txt
C:\Documents and Settings\aa\Cookies\aa@ads.techguy[2].txt
C:\Documents and Settings\aa\Cookies\aa@server.iad.liveperson[1].txt
C:\Documents and Settings\aa\Cookies\aa@richmedia.yahoo[2].txt
C:\Documents and Settings\aa\Cookies\aa@stats.cricinfo[1].txt
C:\Documents and Settings\aa\Cookies\aa@smileycentral[1].txt
C:\Documents and Settings\aa\Cookies\aa@bestsellerantivirus[1].txt
C:\Documents and Settings\aa\Cookies\aa@toplist[1].txt
C:\Documents and Settings\aa\Cookies\aa@specificclick[2].txt
C:\Documents and Settings\aa\Cookies\aa@questionmarket[2].txt
C:\Documents and Settings\aa\Cookies\aa@atdmt[2].txt
C:\Documents and Settings\aa\Cookies\aa@advertising[1].txt
C:\Documents and Settings\aa\Cookies\aa@1070963509[2].txt
C:\Documents and Settings\aa\Cookies\aa@19452074[2].txt
C:\Documents and Settings\aa\Cookies\aa@youporn[1].txt
C:\Documents and Settings\aa\Cookies\aa@ad[1].txt
C:\Documents and Settings\aa\Cookies\aa@revsci[2].txt
C:\Documents and Settings\aa\Cookies\aa@serving-sys[1].txt
C:\Documents and Settings\aa\Cookies\aa@tribalfusion[1].txt
C:\Documents and Settings\aa\Cookies\aa@2o7[1].txt
C:\Documents and Settings\aa\Cookies\aa@itxt.vibrantmedia[2].txt

Unclassified.Unknown Origin/System
C:\WINDOWS\SYSTEM32\VTSQO.DLL
C:\WINDOWS\SYSTEM32\PMKJI.DLL

Trojan.WinFixer
C:\WINDOWS\SYSTEM32\MLJJH.DLL
C:\WINDOWS\SYSTEM32\PMKHF.DLL

Adware.Vundo-Variant
C:\WINDOWS\SYSTEM32\FWFPDEWD.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7C6AD429-8CF7-4B43-9AF7-D63FA277743A}\RP5\A0002103.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7C6AD429-8CF7-4B43-9AF7-D63FA277743A}\RP8\A0002351.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7C6AD429-8CF7-4B43-9AF7-D63FA277743A}\RP9\A0003441.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7C6AD429-8CF7-4B43-9AF7-D63FA277743A}\RP10\A0003463.DLL

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\HHKMP.INI

Trojan.Unknown Origin
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO122.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO123.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO124.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO4.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO3.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO5.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO51.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO52.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO6.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO7.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO53.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO54.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO55.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO56.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO57.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO58.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO59.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO5A.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO1.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO2.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO8.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO50.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO4D.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO4E.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO4F.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO5B.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO5C.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO5D.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO5E.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO5F.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO60.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO9.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOA.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOB.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOC.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOD.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOE.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOF.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO61.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO75.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO10.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO11.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO12.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO62.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO63.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO64.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO65.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO66.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO67.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO68.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO69.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO6A.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO6B.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO6C.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO6D.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO6E.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO6F.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO13.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO14.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO15.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO76.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO70.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO71.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO72.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO73.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO74.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO77.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO78.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO79.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO7A.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO7B.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO7C.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO7D.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO7E.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO7F.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO80.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO81.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO82.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO83.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO84.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO85.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO86.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO87.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO88.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO8E.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO8F.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO89.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO8A.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO8B.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO8C.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO8D.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO90.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO91.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO92.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO93.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO94.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO95.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO96.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO97.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO98.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO99.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO9A.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO9B.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO9C.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO16.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO17.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO18.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO19.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO9D.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO9E.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO9F.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOA0.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOA1.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOA2.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOA3.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOA4.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOA5.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOA6.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOA7.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICODD.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICODE.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICODF.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOE0.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOE1.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOA8.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOA9.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOAA.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOAB.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOB3.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOB4.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOB5.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOB6.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOB7.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOB8.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOB9.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOBA.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOBB.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOBC.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOBE.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOBF.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOC0.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOC1.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOC2.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOCE.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOCF.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOC3.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOC4.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOC5.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOC6.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOC7.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOD0.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOD1.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOD2.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOD3.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOD4.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOD5.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOD6.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOD7.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOD8.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOD9.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICODA.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICODB.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICODC.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOE2.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOE3.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOE4.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOE5.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOE6.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOAC.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOAD.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOAE.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOAF.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOB0.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO1A.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOC9.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOCA.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOCB.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOCC.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOCD.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO1C.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO1D.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO1E.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO1F.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO1B.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO20.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO21.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO22.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO23.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO24.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO25.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOB1.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOB2.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOBD.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOC8.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOE7.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO26.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO27.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOE8.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOE9.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOEA.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOEB.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOEC.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOED.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOEE.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOEF.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOF0.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOF1.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO28.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO29.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO2B.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO2C.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOF2.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOF3.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOF4.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOF5.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOF6.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOF9.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO2D.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO2E.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO1C7.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO130.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOF7.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOF8.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOFA.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOFB.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOFC.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO131.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOFD.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOFE.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICOFF.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO100.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO101.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO102.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO103.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO104.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO105.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO106.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO125.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO109.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO10A.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO10B.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO10C.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO10D.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO10E.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO10F.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO110.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO111.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO112.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO126.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO12D.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO12E.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO12F.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO18C.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO18D.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO18E.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO18F.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO190.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO19D.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO19E.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO19F.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO1A0.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO1A1.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO1BD.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO1BE.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO1BF.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO1C0.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO1C1.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO1C2.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO1C3.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO1C4.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO1C5.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO1C6.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO1C8.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO1C9.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO1CA.TMP
C:\DOCUMENTS AND SETTINGS\AA\LOCAL SETTINGS\TEMP\ICO1CB.TMP

iaxis
2007-11-23, 21:16
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/23/2007 at 11:46 PM

Application Version : 3.9.1008

Core Rules Database Version : 3348
Trace Rules Database Version: 1349

Scan type : Complete Scan
Total Scan Time : 00:57:46

Memory items scanned : 417
Memory threats detected : 0
Registry items scanned : 5150
Registry threats detected : 1
File items scanned : 48005
File threats detected : 10

Adware.Vundo Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}

Adware.Tracking Cookie
C:\Documents and Settings\aa\Cookies\aa@247realmedia[1].txt
C:\Documents and Settings\aa\Cookies\aa@bs.serving-sys[1].txt
C:\Documents and Settings\aa\Cookies\aa@tacoda[1].txt
C:\Documents and Settings\aa\Cookies\aa@usatoday1.112.2o7[1].txt
C:\Documents and Settings\aa\Cookies\aa@adserver[1].txt
C:\Documents and Settings\aa\Cookies\aa@questionmarket[1].txt
C:\Documents and Settings\aa\Cookies\aa@overture[2].txt
C:\Documents and Settings\aa\Cookies\aa@doubleclick[1].txt
C:\Documents and Settings\aa\Cookies\aa@revsci[2].txt
C:\Documents and Settings\aa\Cookies\aa@serving-sys[2].txt






ComboFix 07-11-19.3 - aa 2007-11-24 0:28:00.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.145 [GMT 5.5:30]
Running from: C:\Documents and Settings\aa\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\aa\Application Data\macromedia\Flash Player\#SharedObjects\WW648M4P\iforex.com
C:\Documents and Settings\aa\Application Data\macromedia\Flash Player\#SharedObjects\WW648M4P\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\aa\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\aa\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\svchost.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\ldinfo.ldr

.
((((((((((((((((((((((((( Files Created from 2007-10-23 to 2007-11-23 )))))))))))))))))))))))))))))))
.

2007-11-20 14:29 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-20 14:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-20 14:29 <DIR> d-------- C:\Documents and Settings\aa\Application Data\SUPERAntiSpyware.com
2007-11-20 11:47 294 ---hs---- C:\WINDOWS\system32\mwlkxdtw.ini
2007-11-20 11:46 260 --a------ C:\9103.bat
2007-11-19 11:37 294 ---hs---- C:\WINDOWS\system32\syioobbk.ini
2007-11-19 11:34 76,123 --a------ C:\WINDOWS\system32\xtnggikv.dll
2007-11-18 11:37 294 ---hs---- C:\WINDOWS\system32\iteopaou.ini
2007-11-17 23:49 294 ---hs---- C:\WINDOWS\system32\fcjumvjh.ini
2007-11-16 18:57 <DIR> d--hs---- C:\FOUND.001
2007-11-16 15:50 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-16 11:34 260 --a------ C:\1874.bat
2007-11-16 11:33 671,994 ---hs---- C:\WINDOWS\system32\wikwonyj.ini
2007-11-16 01:50 <DIR> d-------- C:\WINDOWS\speech
2007-11-16 01:50 <DIR> d-------- C:\WINDOWS\Lhsp
2007-11-15 13:18 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-15 13:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-15 10:18 111,529 --ahs---- C:\WINDOWS\system32\hhkmp.ini2
2007-11-15 10:13 260 --a------ C:\9907.bat
2007-11-14 22:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-14 19:02 <DIR> d-------- C:\Program Files\Spyware Terminator
2007-11-14 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-11-14 18:49 <DIR> d-------- C:\Temp
2007-11-14 12:01 671,934 ---hs---- C:\WINDOWS\system32\thadejgt.ini
2007-11-13 09:07 130,227 --ahs---- C:\WINDOWS\system32\ybeeg.ini
2007-11-13 09:07 129,767 --ahs---- C:\WINDOWS\system32\ybeeg.ini2
2007-11-10 16:48 <DIR> d-------- C:\Program Files\Incomplete
2007-11-10 12:37 <DIR> d-------- C:\Documents and Settings\aa\Incomplete
2007-11-10 02:45 1,953,799 --a------ C:\STINGER.EXE
2007-11-10 01:13 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-10 01:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-08 09:34 <DIR> d--hs---- C:\FOUND.000
2007-11-07 20:25 <DIR> d-------- C:\Documents and Settings\aa\Application Data\TypingMaster7
2007-11-07 20:24 <DIR> dr------- C:\Program Files\TypingMaster
2007-11-07 09:35 4,012 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-11-07 00:47 12,665,736 --a------ C:\install_virtualdj_trial_v5[1].0.rev4.exe
2007-11-02 09:38 5,045,408 --a------ C:\TypingMasterENG.exe
2007-10-29 21:04 <DIR> d-------- C:\Cam videos
2007-10-29 21:02 <DIR> d-------- C:\camera photos

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-26 03:36 8,454,656 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-09-27 11:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-09-26 13:39 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-09-03 17:12 10,692,954 ----a-w C:\install_virtualdj_trial_v5[1].0.exe
2007-08-27 15:06 8,415,790 ----a-w C:\StudioPro_Free.exe
2007-08-27 11:56 2,117,746 ----a-w C:\WINDOWS\3dfairies.scr
2007-08-26 05:39 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-08-23 19:49 13,411,824 ----a-w C:\Google_Earth_BZXV.exe
2007-06-07 00:52 1,606,064 ----a-w C:\Documents and Settings\All Users\googletalk-setup.exe
2007-01-10 06:45 839,694 ----a-w C:\WINDOWS\Fonts\Crack.exe
2003-08-27 06:19 3,424 ----a-w C:\WINDOWS\inf\OTHER\cmiainfo.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44c938e2-4395-49a0-a9b3-c85731fbd369}]
C:\WINDOWS\system32\sapryidw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87A9EE4D-9405-4D7F-88C5-33881E59ED15}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F7A0725-8580-48B9-AC07-6D8E4434A56B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA00C920-A81A-437B-B505-FF5494552328}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-28 10:02]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 18:11]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 21:54]
"QuickPhrase"="C:\Program Files\TypingMaster\quickphrase\quickphrase.exe" [2007-08-03 16:27]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-12-23 16:27 C:\WINDOWS\soundman.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-05 11:52]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-05 11:49]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-05 11:53]
"Cmaudio"="RunDll32 cmicnfg.cpl" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 02:52]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-26 11:09]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 20:15]
"0831f802"="C:\WINDOWS\system32\tgjedaht.dll" []
"Host Process"="C:\WINDOWS\Fonts\svchost.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-09-27 17:00:22]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnkh]
awtqnkh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrponm]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\ldcore.dll

R1 BIOS;BIOS;\??\C:\WINDOWS\system32\drivers\BIOS.sys
S3 W700bus;Sony Ericsson W700 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\W700bus.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-14 13:20:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-24 00:28:49
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-24 0:29:20
.
--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:31, on 11/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TypingMaster\quickphrase\quickphrase.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.justdial.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: {963dbf13-758c-3b9a-0a94-59342e839c44} - {44c938e2-4395-49a0-a9b3-c85731fbd369} - C:\WINDOWS\system32\sapryidw.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {87A9EE4D-9405-4D7F-88C5-33881E59ED15} - (no file)
O2 - BHO: (no name) - {8F7A0725-8580-48B9-AC07-6D8E4434A56B} - (no file)
O2 - BHO: (no name) - {AA00C920-A81A-437B-B505-FF5494552328} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [0831f802] rundll32.exe "C:\WINDOWS\system32\tgjedaht.dll",b
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [QuickPhrase] "C:\Program Files\TypingMaster\quickphrase\quickphrase.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A103CF46-C4E4-49BE-99FB-F832DD10FC85}: NameServer = 202.54.29.5,202.54.12.164
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3F88472-08E9-42B6-9711-A88DEB577A41}: NameServer = 202.54.29.5,202.54.12.164
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: awtqnkh - awtqnkh.dll (file missing)
O20 - Winlogon Notify: rqrponm - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

--
End of file - 8703 bytes

steamwiz
2007-11-23, 21:58
HI

you have a very dangerous backdoor/remote access trojan... SDbot trojan/worm

It has the ability to steal anything from your computer, passwords, bank details, creditcard details, Identify Theft.

Basically, your system has been compromised. Anyone may have had access to anything on your system or done whatever they want to it and hidden it from you.

In cases like this the best option is to do a reformat/reinstall of the operating system ... we can clean all we can see, but we will never know if we have it all, or what damage has been done...

This is the trojan :-

C:\WINDOWS\Fonts\svchost.exe

& it can clearly be seen running in your running processes...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Host Process"="C:\WINDOWS\Fonts\svchost.exe" []

This is also part of it :-

2007-01-10 06:45 839,694 ----a-w C:\WINDOWS\Fonts\Crack.exe

But you will find there are possibly thousands more infected files in the C:\WINDOWS\Fonts folder

The very least you should do is not use this computer on the net, execpt to run the scans I asked for, then disconnect immediately while I give you your next instructions...

Should you decide to clean the computer ...

---

1. Download SDFix and save it to your Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

2. Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

3. Reboot into Safe Mode`:-

Reboot into >>>safe mode (http://www.computerhope.com/issues/chsafe.htm)

4. Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.

It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.

When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Finally paste the contents of the Report.txt back on the forum.

--------
THEN ...

Go here to run an online scan from ESET.

http://www.eset.eu/online-scanner

Note: You will need to use Internet explorer for this scan

1. Tick the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the activex control to install
4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications is checkmarked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Copy and paste the log into your next reply

---
Then a new Combofix scan & a new hijackthis scan ... post those logs as well please ...

steam