Can't run S&D completely have virtumonde and other infections



vaney13
2008-09-16, 08:12
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:54 PM, on 9/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn9\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn9\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn9\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Policies\Explorer\Run: [{6CAAD01B-0A6A-1033-0212-031007020001}] "C:\Program Files\Common Files\{6CAAD01B-0A6A-1033-0212-031007020001}\Update.exe" te-110-12-0000213
O4 - Global Startup: hp center UI.lnk.disabled
O4 - Global Startup: hp center.lnk.disabled
O4 - Global Startup: Quicken Scheduled Updates.lnk.disabled
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.secondlife.com
O16 - DPF: Yahoo! Dots - http://download2.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - http://download.games.yahoo.com/games/web_games/sony/davinci/DVCDownloadControl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 8687 bytes

pskelley
2008-09-17, 02:24
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

I am not seeing a lot so I will have to assume it is Vundo, since that is what you see and proceed accordingly.

1) Please be sure Spybot S&D is up to date and fully immunized.
Spybot-S&D 1.6 has arrived! 8. July 2008
http://www.safer-networking.org/en/
http://www.safer-networking.org/en/news/2008-07-08.html
(Spybot cannot remove this junk, but out of date versions freeze trying)

2) We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

3) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.

Thanks

vaney13
2008-09-17, 10:52
Hello PSKELLY,

Thank you so much for your help and time. I will post the Combofix log in two separate posts due to it being too long to submit. Then the HJT log.


ComboFix 08-09-16.03 - Owner 2008-09-17 0:52:57.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.267 [GMT -7:00]
Running from: C:\Documents and Settings\Owner.YOUR-6JNHHU0520.003\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cache329\B_329_0_1_531800.htm
C:\WINDOWS\system32\cache329\B_329_0_1_531800.swf
C:\WINDOWS\system32\cache329\B_329_0_1_534300.htm
C:\WINDOWS\system32\cache329\B_329_0_1_534300.swf
C:\WINDOWS\system32\cache329\B_329_0_1_544900.gif
C:\WINDOWS\system32\cache329\B_329_0_1_545900.htm
C:\WINDOWS\system32\cache329\B_329_0_1_545900.swf
C:\WINDOWS\system32\cache329\B_329_0_1_549000.htm
C:\WINDOWS\system32\cache329\B_329_0_1_549000.swf
C:\WINDOWS\system32\cache329\B_329_0_1_553100.htm
C:\WINDOWS\system32\cache329\B_329_0_1_553100.swf
C:\WINDOWS\system32\cache329\B_329_0_1_554500.htm
C:\WINDOWS\system32\cache329\B_329_0_1_554500.swf
C:\WINDOWS\system32\cache329\B_329_0_1_556900.htm
C:\WINDOWS\system32\cache329\B_329_0_1_556900.swf
C:\WINDOWS\system32\cache329\B_329_0_1_557500.htm
C:\WINDOWS\system32\cache329\B_329_0_1_557500.swf
C:\WINDOWS\system32\cache329\B_329_0_1_559500.htm
C:\WINDOWS\system32\cache329\B_329_0_1_559500.swf
C:\WINDOWS\system32\cache329\B_329_0_1_560400.htm
C:\WINDOWS\system32\cache329\B_329_0_1_560400.swf
C:\WINDOWS\system32\cache329\B_329_0_1_561500.htm
C:\WINDOWS\system32\cache329\B_329_0_1_561500.swf
C:\WINDOWS\system32\cache329\B_329_0_1_562700.htm
C:\WINDOWS\system32\cache329\B_329_0_1_562700.swf
C:\WINDOWS\system32\cache329\B_329_0_1_564700.htm
C:\WINDOWS\system32\cache329\B_329_0_1_564700.swf
C:\WINDOWS\system32\cache329\B_329_0_1_567900.htm
C:\WINDOWS\system32\cache329\B_329_0_1_567900.swf
C:\WINDOWS\system32\cache329\B_329_0_1_568400.htm
C:\WINDOWS\system32\cache329\B_329_0_1_568400.swf
C:\WINDOWS\system32\cache329\B_329_0_1_568900.htm
C:\WINDOWS\system32\cache329\B_329_0_1_568900.swf
C:\WINDOWS\system32\cache329\B_329_0_1_569900.htm
C:\WINDOWS\system32\cache329\B_329_0_1_569900.swf
C:\WINDOWS\system32\cache329\B_329_0_1_570100.htm
C:\WINDOWS\system32\cache329\B_329_0_1_570100.swf
C:\WINDOWS\system32\cache329\B_329_0_1_571100.htm
C:\WINDOWS\system32\cache329\B_329_0_1_571100.swf
C:\WINDOWS\system32\cache329\B_329_0_1_572700.htm
C:\WINDOWS\system32\cache329\B_329_0_1_572700.swf
C:\WINDOWS\system32\cache329\B_329_0_1_573100.htm
C:\WINDOWS\system32\cache329\B_329_0_1_573100.swf
C:\WINDOWS\system32\cache329\B_329_0_1_573200.htm
C:\WINDOWS\system32\cache329\B_329_0_1_573200.swf
C:\WINDOWS\system32\cache329\B_329_0_1_574200.htm
C:\WINDOWS\system32\cache329\B_329_0_1_574200.swf
C:\WINDOWS\system32\cache329\B_329_0_1_577900.htm
C:\WINDOWS\system32\cache329\B_329_0_1_577900.swf
C:\WINDOWS\system32\cache329\B_329_0_1_578100.htm
C:\WINDOWS\system32\cache329\B_329_0_1_578100.swf
C:\WINDOWS\system32\cache329\B_329_0_1_578500.htm
C:\WINDOWS\system32\cache329\B_329_0_1_578500.swf
C:\WINDOWS\system32\cache329\B_329_0_1_578700.htm
C:\WINDOWS\system32\cache329\B_329_0_1_578700.swf
C:\WINDOWS\system32\cache329\B_329_0_1_579700.htm
C:\WINDOWS\system32\cache329\B_329_0_1_579700.swf
C:\WINDOWS\system32\cache329\B_329_0_1_579800.htm
C:\WINDOWS\system32\cache329\B_329_0_1_579800.swf
C:\WINDOWS\system32\cache329\B_329_0_1_584700.htm
C:\WINDOWS\system32\cache329\B_329_0_1_584700.swf
C:\WINDOWS\system32\cache329\B_329_0_1_585000.htm
C:\WINDOWS\system32\cache329\B_329_0_1_585000.swf
C:\WINDOWS\system32\cache329\B_329_0_1_585600.htm
C:\WINDOWS\system32\cache329\B_329_0_1_585600.swf
C:\WINDOWS\system32\cache329\B_329_0_1_586100.gif
C:\WINDOWS\system32\cache329\B_329_0_1_587800.htm
C:\WINDOWS\system32\cache329\B_329_0_1_587800.swf
C:\WINDOWS\system32\cache329\B_329_0_1_588700.htm
C:\WINDOWS\system32\cache329\B_329_0_1_588700.swf
C:\WINDOWS\system32\cache329\B_329_0_1_589700.htm
C:\WINDOWS\system32\cache329\B_329_0_1_589700.swf
C:\WINDOWS\system32\cache329\B_329_0_1_590300.htm
C:\WINDOWS\system32\cache329\B_329_0_1_590300.swf
C:\WINDOWS\system32\cache329\B_329_0_1_591600.htm
C:\WINDOWS\system32\cache329\B_329_0_1_591600.swf
C:\WINDOWS\system32\cache329\B_329_0_1_593100.gif
C:\WINDOWS\system32\cache329\B_329_0_1_593900.htm
C:\WINDOWS\system32\cache329\B_329_0_1_593900.swf
C:\WINDOWS\system32\cache329\B_329_0_1_596600.htm
C:\WINDOWS\system32\cache329\B_329_0_1_596600.swf
C:\WINDOWS\system32\cache329\B_329_0_1_598200.htm
C:\WINDOWS\system32\cache329\B_329_0_1_598200.swf
C:\WINDOWS\system32\cache329\B_329_0_1_598700.htm
C:\WINDOWS\system32\cache329\B_329_0_1_598700.swf
C:\WINDOWS\system32\cache329\B_329_0_1_598800.htm
C:\WINDOWS\system32\cache329\B_329_0_1_598800.swf
C:\WINDOWS\system32\cache329\B_329_0_1_599300.gif
C:\WINDOWS\system32\cache329\B_329_0_1_600900.htm
C:\WINDOWS\system32\cache329\B_329_0_1_600900.swf
C:\WINDOWS\system32\cache329\B_329_0_1_601800.htm
C:\WINDOWS\system32\cache329\B_329_0_1_601800.swf
C:\WINDOWS\system32\cache329\B_329_0_1_602100.htm
C:\WINDOWS\system32\cache329\B_329_0_1_602100.swf
C:\WINDOWS\system32\cache329\B_329_0_1_602700.htm
C:\WINDOWS\system32\cache329\B_329_0_1_602700.swf
C:\WINDOWS\system32\cache329\B_329_0_1_603100.htm
C:\WINDOWS\system32\cache329\B_329_0_1_603100.swf
C:\WINDOWS\system32\cache329\B_329_0_1_605200.gif
C:\WINDOWS\system32\cache329\B_329_0_1_611400.htm
C:\WINDOWS\system32\cache329\B_329_0_1_611400.swf
C:\WINDOWS\system32\cache329\B_329_0_1_611600.htm
C:\WINDOWS\system32\cache329\B_329_0_1_611600.swf
C:\WINDOWS\system32\cache329\B_329_0_1_621600.htm
C:\WINDOWS\system32\cache329\B_329_0_1_621600.swf
C:\WINDOWS\system32\cache329\B_329_0_1_625300.htm
C:\WINDOWS\system32\cache329\B_329_0_1_625300.swf
C:\WINDOWS\system32\cache329\B_329_0_1_630700.htm
C:\WINDOWS\system32\cache329\B_329_0_1_630700.swf
C:\WINDOWS\system32\cache329\B_329_0_1_630800.htm
C:\WINDOWS\system32\cache329\B_329_0_1_630800.swf
C:\WINDOWS\system32\cache329\B_329_0_1_630900.htm
C:\WINDOWS\system32\cache329\B_329_0_1_630900.swf
C:\WINDOWS\system32\cache329\B_329_0_1_631100.htm
C:\WINDOWS\system32\cache329\B_329_0_1_631100.swf
C:\WINDOWS\system32\cache329\B_329_0_1_631500.htm
C:\WINDOWS\system32\cache329\B_329_0_1_631500.swf
C:\WINDOWS\system32\cache329\B_329_0_1_632000.htm
C:\WINDOWS\system32\cache329\B_329_0_1_632000.swf
C:\WINDOWS\system32\cache329\B_329_0_1_632700.htm
C:\WINDOWS\system32\cache329\B_329_0_1_632700.swf
C:\WINDOWS\system32\cache329\B_329_0_1_639000.htm
C:\WINDOWS\system32\cache329\B_329_0_1_639000.swf
C:\WINDOWS\system32\cache329\B_329_0_1_639200.htm
C:\WINDOWS\system32\cache329\B_329_0_1_639200.swf
C:\WINDOWS\system32\cache329\B_329_0_1_639500.htm
C:\WINDOWS\system32\cache329\B_329_0_1_639500.swf
C:\WINDOWS\system32\cache329\B_329_0_1_639700.gif
C:\WINDOWS\system32\cache329\B_329_0_1_640600.gif
C:\WINDOWS\system32\cache329\B_329_0_1_641200.gif
C:\WINDOWS\system32\cache329\B_329_0_1_653300.htm
C:\WINDOWS\system32\cache329\B_329_0_1_653300.swf
C:\WINDOWS\system32\cache329\B_329_0_1_653400.htm
C:\WINDOWS\system32\cache329\B_329_0_1_653400.swf
C:\WINDOWS\system32\cache329\B_329_0_1_659200.htm
C:\WINDOWS\system32\cache329\B_329_0_1_659200.swf
C:\WINDOWS\system32\cache329\B_329_0_1_659700.htm
C:\WINDOWS\system32\cache329\B_329_0_1_659700.swf
C:\WINDOWS\system32\cache329\B_329_0_1_659800.htm
C:\WINDOWS\system32\cache329\B_329_0_1_659800.swf
C:\WINDOWS\system32\cache329\B_329_0_1_660300.htm
C:\WINDOWS\system32\cache329\B_329_0_1_660300.swf
C:\WINDOWS\system32\cache329\B_329_0_1_660800.htm
C:\WINDOWS\system32\cache329\B_329_0_1_660800.swf
C:\WINDOWS\system32\cache329\B_329_0_1_661700.htm
C:\WINDOWS\system32\cache329\B_329_0_1_661700.swf
C:\WINDOWS\system32\cache329\B_329_0_1_661800.htm
C:\WINDOWS\system32\cache329\B_329_0_1_661800.swf
C:\WINDOWS\system32\cache329\B_329_0_1_662000.htm
C:\WINDOWS\system32\cache329\B_329_0_1_662000.swf
C:\WINDOWS\system32\cache329\B_329_0_1_662500.htm
C:\WINDOWS\system32\cache329\B_329_0_1_662500.swf
C:\WINDOWS\system32\cache329\B_329_0_1_662800.htm
C:\WINDOWS\system32\cache329\B_329_0_1_662800.swf
C:\WINDOWS\system32\cache329\B_329_0_1_662900.htm
C:\WINDOWS\system32\cache329\B_329_0_1_662900.swf
C:\WINDOWS\system32\cache329\B_329_0_1_663000.htm
C:\WINDOWS\system32\cache329\B_329_0_1_663000.swf
C:\WINDOWS\system32\cache329\B_329_0_1_666900.htm
C:\WINDOWS\system32\cache329\B_329_0_1_666900.swf
C:\WINDOWS\system32\cache329\B_329_1_0_449200.htm
C:\WINDOWS\system32\cache329\B_329_1_0_454300.htm
C:\WINDOWS\system32\cache329\B_329_2_0_106800.htm
C:\WINDOWS\system32\cache329\B_329_2_0_107400.htm
C:\WINDOWS\system32\cache329\B_329_2_1_512000.htm
C:\WINDOWS\system32\cache329\B_329_2_1_512000.swf
C:\WINDOWS\system32\cache329\B_329_2_1_514400.htm
C:\WINDOWS\system32\cache329\B_329_2_1_514400.swf
C:\WINDOWS\system32\cache329\B_329_2_1_515400.htm
C:\WINDOWS\system32\cache329\B_329_2_1_515400.swf
C:\WINDOWS\system32\cache329\B_329_2_1_517400.htm
C:\WINDOWS\system32\cache329\B_329_2_1_517400.swf
C:\WINDOWS\system32\cache329\B_329_2_1_518200.htm
C:\WINDOWS\system32\cache329\B_329_2_1_518200.swf
C:\WINDOWS\system32\cache329\B_329_2_1_518300.htm
C:\WINDOWS\system32\cache329\B_329_2_1_518300.swf
C:\WINDOWS\system32\cache329\B_329_2_1_520100.htm
C:\WINDOWS\system32\cache329\B_329_2_1_520100.swf

vaney13
2008-09-17, 10:53
Here is the other part.

C:\WINDOWS\system32\cache329\B_329_4_2_642300.htm
C:\WINDOWS\system32\cache329\B_329_4_2_645200.htm
C:\WINDOWS\system32\cache329\B_329_4_2_648700.htm
C:\WINDOWS\system32\cache329\B_329_4_2_659900.htm
C:\WINDOWS\system32\cache329\B_329_4_2_659900.swf
C:\WINDOWS\system32\cache329\B_329_4_2_673800.htm
C:\WINDOWS\system32\cache329\B_329_4_2_673800.swf
C:\WINDOWS\system32\cache329\B_329_4_2_673900.htm
C:\WINDOWS\system32\cache329\B_329_4_2_673900.swf
C:\WINDOWS\system32\cache329\B_329_4_2_711400.htm
C:\WINDOWS\system32\cache329\B_329_4_2_711400.jpg
C:\WINDOWS\system32\cache329\B_329_4_2_711500.gif
C:\WINDOWS\system32\cache329\B_329_4_2_711500.htm
C:\WINDOWS\system32\cache329\B_329_4_2_712100.htm
C:\WINDOWS\system32\cache329\B_329_4_3_563400.htm
C:\WINDOWS\system32\cache329\B_329_4_3_563400.jpg
C:\WINDOWS\system32\cache329\B_329_4_3_577600.htm
C:\WINDOWS\system32\cache329\B_329_4_3_577600.jpg
C:\WINDOWS\system32\cache329\B_329_4_3_580500.htm
C:\WINDOWS\system32\cache329\B_329_4_3_580500.jpg
C:\WINDOWS\system32\cache329\B_329_4_3_585400.htm
C:\WINDOWS\system32\cache329\B_329_4_3_585400.swf
C:\WINDOWS\system32\cache329\B_329_4_3_588000.htm
C:\WINDOWS\system32\cache329\B_329_4_3_588000.jpg
C:\WINDOWS\system32\cache329\B_329_4_3_599400.htm
C:\WINDOWS\system32\cache329\B_329_4_3_602500.htm
C:\WINDOWS\system32\cache329\B_329_4_3_602500.swf
C:\WINDOWS\system32\cache329\B_329_4_3_602700.htm
C:\WINDOWS\system32\cache329\B_329_4_3_602700.swf
C:\WINDOWS\system32\cache329\B_329_4_3_613600.gif
C:\WINDOWS\system32\cache329\B_329_4_3_613600.htm
C:\WINDOWS\system32\cache329\B_329_4_3_614800.htm
C:\WINDOWS\system32\cache329\B_329_4_3_614800.jpg
C:\WINDOWS\system32\cache329\B_329_4_3_615400.htm
C:\WINDOWS\system32\cache329\B_329_4_3_615400.jpg
C:\WINDOWS\system32\cache329\B_329_4_3_619000.htm
C:\WINDOWS\system32\cache329\B_329_4_3_624700.gif
C:\WINDOWS\system32\cache329\B_329_4_3_624700.htm
C:\WINDOWS\system32\cache329\B_329_4_3_627800.gif
C:\WINDOWS\system32\cache329\B_329_4_3_627800.htm
C:\WINDOWS\system32\cache329\B_329_4_3_631000.gif
C:\WINDOWS\system32\cache329\B_329_4_3_631000.htm
C:\WINDOWS\system32\cache329\B_329_4_3_632300.htm
C:\WINDOWS\system32\cache329\B_329_4_3_642300.htm
C:\WINDOWS\system32\cache329\B_329_4_3_652500.gif
C:\WINDOWS\system32\cache329\B_329_4_3_652500.htm
C:\WINDOWS\system32\cache329\B_329_4_3_653900.htm
C:\WINDOWS\system32\cache329\B_329_4_3_653900.swf
C:\WINDOWS\system32\cache329\B_329_4_3_712100.htm
C:\WINDOWS\system32\cache329\B_329_4_4_512500.htm
C:\WINDOWS\system32\cache329\B_329_4_4_617600.htm
C:\WINDOWS\system32\cache329\B_329_4_4_638600.gif
C:\WINDOWS\system32\cache329\B_329_4_4_638600.htm
C:\WINDOWS\system32\cache329\B_513400.htm
C:\WINDOWS\system32\cache329\B_517800.htm
C:\WINDOWS\system32\cache329\B_524800.htm
C:\WINDOWS\system32\cache329\B_525100.htm
C:\WINDOWS\system32\cache329\B_527100.htm
C:\WINDOWS\system32\cache329\B_528500.htm
C:\WINDOWS\system32\cache329\B_530800.htm
C:\WINDOWS\system32\cache329\B_548400.htm
C:\WINDOWS\system32\cache329\B_548500.htm
C:\WINDOWS\system32\cache329\B_550500.htm
C:\WINDOWS\system32\cache329\B_551700.htm
C:\WINDOWS\system32\cache329\B_553500.htm
C:\WINDOWS\system32\cache329\B_554000.htm
C:\WINDOWS\system32\cache329\B_555300.htm
C:\WINDOWS\system32\cache329\B_555600.htm
C:\WINDOWS\system32\cache329\B_555700.htm
C:\WINDOWS\system32\cache329\B_555800.htm
C:\WINDOWS\system32\cache329\B_561000.htm
C:\WINDOWS\system32\cache329\B_569300.htm
C:\WINDOWS\system32\cache329\B_587800.htm
C:\WINDOWS\system32\cache329\B_588700.htm
C:\WINDOWS\system32\cache329\B_591300.htm
C:\WINDOWS\system32\cache329\B_595500.htm
C:\WINDOWS\system32\cache329\B_604700.htm
C:\WINDOWS\system32\cache329\B_633300.htm
C:\WINDOWS\system32\cache329\B_633600.htm
C:\WINDOWS\system32\cache329\B_633900.htm
C:\WINDOWS\system32\cache329\B_634500.htm
C:\WINDOWS\system32\cache329\B_634700.htm
C:\WINDOWS\system32\cache329\B_634800.htm
C:\WINDOWS\system32\cache329\B_634900.htm
C:\WINDOWS\system32\cache329\B_636500.htm
C:\WINDOWS\system32\cache329\B_637600.htm
C:\WINDOWS\system32\cache329\B_642100.htm
C:\WINDOWS\system32\cache329\B_654000.htm
C:\WINDOWS\system32\cache329\B_679800.htm
C:\WINDOWS\system32\cache329\B_704700.htm
C:\WINDOWS\system32\cache329\B_704800.htm
C:\WINDOWS\system32\cache329\B_705100.htm
C:\WINDOWS\system32\cache329\t_B_329_0_0_106800.htm
C:\WINDOWS\system32\cache329\t_B_329_0_0_107400.htm
C:\WINDOWS\system32\cache329\t_B_329_1_0_449200.htm
C:\WINDOWS\system32\cache329\t_B_329_1_0_454300.htm
C:\WINDOWS\system32\cache329\t_B_329_2_0_106800.htm
C:\WINDOWS\system32\cache329\t_B_329_2_0_107400.htm
C:\WINDOWS\system32\cache329\t_B_329_2_3_647100.htm
C:\WINDOWS\system32\cache329\t_B_329_2_3_647300.htm
C:\WINDOWS\system32\cache329\t_B_329_2_3_647900.htm
C:\WINDOWS\system32\cache329\t_B_329_2_3_648200.htm
C:\WINDOWS\system32\cache329\t_B_329_2_3_648800.htm
C:\WINDOWS\system32\cache329\t_B_329_2_3_649000.htm
C:\WINDOWS\system32\cache329\t_B_329_2_3_649100.htm
C:\WINDOWS\system32\cache329\t_B_329_2_3_649300.htm
C:\WINDOWS\system32\cache329\t_B_329_2_3_650000.htm
C:\WINDOWS\system32\cache329\t_B_329_2_3_650200.htm
C:\WINDOWS\system32\cache329\t_B_329_2_3_651300.htm
C:\WINDOWS\system32\cache329\t_B_329_3_0_106800.htm
C:\WINDOWS\system32\cache329\t_B_329_3_0_107400.htm
C:\WINDOWS\system32\cache329\t_B_329_4_0_111600.htm
C:\WINDOWS\system32\cache329\t_B_329_4_0_152400.htm
C:\WINDOWS\system32\cache329\t_B_329_4_0_155300.htm
C:\WINDOWS\system32\cache329\t_B_329_4_0_164100.htm
C:\WINDOWS\system32\cache329\t_B_329_4_1_581800.htm
C:\WINDOWS\system32\cache329\t_B_329_4_1_642400.htm
C:\WINDOWS\system32\cache329\t_B_329_4_1_659300.htm
C:\WINDOWS\system32\cache329\t_B_329_4_2_514600.htm
C:\WINDOWS\system32\cache329\t_B_329_4_2_530300.htm
C:\WINDOWS\system32\cache329\t_B_329_4_2_551200.htm
C:\WINDOWS\system32\cache329\t_B_329_4_2_579200.htm
C:\WINDOWS\system32\cache329\t_B_329_4_2_581800.htm
C:\WINDOWS\system32\cache329\t_B_329_4_2_599400.htm
C:\WINDOWS\system32\cache329\t_B_329_4_2_607000.htm
C:\WINDOWS\system32\cache329\t_B_329_4_2_617600.htm
C:\WINDOWS\system32\cache329\t_B_329_4_2_624100.htm
C:\WINDOWS\system32\cache329\t_B_329_4_2_642300.htm
C:\WINDOWS\system32\cache329\t_B_329_4_2_645200.htm
C:\WINDOWS\system32\cache329\t_B_329_4_2_648700.htm
C:\WINDOWS\system32\cache329\t_B_329_4_2_712100.htm
C:\WINDOWS\system32\cache329\t_B_329_4_3_599400.htm
C:\WINDOWS\system32\cache329\t_B_329_4_3_619000.htm
C:\WINDOWS\system32\cache329\t_B_329_4_3_632300.htm
C:\WINDOWS\system32\cache329\t_B_329_4_3_642300.htm
C:\WINDOWS\system32\cache329\t_B_329_4_3_712100.htm
C:\WINDOWS\system32\cache329\t_B_329_4_4_512500.htm
C:\WINDOWS\system32\cache329\t_B_329_4_4_617600.htm
C:\WINDOWS\system32\cache329\t_B_513400.htm
C:\WINDOWS\system32\cache329\t_B_517800.htm
C:\WINDOWS\system32\cache329\t_B_524800.htm
C:\WINDOWS\system32\cache329\t_B_525100.htm
C:\WINDOWS\system32\cache329\t_B_527100.htm
C:\WINDOWS\system32\cache329\t_B_528500.htm
C:\WINDOWS\system32\cache329\t_B_530800.htm
C:\WINDOWS\system32\cache329\t_B_548400.htm
C:\WINDOWS\system32\cache329\t_B_548500.htm
C:\WINDOWS\system32\cache329\t_B_550500.htm
C:\WINDOWS\system32\cache329\t_B_551700.htm
C:\WINDOWS\system32\cache329\t_B_553500.htm
C:\WINDOWS\system32\cache329\t_B_554000.htm
C:\WINDOWS\system32\cache329\t_B_555300.htm
C:\WINDOWS\system32\cache329\t_B_555600.htm
C:\WINDOWS\system32\cache329\t_B_555700.htm
C:\WINDOWS\system32\cache329\t_B_555800.htm
C:\WINDOWS\system32\cache329\t_B_561000.htm
C:\WINDOWS\system32\cache329\t_B_569300.htm
C:\WINDOWS\system32\cache329\t_B_587800.htm
C:\WINDOWS\system32\cache329\t_B_588700.htm
C:\WINDOWS\system32\cache329\t_B_591300.htm
C:\WINDOWS\system32\cache329\t_B_595500.htm
C:\WINDOWS\system32\cache329\t_B_604700.htm
C:\WINDOWS\system32\cache329\t_B_633300.htm
C:\WINDOWS\system32\cache329\t_B_633600.htm
C:\WINDOWS\system32\cache329\t_B_633900.htm
C:\WINDOWS\system32\cache329\t_B_634500.htm
C:\WINDOWS\system32\cache329\t_B_634700.htm
C:\WINDOWS\system32\cache329\t_B_634800.htm
C:\WINDOWS\system32\cache329\t_B_634900.htm
C:\WINDOWS\system32\cache329\t_B_636500.htm
C:\WINDOWS\system32\cache329\t_B_637600.htm
C:\WINDOWS\system32\cache329\t_B_642100.htm
C:\WINDOWS\system32\cache329\t_B_654000.htm
C:\WINDOWS\system32\cache329\t_B_679800.htm
C:\WINDOWS\system32\cache329\t_B_704700.htm
C:\WINDOWS\system32\cache329\t_B_704800.htm
C:\WINDOWS\system32\cache329\t_B_705100.htm
C:\WINDOWS\system32\cache329\Thumbs.db
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-08-17 to 2008-09-17 )))))))))))))))))))))))))))))))
.

2008-09-16 02:03 . 2008-09-16 02:03 <DIR> d-------- C:\Program Files\Avira
2008-09-16 02:03 . 2008-09-16 02:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-09-15 23:07 . 2008-09-15 23:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-15 01:35 . 2002-10-28 11:57 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-6JNHHU0520.001\Application Data\VERITAS
2008-09-15 01:35 . 2008-09-15 13:03 <DIR> d---s---- C:\Documents and Settings\Administrator.YOUR-6JNHHU0520.001
2008-09-15 01:18 . 2008-09-15 01:18 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg(2)
2008-09-15 01:17 . 2008-09-15 13:03 <DIR> d-------- C:\Program Files\AVG(2)
2008-09-14 22:26 . 2008-09-16 07:50 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-14 22:26 . 2008-09-15 13:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-14 21:13 . 2008-09-14 21:13 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-6JNHHU0520.003\Application Data\MSN6
2008-09-14 20:20 . 2008-09-15 13:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-14 20:13 . 2008-09-14 20:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-14 20:04 . 2008-09-14 20:04 <DIR> d-------- C:\Documents and Settings\ELENA\Application Data\Lavasoft
2008-08-27 12:20 . 2008-08-27 12:44 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-25 00:20 . 2008-08-25 00:20 <DIR> d---s---- C:\Documents and Settings\ELENA\UserData
2008-08-23 09:36 . 2008-08-23 09:36 <DIR> drah----- C:\Documents and Settings\ELENA\Application Data\yahoo!
2008-08-22 22:12 . 2002-10-28 12:21 <DIR> d-------- C:\Documents and Settings\ELENA\WINDOWS
2008-08-22 22:12 . 2002-10-28 11:57 <DIR> d-------- C:\Documents and Settings\ELENA\Application Data\VERITAS
2008-08-22 22:12 . 2002-10-28 11:50 <DIR> d-------- C:\Documents and Settings\ELENA\Application Data\Share-to-Web Upload Folder
2008-08-22 22:12 . 2002-10-28 12:30 <DIR> d-------- C:\Documents and Settings\ELENA\Application Data\SampleView
2008-08-22 22:12 . 2002-10-28 12:13 <DIR> d-------- C:\Documents and Settings\ELENA\Application Data\InterTrust
2008-08-22 22:12 . 2008-09-15 13:06 <DIR> d-------- C:\Documents and Settings\ELENA
2008-08-22 22:12 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-08-17 17:13 . 2008-05-01 07:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-15 20:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg8
2008-09-15 03:20 --------- d-----w C:\Program Files\Lavasoft
2008-08-24 17:03 --------- d-----w C:\Program Files\Google
2008-08-23 17:56 --------- d-----w C:\Program Files\Knowledge Adventure
2008-07-24 03:57 --------- d-----w C:\Program Files\Sun
2008-07-24 03:56 --------- d-----w C:\Program Files\Java
2008-07-20 22:06 --------- d-----w C:\Documents and Settings\Owner.YOUR-6JNHHU0520.003\Application Data\Ludia
2008-07-19 03:05 --------- d-----w C:\Program Files\TryMedia
2008-07-19 03:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ludia
2003-04-21 05:49 32 --sha-w C:\WINDOWS\{2AFC114E-64C8-455C-8CD1-AD17EC10EA19}.dat
2006-10-24 02:48 32 --sha-w C:\WINDOWS\{CE638E70-09C6-427B-85D8-79289381CB53}.dat
2003-04-21 05:49 32 --sha-w C:\WINDOWS\system32\{27F2BB3C-8572-4527-9420-BA58F237DC74}.dat
2006-10-24 02:48 32 --sha-w C:\WINDOWS\system32\{6A80B146-1281-4C9B-A9A1-9B042F526F95}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 413696]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 C:\WINDOWS\ALCXMNTR.EXE]

C:\Documents and Settings\Owner.YOUR-6JNHHU0520\Start Menu\Programs\Startup\
Registration Prince of Persia T2T.LNK.disabled [2006-09-29 1218]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp center UI.lnk.disabled [2008-04-05 869]
hp center.lnk.disabled [2004-07-06 1811]
Quicken Scheduled Updates.lnk.disabled [2002-10-28 675]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"NVIEW"=rundll32.exe nview.dll,nViewLoadHook
"Aim6"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"Share-to-Web Namespace Daemon"=c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"nwiz"=nwiz.exe /installquiet /keeploaded
"NvCplDaemon"=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
"AutoTBar"=C:\hp\bin\autotbar.exe
"BlockTracker"=c:\hp\bin\BlockTracker.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\SecondLife\\SecondLife.exe"=
"C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe [2004-07-14 65536]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe [2004-07-14 1527887]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-BlockTracker - c:\hp\bin\BlockTracker.exe
HKCU-Explorer_Run-{6CAAD01B-0A6A-1033-0212-031007020001} - C:\Program Files\Common Files\{6CAAD01B-0A6A-1033-0212-031007020001}\Update.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKCU-Main,Default_Search_URL = hxxp://srch-us7.hpwis.com/
R0 -: HKLM-Main,Start Page = hxxp://www.yahoo.com
R0 -: HKLM-Main,Search Bar = hxxp://srch-us7.hpwis.com/
R1 -: HKCU-Internet Settings,ProxyOverride = localhost;*.local
R1 -: HKCU-SearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O8 -: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 -: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 -: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 -: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 -: {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-17 01:08:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-09-17 1:27:10 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-09-17 08:26:07

Pre-Run: 71,401,398,272 bytes free
Post-Run: 72,772,788,224 bytes free

1265 --- E O F --- 2008-09-10 10:05:27

vaney13
2008-09-17, 10:55
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:54:39 AM, on 9/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn9\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn9\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn9\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: hp center UI.lnk.disabled
O4 - Global Startup: hp center.lnk.disabled
O4 - Global Startup: Quicken Scheduled Updates.lnk.disabled
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.secondlife.com
O16 - DPF: Yahoo! Dots - http://download2.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - http://download.games.yahoo.com/games/web_games/sony/davinci/DVCDownloadControl.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 8651 bytes

pskelley
2008-09-17, 14:35
No problem, use what space you need. ComboFix found a lot of junk; follow the directions carefully and in the numbered order.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(damaged)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - Global Startup: hp center UI.lnk.disabled
O4 - Global Startup: hp center.lnk.disabled

(if you installed the next two, you may leave them)
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

Close all programs but HJT and all browser windows, then click on "Fix Checked"

3) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

4) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

How is the computer running now?

Thanks

vaney13
2008-09-18, 23:18
Hello Pskelly,

OK, I followed all the steps and here are the logs:
*Oh, and I have not had my computer on the internet, only when we are doing fixes. Is it OK to use the internet yet? But so far my comp has been better, not starting up and shutting down often and freezing. Thank you so very much again and again.


Malwarebytes' Anti-Malware 1.28
Database version: 1169
Windows 5.1.2600 Service Pack 2

9/18/2008 2:10:06 PM
mbam-log-2008-09-18 (14-10-06).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 257764
Time elapsed: 2 hour(s), 2 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 78

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\downloader.downloaderctrl.1 (Adware.2020search) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner\Local Settings\Temp\debugf.txt (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\hp.txt (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\theLogFile.txt (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\angelsoft2.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\budweiser.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\buildabear2.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\butterfinger.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\carlsjr.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\carlsjrburger.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\chapstick.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\colgatepb.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\easymac.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\everyoneshero.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\football2006.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\freeride.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\gatoradefierce.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\glade.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\gmcsoccer.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\grudge2.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\hondafit.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\jcpenney.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\kyocera.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\maybellinelash.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\myphoto.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\navy.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\nordstrom2.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\nordstrom3.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\nordstrom5.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\overthehedge.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\pepsiringtones.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\poptartsotc.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\ptchocolate.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\sirius.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\sonyericsson.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\travelocity.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\verizon.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\vwchocolate.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\walmart.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\wellsfargo.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\xmen3.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rox\Local Settings\Temp\ysmash.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\baseball.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\baseballbutton.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\beyonce.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\chess.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\chocopromo.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\cingular.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\colgate.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\dilbert.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\eetern.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\fifa.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\freakyfriday.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\fructis.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\hellokitty.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\holes.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\hotchick.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\hulk.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\jeep.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\juicyfruitus.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\lizziemcguire.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\mentos.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\milk.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\nemo.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\oxy.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\panasonic.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\peanuts.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\pirates.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\polo.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\purinacats.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\purinadogs.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\purinadogs2.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\sbcyahoo.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\search.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\swat.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\t3.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\tmac.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\tmobile.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\xmen.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:14:32 PM, on 9/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn9\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn9\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn9\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Quicken Scheduled Updates.lnk.disabled
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.secondlife.com
O16 - DPF: Yahoo! Dots - http://download2.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - http://download.games.yahoo.com/games/web_games/sony/davinci/DVCDownloadControl.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 8025 bytes

pskelley
2008-09-19, 01:31
Thanks for returning your information and the feedback. Everything looks good; let's do this:

Remove combofix from your computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

To be sure, clean System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update and run MBAM again to make sure we missed none of the junk; there is no need to post a clean scan result.

Update your antivirus program and scan your system to be sure it is running right and scanning clean. Let me know all is well at this point and I will close your topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley

vaney13
2008-09-19, 22:20
Hi Pskelly,

Well, I updated the antivirus and ran a scan; there are about 10 viruses found and 9 warnings. Should I delete these? I believe they are in quarantine?

here is the scan report:



Avira AntiVir Personal
Report file date: Friday, September 19, 2008 11:21

Scanning for 1626815 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: YOUR-6JNHHU0520

Version information:
BUILD.DAT : 8.1.0.331 16934 Bytes 8/12/2008 11:46:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 6/26/2008 17:57:53
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 16:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 21:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 16:58:52
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 19:33:34
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 6/24/2008 22:54:15
ANTIVIR2.VDF : 7.0.6.153 3341312 Bytes 9/12/2008 09:04:42
ANTIVIR3.VDF : 7.0.6.187 216576 Bytes 9/19/2008 18:20:25
Engineversion : 8.1.1.34
AEVDF.DLL : 8.1.0.5 102772 Bytes 2/25/2008 18:58:21
AESCRIPT.DLL : 8.1.0.76 319867 Bytes 9/18/2008 20:08:12
AESCN.DLL : 8.1.0.23 119156 Bytes 7/10/2008 21:44:49
AERDL.DLL : 8.1.1.2 438644 Bytes 9/18/2008 20:08:10
AEPACK.DLL : 8.1.2.1 364917 Bytes 7/15/2008 21:58:35
AEOFFICE.DLL : 8.1.0.25 196986 Bytes 9/18/2008 20:08:09
AEHEUR.DLL : 8.1.0.59 1438071 Bytes 9/18/2008 20:08:08
AEHELP.DLL : 8.1.0.15 115063 Bytes 7/10/2008 21:44:48
AEGEN.DLL : 8.1.0.36 315764 Bytes 9/16/2008 09:04:48
AEEMU.DLL : 8.1.0.7 430452 Bytes 7/31/2008 17:33:21
AECORE.DLL : 8.1.1.11 172406 Bytes 9/16/2008 09:04:46
AEBB.DLL : 8.1.0.1 53617 Bytes 7/10/2008 21:44:48
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 17:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 18:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 9/16/2008 09:04:43
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 20:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 17:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 21:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 02:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 21:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 21:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 22:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 22:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Friday, September 19, 2008 11:21

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'hpgs2wnf.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'fbserver.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'ALCXMNTR.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'fbguard.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'LEXPPS.EXE' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'LEXBCES.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
32 processes with 32 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD2
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '59' files ).


Starting the file scan:

Begin scan in 'C:\' <HP_PAVILION>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\All Users\Application Data\yahoo!\Norton Spyware Scan\UPDATES\symwt-en-10352-f.sbr.sgn.unsgn
[WARNING] An exception has been identified!
[WARNING] In the module 'aecore.dll' an exception occured.
Calling the function AVEPROC_TestFile in file: \\?\C:\Documents and Settings\All Users\Application Data\yahoo!\Norton Spyware Scan\UPDATES\symwt-en-10352-f.sbr.sgn.unsgn
Error description:ACCESS_VIOLATION
EAX = 07B92248 EBX = 0135FBD8
ECX = 07B92224 EDX = 00000264
ESI = 0720557C EDI = 0135fbd4
EIP = 0155C8C3 EBP = 08330068
ESP = 01B8E530 Flg = 00010283
CS = 00000023 SS = 0000001B
C:\Documents and Settings\Owner\Local Settings\Temp\ymsgr2
[0] Archive type: CAB (Microsoft)
--> imvcache\leaves\1.gif
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Owner\Local Settings\Temp\ymsgr6
[0] Archive type: CAB (Microsoft)
--> imvcache\xmen\\c.gif
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0XIVKXAR\powerscan[1].exe
[DETECTION] Is the TR/IstBar.J Trojan
[NOTE] The file was moved to '494af036.qua'!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\C1MJC96F\fsc2k[1].htm
[DETECTION] Is the TR/Dldr.Cobase.A Trojan
[NOTE] The file was moved to '4936f050.qua'!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\E9G783UZ\adcycle[2]
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '4936f04b.qua'!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GHAJKXU7\AppWrap[1].exe
[DETECTION] Contains recognition pattern of the DR/Small.OF.F dropper
[NOTE] The file was moved to '4943f05f.qua'!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GHAJKXU7\AppWrap[3].exe
[DETECTION] Contains recognition pattern of the DR/Small.OF.F dropper
[NOTE] The file was moved to '4943f063.qua'!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KPABGXUZ\install[1].exe
[DETECTION] Is the TR/SecndThought.C.4 Trojan
[NOTE] The file was moved to '4946f073.qua'!
C:\Documents and Settings\Owner.YOUR-6JNHHU0520\Application Data\ArcSoft\ShowBiz\1.3.2\ShowBiz_1.3.2.13_1.3.2.37_Update_E.exe
[0] Archive type: CAB SFX (self extracting)
--> \Disk1\data1.hdr
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP1\A0000014.exe
[DETECTION] Is the TR/IstBar.J Trojan
[NOTE] The file was moved to '49040012.qua'!
C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP1\A0000015.exe
[DETECTION] Contains recognition pattern of the DR/Small.OF.F dropper
[NOTE] The file was moved to '49040016.qua'!
C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP1\A0000016.exe
[DETECTION] Contains recognition pattern of the DR/Small.OF.F dropper
[NOTE] The file was moved to '4904001a.qua'!
C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP1\A0000017.exe
[DETECTION] Is the TR/SecndThought.C.4 Trojan
[NOTE] The file was moved to '4904001f.qua'!
Begin scan in 'D:\' <HP_RECOVERY>


End of the scan: Friday, September 19, 2008 13:14
Used time: 1:53:06 Hour(s)

The scan has been done completely.

15011 Scanning directories
742867 Files were scanned
10 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
10 files were moved to quarantine
0 files were renamed
3 Files cannot be scanned
742854 Files not concerned
21855 Archives were scanned
9 Warnings
10 Notes

vaney13
2008-09-22, 20:30
hi Pskelly,

Sorry to post again, just wondering if it's safe to delete those warnings/infections that are in quarantine...I see it says they are in the system volume area..I just don't want to mess up or delete something I need? Thank you so much...other than that the computer seems to be doing ok

pskelley
2008-09-22, 20:47
I posted instructions for cleaning those files, not once, but twice:

To be sure, clean System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

If you followed the directions in the order I posted them, those infected files would not have been there for the antivirus program to find.

vaney13
2008-09-22, 21:12
Hello Pskelly,

I actually did follow the instructions prior on 2008-09-19, 13:20, but Avira still picked these infections up. I turned off System Restore again a minute ago and followed your instructions...as I am posting this I am running a scan and already there are 7 warnings...hopefully the major infections will be cleared this time...but if for some reason they don't is it ok to delete them?

pskelley
2008-09-22, 21:23
You can if you want to but those are protected Windows files and the only way I know to clean them is how I have posted for you?

vaney13
2008-09-24, 05:09
hello Pskelly,

Sorry but the comp is having the same problem...I can't fix the problems that spybot finds the program freezes... also can't download updates again. I've tried to remove them in safe mode also and no luck.

pskelley
2008-09-24, 12:49
We will look more for the reason. Does the computer "freeze" when you run any other program besides Spybot? Are you receiving any error messages? Usually this symptom will also have an error message indicating what is occurring. If so please post the error word for word.

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
  * Scan using the following Anti-Virus database:
    * Standard
  * Scan Options:
    * Scan Archives
    * Scan Mail Bases
* Click OK
* Now under select a target to scan:
  * Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)

Post then, the results of the KOS, the uninstall list and a new HJT log.

Thanks

vaney13
2008-09-27, 04:32
Hi Pskelly,
I believe these are the logs you asked for thank you. Oh and I have not had any other freezing problems with other programs. No error messages either.


KASPERSKY ONLINE SCANNER 7 REPORT
Friday, September 26, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, September 26, 2008 05:18:32
Records in database: 1262315


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics
Files scanned 136121
Threat name 4
Infected objects 4
Suspicious objects 0
Duration of the scan 03:22:54

File name Threat name Threats count
C:\dist.exe Infected: Trojan-Clicker.Win32.Agent.alg 1

C:\dist.exe Infected: Trojan-Downloader.Win32.Braidupdate.c 1

C:\WINDOWS\Downloaded Program Files\button.inf Infected: not-a-virus:AdWare.Win32.BetterInternet.be 1

C:\WINDOWS\Downloaded Program Files\turbo.inf Infected: not-a-virus:AdWare.Win32.BetterInternet.as 1

The selected area was scanned.

HJT:

Adobe Acrobat 5.0
Adobe Bridge 1.0
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe Shockwave Player
Adobe Stock Photos 1.0
Adobe® Photoshop® Album Starter Edition 3.0
ArcSoft Software Suite
Avira AntiVir Personal - Free Antivirus
Betty Bad
Blackhawk Striker
Blasterball 2
Blasterball Wild
Bonjour
Charter High Speed Internet Self-Installation Wizard
Dark Orbit
Dell Photo Printer 720
Detto IntelliMover Demo
easy Internet sign-up
Firebird 1.5.1.4481
Freedom Security & Privacy
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
hp center
HP Digital Imaging Album Printing 1.0
HP Instant Support
HP Photo and Imaging 1.1 - Photosmart Cameras
hp toolkit
Inactive HP Printer Drivers (Remove only)
Indeo® Software
Intel(R) 82845G Graphics Driver Software
InterVideo WinDVD 4
iTunes
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
KBD
Lernout & Hauspie TruVoice American English TTS Engine
LimeWire 4.14.12
Malwarebytes' Anti-Malware
MarketBrowser
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MUSICMATCH Jukebox
MyDVD
Mystic Inn
Mystic Inn
NVIDIA Windows 2000/XP Display Drivers
OpenOffice.org Installer 1.0
PC-Doctor for Windows
PigPen
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken 2003 New User Edition
QuickTime
RecordNow
RecordNow Update Manager
S3Display
S3Gamma2
S3Info2
S3Overlay
Safari
SAM3 (remove only)
SecondLife (remove only)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 8 (KB917734)
ShowBiz
Simple Backup for My Pictures
Simple Installer - Multilanguage Version
Skype 3.1
Skype add-on for IE
Skype Plugin Manager
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
The Sims 2
Viewpoint Media Player
Virtual Warfare
WildTangent Channel Manager
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 2
WordPerfect Productivity Pack
WordPerfect Productivity Pack
Yahoo! Internet Mail


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:30:42 PM, on 9/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - Global Startup: Quicken Scheduled Updates.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.secondlife.com
O16 - DPF: Yahoo! Dots - http://download2.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - http://download.games.yahoo.com/games/web_games/sony/davinci/DVCDownloadControl.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 7167 bytes

pskelley
2008-09-27, 11:56
Thanks for returning your information, please proceed like this:

1) Kaspersky Online Scan (KOS)

C:\dist.exe <<< delete that file
C:\WINDOWS\Downloaded Program Files\button.inf <<< delete that file
C:\WINDOWS\Downloaded Program Files\turbo.inf <<< delete that file

2) Uninstall list: I look for security issues and malware, I suggest you look for programs you no longer use to uninstall and give your computer a break.

https://psi.secunia.com/ <<< read this information, the tool is free and you can turn it off in MSConfig so it does not run all of the time if you wish.

Adobe Reader 8.1.2 <<< I am aware this is being exploited by hackers and is out of date:
http://www.filehippo.com/download_adobe_reader/ <<< newest version
(I will guess that other Adobe programs are out of date also, psi will tell you this.)

Firebird 1.5.1.4481 <<< out of date, if you are going to run the programs, you need to keep them up to date:
http://www.firebirdsql.org/

Java(TM) 6 Update 2 <<< uninstall these, see the link:
Java(TM) 6 Update 3
Java(TM) 6 Update 5
http://forums.spybot.info/showthread.php?t=34433

LimeWire 4.14.12 <<< uninstall see this information:
http://forums.spybot.info/showthread.php?t=282
If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.

MarketBrowser <<< if you did not install this, uninstall it.

Viewpoint Media Player <<< if you do not use this, uninstall it.

When the above has been completed, please report any malware issues.

Thanks
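
Added example, not part of the thread or of any tool named in it: a small Python check that does mechanically what the reply above does by eye for the Java entries, finding product families in a saved HijackThis uninstall list that have more than one "Update N" level installed and listing the older ones as removal candidates. The function name `superseded_updates` and the sample text are assumptions; the sample is constructed from entries in the list posted above.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the uninstall list in this thread.
SAMPLE_LIST = """\
Adobe Reader 8.1.2
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
RecordNow Update Manager
Security Update for CAPICOM (KB931906)
Python 2.2.1
"""

# Matches "<family> Update <n>" only when the line ends in the update number,
# so "Security Update for ..." and "RecordNow Update Manager" are ignored.
UPDATE_RE = re.compile(r"^(?P<family>.+?)\s+Update\s+(?P<n>\d+)$", re.IGNORECASE)


def superseded_updates(listing):
    """Return {family: (newest_entry, [older_entries])} for every product
    family that appears with two or more different update levels."""
    families = defaultdict(dict)  # family -> {update number: original line}
    for raw in listing.splitlines():
        line = raw.strip()
        match = UPDATE_RE.match(line)
        if match:
            families[match.group("family")][int(match.group("n"))] = line

    report = {}
    for family, levels in families.items():
        if len(levels) < 2:
            continue  # only one level installed, nothing superseded
        # Compare as integers: a string sort would rank "Update 10" below "Update 7".
        newest = max(levels)
        older = [levels[n] for n in sorted(levels) if n != newest]
        report[family] = (levels[newest], older)
    return report


if __name__ == "__main__":
    for family, (newest, older) in superseded_updates(SAMPLE_LIST).items():
        print(f"{family}: keep '{newest}'")
        for entry in older:
            print(f"  removal candidate: {entry}")
```
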

vaney13
2008-09-28, 05:35
ok I am running another scan with kaspersky...then you said to delete a few files...is that through kaspersky or through another program please let me know. Thank you Pskelly....so much:)

pskelley
2008-09-28, 12:12
Right click Start then click Explore. Using the folders that open navigate to those files, point your mouse at them, then right click the mouse and choose delete. After the files have been deleted, right click the Recycle Bin on the Desktop and choose "Empty Recycle Bin".

vaney13
2008-09-28, 23:16
Hello Pskelly,

ok I think I was able to locate and delete C:\dist.exe this file, but I cannot locate the other two

C:\WINDOWS\Downloaded Program Files\button.inf
C:\WINDOWS\Downloaded Program Files\turbo.inf

pskelley
2008-09-28, 23:25
Did you try Search Companion? Start > Search > Files and folders > copy/paste the name into the search box and Search.
Allow a little time, a lot of files to search through. I would say if SC can not find one, it will not find the other.

How is the computer running? Any malware problems?

Thanks...Phil

vaney13
2008-10-01, 01:23
Hello Pskelly,

Yes I tried SC and to no avail did I find the last two files. The comp has been freezing a little. I continue to pick up items on ad aware and spybot??realmedia & wild tangent? avira will pick up warnings but I'm not sure if it deletes them automatically, cause I don't see an option to delete warnings??

pskelley
2008-10-01, 01:48
I do not do Ad-Aware, if you have questions about what it does or does not remove, post those here:
http://www.lavasoftsupport.com/

If you have problems with Spybot S&D finding malware it can not remove, post that question here:
http://forums.spybot.info/forumdisplay.php?f=4

The comp has been freezing a little.
Unless you can post an error message that occurs at the same time, I can't help you, there are countless reasons why this happens.
http://www.google.com/search?hl=en&q=troubleshoot+computer+freezes&btnG=Google+Search&aq=f&oq=
http://kadaitcha.cx/ <<< good troubleshooting site

I have done about all I can do for this computer, you might want to consider:
http://www.google.com/search?hl=en&q=reinstall+xp&btnG=Search
http://www.google.com/search?hl=en&q=repair+xp&btnG=Search

Thanks