[Resolved] rcp-Smitfraud-C/Zlob/ISTbar infection
claypot
post Aug 13 2008, 11:35 AM
Post #1
Operating System: XP

On the night of 8/7, while on the web looking for asthma drug info, I started receiving multiple hits on my firewall (ZoneAlarm). I thought I denied them all but something got through, and the first symptom was a blue and yellow screen with the message, "Warning! Spyware detected on your computer. Install an antivirus or spyware remover to clean your computer." After this several incidents occurred where I would search the web and choose to see a certain site and a different site would appear.

I use Computer Associates software from SBC-Yahoo for anti-virus and anti-spy and Zone Alarm for firewall.

I had Spyware Eliminator on the computer and ran it. It indicated a problem file named 'BACKDOOR.W32.Delf.SCV'. I could not tell if it did anything as it kept putting up a message that svchost.exe could not be stopped. I went into Task Manager and stopped all svchost.exe sessions but couldn't see any results.

I downloaded Spybot and ran it several times. It identified several problem items at different times: Smitfraud=C.bs, Zlob.downloader.rib, virtumonde.dll.bs, and two Microsoft Windows Systems items. I clicked Repair and the best I can tell it removes the offending items but they are immediately re-installed.

I was able to remove the blue/yellow screen one time by changing the Desktop theme back to the XP default, but on the next startup it came back and I can no longer remove it this way. Is the problem learning?

I did a System Recovery to a previous week but a message said a 'System recovery could not be done.'

After working most of the day with the above, I received a message from the anti-virus program that it had detected a virus. I failed to write down the name but I will scan again to see if it picks it up.

By the end of a day of working with this and reading through the web, I believe I need some knowledgeable assistance. The automatic programs are not working.

I have some questions.

What is the infection, what is it doing, and what can it do? It seems to learn to stop a fix after I have tried it once. Also, when it stops or re-directs an action, if I try several times it finally works correctly. Will it infect any or all of my other files?

If I use a thumb-drive to transfer files to the infected computer, what is the probability the thumb-drive could be infected? What precautions should be taken to contain this thing?

I have downloaded HijackThis from your site (I was surprised it let me) and have run it. I ran a Computer Assoc spyware scan just before, though, so I need to run it again.

I will very much appreciate any assistance you can give,

This post has been edited by claypot: Aug 17 2008, 12:48 PM
ken545
post Aug 19 2008, 11:44 AM
Post #2
Group: Malware Expert
Operating System: Win Xp Home SP3/ Vista Home Premium SP1

Hello claypot

Welcome to the Whatthetech Malware Removal Forum. Sorry for the delay in responding, but with the amount of people posting with infected computers there are not enough hours in the day.

Don't really know what you're infected with until we see a HijackThis log. And yes, there are infections going around that can infect your thumb drive.

Download Trend Micro's HijackThis to your desktop.
  • Double click it to install
  • Follow the prompts and by default it will install in C:\Program Files\Trendmicro\Hijackthis\HijackThis.exe
  • Open HJT, Scan and Save a Log File; it will open in Notepad
  • Go to Format and make sure Wordwrap is Unchecked
  • Go to Edit > Select All..... Edit > Copy, and Paste the new log into this thread by using Post Reply and not starting a New Thread.

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
claypot
post Aug 19 2008, 09:30 PM
Post #3
Operating System: XP

ken545, thank you for the response. Below is the HijackThis log for my computer. I have not kept the operating system up to date.

If you can walk me through this one like it is a lesson, as I intend to take the training after this is fixed. I imagine there are many people who need assistance, and after my experience I would be glad to help out. dickp


Logfile of HijackThis v1.99.1
Scan saved at 9:59:26 PM, on 8/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Yahoo!\Antivirus\autodown.exe
C:\Program Files\Yahoo!\Antivirus\cafix.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [YOP] "C:\PROGRA~1\Yahoo!\YOP\yop.exe" /autostart
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdstu.exe] C:\WINDOWS\system32\kdstu.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingC5510] cmd /c del "C:\WINDOWS\system32\blphc1vcj0e15p.scr_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA465] command /c del "C:\WINDOWS\system32\blphc1vcj0e15p.scr"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9058] cmd /c del "C:\WINDOWS\system32\blphc1vcj0e15p.scr"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6455] command /c del "C:\WINDOWS\system32\kdstu.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4859] cmd /c del "C:\WINDOWS\system32\kdstu.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB6625] command /c del "C:\WINDOWS\system32\blphc1vcj0e15p.scr_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9953] cmd /c del "C:\WINDOWS\system32\blphc1vcj0e15p.scr_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5183] command /c del "C:\WINDOWS\system32\blphc1vcj0e15p.scr"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1660] cmd /c del "C:\WINDOWS\system32\blphc1vcj0e15p.scr"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6334] command /c del "C:\WINDOWS\system32\kdstu.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3725] cmd /c del "C:\WINDOWS\system32\kdstu.exe"
O4 - Global Startup: WinDates.lnk = C:\Program Files\WinDates\WinDates.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite...vex-2.0.6.0.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe (file missing)

claypot
post Aug 19 2008, 09:58 PM
Post #4
Operating System: XP

ken545, here is the same HijackThis log with WORDWRAP off. dp


Logfile of HijackThis v1.99.1
Scan saved at 9:59:26 PM, on 8/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Yahoo!\Antivirus\autodown.exe
C:\Program Files\Yahoo!\Antivirus\cafix.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [YOP] "C:\PROGRA~1\Yahoo!\YOP\yop.exe" /autostart
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdstu.exe] C:\WINDOWS\system32\kdstu.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingC5510] cmd /c del "C:\WINDOWS\system32\blphc1vcj0e15p.scr_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA465] command /c del "C:\WINDOWS\system32\blphc1vcj0e15p.scr"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9058] cmd /c del "C:\WINDOWS\system32\blphc1vcj0e15p.scr"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6455] command /c del "C:\WINDOWS\system32\kdstu.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4859] cmd /c del "C:\WINDOWS\system32\kdstu.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB6625] command /c del "C:\WINDOWS\system32\blphc1vcj0e15p.scr_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9953] cmd /c del "C:\WINDOWS\system32\blphc1vcj0e15p.scr_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5183] command /c del "C:\WINDOWS\system32\blphc1vcj0e15p.scr"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1660] cmd /c del "C:\WINDOWS\system32\blphc1vcj0e15p.scr"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6334] command /c del "C:\WINDOWS\system32\kdstu.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3725] cmd /c del "C:\WINDOWS\system32\kdstu.exe"
O4 - Global Startup: WinDates.lnk = C:\Program Files\WinDates\WinDates.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite...vex-2.0.6.0.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe (file missing)

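The log above is the plain-text format HijackThis writes: one entry per line, tagged with a section code (R0/R1 for browser start and search pages, O2 for BHOs, O4 for Run/RunOnce autostarts, O16 for downloaded ActiveX controls, O23 for services). As an added example, not part of this thread and not HijackThis's own code, the following Python script parses those entry lines and applies a few defender-side triage heuristics that this particular log illustrates: an O4 Run value whose name is its own file path (the kdstu.exe line), a Run target that a cleaner's RunOnce "del" command had already tried to remove but that is still being launched, an O23 service whose binary is missing, and O16 controls fetched from a remote URL. The sample lines are excerpted from the log in this thread; the rule names, the Entry and Finding types and the executable_of helper are this example's own.

```python
"""HijackThis (HJT) log triage helper.

Added example for this thread; it is not HijackThis's own code and not the
forum's. It parses the text format HJT writes (one entry per line, e.g.
'O4 - HKLM\\..\\Run: [name] command') and applies a few defender-side
heuristics that the log in this thread illustrates. The rule names, the
Entry/Finding types and executable_of() are this example's own inventions.
"""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines excerpted from the HijackThis log
# posted in this thread (not a complete log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:59:26 PM, on 8/19/2008

Running processes:
C:\WINDOWS\system32\svchost.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [YOP] "C:\PROGRA~1\Yahoo!\YOP\yop.exe" /autostart
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdstu.exe] C:\WINDOWS\system32\kdstu.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingC4859] cmd /c del "C:\WINDOWS\system32\kdstu.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9058] cmd /c del "C:\WINDOWS\system32\blphc1vcj0e15p.scr"
O4 - Global Startup: WinDates.lnk = C:\Program Files\WinDates\WinDates.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe (file missing)
"""

# "O4 - <body>", "R1 - <body>", "F2 - <body>" ...; header and process list do not match.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Registry autostarts: HKLM\..\Run: [value name] command line
O4_REG_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# RunOnce entries that a cleanup tool queued to delete a file at next boot.
DEL_CMD_RE = re.compile(r'(?:cmd|command) /c del "(?P<path>[^"]+)"', re.IGNORECASE)
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O4", "O16", "O23"
    body: str     # everything after "O4 - "


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


def parse_hjt(text):
    """Return the Rn/Fn/On entry lines of an HJT log as Entry objects."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def executable_of(cmd):
    """The program a Run command launches: the quoted path if quoted, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]  # unquoted paths with spaces are not handled here


def triage(entries):
    """Apply the heuristics described in the lead-in and return Findings in log order."""
    findings = []
    run_targets = {}        # lower-cased exe path -> O4 Run body that launches it
    delete_targets = set()  # lower-cased paths some cleaner queued for deletion
    for e in entries:
        if e.section == "O4":
            m = O4_REG_RE.match(e.body)
            if not m:
                continue  # "Global Startup:" entries are not examined here
            if DRIVE_PATH_RE.match(m["name"]):
                findings.append(Finding("run-entry-named-after-its-own-path", e.body))
            d = DEL_CMD_RE.search(m["cmd"])
            if m["key"] == "RunOnce" and d:
                delete_targets.add(d["path"].lower())
            elif m["key"] == "Run":
                run_targets[executable_of(m["cmd"]).lower()] = e.body
        elif e.section == "O16" and re.search(r"https?://", e.body, re.IGNORECASE):
            findings.append(Finding("activex-control-from-remote-url", e.body))
        elif e.section == "O23" and "(file missing)" in e.body:
            findings.append(Finding("service-binary-missing", e.body))
    # A file still launched from Run although a cleaner already tried to delete it
    # is the pattern the thread describes: removed, then immediately back.
    for path, body in run_targets.items():
        if path in delete_targets:
            findings.append(Finding("run-target-survived-attempted-delete", body))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.rule}] {f.line}")
```

Run on the sample it reports four findings, and the kdstu.exe entry is flagged twice: once for its odd value name and once because a Spybot RunOnce entry already tried to delete it while the Run entry is still there. That second rule is a useful tell in any log of this kind: a cleaner can only delete what it sees, and something that re-creates the file and the Run value wins the race unless its own process is stopped first.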
ken545
post Aug 20 2008, 02:44 AM
Post #5
Group: Malware Expert
Operating System: Win Xp Home SP3/ Vista Home Premium SP1

Claypot,

First thing you need to do, if you want to take some training for removing this garbage, is to read and follow the instructions. I gave you a link for the latest version of HijackThis with instructions on how to install it, and you posted an outdated version that may not be showing everything. Drag this copy of HJT to the trash and download and install the latest version by Trend Micro per my previous post.

You're infected with a Backdoor Trojan that could be letting more of this garbage in.


Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\WinDates

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste. Yellow Window
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.





Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- Don't forget this
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply along with a New Hijackthis log.





I need to see the OTMoveIt log, the Malwarebytes log and a new HijackThis log from Trend Micro, please.

claypot
post Aug 20 2008, 10:00 AM
Post #6
Operating System: XP

ken545, let's see if I did better this time. Here are the three items requested. What avenue does a 'backdoor trojan' use to infect the computer? thank you, dp


OTMOVEIT2 LOG

C:\Program Files\WinDates\BACKUP moved successfully.
C:\Program Files\WinDates moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08202008_101349


ANTI-MALWARE LOG


Malwarebytes' Anti-Malware 1.25
Database version: 1072
Windows 5.1.2600 Service Pack 2

10:32:32 AM 8/20/2008
mbam-log-08-20-2008 (10-32-32).txt

Scan type: Quick Scan
Objects scanned: 46707
Time elapsed: 7 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\.tt15.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\.tt3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\.tt9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\.ttB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\.ttC.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\.ttD.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\.ttE.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\.ttF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphc1vcj0e15p.scr.ren (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phc1vcj0e15p.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysrest32.exe (Rootkit.Agent) -> Quarantined and deleted successfully.


HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:55 AM, on 8/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [YOP] "C:\PROGRA~1\Yahoo!\YOP\yop.exe" /autostart
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdstu.exe] C:\WINDOWS\system32\kdstu.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingC5510] cmd /c del "C:\WINDOWS\system32\blphc1vcj0e15p.scr_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA465] command /c del "C:\WINDOWS\system32\blphc1vcj0e15p.scr"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9058] cmd /c del "C:\WINDOWS\system32\blphc1vcj0e15p.scr"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6455] command /c del "C:\WINDOWS\system32\kdstu.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4859] cmd /c del "C:\WINDOWS\system32\kdstu.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB6625] command /c del "C:\WINDOWS\system32\blphc1vcj0e15p.scr_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9953] cmd /c del "C:\WINDOWS\system32\blphc1vcj0e15p.scr_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5183] command /c del "C:\WINDOWS\system32\blphc1vcj0e15p.scr"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1660] cmd /c del "C:\WINDOWS\system32\blphc1vcj0e15p.scr"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6334] command /c del "C:\WINDOWS\system32\kdstu.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3725] cmd /c del "C:\WINDOWS\system32\kdstu.exe"
O4 - Global Startup: WinDates.lnk = C:\Program Files\WinDates\WinDates.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite...vex-2.0.6.0.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 6529 bytes
ken545
post Aug 20 2008, 10:19 AM
Post #7

SuperHelper
Group: Malware Expert
Posts: 7,062
Joined: 3-December 04
From: Darien, Connecticut
Member No.: 19,436
Operating System: Win Xp Home SP3/ Vista Home Premium SP1

Claypot,

A backdoor trojan has the ability to download other garbage to your system while you're online.

Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdstu.exe] C:\WINDOWS\system32\kdstu.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingC5510] cmd /c del "C:\WINDOWS\system32\blphc1vcj0e15p.scr_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA465] command /c del "C:\WINDOWS\system32\blphc1vcj0e15p.scr"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9058] cmd /c del "C:\WINDOWS\system32\blphc1vcj0e15p.scr"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6455] command /c del "C:\WINDOWS\system32\kdstu.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4859] cmd /c del "C:\WINDOWS\system32\kdstu.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6625] command /c del "C:\WINDOWS\system32\blphc1vcj0e15p.scr_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9953] cmd /c del "C:\WINDOWS\system32\blphc1vcj0e15p.scr_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5183] command /c del "C:\WINDOWS\system32\blphc1vcj0e15p.scr"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1660] cmd /c del "C:\WINDOWS\system32\blphc1vcj0e15p.scr"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6334] command /c del "C:\WINDOWS\system32\kdstu.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3725] cmd /c del "C:\WINDOWS\system32\kdstu.exe"
O4 - Global Startup: WinDates.lnk = C:\Program Files\WinDates\WinDates.exe

Please download ATF Cleaner by Atribune to your desktop.
  • This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your passwords and other personal information, as removing cookies will temporarily disable the auto-login facility.

Download ComboFix from Here or Here to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.

1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection again afterwards before connecting to the net.

2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.
  • If you have not already done so, Combofix will disconnect your machine from the Internet when it starts.
  • If there is no internet connection when Combofix has completely finished, then restart your computer to restore the connections.

3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
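The O4 lines ken545 asks to have fixed above show a pattern worth automating when triaging a HijackThis log: a Run entry whose name is nothing but its own file path, and RunOnce "cmd /c del" entries that Spybot left behind for files it could not remove, whose targets are the same files still being loaded on every boot. The following Python script is an added example, not code from this thread, from HijackThis or from Spybot; it parses O4 lines (the sample lines are copied from the log posted above), collects the files scheduled for deletion, and reports which autostart entries still point at them. The regular expressions and the two flagging heuristics are my own assumptions about the log layout, not a documented HijackThis format.

```python
"""Triage helper for HijackThis O4 (autostart) entries.

Added example for this thread; it is not code from HijackThis, Spybot or
the forum. It parses O4 lines, extracts each autostart target, and flags
the pattern visible in the log above: a Run entry whose *name* is a bare
file path, and Run entries whose target is also scheduled for deletion by
a RunOnce "cmd /c del" entry (a file re-created faster than the cleaner
can remove it). The regexes are assumptions about the log layout.
"""
import re
from typing import Dict, List, Tuple

# Sample input: O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdstu.exe] C:\WINDOWS\system32\kdstu.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingC5510] cmd /c del "C:\WINDOWS\system32\blphc1vcj0e15p.scr_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA465] command /c del "C:\WINDOWS\system32\blphc1vcj0e15p.scr"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6455] command /c del "C:\WINDOWS\system32\kdstu.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingD3725] cmd /c del "C:\WINDOWS\system32\kdstu.exe"
O4 - Global Startup: WinDates.lnk = C:\Program Files\WinDates\WinDates.exe
"""

# "O4 - HKLM\..\Run: [name] command"  (registry Run / RunOnce keys)
REG_O4 = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$')
# "O4 - Global Startup: file.lnk = C:\path\to\target.exe"  (Startup folders)
STARTUP_O4 = re.compile(
    r'^O4 - (?P<hive>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$')
# Spybot's delete-on-reboot entries: cmd /c del "path" or command /c del "path"
DEL_CMD = re.compile(r'^(?:cmd|command) /c del "?(?P<path>[^"]+)"?$', re.IGNORECASE)
# Leading executable of an unquoted command line that may itself contain spaces
EXE_RE = re.compile(r'^(.*?\.(?:exe|scr|dll|com|bat|cmd|pif|vbs|js))(?:\s|$)', re.IGNORECASE)
DRIVE_RE = re.compile(r'^[a-z]:\\', re.IGNORECASE)


def first_path(cmd: str) -> str:
    """Return the executable part of a command line, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def parse_o4(log: str) -> List[Dict[str, str]]:
    """Turn O4 lines into records with hive, key, name and either a loader
    target or the path a delete-on-reboot entry is trying to remove."""
    entries: List[Dict[str, str]] = []
    for line in log.strip().splitlines():
        m = REG_O4.match(line) or STARTUP_O4.match(line)
        if not m:
            continue  # not an O4 line, or a layout this parser does not know
        e = m.groupdict()
        e.setdefault("key", "Startup")
        e["line"] = line
        d = DEL_CMD.match(e["cmd"].strip())
        e["deletes"] = d.group("path") if d else ""
        e["target"] = "" if d else first_path(e["cmd"])
        entries.append(e)
    return entries


def triage(entries: List[Dict[str, str]]) -> Dict[str, object]:
    """Cross-reference loaders against the cleaner's delete-on-reboot entries."""
    pending = sorted({e["deletes"].lower() for e in entries if e["deletes"]})
    flagged: List[Tuple[str, List[str]]] = []
    for e in entries:
        if e["deletes"]:
            continue  # the deletion entries belong to the cleaner, not to a loader
        reasons = []
        if DRIVE_RE.match(e["name"]):
            reasons.append("entry name is a bare file path, not a product name")
        if e["target"].lower() in pending:
            reasons.append("target is also scheduled for deletion on reboot, "
                           "so it is being re-created while still loading")
        if reasons:
            flagged.append((e["line"], reasons))
    return {"pending_deletions": pending, "flagged": flagged}


def report(log: str) -> Dict[str, object]:
    return triage(parse_o4(log))


if __name__ == "__main__":
    r = report(SAMPLE_LOG)
    print("Files scheduled for deletion on reboot:")
    for p in r["pending_deletions"]:
        print("  ", p)
    print("Autostart entries to look at first:")
    for line, reasons in r["flagged"]:
        print("  ", line)
        for why in reasons:
            print("     -", why)
```

On the sample, the only entry flagged is the kdstu.exe Run entry, for both reasons; ctfmon.exe, which also lives in system32, is not flagged because nothing is trying to delete it. The script is a reading aid for the log a helper already asked for, not a replacement for the fix steps in the post.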
claypot
post Aug 20 2008, 01:00 PM
Post #8

New Member
Group: New Member
Posts: 7
Joined: 10-August 08
Member No.: 80,865
Operating System: XP

ken545, I don't think I did very well on this one. The first two items, the HiJackThis Scan and Fix and the ATF Cleaner, seemed to go ok. Before the first run of Combofix I exited the Computer Associates Protection software and the SpyBot software, but during the Combofix run CA indicated a virus and SpyBot started a scan at the beginning, which I cancelled, and at the end of the run, after the Combofix log was posted, SpyBot indicated several attempted registry changes. Most of these were to change the default browser and search engine from Google to some Microsoft.com/isapi.dll.....values. Also 'regedit.exe "%1" %*' and 'regedit.exe "%1"', and Autorun 'value' deleted and NT startup, value deleted, 'load'. To be safe I refused all the changes. The log is RUN 1 below.

Then, I went into Task Manager/processes and stopped all processes that looked like CA anti-virus or SpyBot (TeaKettle). I ran Combofix again (RUN 2 below). The anti-virus warning did not appear again but all the SpyBot actions did. Since the registry/system changes were after Combofix appeared to be complete and the log issued, I refused them again.

I ran and attached a new HJT scan below.

While starting up I noticed that the ZoneAlarm firewall does not start at startup like it should, and it does not allow me to check the box to start up at computer startup.

thank you, dp

RUN 1

ComboFix 08-08-19.02 - Compaq_Owner 2008-08-20 12:07:09.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.178 [GMT -5:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\#SharedObjects\KWJWZ73U\interclick.com
C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\#SharedObjects\KWJWZ73U\interclick.com\ud.sol
C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\eWebControl.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
.

2008-08-20 10:43 . 2008-08-20 10:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-20 10:21 . 2008-08-20 10:21 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-20 10:21 . 2008-08-20 10:21 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Malwarebytes
2008-08-20 10:21 . 2008-08-20 10:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-20 10:21 . 2008-08-17 15:05 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-20 10:21 . 2008-08-17 15:05 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-20 10:13 . 2008-08-20 10:13 <DIR> d-------- C:\_OTMoveIt
2008-08-20 02:51 . 2008-08-19 23:20 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-19 23:20 . 2008-08-20 08:21 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\.housecall6.6
2008-08-19 23:02 . 2008-08-19 23:02 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-19 23:02 . 2008-08-19 23:02 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-13 11:14 . 2008-08-20 11:59 <DIR> d-------- C:\hijackthis
2008-08-09 13:05 . 2008-08-09 13:05 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-09 13:05 . 2008-08-10 00:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-09 13:01 . 2008-08-09 13:02 <DIR> d-------- C:\spybot
2008-08-06 22:18 . 2008-08-06 22:18 <DIR> d-------- C:\Defraggler
2008-08-06 22:07 . 2008-08-06 22:10 <DIR> d-------- C:\ccleanertemp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 19:45 3,380,736 ----a-w C:\WINDOWS\Internet Logs\xDB279.tmp
2008-08-08 04:38 888,320 ----a-w C:\WINDOWS\Internet Logs\xDB278.tmp
2008-08-08 04:37 3,398,144 ----a-w C:\WINDOWS\Internet Logs\xDB277.tmp
2008-08-07 21:12 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-08-07 03:54 359,424 ----a-w C:\WINDOWS\Internet Logs\xDB276.tmp
2008-08-07 03:54 3,377,152 ----a-w C:\WINDOWS\Internet Logs\xDB275.tmp
2008-08-06 04:44 1,810,432 ----a-w C:\WINDOWS\Internet Logs\xDB274.tmp
2008-08-06 04:42 3,373,056 ----a-w C:\WINDOWS\Internet Logs\xDB273.tmp
2008-08-05 04:40 862,208 ----a-w C:\WINDOWS\Internet Logs\xDB272.tmp
2008-08-05 04:38 3,373,056 ----a-w C:\WINDOWS\Internet Logs\xDB271.tmp
2008-08-04 03:08 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB270.tmp
2008-08-03 22:29 3,371,520 ----a-w C:\WINDOWS\Internet Logs\xDB26E.tmp
2008-08-03 22:29 2,495,488 ----a-w C:\WINDOWS\Internet Logs\xDB26F.tmp
2008-08-01 03:40 471,552 ----a-w C:\WINDOWS\Internet Logs\xDB26D.tmp
2008-08-01 03:39 3,374,592 ----a-w C:\WINDOWS\Internet Logs\xDB26C.tmp
2008-07-31 04:11 576,000 ----a-w C:\WINDOWS\Internet Logs\xDB26B.tmp
2008-07-31 04:11 3,371,520 ----a-w C:\WINDOWS\Internet Logs\xDB26A.tmp
2008-07-29 03:20 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB269.tmp
2008-07-29 02:24 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB267.tmp
2008-07-29 02:24 12,800 ----a-w C:\WINDOWS\Internet Logs\xDB268.tmp
2008-07-25 03:46 859,648 ----a-w C:\WINDOWS\Internet Logs\xDB266.tmp
2008-07-25 03:45 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB265.tmp
2008-07-24 03:56 300,032 ----a-w C:\WINDOWS\Internet Logs\xDB264.tmp
2008-07-24 03:55 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB263.tmp
2008-07-23 04:13 688,640 ----a-w C:\WINDOWS\Internet Logs\xDB262.tmp
2008-07-23 04:11 3,372,032 ----a-w C:\WINDOWS\Internet Logs\xDB261.tmp
2008-07-22 20:05 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB25F.tmp
2008-07-22 20:05 12,800 ----a-w C:\WINDOWS\Internet Logs\xDB260.tmp
2008-07-22 04:11 1,192,960 ----a-w C:\WINDOWS\Internet Logs\xDB25E.tmp
2008-07-22 04:10 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB25D.tmp
2008-07-21 04:18 1,975,296 ----a-w C:\WINDOWS\Internet Logs\xDB25C.tmp
2008-07-21 04:16 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB25B.tmp
2008-07-20 04:56 2,256,896 ----a-w C:\WINDOWS\Internet Logs\xDB25A.tmp
2008-07-20 04:54 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB259.tmp
2008-07-19 03:27 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB258.tmp
2008-07-18 07:45 3,371,520 ----a-w C:\WINDOWS\Internet Logs\xDB257.tmp
2008-07-18 04:21 3,372,544 ----a-w C:\WINDOWS\Internet Logs\xDB256.tmp
2008-07-17 20:42 662,016 ----a-w C:\WINDOWS\Internet Logs\xDB255.tmp
2008-07-17 20:42 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB254.tmp
2008-07-17 03:41 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB253.tmp
2008-07-16 03:53 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB251.tmp
2008-07-16 03:53 1,520,640 ----a-w C:\WINDOWS\Internet Logs\xDB252.tmp
2008-07-15 03:53 1,571,328 ----a-w C:\WINDOWS\Internet Logs\xDB250.tmp
2008-07-15 03:52 3,372,544 ----a-w C:\WINDOWS\Internet Logs\xDB24F.tmp
2008-07-14 04:41 3,372,032 ----a-w C:\WINDOWS\Internet Logs\xDB24E.tmp
2008-07-13 04:21 2,117,632 ----a-w C:\WINDOWS\Internet Logs\xDB24D.tmp
2008-07-13 04:20 3,371,520 ----a-w C:\WINDOWS\Internet Logs\xDB24C.tmp
2008-07-12 04:22 3,380,736 ----a-w C:\WINDOWS\Internet Logs\xDB24B.tmp
2008-07-11 04:24 3,371,520 ----a-w C:\WINDOWS\Internet Logs\xDB24A.tmp
2008-07-10 06:32 79,872 ----a-w C:\WINDOWS\Internet Logs\xDB249.tmp
2008-07-10 06:31 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB248.tmp
2008-07-10 06:00 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB246.tmp
2008-07-10 06:00 13,312 ----a-w C:\WINDOWS\Internet Logs\xDB247.tmp
2008-07-10 05:57 620,032 ----a-w C:\WINDOWS\Internet Logs\xDB245.tmp
2008-07-10 05:57 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB244.tmp
2008-07-10 04:42 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB243.tmp
2008-07-09 03:08 346,112 ----a-w C:\WINDOWS\Internet Logs\xDB242.tmp
2008-07-09 03:07 3,371,520 ----a-w C:\WINDOWS\Internet Logs\xDB241.tmp
2008-07-08 04:09 1,600,512 ----a-w C:\WINDOWS\Internet Logs\xDB240.tmp
2008-07-08 04:07 3,382,272 ----a-w C:\WINDOWS\Internet Logs\xDB23F.tmp
2008-07-06 04:44 770,560 ----a-w C:\WINDOWS\Internet Logs\xDB23E.tmp
2008-07-06 04:43 3,371,520 ----a-w C:\WINDOWS\Internet Logs\xDB23D.tmp
2008-07-05 21:27 3,371,520 ----a-w C:\WINDOWS\Internet Logs\xDB23C.tmp
2008-07-05 04:29 1,495,552 ----a-w C:\WINDOWS\Internet Logs\xDB23B.tmp
2008-07-05 04:28 3,373,056 ----a-w C:\WINDOWS\Internet Logs\xDB23A.tmp
2008-07-04 04:14 1,614,336 ----a-w C:\WINDOWS\Internet Logs\xDB239.tmp
2008-07-04 04:13 3,371,520 ----a-w C:\WINDOWS\Internet Logs\xDB238.tmp
2008-07-03 03:56 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB236.tmp
2008-07-03 03:56 1,567,232 ----a-w C:\WINDOWS\Internet Logs\xDB237.tmp
2008-07-02 04:48 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB235.tmp
2008-06-30 04:53 224,256 ----a-w C:\WINDOWS\Internet Logs\xDB234.tmp
2008-06-30 04:51 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB233.tmp
2008-06-30 01:16 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB231.tmp
2008-06-30 01:16 1,804,800 ----a-w C:\WINDOWS\Internet Logs\xDB232.tmp
2008-06-29 04:19 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB230.tmp
2008-06-28 04:03 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB22F.tmp
2008-06-27 04:04 951,296 ----a-w C:\WINDOWS\Internet Logs\xDB22E.tmp
2008-06-27 04:03 3,383,296 ----a-w C:\WINDOWS\Internet Logs\xDB22D.tmp
2008-06-26 03:51 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB22C.tmp
2008-06-25 04:07 453,120 ----a-w C:\WINDOWS\Internet Logs\xDB22B.tmp
2008-06-25 04:07 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB22A.tmp
2008-06-24 03:54 3,371,520 ----a-w C:\WINDOWS\Internet Logs\xDB229.tmp
2008-06-23 03:50 3,372,544 ----a-w C:\WINDOWS\Internet Logs\xDB227.tmp
2008-06-23 03:50 1,230,848 ----a-w C:\WINDOWS\Internet Logs\xDB228.tmp
2008-06-22 04:36 1,477,632 ----a-w C:\WINDOWS\Internet Logs\xDB226.tmp
2008-06-22 04:34 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB225.tmp
2008-06-21 03:34 2,633,216 ----a-w C:\WINDOWS\Internet Logs\xDB224.tmp
2008-06-21 03:33 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB223.tmp
2008-06-20 04:14 3,371,520 ----a-w C:\WINDOWS\Internet Logs\xDB222.tmp
2008-06-17 03:52 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB221.tmp
2008-06-16 05:09 1,360,384 ----a-w C:\WINDOWS\Internet Logs\xDB220.tmp
2008-06-16 05:08 3,371,520 ----a-w C:\WINDOWS\Internet Logs\xDB21F.tmp
2008-06-15 05:46 23,040 ----a-w C:\WINDOWS\Internet Logs\xDB21E.tmp
2008-06-15 04:16 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB21D.tmp
2008-06-14 04:12 1,532,416 ----a-w C:\WINDOWS\Internet Logs\xDB21C.tmp
2008-06-14 04:10 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB21B.tmp
2008-06-13 04:05 1,149,440 ----a-w C:\WINDOWS\Internet Logs\xDB21A.tmp
2008-06-13 04:04 3,372,032 ----a-w C:\WINDOWS\Internet Logs\xDB219.tmp
2008-06-12 03:54 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB217.tmp
2008-06-12 03:54 1,009,664 ----a-w C:\WINDOWS\Internet Logs\xDB218.tmp
2004-11-24 03:20 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
2006-06-26 04:25 56 --sh--r C:\WINDOWS\system32\E41CAA6D8B.sys
2006-10-12 01:42 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 16:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 22:43 233472]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2005-04-22 19:49 397312]
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2006-01-01 12:39 230512]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2006-01-01 12:39 185456]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-08-10 10:28 98304]
"VTTimer"="VTTimer.exe" [2004-10-22 12:53 53248 C:\WINDOWS\system32\VTTimer.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 MLPTDR_Q;MLPTDR_Q;C:\WINDOWS\system32\MLPTDR_Q.sys [2003-07-22 02:04]
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2000-08-21 03:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0796b4e-e8dc-11dc-83c7-00112faa9163}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
*Newly Created Service* - GTNDIS5
*Newly Created Service* - PROCEXP90
*Newly Created Service* - TMCOMM
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\vygvqns9.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official|http://forecast.weather.gov/MapClick.php?CityName=Orange&state=TX&site=LCH&textField1=30.1039&textField2=-93.7582|http://www.google.com/calendar/render?gsessionid=d6RBq063JtX7J6PJkCSGEA
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-20 12:16:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-20 12:21:29
ComboFix-quarantined-files.txt 2008-08-20 17:20:56

Pre-Run: 6,279,086,080 bytes free
Post-Run: 6,264,512,512 bytes free

201


RUN 2

ComboFix 08-08-19.02 - Compaq_Owner 2008-08-20 12:39:35.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.165 [GMT -5:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
.

2008-08-20 10:43 . 2008-08-20 10:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-20 10:21 . 2008-08-20 10:21 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-20 10:21 . 2008-08-20 10:21 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Malwarebytes
2008-08-20 10:21 . 2008-08-20 10:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-20 10:21 . 2008-08-17 15:05 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-20 10:21 . 2008-08-17 15:05 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-20 10:13 . 2008-08-20 10:13 <DIR> d-------- C:\_OTMoveIt
2008-08-20 02:51 . 2008-08-19 23:20 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-19 23:20 . 2008-08-20 08:21 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\.housecall6.6
2008-08-19 23:02 . 2008-08-19 23:02 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-19 23:02 . 2008-08-19 23:02 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-13 11:14 . 2008-08-20 12:27 <DIR> d-------- C:\hijackthis
2008-08-09 13:05 . 2008-08-09 13:05 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-09 13:05 . 2008-08-10 00:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-09 13:01 . 2008-08-09 13:02 <DIR> d-------- C:\spybot
2008-08-06 22:18 . 2008-08-06 22:18 <DIR> d-------- C:\Defraggler
2008-08-06 22:07 . 2008-08-06 22:10 <DIR> d-------- C:\ccleanertemp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 19:45 3,380,736 ----a-w C:\WINDOWS\Internet Logs\xDB279.tmp
2008-08-08 04:38 888,320 ----a-w C:\WINDOWS\Internet Logs\xDB278.tmp
2008-08-08 04:37 3,398,144 ----a-w C:\WINDOWS\Internet Logs\xDB277.tmp
2008-08-07 21:12 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-08-07 03:54 359,424 ----a-w C:\WINDOWS\Internet Logs\xDB276.tmp
2008-08-07 03:54 3,377,152 ----a-w C:\WINDOWS\Internet Logs\xDB275.tmp
2008-08-06 04:44 1,810,432 ----a-w C:\WINDOWS\Internet Logs\xDB274.tmp
2008-08-06 04:42 3,373,056 ----a-w C:\WINDOWS\Internet Logs\xDB273.tmp
2008-08-05 04:40 862,208 ----a-w C:\WINDOWS\Internet Logs\xDB272.tmp
2008-08-05 04:38 3,373,056 ----a-w C:\WINDOWS\Internet Logs\xDB271.tmp
2008-08-04 03:08 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB270.tmp
2008-08-03 22:29 3,371,520 ----a-w C:\WINDOWS\Internet Logs\xDB26E.tmp
2008-08-03 22:29 2,495,488 ----a-w C:\WINDOWS\Internet Logs\xDB26F.tmp
2008-08-01 03:40 471,552 ----a-w C:\WINDOWS\Internet Logs\xDB26D.tmp
2008-08-01 03:39 3,374,592 ----a-w C:\WINDOWS\Internet Logs\xDB26C.tmp
2008-07-31 04:11 576,000 ----a-w C:\WINDOWS\Internet Logs\xDB26B.tmp
2008-07-31 04:11 3,371,520 ----a-w C:\WINDOWS\Internet Logs\xDB26A.tmp
2008-07-29 03:20 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB269.tmp
2008-07-29 02:24 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB267.tmp
2008-07-29 02:24 12,800 ----a-w C:\WINDOWS\Internet Logs\xDB268.tmp
2008-07-25 03:46 859,648 ----a-w C:\WINDOWS\Internet Logs\xDB266.tmp
2008-07-25 03:45 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB265.tmp
2008-07-24 03:56 300,032 ----a-w C:\WINDOWS\Internet Logs\xDB264.tmp
2008-07-24 03:55 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB263.tmp
2008-07-23 04:13 688,640 ----a-w C:\WINDOWS\Internet Logs\xDB262.tmp
2008-07-23 04:11 3,372,032 ----a-w C:\WINDOWS\Internet Logs\xDB261.tmp
2008-07-22 20:05 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB25F.tmp
2008-07-22 20:05 12,800 ----a-w C:\WINDOWS\Internet Logs\xDB260.tmp
2008-07-22 04:11 1,192,960 ----a-w C:\WINDOWS\Internet Logs\xDB25E.tmp
2008-07-22 04:10 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB25D.tmp
2008-07-21 04:18 1,975,296 ----a-w C:\WINDOWS\Internet Logs\xDB25C.tmp
2008-07-21 04:16 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB25B.tmp
2008-07-20 04:56 2,256,896 ----a-w C:\WINDOWS\Internet Logs\xDB25A.tmp
2008-07-20 04:54 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB259.tmp
2008-07-19 03:27 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB258.tmp
2008-07-18 07:45 3,371,520 ----a-w C:\WINDOWS\Internet Logs\xDB257.tmp
2008-07-18 04:21 3,372,544 ----a-w C:\WINDOWS\Internet Logs\xDB256.tmp
2008-07-17 20:42 662,016 ----a-w C:\WINDOWS\Internet Logs\xDB255.tmp
2008-07-17 20:42 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB254.tmp
2008-07-17 03:41 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB253.tmp
2008-07-16 03:53 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB251.tmp
2008-07-16 03:53 1,520,640 ----a-w C:\WINDOWS\Internet Logs\xDB252.tmp
2008-07-15 03:53 1,571,328 ----a-w C:\WINDOWS\Internet Logs\xDB250.tmp
2008-07-15 03:52 3,372,544 ----a-w C:\WINDOWS\Internet Logs\xDB24F.tmp
2008-07-14 04:41 3,372,032 ----a-w C:\WINDOWS\Internet Logs\xDB24E.tmp
2008-07-13 04:21 2,117,632 ----a-w C:\WINDOWS\Internet Logs\xDB24D.tmp
2008-07-13 04:20 3,371,520 ----a-w C:\WINDOWS\Internet Logs\xDB24C.tmp
2008-07-12 04:22 3,380,736 ----a-w C:\WINDOWS\Internet Logs\xDB24B.tmp
2008-07-11 04:24 3,371,520 ----a-w C:\WINDOWS\Internet Logs\xDB24A.tmp
2008-07-10 06:32 79,872 ----a-w C:\WINDOWS\Internet Logs\xDB249.tmp
2008-07-10 06:31 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB248.tmp
2008-07-10 06:00 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB246.tmp
2008-07-10 06:00 13,312 ----a-w C:\WINDOWS\Internet Logs\xDB247.tmp
2008-07-10 05:57 620,032 ----a-w C:\WINDOWS\Internet Logs\xDB245.tmp
2008-07-10 05:57 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB244.tmp
2008-07-10 04:42 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDB243.tmp
2008-07-09 03:08 346,112 ----a-w C:\WINDOWS\Internet Logs\xDB242.tmp
2008-07-09 03:07 3,371,520 ----a-w C:\WINDOWS\Internet Logs\xDB241.tmp
2008-07-08 04:09 1,600,512 ----a-w C:\WINDOWS\Internet Logs\xDB240.tmp
2008-07-08 04:07 3,382,272 ----a-w C:\WINDOWS\Internet Logs\xDB23F.tmp
2008-07-06 04:44 770,56