Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91977 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved]ácan not remove trojans


  • This topic is locked This topic is locked
17 replies to this topic

#1 stjohn

stjohn

    New Member

  • Authentic Member
  • Pip
  • 8 posts

Posted 13 November 2009 - 12:43 AM

ROOTREPEAL © AD, 2007-2009 ================================================== Scan Start Time: 2009/11/13 01:14 Program Version: Version 1.3.5.0 Windows Version: Windows XP SP3 ================================================== Drivers ------------------- Name: dump_atapi.sys Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys Address: 0xF2FD5000 Size: 98304 File Visible: No Signed: - Status: - Name: dump_WMILIB.SYS Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS Address: 0xF7AD4000 Size: 8192 File Visible: No Signed: - Status: - Name: rootrepeal.sys Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys Address: 0xB992E000 Size: 49152 File Visible: No Signed: - Status: - SSDT ------------------- #: 017 Function Name: NtAllocateVirtualMemory Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba29fb94 #: 019 Function Name: NtAssignProcessToJobObject Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba29f586 #: 031 Function Name: NtConnectPort Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba29f5da #: 037 Function Name: NtCreateFile Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba29f640 #: 047 Function Name: NtCreateProcess Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba29f72e #: 048 Function Name: NtCreateProcessEx Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba29f7ba #: 053 Function Name: NtCreateThread Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba29f84a #: 057 Function Name: NtDebugActiveProcess Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba29f980 #: 068 Function Name: NtDuplicateObject Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba29f9d4 #: 097 Function Name: NtLoadDriver Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba29fa3a #: 119 Function Name: NtOpenKey Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba29fa8c #: 125 Function Name: NtOpenSection Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba29fae4 #: 128 Function Name: NtOpenThread Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba29fb3c #: 137 Function Name: NtProtectVirtualMemory Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba29fbfa #: 204 Function Name: NtRestoreKey Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba29fc58 #: 206 Function Name: NtResumeThread Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba29fcb6 #: 210 Function Name: NtSecureConnectPort Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba29fd74 #: 247 Function Name: NtSetValueKey Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba29fd08 #: 253 Function Name: NtSuspendProcess Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba29fdde #: 255 Function Name: NtSystemDebugControl Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba29fe30 #: 257 Function Name: NtTerminateProcess Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba29fe90 #: 277 Function Name: NtWriteVirtualMemory Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba29fef4 ==EOF== DDS (Ver_09-06-26.01) - NTFSx86 Run by User at 1:00:08.20 on Fri 11/13/2009 Internet Explorer: 8.0.6001.18702 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.568 [GMT -5:00] FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\PC Tools Firewall Plus\FWService.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Spyware Doctor\pctsTray.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\User\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = about:blank uSearch Page = uSearch Bar = hxxp://www.google.com/ie mSearch Page = mStart Page = hxxp://www.wqxt.com uInternet Settings,ProxyOverride = *.local mSearchAssistant = hxxp://www.google.com BHO: AutorunsDisabled - No File BHO: : {1e5379a0-4d77-432b-85a1-d5105f89612e} - c:\windows\system32\eceosmb.dll uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe" uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe" mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242765404109 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab Notify: nhozmlgp - eceosmb.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\erz9nlou.default\ FF - prefs.js: browser.search.selectedEngine - eBay FF - prefs.js: browser.startup.homepage - hxxp://wqxt.com/ FF - prefs.js: keyword.URL - hxxp://www.ask.com/web?&o=13048&l=dis&q= ============= SERVICES / DRIVERS =============== R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [1979-12-31 70784] R0 nevcgsxx;nevcgsxx;c:\windows\system32\drivers\nevcgsxx.sys [2006-9-27 23424] R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-6-21 130936] R1 cdrblock;cdrblock;c:\windows\system32\drivers\cdrblock.sys [2008-10-11 10368] R1 cdrport;cdrport;c:\windows\system32\drivers\cdrport.sys [2008-10-11 4608] R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-6-21 159600] R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2009-6-21 73840] R2 PCToolsFirewallPlus;PC Tools Firewall Plus;c:\program files\pc tools firewall plus\FWService.exe [2009-8-17 146800] R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2009-8-17 95640] S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?] S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?] S2 ColdFusion MX ODBC Agent;ColdFusion MX ODBC Agent;c:\cfusionmx\db\slserver52\bin\swagent.exe "coldfusion mx odbc agent" --> c:\cfusionmx\db\slserver52\bin\swagent.exe ColdFusion MX ODBC Agent [?] S2 Microsoft System Management;Microsoft System Management; [x] S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?] S4 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2009-6-21 64392] =============== Created Last 30 ================ 2009-11-06 14:39 840 a------- c:\windows\system32\drivers\kgpcpy.cfg 2009-11-06 13:17 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes 2009-11-06 13:16 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys 2009-11-06 13:16 19,160 a------- c:\windows\system32\drivers\mbam.sys 2009-11-06 13:16 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware 2009-11-06 13:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes 2009-11-06 13:12 4,045,544 a------- c:\program files\mbam-setup.exe 2009-11-06 11:52 <DIR> --d----- c:\docume~1\user\applic~1\ceifhrrw 2009-11-06 03:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard 2009-11-06 03:41 <DIR> --d----- c:\program files\common files\iS3 2009-11-06 03:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla! 2009-11-06 03:36 390,656 a------- c:\program files\STOPzilla_Setup.exe 2009-10-18 23:33 <DIR> --d----- c:\docume~1\user\applic~1\AVS4YOU 2009-10-18 23:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVS4YOU 2009-10-18 23:31 <DIR> --d----- c:\program files\common files\AVSMedia 2009-10-18 23:31 1,700,352 a------- c:\windows\system32\GdiPlus.dll 2009-10-18 23:31 24,576 a------- c:\windows\system32\msxml3a.dll 2009-10-18 23:31 <DIR> --d----- c:\program files\AVS4YOU 2009-10-17 22:23 <DIR> --d----- c:\program files\Flash Player Pro 2009-10-17 22:22 3,456,313 a------- c:\program files\FlashMediaPlayer.exe 2009-10-17 22:00 46,323,904 a------- C:\AVSVideoConverter.exe ==================== Find3M ==================== 2009-11-11 22:26 138,376 ac------ c:\windows\system32\drivers\PnkBstrK.sys 2009-11-11 22:26 202,448 a------- c:\windows\system32\PnkBstrB.exe 2009-09-20 22:39 9,008,576 a------- c:\program files\windows-kb890830-v2.14.exe 2009-04-21 22:09 4,399,670 ac------ c:\program files\zen-cart-v1.3.8a-full-fileset-12112007.zip 2008-10-19 13:04 25,740,144 ac------ c:\program files\wmp11-windowsxp-x86-enu.exe 2008-10-12 14:41 20,355,856 ac------ c:\program files\sdsetup.exe 2008-08-31 17:03 1,077,448 ac------ c:\program files\RegCureSetup_1501_CB.exe 2008-08-29 19:25 12,413,440 ac------ c:\program files\avgas-setup-7.5.1.43.exe 2008-07-25 18:57 3,714,959 ac------ c:\program files\Stickman4.zip 2008-06-29 01:19 318,904 ac------ c:\program files\wmpfirefoxplugin.exe 2008-06-27 17:10 5,319,506 ac------ c:\program files\Stickman5.zip 2008-06-27 00:27 496,085 ac------ c:\program files\Pivot.zip 2008-05-18 00:39 9,722,720 ac------ c:\program files\spybotsd152.exe 2008-01-27 15:45 13,413,048 ac------ c:\program files\Google_Earth_BZXD.exe 2008-01-21 16:15 2,514,811 ac------ c:\program files\First_Spaceship_on_Venus.avi.torrent.exe 2008-01-18 22:44 837,811 ac------ c:\program files\AntilagXP.zip 2008-01-18 22:38 15,486,287 ac------ c:\program files\BZFMapPakII.exe 2008-01-17 19:32 6,026,816 ac------ c:\program files\Firefox Setup 2.0.0.11.exe 2008-01-16 00:34 1,491,592 ac------ c:\program files\install_flash_player.exe 2008-01-15 12:00 54,330,664 ac------ c:\program files\iTunesSetup.exe 2008-01-06 21:19 523,976 ac------ c:\program files\PopUpStopperFree.exe 2008-01-01 16:47 83,848 ac------ c:\program files\1394.zip 2008-01-01 15:49 5,103,056 ac------ c:\program files\DriverDetective.exe 2007-06-04 12:39 1,605,557 ac------ c:\program files\WIN32-MPEG2-cafecf94a20d.exe 2007-06-04 12:25 899,414 ac------ c:\program files\SetupDVDDecrypter_3.5.4.0.exe 2009-05-21 14:13 245,760 a--sh--- c:\windows\system32\config\systemprofile\ietldcache\index.dat 2009-05-19 16:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009051920090520\index.dat ============= FINISH: 1:00:27.87 ===============

Attached Files


    Advertisements

Register to Remove


#2 SweetTech

SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,368 posts

Posted 13 November 2009 - 01:20 PM

Hello stjohn! :wavey:

Please be advised, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advise.
This may cause a delay, but I will do my best to keep it as short as possible.

I am checking over your log , I will post back shortly with instructions.

Posted Image
 

Proud Graduate of the WTT Classroom
 
Posted Image


#3 SweetTech

SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,368 posts

Posted 13 November 2009 - 03:08 PM

Running ComboFix
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the following items in your next post:
1. The log that was produced after running ComboFix.
2. An update on how your computer is currently running.

Posted Image
 

Proud Graduate of the WTT Classroom
 
Posted Image


#4 stjohn

stjohn

    New Member

  • Authentic Member
  • Pip
  • 8 posts

Posted 14 November 2009 - 11:03 AM

Thank you! My computer seems to be working perfectly. I have tried 2 other time to post this and it did not post? this is the only problem I have seen.

Here is the CC Log:

ComboFix 09-11-13.06 - User 11/13/2009 16:48.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.496 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
FW: PC Tools Firewall Plus *enabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-2720290292-651727908-2887652067-500
c:\windows\system32\drivers\kgmnwtmu.sys
c:\windows\system32\drivers\nevcgsxx.sys
c:\windows\system32\eceosmb.dll
c:\windows\system32\ssdgnosf.dll
c:\windows\system32\ysbegti.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NEVCGSXX
-------\Service_nevcgsxx


((((((((((((((((((((((((( Files Created from 2009-10-13 to 2009-11-13 )))))))))))))))))))))))))))))))
.

2009-11-13 10:23 . 2009-11-13 10:23 165232 ---ha-w- c:\documents and settings\User\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
2009-11-13 10:22 . 2009-11-13 10:22 -------- d-----w- c:\program files\Microsoft Virtual PC
2009-11-13 10:16 . 2009-11-13 10:20 31884672 ----a-w- c:\program files\virtualpc2007.exe
2009-11-13 05:47 . 2009-11-13 05:47 -------- d-----w- c:\program files\ERUNT
2009-11-06 18:17 . 2009-11-06 18:17 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-11-06 18:16 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-06 18:16 . 2009-11-08 23:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-06 18:16 . 2009-11-06 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-06 18:16 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-06 18:12 . 2009-11-06 18:13 4045544 ----a-w- c:\program files\mbam-setup.exe
2009-11-06 16:52 . 2009-11-06 16:52 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\ceifhrrw
2009-11-06 16:52 . 2009-11-06 16:52 -------- d-----w- c:\documents and settings\User\Application Data\ceifhrrw
2009-11-06 08:42 . 2009-11-06 08:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-11-06 08:41 . 2009-11-06 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-11-06 08:41 . 2009-11-06 08:41 -------- d-----w- c:\program files\Common Files\iS3
2009-11-06 08:36 . 2009-11-06 08:36 390656 ----a-w- c:\program files\STOPzilla_Setup.exe
2009-11-06 07:24 . 2009-11-06 07:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ceifhrrw
2009-11-06 07:24 . 2009-11-06 07:24 -------- d-----w- c:\documents and settings\NetworkService\Application Data\ceifhrrw
2009-10-20 02:24 . 2009-10-20 02:24 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-10-19 04:33 . 2009-10-19 04:33 -------- d-----w- c:\documents and settings\User\Application Data\AVS4YOU
2009-10-19 04:33 . 2009-10-19 04:33 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-10-19 04:31 . 2009-10-19 04:33 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-10-19 04:31 . 2009-10-19 04:33 -------- d-----w- c:\program files\AVS4YOU
2009-10-19 04:31 . 2008-08-13 15:22 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2009-10-19 04:31 . 2008-08-13 15:22 24576 ----a-w- c:\windows\system32\msxml3a.dll
2009-10-18 03:23 . 2009-10-18 03:23 -------- d-----w- c:\program files\Flash Player Pro
2009-10-18 03:22 . 2009-10-18 03:22 3456313 ----a-w- c:\program files\FlashMediaPlayer.exe
2009-10-18 03:00 . 2009-10-18 03:09 46323904 ----a-w- C:\AVSVideoConverter.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-13 21:55 . 2008-08-30 22:07 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-12 04:09 . 2007-09-17 23:51 -------- d-----w- c:\program files\Call of Duty Game of the Year Edition
2009-11-12 03:26 . 2008-09-05 01:23 138376 -c--a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-11-12 03:26 . 2008-09-05 01:23 202448 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-11-06 19:40 . 2009-11-06 19:39 840 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-10-14 22:37 . 2008-08-30 18:14 -------- d-----w- c:\program files\XoftSpySE
2009-09-21 03:39 . 2009-09-21 03:38 9008576 ----a-w- c:\program files\windows-kb890830-v2.14.exe
2009-04-22 03:09 . 2009-04-22 03:08 4399670 -c--a-w- c:\program files\zen-cart-v1.3.8a-full-fileset-12112007.zip
2008-10-19 18:04 . 2008-10-19 17:58 25740144 -c--a-w- c:\program files\wmp11-windowsxp-x86-enu.exe
2008-10-12 19:41 . 2008-10-12 19:37 20355856 -c--a-w- c:\program files\sdsetup.exe
2008-08-31 22:03 . 2008-08-31 22:02 1077448 -c--a-w- c:\program files\RegCureSetup_1501_CB.exe
2008-08-30 00:25 . 2008-08-23 21:57 12413440 -c--a-w- c:\program files\avgas-setup-7.5.1.43.exe
2008-07-25 23:57 . 2008-07-25 23:54 3714959 -c--a-w- c:\program files\Stickman4.zip
2008-06-29 06:19 . 2008-06-29 06:19 318904 -c--a-w- c:\program files\wmpfirefoxplugin.exe
2008-06-27 22:10 . 2008-06-27 22:07 5319506 -c--a-w- c:\program files\Stickman5.zip
2008-06-27 05:27 . 2008-06-27 05:27 496085 -c--a-w- c:\program files\Pivot.zip
2008-05-18 05:39 . 2008-05-18 05:37 9722720 -c--a-w- c:\program files\spybotsd152.exe
2008-01-27 20:45 . 2008-01-27 20:44 13413048 -c--a-w- c:\program files\Google_Earth_BZXD.exe
2008-01-21 21:15 . 2008-01-21 21:15 2514811 -c--a-w- c:\program files\First_Spaceship_on_Venus.avi.torrent.exe
2008-01-19 03:44 . 2008-01-19 03:44 837811 -c--a-w- c:\program files\AntilagXP.zip
2008-01-19 03:38 . 2008-01-19 03:38 15486287 -c--a-w- c:\program files\BZFMapPakII.exe
2008-01-18 00:32 . 2008-01-18 00:32 6026816 -c--a-w- c:\program files\Firefox Setup 2.0.0.11.exe
2008-01-16 05:34 . 2008-01-16 05:34 1491592 -c--a-w- c:\program files\install_flash_player.exe
2008-01-15 17:00 . 2008-01-11 00:39 54330664 -c--a-w- c:\program files\iTunesSetup.exe
2008-01-07 02:19 . 2008-01-07 02:19 523976 -c--a-w- c:\program files\PopUpStopperFree.exe
2008-01-01 21:47 . 2008-01-01 21:51 83848 -c--a-w- c:\program files\1394.zip
2008-01-01 20:49 . 2008-01-01 20:53 5103056 -c--a-w- c:\program files\DriverDetective.exe
2007-06-04 17:39 . 2008-02-10 15:40 1605557 -c--a-w- c:\program files\WIN32-MPEG2-cafecf94a20d.exe
2007-06-04 17:25 . 2008-01-26 00:14 899414 -c--a-w- c:\program files\SetupDVDDecrypter_3.5.4.0.exe
.

------- Sigcheck -------

[7] 2006-03-15 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\dllcache\beep.sys

c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-08-24 1181064]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\BlogTorrent\\btdownloadgui.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BZinstall14L\\bzone.exe"=
"c:\\Program Files\\Call of Duty Game of the Year Edition\\CoDMP.exe"=

R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [12/31/1979 11:00 PM 70784]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/21/2009 11:27 AM 130936]
R1 cdrblock;cdrblock;c:\windows\system32\drivers\cdrblock.sys [10/11/2008 1:10 PM 10368]
R1 cdrport;cdrport;c:\windows\system32\drivers\cdrport.sys [10/11/2008 1:10 PM 4608]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [6/21/2009 11:27 AM 159600]
R2 ColdFusion MX ODBC Agent;ColdFusion MX ODBC Agent;c:\cfusionmx\db\slserver52\bin\swagent.exe "ColdFusion MX ODBC Agent" --> c:\cfusionmx\db\slserver52\bin\swagent.exe ColdFusion MX ODBC Agent [?]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [6/21/2009 11:27 AM 73840]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [8/17/2009 10:57 PM 95640]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 Microsoft System Management;Microsoft System Management; [x]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S4 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [6/21/2009 11:27 AM 64392]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*NewlyCreated* - NEVCGSXX
*Deregistered* - mbr
*Deregistered* - nevcgsxx

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
pfmeppja
.
Contents of the 'Scheduled Tasks' folder

2009-11-13 c:\windows\Tasks\dfrg.job
- c:\windows\system32\dfrg.msc [2006-09-28 09:00]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.wqxt.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\erz9nlou.default\
FF - prefs.js: browser.search.selectedEngine - eBay
FF - prefs.js: browser.startup.homepage - hxxp://wqxt.com/
FF - prefs.js: keyword.URL - hxxp://www.ask.com/web?&o=13048&l=dis&q=
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-13 16:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]
"Appinit_Dlls"="karna.dat"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3752)
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\cfusionmx\db\slserver52\bin\swagent.exe
c:\cfusionmx\db\slserver52\bin\swstrtr.exe
c:\cfusionmx\db\slserver52\bin\swsoc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\PC Tools Firewall Plus\FWService.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2009-11-13 17:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-13 22:00

Pre-Run: 61,927,829,504 bytes free
Post-Run: 61,861,347,328 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 1A10E2793EA4F55CE1B55EC84D29B8EF

#5 SweetTech

SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,368 posts

Posted 14 November 2009 - 04:17 PM

One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to appraise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://forums.whatthetech.com/can_not_remove_trojans_t108251.html&view=findpost&p=610655#entry610655

Collect::
C:\WINDOWS\system32\karna.dat

Folder::
c:\documents and settings\User\Local Settings\Application Data\ceifhrrw
c:\documents and settings\User\Application Data\ceifhrrw
c:\documents and settings\NetworkService\Local Settings\Application Data\ceifhrrw
c:\documents and settings\NetworkService\Application Data\ceifhrrw

FCopy::
c:\windows\system32\dllcache\beep.sys | c:\windows\system32\drivers\beep.sys

NetSvc::
pfmeppja

RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]

Registry::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]
"Appinit_Dlls"=""

DDS::
mStart Page = hxxp://www.wqxt.com

FireFox::
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\erz9nlou.default\
FF - prefs.js: browser.startup.homepage - hxxp://wqxt.com/

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please make sure you include the following items in your next post:
1. The log that was produced after running ComboFix.
2. An update on how your computer is currently running?

Posted Image
 

Proud Graduate of the WTT Classroom
 
Posted Image


#6 stjohn

stjohn

    New Member

  • Authentic Member
  • Pip
  • 8 posts

Posted 14 November 2009 - 09:07 PM

SweetTech, Thank you for your help.

I am not sure how my computer is running. It seems ok, but I am still suspicious. The combo fix found a lot of problems.

Here is the latest log:

ComboFix 09-11-15.01 - User 11/14/2009 21:36.2.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.536 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Application Data\ceifhrrw
c:\documents and settings\NetworkService\Application Data\ceifhrrw\profiles.ini
c:\documents and settings\NetworkService\Application Data\ceifhrrw\Profiles\qh7136b0.default\cert8.db
c:\documents and settings\NetworkService\Application Data\ceifhrrw\Profiles\qh7136b0.default\compatibility.ini
c:\documents and settings\NetworkService\Application Data\ceifhrrw\Profiles\qh7136b0.default\compreg.dat
c:\documents and settings\NetworkService\Application Data\ceifhrrw\Profiles\qh7136b0.default\cookies.sqlite
c:\documents and settings\NetworkService\Application Data\ceifhrrw\Profiles\qh7136b0.default\formhistory.sqlite
c:\documents and settings\NetworkService\Application Data\ceifhrrw\Profiles\qh7136b0.default\key3.db
c:\documents and settings\NetworkService\Application Data\ceifhrrw\Profiles\qh7136b0.default\localstore.rdf
c:\documents and settings\NetworkService\Application Data\ceifhrrw\Profiles\qh7136b0.default\parent.lock
c:\documents and settings\NetworkService\Application Data\ceifhrrw\Profiles\qh7136b0.default\permissions.sqlite
c:\documents and settings\NetworkService\Application Data\ceifhrrw\Profiles\qh7136b0.default\places.sqlite-journal
c:\documents and settings\NetworkService\Application Data\ceifhrrw\Profiles\qh7136b0.default\places.sqlite-stmtjrnl
c:\documents and settings\NetworkService\Application Data\ceifhrrw\Profiles\qh7136b0.default\places.sqlite
c:\documents and settings\NetworkService\Application Data\ceifhrrw\Profiles\qh7136b0.default\pluginreg.dat
c:\documents and settings\NetworkService\Application Data\ceifhrrw\Profiles\qh7136b0.default\prefs.js
c:\documents and settings\NetworkService\Application Data\ceifhrrw\Profiles\qh7136b0.default\secmod.db
c:\documents and settings\NetworkService\Application Data\ceifhrrw\Profiles\qh7136b0.default\webappsstore.sqlite
c:\documents and settings\NetworkService\Application Data\ceifhrrw\Profiles\qh7136b0.default\xpti.dat
c:\documents and settings\NetworkService\Local Settings\Application Data\ceifhrrw
c:\documents and settings\NetworkService\Local Settings\Application Data\ceifhrrw\Profiles\qh7136b0.default\urlclassifier3.sqlite
c:\documents and settings\NetworkService\Local Settings\Application Data\ceifhrrw\Profiles\qh7136b0.default\XPC.mfl
c:\documents and settings\User\Application Data\ceifhrrw
c:\documents and settings\User\Application Data\ceifhrrw\profiles.ini
c:\documents and settings\User\Application Data\ceifhrrw\Profiles\760nqlxc.default\cert8.db
c:\documents and settings\User\Application Data\ceifhrrw\Profiles\760nqlxc.default\compatibility.ini
c:\documents and settings\User\Application Data\ceifhrrw\Profiles\760nqlxc.default\compreg.dat
c:\documents and settings\User\Application Data\ceifhrrw\Profiles\760nqlxc.default\cookies.sqlite
c:\documents and settings\User\Application Data\ceifhrrw\Profiles\760nqlxc.default\formhistory.sqlite
c:\documents and settings\User\Application Data\ceifhrrw\Profiles\760nqlxc.default\key3.db
c:\documents and settings\User\Application Data\ceifhrrw\Profiles\760nqlxc.default\localstore.rdf
c:\documents and settings\User\Application Data\ceifhrrw\Profiles\760nqlxc.default\permissions.sqlite
c:\documents and settings\User\Application Data\ceifhrrw\Profiles\760nqlxc.default\places.sqlite-journal
c:\documents and settings\User\Application Data\ceifhrrw\Profiles\760nqlxc.default\places.sqlite
c:\documents and settings\User\Application Data\ceifhrrw\Profiles\760nqlxc.default\pluginreg.dat
c:\documents and settings\User\Application Data\ceifhrrw\Profiles\760nqlxc.default\prefs.js
c:\documents and settings\User\Application Data\ceifhrrw\Profiles\760nqlxc.default\secmod.db
c:\documents and settings\User\Application Data\ceifhrrw\Profiles\760nqlxc.default\webappsstore.sqlite
c:\documents and settings\User\Application Data\ceifhrrw\Profiles\760nqlxc.default\xpti.dat
c:\documents and settings\User\Local Settings\Application Data\ceifhrrw
c:\documents and settings\User\Local Settings\Application Data\ceifhrrw\Profiles\760nqlxc.default\urlclassifier3.sqlite
c:\documents and settings\User\Local Settings\Application Data\ceifhrrw\Profiles\760nqlxc.default\XPC.mfl

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\beep.sys --> c:\windows\system32\drivers\beep.sys
.
((((((((((((((((((((((((( Files Created from 2009-10-15 to 2009-11-15 )))))))))))))))))))))))))))))))
.

2009-11-15 02:36 . 2006-03-15 09:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-11-15 02:36 . 2006-03-15 09:00 4224 ----a-w- c:\windows\system32\dllcache\beep.sys
2009-11-13 10:23 . 2009-11-13 10:23 165232 ---ha-w- c:\documents and settings\User\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
2009-11-13 10:22 . 2009-11-13 10:22 -------- d-----w- c:\program files\Microsoft Virtual PC
2009-11-13 10:16 . 2009-11-13 10:20 31884672 ----a-w- c:\program files\virtualpc2007.exe
2009-11-13 05:47 . 2009-11-13 05:47 -------- d-----w- c:\program files\ERUNT
2009-11-06 18:17 . 2009-11-06 18:17 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-11-06 18:16 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-06 18:16 . 2009-11-08 23:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-06 18:16 . 2009-11-06 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-06 18:16 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-06 18:12 . 2009-11-06 18:13 4045544 ----a-w- c:\program files\mbam-setup.exe
2009-11-06 08:42 . 2009-11-06 08:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-11-06 08:41 . 2009-11-06 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-11-06 08:41 . 2009-11-06 08:41 -------- d-----w- c:\program files\Common Files\iS3
2009-11-06 08:36 . 2009-11-06 08:36 390656 ----a-w- c:\program files\STOPzilla_Setup.exe
2009-10-20 02:24 . 2009-10-20 02:24 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-10-19 04:33 . 2009-10-19 04:33 -------- d-----w- c:\documents and settings\User\Application Data\AVS4YOU
2009-10-19 04:33 . 2009-10-19 04:33 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-10-19 04:31 . 2009-10-19 04:33 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-10-19 04:31 . 2009-10-19 04:33 -------- d-----w- c:\program files\AVS4YOU
2009-10-19 04:31 . 2008-08-13 15:22 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2009-10-19 04:31 . 2008-08-13 15:22 24576 ----a-w- c:\windows\system32\msxml3a.dll
2009-10-18 03:23 . 2009-10-18 03:23 -------- d-----w- c:\program files\Flash Player Pro
2009-10-18 03:22 . 2009-10-18 03:22 3456313 ----a-w- c:\program files\FlashMediaPlayer.exe
2009-10-18 03:00 . 2009-10-18 03:09 46323904 ----a-w- C:\AVSVideoConverter.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-15 02:31 . 2008-08-30 22:07 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-15 02:16 . 2009-06-07 21:56 -------- d-----w- c:\program files\CCleaner
2009-11-15 00:52 . 2007-09-17 23:51 -------- d-----w- c:\program files\Call of Duty Game of the Year Edition
2009-11-15 00:41 . 2008-09-05 01:23 138376 -c--a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-11-15 00:41 . 2008-09-05 01:23 202448 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-11-06 19:40 . 2009-11-06 19:39 840 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-10-14 22:37 . 2008-08-30 18:14 -------- d-----w- c:\program files\XoftSpySE
2009-09-21 03:39 . 2009-09-21 03:38 9008576 ----a-w- c:\program files\windows-kb890830-v2.14.exe
2009-04-22 03:09 . 2009-04-22 03:08 4399670 -c--a-w- c:\program files\zen-cart-v1.3.8a-full-fileset-12112007.zip
2008-10-19 18:04 . 2008-10-19 17:58 25740144 -c--a-w- c:\program files\wmp11-windowsxp-x86-enu.exe
2008-10-12 19:41 . 2008-10-12 19:37 20355856 -c--a-w- c:\program files\sdsetup.exe
2008-08-31 22:03 . 2008-08-31 22:02 1077448 -c--a-w- c:\program files\RegCureSetup_1501_CB.exe
2008-08-30 00:25 . 2008-08-23 21:57 12413440 -c--a-w- c:\program files\avgas-setup-7.5.1.43.exe
2008-07-25 23:57 . 2008-07-25 23:54 3714959 -c--a-w- c:\program files\Stickman4.zip
2008-06-29 06:19 . 2008-06-29 06:19 318904 -c--a-w- c:\program files\wmpfirefoxplugin.exe
2008-06-27 22:10 . 2008-06-27 22:07 5319506 -c--a-w- c:\program files\Stickman5.zip
2008-06-27 05:27 . 2008-06-27 05:27 496085 -c--a-w- c:\program files\Pivot.zip
2008-05-18 05:39 . 2008-05-18 05:37 9722720 -c--a-w- c:\program files\spybotsd152.exe
2008-01-27 20:45 . 2008-01-27 20:44 13413048 -c--a-w- c:\program files\Google_Earth_BZXD.exe
2008-01-21 21:15 . 2008-01-21 21:15 2514811 -c--a-w- c:\program files\First_Spaceship_on_Venus.avi.torrent.exe
2008-01-19 03:44 . 2008-01-19 03:44 837811 -c--a-w- c:\program files\AntilagXP.zip
2008-01-19 03:38 . 2008-01-19 03:38 15486287 -c--a-w- c:\program files\BZFMapPakII.exe
2008-01-18 00:32 . 2008-01-18 00:32 6026816 -c--a-w- c:\program files\Firefox Setup 2.0.0.11.exe
2008-01-16 05:34 . 2008-01-16 05:34 1491592 -c--a-w- c:\program files\install_flash_player.exe
2008-01-15 17:00 . 2008-01-11 00:39 54330664 -c--a-w- c:\program files\iTunesSetup.exe
2008-01-07 02:19 . 2008-01-07 02:19 523976 -c--a-w- c:\program files\PopUpStopperFree.exe
2008-01-01 21:47 . 2008-01-01 21:51 83848 -c--a-w- c:\program files\1394.zip
2008-01-01 20:49 . 2008-01-01 20:53 5103056 -c--a-w- c:\program files\DriverDetective.exe
2007-06-04 17:39 . 2008-02-10 15:40 1605557 -c--a-w- c:\program files\WIN32-MPEG2-cafecf94a20d.exe
2007-06-04 17:25 . 2008-01-26 00:14 899414 -c--a-w- c:\program files\SetupDVDDecrypter_3.5.4.0.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\BlogTorrent\\btdownloadgui.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BZinstall14L\\bzone.exe"=
"c:\\Program Files\\Call of Duty Game of the Year Edition\\CoDMP.exe"=

R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [12/31/1979 11:00 PM 70784]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/21/2009 11:27 AM 130936]
R1 cdrblock;cdrblock;c:\windows\system32\drivers\cdrblock.sys [10/11/2008 1:10 PM 10368]
R1 cdrport;cdrport;c:\windows\system32\drivers\cdrport.sys [10/11/2008 1:10 PM 4608]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [6/21/2009 11:27 AM 159600]
R2 ColdFusion MX ODBC Agent;ColdFusion MX ODBC Agent;c:\cfusionmx\db\slserver52\bin\swagent.exe "ColdFusion MX ODBC Agent" --> c:\cfusionmx\db\slserver52\bin\swagent.exe ColdFusion MX ODBC Agent [?]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [6/21/2009 11:27 AM 73840]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 Microsoft System Management;Microsoft System Management; [x]
S3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [8/17/2009 10:57 PM 95640]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S4 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [6/21/2009 11:27 AM 64392]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*NewlyCreated* - NEVCGSXX
*Deregistered* - mbr
*Deregistered* - nevcgsxx
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-14 c:\windows\Tasks\dfrg.job
- c:\windows\system32\dfrg.msc [2006-09-28 09:00]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\erz9nlou.default\
FF - prefs.js: browser.search.selectedEngine - eBay
FF - prefs.js: keyword.URL - hxxp://www.ask.com/web?&o=13048&l=dis&q=
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ISTray - c:\program files\Spyware Doctor\pctsTray.exe
AddRemove-Spyware Doctor - c:\program files\Spyware Doctor\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-14 21:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]
"Appinit_Dlls"=""
.
Completion time: 2009-11-14 21:45
ComboFix-quarantined-files.txt 2009-11-15 02:45
ComboFix2.txt 2009-11-13 22:00

Pre-Run: 61,924,524,032 bytes free
Post-Run: 61,870,346,240 bytes free

- - End Of File - - B6BE7C38ACFDA806DAF23CB352772D2B

#7 SweetTech

SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,368 posts

Posted 14 November 2009 - 11:07 PM

No Anti-Virus Present
Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors

1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update have been completed, Select the Scanner tab.
  • Select Perform full scan, then click on Scan
  • Leave the default options as it is and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Checked (ticked) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Kaspersky Online Scanner
I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
The below scan can take up to an hour or longer, please be patient.

Note:
It is recommended to disable on board Anti-Virus program and Anti-Spyware programs while performing scans so no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident Anti-Virus protection along with whatever Anti-Spyware app you use.



Please do a scan with Kaspersky Online Scanner or from Here.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Once the scan is complete, click on View scan report To obtain the report:
  • Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop
  • In the File name area, use KScan, or something similar In Save as type, click the drop arrow and select: Text file [*.txt]
  • Then, click: Save
  • Please post the Kaspersky Online Scanner Report in your reply.

Please make sure you include the following items in your next post:
1. The log that was produced after running MalwareBytes' Anti-Malware.
2. The log that was produced after running Kaspersky Online Scanner.
3. Are you experiencing any outstanding issues with your computer?

Posted Image
 

Proud Graduate of the WTT Classroom
 
Posted Image


#8 stjohn

stjohn

    New Member

  • Authentic Member
  • Pip
  • 8 posts

Posted 15 November 2009 - 04:55 PM

.siht nees reve evah uoy emit tsrif eht si siht teb

Bet this is the first time you have seen this.
All my key entries are backwards when I try to post. I had to paste the text from a notepad so you can read this.

I have installed the recommended anti-virus Avast.

Ran Malwarebytes.

Had a big problem trying to run Kaspersky.

The first link:
The on line scan, Kaspersky will not run. It started one time after I got past the java security warning. The Java warning did not fully appear. I had to try 3 time till I could part of it so I could tell java to run. After that, Kaspersky ran part way and got another error. ôUpdate has failed The program could not be started. Please close the window of Kaspersky Online Scanner 7.0 and start the program again from the web site of Kaspersky Lab. Successful updating of Kaspersky Online Scanner 7.0 and scanning of your computer requires uninterrupted Internet connection. Please make sure that the Internet connection is established. [ERROR: Scanning could not be started. [0x80004005]]ö I did all this and got the same error immediately.

The second link will not see files when you browse.

When I try to open the java from the control panel to check settings, I get a hard crash.

I copied the log from Kasperskyhere from the 1 time it ran part way:

The program is starting. Please wait...
Updates source is selected: http://www.kaspersky.com
File download: packages/kos-bin-winnt-redist.jar
File download: packages/kos-bin-winnt-engine.jar
File download: packages/kos-bin-winnt.jar
File download: packages/kos-extras.jar
The program is started.

Updating the anti-virus database. Please wait...
Updates source is selected: http://downloads1.kaspersky-labs.com/
File download: index/master.xml.klz
File download: bases/five/avc/kavset.xml.klz
File download: bases/five/upd/updcfg.xml
File download: bases/five/avc/black.lst
File download: bases/five/avc/kernel.avc
File download: bases/five/avc/krnun001.avc
File download: bases/five/avc/krnun002.avc
File download: bases/five/avc/krnun003.avc
File download: bases/five/avc/krnun004.avc
File download: bases/five/avc/krnexe.avc
File download: bases/five/avc/krnmacro.avc
File download: bases/five/avc/krnjava.avc
File download: bases/five/avc/krndos.avc
File download: bases/five/avc/krngen.avc
File download: bases/five/avc/krnexe32.avc
File download: bases/five/avc/krnengn.avc
File download: bases/five/avc/krn001.avc
File download: bases/five/avc/krn002.avc
File download: bases/five/avc/krn003.avc
File download: bases/five/avc/krn004.avc
File download: bases/five/avc/krn005.avc
File download: bases/five/avc/krn006.avc
File download: bases/five/avc/smart.avc
File download: bases/five/avc/ocr.avc
File download: bases/five/avc/chuka.avc
File download: bases/five/avc/fa001.avc
File download: bases/five/avc/base001c.avc
File download: bases/five/avc/base002c.avc
File download: bases/five/avc/base003c.avc
File download: bases/five/avc/base004c.avc
File download: bases/five/avc/base005c.avc
File download: bases/five/avc/base006c.avc
File download: bases/five/avc/base007c.avc
File download: bases/five/avc/base008c.avc
File download: bases/five/avc/base009c.avc
File download: bases/five/avc/base010c.avc
File download: bases/five/avc/base011c.avc
File download: bases/five/avc/base012c.avc
File download: bases/five/avc/base013c.avc
File download: bases/five/avc/base014c.avc
File download: bases/five/avc/base015c.avc
File download: bases/five/avc/base016c.avc
File download: bases/five/avc/base017c.avc
File download: bases/five/avc/base018c.avc
File download: bases/five/avc/base019c.avc
File download: bases/five/avc/base020c.avc
File download: bases/five/avc/base021c.avc
File download: bases/five/avc/base022c.avc
File download: bases/five/avc/base023c.avc
File download: bases/five/avc/base024c.avc
File download: bases/five/avc/base025c.avc
File download: bases/five/avc/base026c.avc
File download: bases/five/avc/base027c.avc
File download: bases/five/avc/base028c.avc
File download: bases/five/avc/base029c.avc
File download: bases/five/avc/base030c.avc
File download: bases/five/avc/base031c.avc
File download: bases/five/avc/base032c.avc
File download: bases/five/avc/base033c.avc
File download: bases/five/avc/base034c.avc
File download: bases/five/avc/base035c.avc
File download: bases/five/avc/base036c.avc
File download: bases/five/avc/base037c.avc
File download: bases/five/avc/base038c.avc
File download: bases/five/avc/base039c.avc
File download: bases/five/avc/base040c.avc
File download: bases/five/avc/base041c.avc
File download: bases/five/avc/base042c.avc
File download: bases/five/avc/base043c.avc
File download: bases/five/avc/base044c.avc
File download: bases/five/avc/base045c.avc
File download: bases/five/avc/base046c.avc
File download: bases/five/avc/base047c.avc
File download: bases/five/avc/base048c.avc
File download: bases/five/avc/base049c.avc
File download: bases/five/avc/base050c.avc
File download: bases/five/avc/base051c.avc
File download: bases/five/avc/base052c.avc
File download: bases/five/avc/base053c.avc
File download: bases/five/avc/base054c.avc
File download: bases/five/avc/base055c.avc
File download: bases/five/avc/base056c.avc
File download: bases/five/avc/base057c.avc
File download: bases/five/avc/base058c.avc
File download: bases/five/avc/base059c.avc
File download: bases/five/avc/base060c.avc
File download: bases/five/avc/base061c.avc
File download: bases/five/avc/base062c.avc
File download: bases/five/avc/base063c.avc
File download: bases/five/avc/base064c.avc
File download: bases/five/avc/base065c.avc
File download: bases/five/avc/base066c.avc
File download: bases/five/avc/base067c.avc
File download: bases/five/avc/base068c.avc
File download: bases/five/avc/base069c.avc
File download: bases/five/avc/base070c.avc
File download: bases/five/avc/base071c.avc
File download: bases/five/avc/base072c.avc
File download: bases/five/avc/base073c.avc
File download: bases/five/avc/base074c.avc
File download: bases/five/avc/base075c.avc
File download: bases/five/avc/base076c.avc
File download: bases/five/avc/base077c.avc
File download: bases/five/avc/base078c.avc
File download: bases/five/avc/base079c.avc
File download: bases/five/avc/base080c.avc
File download: bases/five/avc/base081c.avc
File download: bases/five/avc/base082c.avc
File download: bases/five/avc/base083c.avc
File download: bases/five/avc/base084c.avc
File download: bases/five/avc/base085c.avc
File download: bases/five/avc/base086c.avc
File download: bases/five/avc/base087c.avc
File download: bases/five/avc/base088c.avc
File download: bases/five/avc/base089c.avc
File download: bases/five/avc/base090c.avc
File download: bases/five/avc/base091c.avc
File download: bases/five/avc/base092c.avc
File download: bases/five/avc/base093c.avc
File download: bases/five/avc/base094c.avc
File download: bases/five/avc/base095c.avc
File download: bases/five/avc/base096c.avc
File download: bases/five/avc/base097c.avc
File download: bases/five/avc/base098c.avc
File download: bases/five/avc/base099c.avc
File download: bases/five/avc/base100c.avc
File download: bases/five/avc/base101c.avc
File download: bases/five/avc/base102c.avc
File download: bases/five/avc/base103c.avc
File download: bases/five/avc/base104c.avc
File download: bases/five/avc/base105c.avc
File download: bases/five/avc/base106c.avc
File download: bases/five/avc/base107c.avc
File download: bases/five/avc/base108c.avc
File download: bases/five/avc/base109c.avc
File download: bases/five/avc/base110c.avc
File download: bases/five/avc/base111c.avc
File download: bases/five/avc/base112c.avc
File download: bases/five/avc/base113c.avc
File download: bases/five/avc/base114c.avc
File download: bases/five/avc/base115c.avc
File download: bases/five/avc/base116c.avc
File download: bases/five/avc/base117c.avc
File download: bases/five/avc/base118c.avc
File download: bases/five/avc/base119c.avc
File download: bases/five/avc/base120c.avc
File download: bases/five/avc/base121c.avc
File download: bases/five/avc/base122c.avc
File download: bases/five/avc/base123c.avc
File download: bases/five/avc/base124c.avc
File download: bases/five/avc/base125c.avc
File download: bases/five/avc/base126c.avc
File download: bases/five/avc/base127c.avc
File download: bases/five/avc/base128c.avc
File download: bases/five/avc/base129c.avc
File download: bases/five/avc/base130c.avc
File download: bases/five/avc/base131c.avc
File download: bases/five/avc/base132c.avc
File download: bases/five/avc/base133c.avc
File download: bases/five/avc/base134c.avc
File download: bases/five/avc/base135c.avc
File download: bases/five/avc/base136c.avc
File download: bases/five/avc/base137c.avc
File download: bases/five/avc/base138c.avc
File download: bases/five/avc/base139c.avc
File download: bases/five/avc/base140c.avc
File download: bases/five/avc/base141c.avc
File download: bases/five/avc/base142c.avc
File download: bases/five/avc/base143c.avc
File download: bases/five/avc/base144c.avc
File download: bases/five/avc/base145c.avc
File download: bases/five/avc/base146c.avc
File download: bases/five/avc/base147c.avc
File download: bases/five/avc/base148c.avc
File download: bases/five/avc/base149c.avc
File download: bases/five/avc/base150c.avc
File download: bases/five/avc/base151c.avc
File download: bases/five/avc/base152c.avc
File download: bases/five/avc/base153c.avc
File download: bases/five/avc/base154c.avc
File download: bases/five/avc/base155c.avc
File download: bases/five/avc/base156c.avc
File download: bases/five/avc/base157c.avc
File download: bases/five/avc/base158c.avc
File download: bases/five/avc/base159c.avc
File download: bases/five/avc/base160c.avc
File download: bases/five/avc/base161c.avc
File download: bases/five/avc/base162c.avc
File download: bases/five/avc/base163c.avc
File download: bases/five/avc/base164c.avc
File download: bases/five/avc/base165c.avc
File download: bases/five/avc/base166c.avc
File download: bases/five/avc/base167c.avc
File download: bases/five/avc/base168c.avc
File download: bases/five/avc/base169c.avc
File download: bases/five/avc/base170c.avc
File download: bases/five/avc/base171c.avc
File download: bases/five/avc/base172c.avc
File download: bases/five/avc/base173c.avc
File download: bases/five/avc/base174c.avc
File download: bases/five/avc/base175c.avc
File download: bases/five/avc/base176c.avc
File download: bases/five/avc/base177c.avc
File download: bases/five/avc/base178c.avc
File download: bases/five/avc/base179c.avc
File download: bases/five/avc/base180c.avc
File download: bases/five/avc/base181c.avc
File download: bases/five/avc/base182c.avc
File download: bases/five/avc/base183c.avc
File download: bases/five/avc/base184c.avc
File download: bases/five/avc/base185c.avc
File download: bases/five/avc/base186c.avc
File download: bases/five/avc/base187c.avc
File download: bases/five/avc/base188c.avc
File download: bases/five/avc/base189c.avc
File download: bases/five/avc/base190c.avc
File download: bases/five/avc/base191c.avc
File download: bases/five/avc/base192c.avc
File download: bases/five/avc/base193c.avc
File download: bases/five/avc/base194c.avc
File download: bases/five/avc/base195c.avc
File download: bases/five/avc/base196c.avc
File download: bases/five/avc/base197c.avc
File download: bases/five/avc/base198c.avc
File download: bases/five/avc/base199c.avc
File download: bases/five/avc/base200c.avc
File download: bases/five/avc/base201c.avc
File download: bases/five/avc/base202c.avc
File download: bases/five/avc/base203c.avc
File download: bases/five/avc/base204c.avc
File download: bases/five/avc/base205c.avc
File download: bases/five/avc/base206c.avc
File download: bases/five/avc/base207c.avc
File download: bases/five/avc/base208c.avc
File download: bases/five/avc/base209c.avc
File download: bases/five/avc/base210c.avc
File download: bases/five/avc/base211c.avc
File download: bases/five/avc/base212c.avc
File download: bases/five/avc/base213c.avc
File download: bases/five/avc/base214c.avc
File download: bases/five/avc/base215c.avc
File download: bases/five/avc/base216c.avc
File download: bases/five/avc/base217c.avc
File download: bases/five/avc/base218c.avc
File download: bases/five/avc/base219c.avc
File download: bases/five/avc/base220c.avc
File download: bases/five/avc/base221c.avc
File download: bases/five/avc/base222c.avc
File download: bases/five/avc/base223c.avc
File download: bases/five/avc/base224c.avc
File download: bases/five/avc/base225c.avc
File download: bases/five/avc/base226c.avc
File download: bases/five/avc/base227c.avc
File download: bases/five/avc/base228c.avc
File download: bases/five/avc/base229c.avc
File download: bases/five/avc/base230c.avc
File download: bases/five/avc/base231c.avc
File download: bases/five/avc/base232c.avc
File download: bases/five/avc/base233c.avc
File download: bases/five/avc/base234c.avc
File download: bases/five/avc/base235c.avc
File download: bases/five/avc/base236c.avc
File download: bases/five/avc/base237c.avc
File download: bases/five/avc/base238c.avc
File download: bases/five/avc/base239c.avc
File download: bases/five/avc/base240c.avc
File download: bases/five/avc/base241c.avc
File download: bases/five/avc/base242c.avc
File download: bases/five/avc/base243c.avc
File download: bases/five/avc/base244c.avc
File download: bases/five/avc/base245c.avc
File download: bases/five/avc/base246c.avc
File download: bases/five/avc/base247c.avc
File download: bases/five/avc/base248c.avc
File download: bases/five/avc/base249c.avc
File download: bases/five/avc/base250c.avc
File download: bases/five/avc/base251c.avc
File download: bases/five/avc/base252c.avc
File download: bases/five/avc/base253c.avc
File download: bases/five/avc/base254c.avc
File download: bases/five/avc/base255c.avc
File download: bases/five/avc/base256c.avc
File download: bases/five/avc/base257c.avc
File download: bases/five/avc/base258c.avc
File download: bases/five/avc/base259c.avc
File download: bases/five/avc/base260c.avc
File download: bases/five/avc/base261c.avc
File download: bases/five/avc/base262c.avc
File download: bases/five/avc/base263c.avc
File download: bases/five/avc/base264c.avc
File download: bases/five/avc/base265c.avc
File download: bases/five/avc/base266c.avc
File download: bases/five/avc/base267c.avc
File download: bases/five/avc/base268c.avc
File download: bases/five/avc/base269c.avc
File download: bases/five/avc/base270c.avc
File download: bases/five/avc/base271c.avc
File download: bases/five/avc/base272c.avc
File download: bases/five/avc/base273c.avc
File download: bases/five/avc/base274c.avc
File download: bases/five/avc/base275c.avc
File download: bases/five/avc/base276c.avc
File download: bases/five/avc/base277c.avc
File download: bases/five/avc/base278c.avc
File download: bases/five/avc/base279c.avc
File download: bases/five/avc/base280c.avc
File download: bases/five/avc/base281c.avc
File download: bases/five/avc/base282c.avc
File download: bases/five/avc/base283c.avc
File download: bases/five/avc/base284c.avc
File download: bases/five/avc/base285c.avc
File download: bases/five/avc/base286c.avc
File download: bases/five/avc/base287c.avc
File download: bases/five/avc/base288c.avc
File download: bases/five/avc/base289c.avc
File download: bases/five/avc/base290c.avc
File download: bases/five/avc/base291c.avc
File download: bases/five/avc/base292c.avc
File download: bases/five/avc/base293c.avc
File download: bases/five/avc/base294c.avc
File download: bases/five/avc/base295c.avc
File download: bases/five/avc/base296c.avc
File download: bases/five/avc/base297c.avc
File download: bases/five/avc/base298c.avc
File download: bases/five/avc/base299c.avc
File download: bases/five/avc/base300c.avc
File download: bases/five/avc/base301c.avc
File download: bases/five/avc/base302c.avc
File download: bases/five/avc/base303c.avc
File download: bases/five/avc/base304c.avc
File download: bases/five/avc/base305c.avc
File download: bases/five/avc/base306c.avc
File download: bases/five/avc/base307c.avc
File download: bases/five/avc/base308c.avc
File download: bases/five/avc/base309c.avc
File download: bases/five/avc/base310c.avc
File download: bases/five/avc/base311c.avc
File download: bases/five/avc/base312c.avc
File download: bases/five/avc/base313c.avc
File download: bases/five/avc/base314c.avc
File download: bases/five/avc/base315c.avc
File download: bases/five/avc/base316c.avc
File download: bases/five/avc/base317c.avc
File download: bases/five/avc/base318c.avc
File download: bases/five/avc/base319c.avc
File download: bases/five/avc/base320c.avc
File download: bases/five/avc/base321c.avc
File download: bases/five/avc/base322c.avc
File download: bases/five/avc/base323c.avc
File download: bases/five/avc/base324c.avc
File download: bases/five/avc/base325c.avc
File download: bases/five/avc/base326c.avc
File download: bases/five/avc/base327c.avc
File download: bases/five/avc/base328c.avc
File download: bases/five/avc/base329c.avc
File download: bases/five/avc/base330c.avc
File download: bases/five/avc/base331c.avc
File download: bases/five/avc/base332c.avc
File download: bases/five/avc/base333c.avc
File download: bases/five/avc/base334c.avc
File download: bases/five/avc/base335c.avc
File download: bases/five/avc/base336c.avc
File download: bases/five/avc/base337c.avc
File download: bases/five/avc/base338c.avc
File download: bases/five/avc/base339c.avc
File download: bases/five/avc/base340c.avc
File download: bases/five/avc/base341c.avc
File download: bases/five/avc/base342c.avc
File download: bases/five/avc/base343c.avc
File download: bases/five/avc/base344c.avc
File download: bases/five/avc/base345c.avc
File download: bases/five/avc/base346c.avc
File download: bases/five/avc/base347c.avc
File download: bases/five/avc/base348c.avc
File download: bases/five/avc/base349c.avc
File download: bases/five/avc/base350c.avc
File download: bases/five/avc/base351c.avc
File download: bases/five/avc/base352c.avc
File download: bases/five/avc/base353c.avc
File download: bases/five/avc/base354c.avc
File download: bases/five/avc/base355c.avc
File download: bases/five/avc/base356c.avc
File download: bases/five/avc/base357c.avc
File download: bases/five/avc/base358c.avc
File download: bases/five/avc/base359c.avc
File download: bases/five/avc/base360c.avc
File download: bases/five/avc/base361c.avc
File download: bases/five/avc/base362c.avc
File download: bases/five/avc/base363c.avc
File download: bases/five/avc/base364c.avc
File download: bases/five/avc/base365c.avc
File download: bases/five/avc/base366c.avc
File download: bases/five/avc/base367c.avc
File download: bases/five/avc/base368c.avc
File download: bases/five/avc/base369c.avc
File download: bases/five/avc/base370c.avc
File download: bases/five/avc/base371c.avc
File download: bases/five/avc/base372c.avc
File download: bases/five/avc/base373c.avc
File download: bases/five/avc/base374c.avc
File download: bases/five/avc/base375c.avc
File download: bases/five/avc/base376c.avc
File download: bases/five/avc/base377c.avc
File download: bases/five/avc/base378c.avc
File download: bases/five/avc/base379c.avc
File download: bases/five/avc/base380c.avc
File download: bases/five/avc/base381c.avc
File download: bases/five/avc/base382c.avc
File download: bases/five/avc/base383c.avc
File download: bases/five/avc/base384c.avc
File download: bases/five/avc/base385c.avc
File download: bases/five/avc/base386c.avc
File download: bases/five/avc/base387c.avc
File download: bases/five/avc/base388c.avc
File download: bases/five/avc/base389c.avc
File download: bases/five/avc/base390c.avc
File download: bases/five/avc/base391c.avc
File download: bases/five/avc/base392c.avc
File download: bases/five/avc/base393c.avc
File download: bases/five/avc/base394c.avc
File download: bases/five/avc/base395c.avc
File download: bases/five/avc/base396c.avc
File download: bases/five/avc/base397c.avc
File download: bases/five/avc/base398c.avc
File download: bases/five/avc/base399c.avc
File download: bases/five/avc/base400c.avc
File download: bases/five/avc/base401c.avc
File download: bases/five/avc/base402c.avc
File download: bases/five/avc/base403c.avc
File download: bases/five/avc/base404c.avc
File download: bases/five/avc/base405c.avc
File download: bases/five/avc/base406c.avc
File download: bases/five/avc/base407c.avc
File download: bases/five/avc/base408c.avc
File download: bases/five/avc/base409c.avc
File download: bases/five/avc/base410c.avc
File download: bases/five/avc/base411c.avc
File download: bases/five/avc/base412c.avc
File download: bases/five/avc/base413c.avc
File download: bases/five/avc/base414c.avc
File download: bases/five/avc/base415c.avc
File download: bases/five/avc/base416c.avc
File download: bases/five/avc/base417c.avc
File download: bases/five/avc/base418c.avc
File download: bases/five/avc/base419c.avc
File download: bases/five/avc/base420c.avc
File download: bases/five/avc/base421c.avc
File download: bases/five/avc/base422c.avc
File download: bases/five/avc/base423c.avc
File download: bases/five/avc/base424c.avc
File download: bases/five/avc/base425c.avc
File download: bases/five/avc/base426c.avc
File download: bases/five/avc/base427c.avc
File download: bases/five/avc/base428c.avc
File download: bases/five/avc/base429c.avc
File download: bases/five/avc/base430c.avc
File download: bases/five/avc/base431c.avc
File download: bases/five/avc/base432c.avc
File download: bases/five/avc/base433c.avc
File download: bases/five/avc/base434c.avc
File download: bases/five/avc/base435c.avc
File download: bases/five/avc/base436c.avc
File download: bases/five/avc/base437c.avc
File download: bases/five/avc/base438c.avc
File download: bases/five/avc/base439c.avc
File download: bases/five/avc/base440c.avc
File download: bases/five/avc/base441c.avc
File download: bases/five/avc/base442c.avc
File download: bases/five/avc/base443c.avc
File download: bases/five/avc/base444c.avc
File download: bases/five/avc/base445c.avc
File download: bases/five/avc/base446c.avc
File download: bases/five/avc/base447c.avc
File download: bases/five/avc/base448c.avc
File download: bases/five/avc/base449c.avc
File download: bases/five/avc/base450c.avc
File download: bases/five/avc/base451c.avc
File download: bases/five/avc/base452c.avc
File download: bases/five/avc/base453c.avc
File download: bases/five/avc/base454c.avc
File download: bases/five/avc/base455c.avc
File download: bases/five/avc/base456c.avc
File download: bases/five/avc/base457c.avc
File download: bases/five/avc/base458c.avc
File download: bases/five/avc/base459c.avc
File download: bases/five/avc/base460c.avc
File download: bases/five/avc/base461c.avc
File download: bases/five/avc/base462c.avc
File download: bases/five/avc/base463c.avc
File download: bases/five/avc/base464c.avc
File download: bases/five/avc/base465c.avc
File download: bases/five/avc/base466c.avc
File download: bases/five/avc/base467c.avc
File download: bases/five/avc/base468c.avc
File download: bases/five/avc/base469c.avc
File download: bases/five/avc/base470c.avc
File download: bases/five/avc/base471c.avc
File download: bases/five/avc/base472c.avc
File download: bases/five/avc/base473c.avc
File download: bases/five/avc/base474c.avc
File download: bases/five/avc/base475c.avc
File download: bases/five/avc/base476c.avc
File download: bases/five/avc/base477c.avc
File download: bases/five/avc/base478c.avc
File download: bases/five/avc/base479c.avc
File download: bases/five/avc/base480c.avc
File download: bases/five/avc/base481c.avc
File download: bases/five/avc/base482c.avc
File download: bases/five/avc/base483c.avc
File download: bases/five/avc/base484c.avc
File download: bases/five/avc/base485c.avc
File download: bases/five/avc/base486c.avc
File download: bases/five/avc/base487c.avc
File download: bases/five/avc/base488c.avc
File download: bases/five/avc/base489c.avc
File download: bases/five/avc/base490c.avc
File download: bases/five/avc/base491c.avc
File download: bases/five/avc/base492c.avc
File download: bases/five/avc/base493c.avc
File download: bases/five/avc/base494c.avc
File download: bases/five/avc/base495c.avc
File download: bases/five/avc/base496c.avc
File download: bases/five/avc/base497c.avc
File download: bases/five/avc/base498c.avc
File download: bases/five/avc/base499c.avc
File download: bases/five/avc/base500c.avc
File download: bases/five/avc/base501c.avc
File download: bases/five/avc/base502c.avc
File download: bases/five/avc/base503c.avc
File download: bases/five/avc/base504c.avc
File download: bases/five/avc/base505c.avc
File download: bases/five/avc/base506c.avc
File download: bases/five/avc/base507c.avc
File download: bases/five/avc/base508c.avc
File download: bases/five/avc/base509c.avc
File download: bases/five/avc/base510c.avc
File download: bases/five/avc/base511c.avc
File download: bases/five/avc/base512c.avc
File download: bases/five/avc/base513c.avc
File download: bases/five/avc/base514c.avc
File download: bases/five/avc/base515c.avc
File download: bases/five/avc/base516c.avc
File download: bases/five/avc/base517c.avc
File download: bases/five/avc/base518c.avc
File download: bases/five/avc/base519c.avc
File download: bases/five/avc/base520c.avc
File download: bases/five/avc/base521c.avc
File download: bases/five/avc/base522c.avc
File download: bases/five/avc/base523c.avc
File download: bases/five/avc/base524c.avc
File download: bases/five/avc/base525c.avc
File download: bases/five/avc/base526c.avc
File download: bases/five/avc/base527c.avc
File download: bases/five/avc/base528c.avc
File download: bases/five/avc/base529c.avc
File download: bases/five/avc/base530c.avc
File download: bases/five/avc/base531c.avc
File download: bases/five/avc/base532c.avc
File download: bases/five/avc/base533c.avc
File download: bases/five/avc/base534c.avc
File download: bases/five/avc/base535c.avc
File download: bases/five/avc/base536c.avc
File download: bases/five/avc/base537c.avc
File download: bases/five/avc/base538c.avc
File download: bases/five/avc/base539c.avc
File download: bases/five/avc/base540c.avc
File download: bases/five/avc/base541c.avc
File download: bases/five/avc/base542c.avc
File download: bases/five/avc/base543c.avc
File download: bases/five/avc/base544c.avc
File download: bases/five/avc/base545c.avc
File download: bases/five/avc/base546c.avc
File download: bases/five/avc/base547c.avc
File download: bases/five/avc/base548c.avc
File download: bases/five/avc/base549c.avc
File download: bases/five/avc/base550c.avc
File download: bases/five/avc/base551c.avc
File download: bases/five/avc/base552c.avc
File download: bases/five/avc/base553c.avc
File download: bases/five/avc/base554c.avc
File download: bases/five/avc/base555c.avc
File download: bases/five/avc/base556c.avc
File download: bases/five/avc/base557c.avc
File download: bases/five/avc/base558c.avc
File download: bases/five/avc/base559c.avc
File download: bases/five/avc/base560c.avc
File download: bases/five/avc/base561c.avc
File download: bases/five/avc/base562c.avc
File download: bases/five/avc/base563c.avc
File download: bases/five/avc/base564c.avc
File download: bases/five/avc/base565c.avc
File download: bases/five/avc/base566c.avc
File download: bases/five/avc/base567c.avc
File download: bases/five/avc/base568c.avc
File download: bases/five/avc/base569c.avc
File download: bases/five/avc/base570c.avc
File download: bases/five/avc/base571c.avc
File download: bases/five/avc/base572c.avc
File download: bases/five/avc/base573c.avc
File download: bases/five/avc/base574c.avc
File download: bases/five/avc/base575c.avc
File download: bases/five/avc/base576c.avc
File download: bases/five/avc/base577c.avc
File download: bases/five/avc/base578c.avc
File download: bases/five/avc/base579c.avc
File download: bases/five/avc/base580c.avc
File download: bases/five/avc/base581c.avc
File download: bases/five/avc/base582c.avc
File download: bases/five/avc/base583c.avc
File download: bases/five/avc/base584c.avc
File download: bases/five/avc/base585c.avc
File download: bases/five/avc/base586c.avc
File download: bases/five/avc/base587c.avc
File download: bases/five/avc/base588c.avc
File download: bases/five/avc/base589c.avc
File download: bases/five/avc/base590c.avc
File download: bases/five/avc/base591c.avc
File download: bases/five/avc/base592c.avc
File download: bases/five/avc/base593c.avc
File download: bases/five/avc/base594c.avc
File download: bases/five/avc/base595c.avc
File download: bases/five/avc/base596c.avc
File download: bases/five/avc/base597c.avc
File download: bases/five/avc/base598c.avc
File download: bases/five/avc/base599c.avc
File download: bases/five/avc/base600c.avc
File download: bases/five/avc/base601c.avc
File download: bases/five/avc/base602c.avc
File download: bases/five/avc/base603c.avc
File download: bases/five/avc/base604c.avc
File download: bases/five/avc/base605c.avc
File download: bases/five/avc/base606c.avc
File download: bases/five/avc/base607c.avc
File download: bases/five/avc/base608c.avc
File download: bases/five/avc/base609c.avc
File download: bases/five/avc/base610c.avc
File download: bases/five/avc/base611c.avc
File download: bases/five/avc/base612c.avc
File download: bases/five/avc/base613c.avc
File download: bases/five/avc/base614c.avc
File download: bases/five/avc/base615c.avc
File download: bases/five/avc/base616c.avc
File download: bases/five/avc/base617c.avc
File download: bases/five/avc/base618c.avc
File download: bases/five/avc/base619c.avc
File download: bases/five/avc/base620c.avc
File download: bases/five/avc/base621c.avc
File download: bases/five/avc/base622c.avc
File download: bases/five/avc/base623c.avc
File download: bases/five/avc/base624c.avc
File download: bases/five/avc/base625c.avc
File download: bases/five/avc/base626c.avc
File download: bases/five/avc/base627c.avc
File download: bases/five/avc/base628c.avc
File download: bases/five/avc/base629c.avc
File download: bases/five/avc/base630c.avc
File download: bases/five/avc/base631c.avc
File download: bases/five/avc/base632c.avc
File download: bases/five/avc/base633c.avc
File download: bases/five/avc/base634c.avc
File download: bases/five/avc/base635c.avc
File download: bases/five/avc/base636c.avc
File download: bases/five/avc/base637c.avc
File download: bases/five/avc/base638c.avc
File download: bases/five/avc/base639c.avc
File download: bases/five/avc/base640c.avc
File download: bases/five/avc/base641c.avc
File download: bases/five/avc/base642c.avc
File download: bases/five/avc/base643c.avc
File download: bases/five/avc/base644c.avc
File download: bases/five/avc/base645c.avc
File download: bases/five/avc/base646c.avc
File download: bases/five/avc/base647c.avc
File download: bases/five/avc/base648c.avc
File download: bases/five/avc/base649c.avc
File download: bases/five/avc/base650c.avc
File download: bases/five/avc/base651c.avc
File download: bases/five/avc/base652c.avc
File download: bases/five/avc/base653c.avc
File download: bases/five/avc/base654c.avc
File download: bases/five/avc/base655c.avc
File download: bases/five/avc/base656c.avc
File download: bases/five/avc/base657c.avc
File download: bases/five/avc/base658c.avc
File download: bases/five/avc/base659c.avc
File download: bases/five/avc/base660c.avc
File download: bases/five/avc/base661c.avc
File download: bases/five/avc/base662c.avc
File download: bases/five/avc/base663c.avc
File download: bases/five/avc/base664c.avc
File download: bases/five/avc/base665c.avc
File download: bases/five/avc/base666c.avc
File download: bases/five/avc/base667c.avc
File download: bases/five/avc/base668c.avc
File download: bases/five/avc/base669c.avc
File download: bases/five/avc/base670c.avc
File download: bases/five/avc/base671c.avc
File download: bases/five/avc/base672c.avc
File download: bases/five/avc/base673c.avc
File download: bases/five/avc/base674c.avc
File download: bases/five/avc/base675c.avc
File download: bases/five/avc/base676c.avc
File download: bases/five/avc/base677c.avc
File download: bases/five/avc/base678c.avc
File download: bases/five/avc/base679c.avc
File download: bases/five/avc/base680c.avc
File download: bases/five/avc/base681c.avc
File download: bases/five/avc/base682c.avc
File download: bases/five/avc/base683c.avc
File download: bases/five/avc/base684c.avc
File download: bases/five/avc/base685c.avc
File download: bases/five/avc/base686c.avc
File download: bases/five/avc/base687c.avc
File download: bases/five/avc/base688c.avc
File download: bases/five/avc/base689c.avc
File download: bases/five/avc/base690c.avc
File download: bases/five/avc/base691c.avc
File download: bases/five/avc/base692c.avc
File download: bases/five/avc/base693c.avc
File download: bases/five/avc/base694c.avc
File download: bases/five/avc/base695c.avc
File download: bases/five/avc/base696c.avc
File download: bases/five/avc/base697c.avc
File download: bases/five/avc/base698c.avc
File download: bases/five/avc/base699c.avc
File download: bases/five/avc/base700c.avc
File download: bases/five/avc/base701c.avc
File download: bases/five/avc/base702c.avc
File download: bases/five/avc/base703c.avc
File download: bases/five/avc/base704c.avc
File download: bases/five/avc/base705c.avc
File download: bases/five/avc/base706c.avc
File download: bases/five/avc/base707c.avc
File download: bases/five/avc/base708c.avc
File download: bases/five/avc/base709c.avc
File download: bases/five/avc/base710c.avc
File download: bases/five/avc/base711c.avc
File download: bases/five/avc/base712c.avc
File download: bases/five/avc/base713c.avc
File download: bases/five/avc/base714c.avc
File download: bases/five/avc/base715c.avc
File download: bases/five/avc/base716c.avc
File download: bases/five/avc/base717c.avc
File download: bases/five/avc/base718c.avc
File download: bases/five/avc/base719c.avc
File download: bases/five/avc/base720c.avc
File download: bases/five/avc/base721c.avc
File download: bases/five/avc/base722c.avc
File download: bases/five/avc/base723c.avc
File download: bases/five/avc/base724c.avc
File download: bases/five/avc/base725c.avc
File download: bases/five/avc/base726c.avc
File download: bases/five/avc/base727c.avc
File download: bases/five/avc/base728c.avc
File download: bases/five/avc/base729c.avc
File download: bases/five/avc/base730c.avc
File download: bases/five/avc/base731c.avc
File download: bases/five/avc/base732c.avc
File download: bases/five/avc/base733c.avc
File download: bases/five/avc/base734c.avc
File download: bases/five/avc/base735c.avc
File download: bases/five/avc/base736c.avc
File download: bases/five/avc/base737c.avc
File download: bases/five/avc/base738c.avc
File download: bases/five/avc/base739c.avc
File download: bases/five/avc/base740c.avc
File download: bases/five/avc/base741c.avc
File download: bases/five/avc/base742c.avc
File download: bases/five/avc/base743c.avc
File download: bases/five/avc/base744c.avc
File download: bases/five/avc/base745c.avc
File download: bases/five/avc/base746c.avc
File download: bases/five/avc/base747c.avc
File download: bases/five/avc/base748c.avc
File download: bases/five/avc/base749c.avc
File download: bases/five/avc/base750c.avc
File download: bases/five/avc/base751c.avc
File download: bases/five/avc/base752c.avc
File download: bases/five/avc/base753c.avc
File download: bases/five/avc/base754c.avc
File download: bases/five/avc/base755c.avc
File download: bases/five/avc/base756c.avc
File download: bases/five/avc/base757c.avc
File download: bases/five/avc/base758c.avc
File download: bases/five/avc/base759c.avc
File download: bases/five/avc/base760c.avc
File download: bases/five/avc/base761c.avc
File download: bases/five/avc/base762c.avc
File download: bases/five/avc/base763c.avc
File download: bases/five/avc/base764c.avc
File download: bases/five/avc/base765c.avc
File download: bases/five/avc/base766c.avc
File download: bases/five/avc/base767c.avc
File download: bases/five/avc/base768c.avc
File download: bases/five/avc/base769c.avc
File download: bases/five/avc/base770c.avc
File download: bases/five/avc/base771c.avc
File download: bases/five/avc/base772c.avc
File download: bases/five/avc/base773c.avc
File download: bases/five/avc/base774c.avc
File download: bases/five/avc/base775c.avc
File download: bases/five/avc/base776c.avc
File download: bases/five/avc/base777c.avc
File download: bases/five/avc/base778c.avc
File download: bases/five/avc/base779c.avc
File download: bases/five/avc/base780c.avc
File download: bases/five/avc/base781c.avc
File download: bases/five/avc/base782c.avc
File download: bases/five/avc/base783c.avc
File download: bases/five/avc/base784c.avc
File download: bases/five/avc/base785c.avc
File download: bases/five/avc/base786c.avc
File download: bases/five/avc/base787c.avc
File download: bases/five/avc/base788c.avc
File download: bases/five/avc/base789c.avc
File download: bases/five/avc/base790c.avc
File download: bases/five/avc/base791c.avc
File download: bases/five/avc/base792c.avc
File download: bases/five/avc/base793c.avc
File download: bases/five/avc/base794c.avc
File download: bases/five/avc/base795c.avc
File download: bases/five/avc/base796c.avc
File download: bases/five/avc/base797c.avc
File download: bases/five/avc/base798c.avc
File download: bases/five/avc/base799c.avc
File download: bases/five/avc/base800c.avc
File download: bases/five/avc/base801c.avc
File download: bases/five/avc/base802c.avc
File download: bases/five/avc/base803c.avc
File download: bases/five/avc/base804c.avc
File download: bases/five/avc/base805c.avc
File download: bases/five/avc/base806c.avc
File download: bases/five/avc/base807c.avc
File download: bases/five/avc/base808c.avc
File download: bases/five/avc/base809c.avc
File download: bases/five/avc/base810c.avc
File download: bases/five/avc/base811c.avc
File download: bases/five/avc/base812c.avc
File download: bases/five/avc/base813c.avc
File download: bases/five/avc/base814c.avc
File download: bases/five/avc/base815c.avc
File download: bases/five/avc/base816c.avc
File download: bases/five/avc/base817c.avc
File download: bases/five/avc/base818c.avc
File download: bases/five/avc/base819c.avc
File download: bases/five/avc/base820c.avc
File download: bases/five/avc/base821c.avc
File download: bases/five/avc/base822c.avc
File download: bases/five/avc/base823c.avc
File download: bases/five/avc/base824c.avc
File download: bases/five/avc/base825c.avc
File download: bases/five/avc/base826c.avc
File download: bases/five/avc/base827c.avc
File download: bases/five/avc/base828c.avc
File download: bases/five/avc/base829c.avc
File download: bases/five/avc/base830c.avc
File download: bases/five/avc/base831c.avc
File download: bases/five/avc/base832c.avc
File download: bases/five/avc/base833c.avc
File download: bases/five/avc/base834c.avc
File download: bases/five/avc/base835c.avc
File download: bases/five/avc/base836c.avc
File download: bases/five/avc/base837c.avc
File download: bases/five/avc/base838c.avc
File download: bases/five/avc/base839c.avc
File download: bases/five/avc/base840c.avc
File download: bases/five/avc/base841c.avc
File download: bases/five/avc/base842c.avc
File download: bases/five/avc/base843c.avc
File download: bases/five/avc/base844c.avc
File download: bases/five/avc/base845c.avc
File download: bases/five/avc/base846c.avc
File download: bases/five/avc/base847c.avc
File download: bases/five/avc/base848c.avc
File download: bases/five/avc/base849c.avc
File download: bases/five/avc/base850c.avc
File download: bases/five/avc/base851c.avc
File download: bases/five/avc/base852c.avc
File download: bases/five/avc/base853c.avc
File download: bases/five/avc/base854c.avc
File download: bases/five/avc/base855c.avc
File download: bases/five/avc/base856c.avc
File download: bases/five/avc/base857c.avc
File download: bases/five/avc/base858c.avc
File download: bases/five/avc/base859c.avc
File download: bases/five/avc/base860c.avc
File download: bases/five/avc/base861c.avc
File download: bases/five/avc/base862c.avc
File download: bases/five/avc/base863c.avc
File download: bases/five/avc/base864c.avc
File download: bases/five/avc/base865c.avc
File download: bases/five/avc/base866c.avc
File download: bases/five/avc/base867c.avc
File download: bases/five/avc/base868c.avc
File download: bases/five/avc/base869c.avc
File download: bases/five/avc/base870c.avc
File download: bases/five/avc/base871c.avc
File download: bases/five/avc/base872c.avc
File download: bases/five/avc/base873c.avc
File download: bases/five/avc/base874c.avc
File download: bases/five/avc/base875c.avc
File download: bases/five/avc/base876c.avc
File download: bases/five/avc/base877c.avc
File download: bases/five/avc/base878c.avc
File download: bases/five/avc/base879c.avc
File download: bases/five/avc/base880c.avc
File download: bases/five/avc/base881c.avc
File download: bases/five/avc/base882c.avc
File download: bases/five/avc/base883c.avc
File download: bases/five/avc/base884c.avc
File download: bases/five/avc/base885c.avc
File download: bases/five/avc/base886c.avc
File download: bases/five/avc/base887c.avc
File download: bases/five/avc/base888c.avc
File download: bases/five/avc/base889c.avc
File download: bases/five/avc/base890c.avc
File download: bases/five/avc/base891c.avc
File download: bases/five/avc/base892c.avc
File download: bases/five/avc/base893c.avc
File download: bases/five/avc/base894c.avc
File download: bases/five/avc/base895c.avc
File download: bases/five/avc/base896c.avc
File download: bases/five/avc/base897c.avc
File download: bases/five/avc/base898c.avc
File download: bases/five/avc/base899c.avc
File download: bases/five/avc/base900c.avc
File download: bases/five/avc/base901c.avc
File download: bases/five/avc/base902c.avc
File download: bases/five/avc/base903c.avc
File download: bases/five/avc/base904c.avc
File download: bases/five/avc/base905c.avc
File download: bases/five/avc/base906c.avc
File download: bases/five/avc/base907c.avc
File download: bases/five/avc/base908c.avc
File download: bases/five/avc/base909c.avc
File download: bases/five/avc/base910c.avc
File download: bases/five/avc/base911c.avc
File download: bases/five/avc/base912c.avc
File download: bases/five/avc/base913c.avc
File download: bases/five/avc/base914c.avc
File download: bases/five/avc/base915c.avc
File download: bases/five/avc/base916c.avc
File download: bases/five/avc/base917c.avc
File download: bases/five/avc/base918c.avc
File download: bases/five/avc/base919c.avc
File download: bases/five/avc/base920c.avc
File download: bases/five/avc/base921c.avc
File download: bases/five/avc/base922c.avc
File download: bases/five/avc/base923c.avc
File download: bases/five/avc/base924c.avc
File download: bases/five/avc/base925c.avc
File download: bases/five/avc/base926c.avc
File download: bases/five/avc/base927c.avc
File download: bases/five/avc/base928c.avc
File download: bases/five/avc/base929c.avc
File download: bases/five/avc/base930c.avc
File download: bases/five/avc/base931c.avc
File download: bases/five/avc/base932c.avc
File download: bases/five/avc/base933c.avc
File download: bases/five/avc/base934c.avc
File download: bases/five/avc/base935c.avc
File download: bases/five/avc/base936c.avc
File download: bases/five/avc/base937c.avc
File download: bases/five/avc/base938c.avc
File download: bases/five/avc/base939c.avc
File download: bases/five/avc/base940c.avc
File download: bases/five/avc/base941c.avc
File download: bases/five/avc/base942c.avc
File download: bases/five/avc/base943c.avc
File download: bases/five/avc/base944c.avc
File download: bases/five/avc/base945c.avc
File download: bases/five/avc/base946c.avc
File download: bases/five/avc/base947c.avc
File download: bases/five/avc/base948c.avc
File download: bases/five/avc/base949c.avc
File download: bases/five/avc/base950c.avc
File download: bases/five/avc/base951c.avc
File download: bases/five/avc/base952c.avc
File download: bases/five/avc/base953c.avc
File download: bases/five/avc/base954c.avc
File download: bases/five/avc/base955c.avc
File download: bases/five/avc/base956c.avc
File download: bases/five/avc/base957c.avc
File download: bases/five/avc/base958c.avc
File download: bases/five/avc/base959c.avc
File download: bases/five/avc/base960c.avc
File download: bases/five/avc/base961c.avc
File download: bases/five/avc/base962c.avc
File download: bases/five/avc/base963c.avc
File download: bases/five/avc/base964c.avc
File download: bases/five/avc/base965c.avc
File download: bases/five/avc/base966c.avc
File download: bases/five/avc/base967c.avc
File download: bases/five/avc/base968c.avc
File download: bases/five/avc/base969c.avc
File download: bases/five/avc/base970c.avc
File download: bases/five/avc/base971c.avc
File download: bases/five/avc/base972c.avc
File download: bases/five/avc/base973c.avc
File download: bases/five/avc/base974c.avc
File download: bases/five/avc/base975c.avc
File download: bases/five/avc/base976c.avc
File download: bases/five/avc/base977c.avc
File download: bases/five/avc/base978c.avc
File download: bases/five/avc/base979c.avc
File download: bases/five/avc/base980c.avc
File download: bases/five/avc/base981c.avc
File download: bases/five/avc/base982c.avc
File download: bases/five/avc/base983c.avc
File download: bases/five/avc/base984c.avc
File download: bases/five/avc/base985c.avc
File download: bases/five/avc/base986c.avc
File download: bases/five/avc/base987c.avc
File download: bases/five/avc/base988c.avc
File download: bases/five/avc/base989c.avc
File download: bases/five/avc/base990c.avc
File download: bases/five/avc/base991c.avc
File download: bases/five/avc/base992c.avc
File download: bases/five/avc/base993c.avc
File download: bases/five/avc/base994c.avc
File download: bases/five/avc/base995c.avc
File download: bases/five/avc/base996c.avc
File download: bases/five/avc/base997c.avc
File download: bases/five/avc/base998c.avc
File download: bases/five/avc/base99ac.avc
File download: bases/five/avc/base99bc.avc
File download: bases/five/avc/base99cc.avc
File download: bases/five/avc/base99dc.avc
File download: bases/five/avc/base99ec.avc
File download: bases/five/avc/base99fc.avc
File download: bases/five/avc/base9a0c.avc
File download: bases/five/avc/base9a1c.avc
File download: bases/five/avc/base9a2c.avc
File download: bases/five/avc/base9a3c.avc
File download: bases/five/avc/base9a4c.avc
File download: bases/five/avc/base9a5c.avc
File download: bases/five/avc/base9a6c.avc
File download: bases/five/avc/base9a7c.avc
File download: bases/five/avc/base9a8c.avc
File download: bases/five/avc/base9a9c.avc
File download: bases/five/avc/base9aac.avc
File download: bases/five/avc/base9abc.avc
File download: bases/five/avc/base9acc.avc
File download: bases/five/avc/base9adc.avc
File download: bases/five/avc/base9aec.avc
File download: bases/five/avc/base9afc.avc
File download: bases/five/avc/base9b0c.avc
File download: bases/five/avc/base9b1c.avc
File download: bases/five/avc/base9b2c.avc
File download: bases/five/avc/base9b3c.avc
File download: bases/five/avc/base9b4c.avc
File download: bases/five/avc/base9b5c.avc
File download: bases/five/avc/base9b6c.avc
File download: bases/five/avc/base9b7c.avc
File download: bases/five/avc/base9b8c.avc
File download: bases/five/avc/base9b9c.avc
File download: bases/five/avc/base9bac.avc
File download: bases/five/avc/base9bbc.avc
File download: bases/five/avc/base9bcc.avc
File download: bases/five/avc/base9bdc.avc
File download: bases/five/avc/base9bec.avc
File download: bases/five/avc/base9bfc.avc
File download: bases/five/avc/base9c0c.avc
File download: bases/five/avc/base9c1c.avc
File download: bases/five/avc/base9c2c.avc
File download: bases/five/avc/base9c3c.avc
File download: bases/five/avc/base9c4c.avc
File download: bases/five/avc/base9c5c.avc
File download: bases/five/avc/base9c6c.avc
File download: bases/five/avc/base9c7c.avc
File download: bases/five/avc/base9c8c.avc
File download: bases/five/avc/base9c9c.avc
File download: bases/five/avc/base9cac.avc
File download: bases/five/avc/base9cbc.avc
File download: bases/five/avc/base9ccc.avc
File download: bases/five/avc/base9cdc.avc
File download: bases/five/avc/base9cec.avc
File download: bases/five/avc/base9cfc.avc
File download: bases/five/avc/base9d0c.avc
File download: bases/five/avc/base9d1c.avc
File download: bases/five/avc/base9d2c.avc
File download: bases/five/avc/base9d3c.avc
File download: bases/five/avc/base9d4c.avc
File download: bases/five/avc/base9d5c.avc
File download: bases/five/avc/base9d6c.avc
File download: bases/five/avc/base9d7c.avc
File download: bases/five/avc/base9d8c.avc
File download: bases/five/avc/base9d9c.avc
File download: bases/five/avc/base9dac.avc
File download: bases/five/avc/base9dbc.avc
File download: bases/five/avc/base9dcc.avc
File download: bases/five/avc/base9ddc.avc
File download: bases/five/avc/base9dec.avc
File download: bases/five/avc/base9dfc.avc
File download: bases/five/avc/base9e0c.avc
File download: bases/five/avc/base9e1c.avc
File download: bases/five/avc/base9e2c.avc
File download: bases/five/avc/base9e3c.avc
File download: bases/five/avc/base9e4c.avc
File download: bases/five/avc/base9e5c.avc
File download: bases/five/avc/base9e6c.avc
File download: bases/five/avc/base9e7c.avc
File download: bases/five/avc/base9e8c.avc
File download: bases/five/avc/base9e9c.avc
File download: bases/five/avc/base9eac.avc
File download: bases/five/avc/base9ebc.avc
File download: bases/five/avc/base9ecc.avc
File download: bases/five/avc/base9edc.avc
File download: bases/five/avc/base9eec.avc
File download: bases/five/avc/base9efc.avc
File download: bases/five/avc/base9f0c.avc
File download: bases/five/avc/base9f1c.avc
File download: bases/five/avc/base9f2c.avc
File download: bases/five/avc/base9f3c.avc
File download: bases/five/avc/base9f4c.avc
File download: bases/five/avc/base9f5c.avc
File download: bases/five/avc/base9f6c.avc
File download: bases/five/avc/base9f7c.avc
File download: bases/five/avc/base9f8c.avc
File download: bases/five/avc/base9f9c.avc
File download: bases/five/avc/base9fac.avc
File download: bases/five/avc/base9fbc.avc
File download: bases/five/avc/base9fcc.avc
File download: bases/five/avc/base9fdc.avc
File download: bases/five/avc/base9fec.avc
File download: bases/five/avc/base9ffc.avc
File download: bases/five/avc/basea00c.avc
File download: bases/five/avc/basea01c.avc
File download: bases/five/avc/basea02c.avc
File download: bases/five/avc/basea03c.avc
File download: bases/five/avc/basea04c.avc
File download: bases/five/avc/basea05c.avc
File download: bases/five/avc/basea06c.avc
File download: bases/five/avc/basea07c.avc
File download: bases/five/avc/basea08c.avc
File download: bases/five/avc/basea09c.avc
File download: bases/five/avc/basea0ac.avc
File download: bases/five/avc/basea0bc.avc
File download: bases/five/avc/basea0cc.avc
File download: bases/five/avc/basea0dc.avc
File download: bases/five/avc/basea0ec.avc
File download: bases/five/avc/basea0fc.avc
File download: bases/five/avc/basea10c.avc
File download: bases/five/avc/basea11c.avc
File download: bases/five/avc/basea12c.avc
File download: bases/five/avc/basea13c.avc
File download: bases/five/avc/basea14c.avc
File download: bases/five/avc/basea15c.avc
File download: bases/five/avc/basea16c.avc
File download: bases/five/avc/basea17c.avc
File download: bases/five/avc/basea18c.avc
File download: bases/five/avc/basea19c.avc
File download: bases/five/avc/basea1ac.avc
File download: bases/five/avc/basea1bc.avc
File download: bases/five/avc/basea1cc.avc
File download: bases/five/avc/basea1dc.avc
File download: bases/five/avc/basea1ec.avc
File download: bases/five/avc/basea1fc.avc
File download: bases/five/avc/basea20c.avc
File download: bases/five/avc/basea21c.avc
File download: bases/five/avc/basea22c.avc
File download: bases/five/avc/basea23c.avc
File download: bases/five/avc/basea24c.avc
File download: bases/five/avc/basea25c.avc
File download: bases/five/avc/basea26c.avc
File download: bases/five/avc/basea27c.avc
File download: bases/five/avc/basea28c.avc
File download: bases/five/avc/basea29c.avc
File download: bases/five/avc/basea2ac.avc
File download: bases/five/avc/basea2bc.avc
File download: bases/five/avc/basea2cc.avc
File download: bases/five/avc/basea2dc.avc
File download: bases/five/avc/basea2ec.avc
File download: bases/five/avc/basea2fc.avc
File download: bases/five/avc/basea30c.avc
File download: bases/five/avc/basea31c.avc
File download: bases/five/avc/basea32c.avc
File download: bases/five/avc/basea33c.avc
File download: bases/five/avc/basea34c.avc
File download: bases/five/avc/basea35c.avc
File download: bases/five/avc/basea36c.avc
File download: bases/five/avc/basea37c.avc
File download: bases/five/avc/basea38c.avc
File download: bases/five/avc/basea39c.avc
File download: bases/five/avc/basea3ac.avc
File download: bases/five/avc/basea3bc.avc
File download: bases/five/avc/basea3cc.avc
File download: bases/five/avc/basea3dc.avc
File download: bases/five/avc/basea3ec.avc
File download: bases/five/avc/basea3fc.avc
File download: bases/five/avc/basea40c.avc
File download: bases/five/avc/basea41c.avc
File download: bases/five/avc/basea42c.avc
File download: bases/five/avc/basea43c.avc
File download: bases/five/avc/basea44c.avc
File download: bases/five/avc/basea45c.avc
File download: bases/five/avc/basea46c.avc
File download: bases/five/avc/basea47c.avc
File download: bases/five/avc/basea48c.avc
File download: bases/five/avc/basea49c.avc
File download: bases/five/avc/basea4ac.avc
File download: bases/five/avc/basea4bc.avc
File download: bases/five/avc/basea4cc.avc
File download: bases/five/avc/basea4dc.avc
File download: bases/five/avc/basea4ec.avc
File download: bases/five/avc/basea4fc.avc
File download: bases/five/avc/basea50c.avc
File download: bases/five/avc/basea51c.avc
File download: bases/five/avc/basea52c.avc
File download: bases/five/avc/basea53c.avc
File download: bases/five/avc/basea54c.avc
File download: bases/five/avc/basea55c.avc
File download: bases/five/avc/basea56c.avc
File download: bases/five/avc/basea57c.avc
File download: bases/five/avc/basea58c.avc
File download: bases/five/avc/basea59c.avc
File download: bases/five/avc/basea5ac.avc
File download: bases/five/avc/basea5bc.avc
File download: bases/five/avc/basea5cc.avc
File download: bases/five/avc/basea5dc.avc
File download: bases/five/avc/basea5ec.avc
File download: bases/five/avc/basea5fc.avc
File download: bases/five/avc/basea60c.avc
File download: bases/five/avc/basea61c.avc
File download: bases/five/avc/basea62c.avc
File download: bases/five/avc/basea63c.avc
File download: bases/five/avc/basea64c.avc
File download: bases/five/avc/basea65c.avc
File download: bases/five/avc/basea66c.avc
File download: bases/five/avc/basea67c.avc
File download: bases/five/avc/basea68c.avc
File download: bases/five/avc/basea69c.avc
File download: bases/five/avc/basea6ac.avc
File download: bases/five/avc/basea6bc.avc
File download: bases/five/avc/basea6cc.avc
File download: bases/five/avc/basea6dc.avc
File download: bases/five/avc/basea6ec.avc
File download: bases/five/avc/basea6fc.avc
File download: bases/five/avc/basea70c.avc
File download: bases/five/avc/basea71c.avc
File download: bases/five/avc/basea72c.avc
File download: bases/five/avc/basea73c.avc
File download: bases/five/avc/basea74c.avc
File download: bases/five/avc/basea75c.avc
File download: bases/five/avc/basea76c.avc
File download: bases/five/avc/basea77c.avc
File download: bases/five/avc/basea78c.avc
File download: bases/five/avc/basea79c.avc
File download: bases/five/avc/basea7ac.avc
File download: bases/five/avc/basea7bc.avc
File download: bases/five/avc/basea7cc.avc
File download: bases/five/avc/basea7dc.avc
File download: bases/five/avc/basea7ec.avc
File download: bases/five/avc/basea7fc.avc
File download: bases/five/avc/basea80c.avc
File download: bases/five/avc/basea81c.avc
File download: bases/five/avc/basea82c.avc
File download: bases/five/avc/basea83c.avc
File download: bases/five/avc/basea84c.avc
File download: bases/five/avc/basea85c.avc
File download: bases/five/avc/basea86c.avc
File download: bases/five/avc/basea87c.avc
File download: bases/five/avc/basea88c.avc
File download: bases/five/avc/basea89c.avc
File download: bases/five/avc/basea8ac.avc
File download: bases/five/avc/basea8bc.avc
File download: bases/five/avc/basea8cc.avc
File download: bases/five/avc/basea8dc.avc
File download: bases/five/avc/basea8ec.avc
File download: bases/five/avc/basea8fc.avc
File download: bases/five/avc/basea90c.avc
File download: bases/five/avc/basea91c.avc
File download: bases/five/avc/basea92c.avc
File download: bases/five/avc/basea93c.avc
File download: bases/five/avc/basea94c.avc
File download: bases/five/avc/basea95c.avc
File download: bases/five/avc/basea96c.avc
File download: bases/five/avc/basea97c.avc
File download: bases/five/avc/basea98c.avc
File download: bases/five/avc/basea99c.avc
File download: bases/five/avc/basea9ac.avc
File download: bases/five/avc/basea9bc.avc
File download: bases/five/avc/basea9cc.avc
File download: bases/five/avc/basea9dc.avc
File download: bases/five/avc/basea9ec.avc
File download: bases/five/avc/basea9fc.avc
File download: bases/five/avc/baseaa0c.avc
File download: bases/five/avc/baseaa1c.avc
File download: bases/five/avc/baseaa2c.avc
File download: bases/five/avc/baseaa3c.avc
File download: bases/five/avc/baseaa4c.avc
File download: bases/five/avc/baseaa5c.avc
File download: bases/five/avc/baseaa6c.avc
File download: bases/five/avc/baseaa7c.avc
File download: bases/five/avc/baseaa8c.avc
File download: bases/five/avc/baseaa9c.avc
File download: bases/five/avc/baseaaac.avc
File download: bases/five/avc/baseaabc.avc
File download: bases/five/avc/baseaacc.avc
File download: bases/five/avc/baseaadc.avc
File download: bases/five/avc/baseaaec.avc
File download: bases/five/avc/baseaafc.avc
File download: bases/five/avc/baseab0c.avc
File download: bases/five/avc/baseab1c.avc
File download: bases/five/avc/baseab2c.avc
File download: bases/five/avc/baseab3c.avc
File download: bases/five/avc/baseab4c.avc
File download: bases/five/avc/baseab5c.avc
File download: bases/five/avc/baseab6c.avc
File download: bases/five/avc/baseab7c.avc
File download: bases/five/avc/baseab8c.avc
File download: bases/five/avc/baseab9c.avc
File download: bases/five/avc/dailyc.avc
File download: bases/five/avc/ext001c.avc
File download: bases/five/avc/ext002c.avc
File download: bases/five/avc/ext003c.avc
File download: bases/five/avc/ext004c.avc
File download: bases/five/avc/ext005c.avc
File download: bases/five/avc/ext006c.avc
File download: bases/five/avc/ext007c.avc
File download: bases/five/avc/ext008c.avc
File download: bases/five/avc/ext009c.avc
File download: bases/five/avc/ext010c.avc
File download: bases/five/avc/ext011c.avc
File download: bases/five/avc/ext012c.avc
File download: bases/five/avc/ext013c.avc
File download: bases/five/avc/ext014c.avc
File download: bases/five/avc/ext015c.avc
File download: bases/five/avc/ext016c.avc
File download: bases/five/avc/ext017c.avc
File download: bases/five/avc/ext018c.avc
File download: bases/five/avc/ext019c.avc
File download: bases/five/avc/ext020c.avc
File download: bases/five/avc/ext021c.avc
File download: bases/five/avc/ext022c.avc
File download: bases/five/avc/ext023c.avc
File download: bases/five/avc/ext024c.avc
File download: bases/five/avc/ext025c.avc
File download: bases/five/avc/ext026c.avc
File download: bases/five/avc/ext027c.avc
File download: bases/five/avc/ext028c.avc
File download: bases/five/avc/ext029c.avc
File download: bases/five/avc/ext030c.avc
File download: bases/five/avc/ext031c.avc
File download: bases/five/avc/ext032c.avc
File download: bases/five/avc/ext033c.avc
File download: bases/five/avc/ext034c.avc
File download: bases/five/avc/ext035c.avc
File download: bases/five/avc/ext036c.avc
File download: bases/five/avc/ext037c.avc
File download: bases/five/avc/ext038c.avc
File download: bases/five/avc/ext039c.avc
File download: bases/five/avc/ext040c.avc
File download: bases/five/avc/ext041c.avc
File download: bases/five/avc/ext042c.avc
File download: bases/five/avc/ext043c.avc
File download: bases/five/avc/ext044c.avc
File download: bases/five/avc/ext045c.avc
File download: bases/five/avc/ext046c.avc
File download: bases/five/avc/ext047c.avc
File download: bases/five/avc/ext048c.avc
File download: bases/five/avc/ext049c.avc
File download: bases/five/avc/ext050c.avc
File download: bases/five/avc/ext051c.avc
File download: bases/five/avc/ext052c.avc
File download: bases/five/avc/ext053c.avc
File download: bases/five/avc/ext054c.avc
File download: bases/five/avc/ext055c.avc
File download: bases/five/avc/ext056c.avc
File download: bases/five/avc/ext057c.avc
File download: bases/five/avc/ext058c.avc
File download: bases/five/avc/ext059c.avc
File download: bases/five/avc/ext060c.avc
File download: bases/five/avc/ext061c.avc
File download: bases/five/avc/ext062c.avc
File download: bases/five/avc/ext063c.avc
File download: bases/five/avc/ext064c.avc
File download: bases/five/avc/ext065c.avc
File download: bases/five/avc/ext066c.avc
File download: bases/five/avc/ext067c.avc
File download: bases/five/avc/ext068c.avc
File download: bases/five/avc/ext069c.avc
File download: bases/five/avc/ext070c.avc
File download: bases/five/avc/ext071c.avc
File download: bases/five/avc/ext072c.avc
File download: bases/five/avc/ext073c.avc
File download: bases/five/avc/ext074c.avc
File download: bases/five/avc/ext075c.avc
File download: bases/five/avc/ext076c.avc
File download: bases/five/avc/ext077c.avc
File download: bases/five/avc/ext078c.avc
File download: bases/five/avc/ext079c.avc
File download: bases/five/avc/ext080c.avc
File download: bases/five/avc/ext081c.avc
File download: bases/five/avc/ext082c.avc
File download: bases/five/avc/ext083c.avc
File download: bases/five/avc/ext084c.avc
File download: bases/five/avc/ext085c.avc
File download: bases/five/avc/ext086c.avc
File download: bases/five/avc/ext087c.avc
File download: bases/five/avc/ext088c.avc
File download: bases/five/avc/ext089c.avc
File download: bases/five/avc/ext090c.avc
File download: bases/five/avc/ext091c.avc
File download: bases/five/avc/ext092c.avc
File download: bases/five/avc/ext093c.avc
File download: bases/five/avc/ext094c.avc
File download: bases/five/avc/ext095c.avc
File download: bases/five/avc/ext096c.avc
File download: bases/five/avc/ext097c.avc
File download: bases/five/avc/ext098c.avc
File download: bases/five/avc/ext099c.avc
File download: bases/five/avc/ext100c.avc
File download: bases/five/avc/ext101c.avc
File download: bases/five/avc/ext102c.avc
File download: bases/five/avc/ext103c.avc
File download: bases/five/avc/ext104c.avc
File download: bases/five/avc/ext105c.avc
File download: bases/five/avc/ext106c.avc
File download: bases/five/avc/ext107c.avc
File download: bases/five/avc/ext108c.avc
File download: bases/five/avc/ext109c.avc
File download: bases/five/avc/ext110c.avc
File download: bases/five/avc/ext111c.avc
File download: bases/five/avc/ext112c.avc
File download: bases/five/avc/ext113c.avc
File download: bases/five/avc/ext114c.avc
File download: bases/five/avc/ext115c.avc
File download: bases/five/avc/ext116c.avc
File download: bases/five/avc/ext117c.avc
File download: bases/five/avc/ext118c.avc
File download: bases/five/avc/ext119c.avc
File download: bases/five/avc/ext120c.avc
File download: bases/five/avc/ext121c.avc
File download: bases/five/avc/ext122c.avc
File download: bases/five/avc/ext123c.avc
File download: bases/five/avc/ext124c.avc
File download: bases/five/avc/ext125c.avc
File download: bases/five/avc/ext126c.avc
File download: bases/five/avc/ext127c.avc
File download: bases/five/avc/ext128c.avc
File download: bases/five/avc/ext129c.avc
File download: bases/five/avc/daily-ec.avc
File download: bases/five/avc/base001.avc
File download: bases/five/avc/base002.avc
File download: bases/five/avc/base003.avc
File download: bases/five/avc/base004.avc
File download: bases/five/avc/base005.avc
File download: bases/five/avc/base006.avc
File download: bases/five/avc/base007.avc
File download: bases/five/avc/base008.avc
File download: bases/five/avc/base009.avc
File download: bases/five/avc/base010.avc
File download: bases/five/avc/base011.avc
File download: bases/five/avc/base012.avc
File download: bases/five/avc/base013.avc
File download: bases/five/avc/base014.avc
File download: bases/five/avc/base015.avc
File download: bases/five/avc/base016.avc
File download: bases/five/avc/base017.avc
File download: bases/five/avc/base018.avc
File download: bases/five/avc/base019.avc
File download: bases/five/avc/base020.avc
File download: bases/five/avc/base021.avc
File download: bases/five/avc/base022.avc
File download: bases/five/avc/base023.avc
File download: bases/five/avc/base024.avc
File download: bases/five/avc/base025.avc
File download: bases/five/avc/base026.avc
File download: bases/five/avc/base027.avc
File download: bases/five/avc/base028.avc
File download: bases/five/avc/base029.avc
File download: bases/five/avc/base030.avc
File download: bases/five/avc/base031.avc
File download: bases/five/avc/base032.avc
File download: bases/five/avc/base033.avc
File download: bases/five/avc/base034.avc
File download: bases/five/avc/base035.avc
File download: bases/five/avc/base036.avc
File download: bases/five/avc/base037.avc
File download: bases/five/avc/base038.avc
File download: bases/five/avc/base039.avc
File download: bases/five/avc/base040.avc
File download: bases/five/avc/base041.avc
File download: bases/five/avc/base042.avc
File download: bases/five/avc/base043.avc
File download: bases/five/avc/base044.avc
File download: bases/five/avc/base045.avc
File download: bases/five/avc/base046.avc
File download: bases/five/avc/base047.avc
File download: bases/five/avc/base048.avc
File download: bases/five/avc/base049.avc
File download: bases/five/avc/base050.avc
File download: bases/five/avc/base051.avc
File download: bases/five/avc/base052.avc
File download: bases/five/avc/base053.avc
File download: bases/five/avc/base054.avc
File download: bases/five/avc/base055.avc
File download: bases/five/avc/base056.avc
File download: bases/five/avc/base057.avc
File download: bases/five/avc/base058.avc
File download: bases/five/avc/base059.avc
File download: bases/five/avc/base060.avc
File download: bases/five/avc/base061.avc
File download: bases/five/avc/base062.avc
File download: bases/five/avc/base063.avc
File download: bases/five/avc/base064.avc
File download: bases/five/avc/base065.avc
File download: bases/five/avc/base066.avc
File download: bases/five/avc/base067.avc
File download: bases/five/avc/base068.avc
File download: bases/five/avc/base069.avc
File download: bases/five/avc/base070.avc
File download: bases/five/avc/base071.avc
File download: bases/five/avc/base072.avc
File download: bases/five/avc/base073.avc
File download: bases/five/avc/base074.avc
File download: bases/five/avc/base075.avc
File download: bases/five/avc/base076.avc
File download: bases/five/avc/base077.avc
File download: bases/five/avc/base078.avc
File download: bases/five/avc/base079.avc
File download: bases/five/avc/base080.avc
File download: bases/five/avc/base081.avc
File download: bases/five/avc/base082.avc
File download: bases/five/avc/base083.avc
File download: bases/five/avc/base084.avc
File download: bases/five/avc/base085.avc
File download: bases/five/avc/base086.avc
File download: bases/five/avc/base087.avc
File download: bases/five/avc/base088.avc
File download: bases/five/avc/base089.avc
File download: bases/five/avc/base090.avc
File download: bases/five/avc/base091.avc
File download: bases/five/avc/base092.avc
File download: bases/five/avc/base093.avc
File download: bases/five/avc/base094.avc
File download: bases/five/avc/base095.avc
File download: bases/five/avc/base096.avc
File download: bases/five/avc/base097.avc
File download: bases/five/avc/base098.avc
File download: bases/five/avc/base099.avc
File download: bases/five/avc/base100.avc
File download: bases/five/avc/base101.avc
File download: bases/five/avc/base102.avc
File download: bases/five/avc/base103.avc
File download: bases/five/avc/base104.avc
File download: bases/five/avc/base105.avc
File download: bases/five/avc/base106.avc
File download: bases/five/avc/base107.avc
File download: bases/five/avc/base108.avc
File download: bases/five/avc/base109.avc
File download: bases/five/avc/base110.avc
File download: bases/five/avc/base111.avc
File download: bases/five/avc/base112.avc
File download: bases/five/avc/base113.avc
File download: bases/five/avc/base114.avc
File download: bases/five/avc/base115.avc
File download: bases/five/avc/base116.avc
File download: bases/five/avc/base117.avc
File download: bases/five/avc/base118.avc
File download: bases/five/avc/base119.avc
File download: bases/five/avc/base120.avc
File download: bases/five/avc/base121.avc
File download: bases/five/avc/base122.avc
File download: bases/five/avc/base123.avc
File download: bases/five/avc/base124.avc
File download: bases/five/avc/base125.avc
File download: bases/five/avc/base126.avc
File download: bases/five/avc/base127.avc
File download: bases/five/avc/base128.avc
File download: bases/five/avc/base129.avc
File download: bases/five/avc/base130.avc
File download: bases/five/avc/base131.avc
File download: bases/five/avc/base132.avc
File download: bases/five/avc/base133.avc
File download: bases/five/avc/base134.avc
File download: bases/five/avc/base135.avc
File download: bases/five/avc/base136.avc
File download: bases/five/avc/base137.avc
File download: bases/five/avc/base138.avc
File download: bases/five/avc/base139.avc
File download: bases/five/avc/base140.avc
File download: bases/five/avc/base141.avc
File download: bases/five/avc/base142.avc
File download: bases/five/avc/base143.avc
File download: bases/five/avc/base144.avc
File download: bases/five/avc/base145.avc
File download: bases/five/avc/base146.avc
File download: bases/five/avc/base147.avc
File download: bases/five/avc/base148.avc
File download: bases/five/avc/base149.avc
File download: bases/five/avc/base150.avc
File download: bases/five/avc/base151.avc
File download: bases/five/avc/base152.avc
File download: bases/five/avc/base153.avc
File download: bases/five/avc/base154.avc
File download: bases/five/avc/base155.avc
File download: bases/five/avc/base156.avc
File download: bases/five/avc/base157.avc
File download: bases/five/avc/base158.avc
File download: bases/five/avc/base159.avc
File download: bases/five/avc/base160.avc
File download: bases/five/avc/base161.avc
File download: bases/five/avc/base162.avc
File download: bases/five/avc/base163.avc
File download: bases/five/avc/base164.avc
File download: bases/five/avc/base165.avc
File download: bases/five/avc/base166.avc
File download: bases/five/avc/base167.avc
File download: bases/five/avc/base168.avc
File download: bases/five/avc/base169.avc
File download: bases/five/avc/base999.avc
File download: bases/five/avc/unp000.avc
File download: bases/five/avc/unp001.avc
File download: bases/five/avc/unp002.avc
File download: bases/five/avc/unp003.avc
File download: bases/five/avc/unp004.avc
File download: bases/five/avc/unp005.avc
File download: bases/five/avc/unp006.avc
File download: bases/five/avc/unp007.avc
File download: bases/five/avc/unp008.avc
File download: bases/five/avc/unp009.avc
File download: bases/five/avc/unp010.avc
File download: bases/five/avc/unp011.avc
File download: bases/five/avc/unp012.avc
File download: bases/five/avc/unp013.avc
File download: bases/five/avc/unp014.avc
File download: bases/five/avc/unp015.avc
File download: bases/five/avc/unp016.avc
File download: bases/five/avc/unp017.avc
File download: bases/five/avc/unp018.avc
File download: bases/five/avc/unp019.avc
File download: bases/five/avc/unp020.avc
File download: bases/five/avc/unp021.avc
File download: bases/five/avc/unp022.avc
File download: bases/five/avc/unp023.avc
File download: bases/five/avc/unp024.avc
File download: bases/five/avc/unp025.avc
File download: bases/five/avc/unp026.avc
File download: bases/five/avc/unp027.avc
File download: bases/five/avc/unp028.avc
File download: bases/five/avc/unp029.avc
File download: bases/five/avc/unp030.avc
File download: bases/five/avc/unp031.avc
File download: bases/five/avc/unp032.avc
File download: bases/five/avc/unp033.avc
File download: bases/five/avc/unp034.avc
File download: bases/five/avc/unp035.avc
File download: bases/five/avc/unp036.avc
File download: bases/five/avc/unp037.avc
File download: bases/five/avc/unp038.avc
File download: bases/five/avc/unp039.avc
File download: bases/five/avc/unp040.avc
File download: bases/five/avc/unp041.avc
File download: bases/five/avc/unp042.avc
File download: bases/five/avc/unp043.avc
File download: bases/five/avc/unp044.avc
File download: bases/five/avc/unp045.avc
File download: bases/five/avc/unp999.avc
File download: bases/five/avc/daily.avc
File download: bases/five/avc/daily-ex.avc
File download: bases/five/avc/mail.avc
File download: bases/five/avc/ext001.avc
File download: bases/five/avc/ext002.avc
File download: bases/five/avc/ext003.avc
File download: bases/five/avc/ext004.avc
File download: bases/five/avc/ext005.avc
File download: bases/five/avc/ext006.avc
File download: bases/five/avc/ext007.avc
File download: bases/five/avc/ext008.avc
File download: bases/five/avc/ext009.avc
File download: bases/five/avc/ext999.avc
File download: bases/five/avc/gen001.avc
File download: bases/five/avc/gen002.avc
File download: bases/five/avc/gen003.avc
File download: bases/five/avc/gen004.avc
File download: bases/five/avc/gen005.avc
File download: bases/five/avc/gen006.avc
File download: bases/five/avc/gen999.avc
File download: bases/five/avc/ca001.avc
File download: bases/five/avc/ca002.avc
File download: bases/five/avc/ca003.avc
File download: bases/five/avc/fa.avc
File download: bases/five/avc/eicar.avc
File download: bases/five/avc/verdicts.ini
File download: bases/five/avc/engine.dt
File download: bases/five/avc/engine.cfg
File download: bases/five/avc/avcmhk5.mhk
File download: bases/five/avc/avp.set
File download: bases/five/avc/avp_ext.set
File download: bases/five/avc/avp_x.set
File download: bases/five/avc/avp.vnd
File download: bases/five/avc/avp.klb

Update has failed The program could not be started. Please close the window of Kaspersky Online Scanner 7.0 and start the program again from the web site of Kaspersky Lab. Successful updating of Kaspersky Online Scanner 7.0 and scanning of your computer requires uninterrupted Internet connection. Please make sure that the Internet connection is established. [ERROR: Scanning could not be started. [0x80004005]]


2nd try
The program is starting. Please wait...
Updates source is selected: http://www.kaspersky.com
File download: packages/kos-extras.jar
The program is started.

Updating the anti-virus database. Please wait...
Updates source is selected: http://dnl-04.geo.kaspersky.com/
File download: index/master.xml.klz

Update has failed The program could not be started. Please close the window of Kaspersky Online Scanner 7.0 and start the program again from the web site of Kaspersky Lab. Successful updating of Kaspersky Online Scanner 7.0 and scanning of your computer requires uninterrupted Internet connection. Please make sure that the Internet connection is established. [ERROR: Scanning could not be started. [0x80004005]]

Launch of the Java application is interrupted! Please establish an uninterrupted Internet connection for work with this program.



Here are the logs from Malwarebytes:

Malwarebytes' Anti-Malware 1.41
Database version: 3176
Windows 5.1.2600 Service Pack 3

11/15/2009 4:04:29 PM
mbam-log-2009-11-15 (16-04-29).txt

Scan type: Full Scan (C:\|)
Objects scanned: 229261
Time elapsed: 43 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Thank you for your help SweetTech

St John

#9 SweetTech

SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,368 posts

Posted 15 November 2009 - 10:59 PM

In regards to your text being backwards when you type something in your internet browser a simple restart of your computer should fix that issue.

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Please make sure you include the following items in your next post:
1. The log that was produced after running ComboFix.
2. The log that was produced after running the ESET Online Scanner.
3. An update on how your computer is currently running.

Posted Image
 

Proud Graduate of the WTT Classroom
 
Posted Image


#10 stjohn

stjohn

    New Member

  • Authentic Member
  • Pip
  • 8 posts

Posted 16 November 2009 - 02:16 AM

Thank you for your help. Here are the logs.

ComboFix 09-11-16.04 - User 11/16/2009 1:26.3.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.438 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1356 [VPS 091115-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
.

((((((((((((((((((((((((( Files Created from 2009-10-16 to 2009-11-16 )))))))))))))))))))))))))))))))
.

2009-11-16 05:35 . 2009-11-16 05:38 -------- d-----w- c:\windows\LastGood
2009-11-15 08:10 . 2009-09-15 11:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-15 08:10 . 2009-09-15 11:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-15 08:10 . 2009-09-15 11:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-15 08:10 . 2009-09-15 11:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-15 08:10 . 2009-09-15 11:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-15 08:10 . 2009-09-15 11:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-15 08:10 . 2009-09-15 11:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-15 08:10 . 2009-09-15 11:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-15 08:10 . 2009-09-15 11:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-15 05:59 . 2009-11-15 05:59 -------- d-----w- c:\program files\Alwil Software
2009-11-15 02:36 . 2006-03-15 09:00 4224 ----a-w- c:\windows\system32\dllcache\beep.sys
2009-11-15 02:36 . 2006-03-15 09:00 4224 ------w- c:\windows\system32\drivers\beep.sys
2009-11-15 02:15 . 2009-11-15 02:15 3310608 ----a-w- c:\program files\ccsetup225.exe
2009-11-13 10:23 . 2009-11-13 10:23 165232 ---ha-w- c:\documents and settings\User\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
2009-11-13 10:22 . 2009-11-13 10:22 -------- d-----w- c:\program files\Microsoft Virtual PC
2009-11-13 10:16 . 2009-11-13 10:20 31884672 ----a-w- c:\program files\virtualpc2007.exe
2009-11-13 05:47 . 2009-11-13 05:47 -------- d-----w- c:\program files\ERUNT
2009-11-06 18:17 . 2009-11-06 18:17 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-11-06 18:16 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-06 18:16 . 2009-11-08 23:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-06 18:16 . 2009-11-06 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-06 18:16 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-06 18:12 . 2009-11-06 18:13 4045544 ----a-w- c:\program files\mbam-setup.exe
2009-11-06 08:42 . 2009-11-06 08:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-11-06 08:41 . 2009-11-06 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-11-06 08:41 . 2009-11-06 08:41 -------- d-----w- c:\program files\Common Files\iS3
2009-11-06 08:36 . 2009-11-06 08:36 390656 ----a-w- c:\program files\STOPzilla_Setup.exe
2009-10-20 02:24 . 2009-10-20 02:24 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-10-19 04:33 . 2009-10-19 04:33 -------- d-----w- c:\documents and settings\User\Application Data\AVS4YOU
2009-10-19 04:33 . 2009-10-19 04:33 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-10-19 04:31 . 2009-10-19 04:33 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-10-19 04:31 . 2009-10-19 04:33 -------- d-----w- c:\program files\AVS4YOU
2009-10-19 04:31 . 2008-08-13 15:22 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2009-10-19 04:31 . 2008-08-13 15:22 24576 ----a-w- c:\windows\system32\msxml3a.dll
2009-10-18 03:23 . 2009-10-18 03:23 -------- d-----w- c:\program files\Flash Player Pro
2009-10-18 03:22 . 2009-10-18 03:22 3456313 ----a-w- c:\program files\FlashMediaPlayer.exe
2009-10-18 03:00 . 2009-10-18 03:09 46323904 ----a-w- C:\AVSVideoConverter.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-16 05:39 . 2007-09-17 23:51 -------- d-----w- c:\program files\Call of Duty Game of the Year Edition
2009-11-16 04:42 . 2008-09-05 01:23 138376 -c--a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-11-16 04:41 . 2008-09-05 01:23 202448 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-11-16 00:36 . 2008-08-30 22:07 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-15 02:16 . 2009-06-07 21:56 -------- d-----w- c:\program files\CCleaner
2009-11-06 19:40 . 2009-11-06 19:39 840 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-10-14 22:37 . 2008-08-30 18:14 -------- d-----w- c:\program files\XoftSpySE
2009-09-21 03:39 . 2009-09-21 03:38 9008576 ----a-w- c:\program files\windows-kb890830-v2.14.exe
2009-04-22 03:09 . 2009-04-22 03:08 4399670 -c--a-w- c:\program files\zen-cart-v1.3.8a-full-fileset-12112007.zip
2008-10-19 18:04 . 2008-10-19 17:58 25740144 -c--a-w- c:\program files\wmp11-windowsxp-x86-enu.exe
2008-10-12 19:41 . 2008-10-12 19:37 20355856 -c--a-w- c:\program files\sdsetup.exe
2008-08-31 22:03 . 2008-08-31 22:02 1077448 -c--a-w- c:\program files\RegCureSetup_1501_CB.exe
2008-08-30 00:25 . 2008-08-23 21:57 12413440 -c--a-w- c:\program files\avgas-setup-7.5.1.43.exe
2008-07-25 23:57 . 2008-07-25 23:54 3714959 -c--a-w- c:\program files\Stickman4.zip
2008-06-29 06:19 . 2008-06-29 06:19 318904 -c--a-w- c:\program files\wmpfirefoxplugin.exe
2008-06-27 22:10 . 2008-06-27 22:07 5319506 -c--a-w- c:\program files\Stickman5.zip
2008-06-27 05:27 . 2008-06-27 05:27 496085 -c--a-w- c:\program files\Pivot.zip
2008-05-18 05:39 . 2008-05-18 05:37 9722720 -c--a-w- c:\program files\spybotsd152.exe
2008-01-27 20:45 . 2008-01-27 20:44 13413048 -c--a-w- c:\program files\Google_Earth_BZXD.exe
2008-01-21 21:15 . 2008-01-21 21:15 2514811 -c--a-w- c:\program files\First_Spaceship_on_Venus.avi.torrent.exe
2008-01-19 03:44 . 2008-01-19 03:44 837811 -c--a-w- c:\program files\AntilagXP.zip
2008-01-19 03:38 . 2008-01-19 03:38 15486287 -c--a-w- c:\program files\BZFMapPakII.exe
2008-01-18 00:32 . 2008-01-18 00:32 6026816 -c--a-w- c:\program files\Firefox Setup 2.0.0.11.exe
2008-01-16 05:34 . 2008-01-16 05:34 1491592 -c--a-w- c:\program files\install_flash_player.exe
2008-01-15 17:00 . 2008-01-11 00:39 54330664 -c--a-w- c:\program files\iTunesSetup.exe
2008-01-07 02:19 . 2008-01-07 02:19 523976 -c--a-w- c:\program files\PopUpStopperFree.exe
2008-01-01 21:47 . 2008-01-01 21:51 83848 -c--a-w- c:\program files\1394.zip
2008-01-01 20:49 . 2008-01-01 20:53 5103056 -c--a-w- c:\program files\DriverDetective.exe
2007-06-04 17:39 . 2008-02-10 15:40 1605557 -c--a-w- c:\program files\WIN32-MPEG2-cafecf94a20d.exe
2007-06-04 17:25 . 2008-01-26 00:14 899414 -c--a-w- c:\program files\SetupDVDDecrypter_3.5.4.0.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-11-13_21.55.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-15 23:43 . 2009-11-15 23:43 16384 c:\windows\temp\Perflib_Perfdata_104.dat
+ 2006-09-28 12:27 . 2009-08-07 00:24 53472 c:\windows\system32\wuauclt.exe
+ 2009-11-16 05:35 . 2009-08-07 00:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
+ 2009-11-16 05:35 . 2009-08-07 00:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2006-09-28 12:27 . 2009-08-07 00:24 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 2006-09-28 00:01 . 2009-08-07 00:24 96480 c:\windows\system32\dllcache\cdm.dll
+ 2006-09-28 00:01 . 2009-08-07 00:24 96480 c:\windows\system32\cdm.dll
+ 2009-11-16 05:35 . 2008-10-16 18:09 43544 c:\windows\LastGood\system32\wups2.dll
+ 2009-11-16 05:35 . 2008-10-16 18:08 34328 c:\windows\LastGood\system32\wups.dll
+ 2009-11-16 05:35 . 2008-10-16 18:09 51224 c:\windows\LastGood\system32\wuauclt.exe
+ 2009-11-16 05:35 . 2008-10-16 18:09 92696 c:\windows\LastGood\system32\cdm.dll
+ 2006-09-28 12:27 . 2009-08-07 00:24 209632 c:\windows\system32\wuweb.dll
+ 2006-09-28 12:27 . 2009-08-07 00:24 327896 c:\windows\system32\wucltui.dll
+ 2006-09-28 12:27 . 2009-08-07 00:23 575704 c:\windows\system32\wuapi.dll
+ 2006-09-28 12:27 . 2009-08-07 00:24 209632 c:\windows\system32\dllcache\wuweb.dll
+ 2006-09-28 12:27 . 2009-08-07 00:24 327896 c:\windows\system32\dllcache\wucltui.dll
+ 2006-09-28 12:27 . 2009-08-07 00:23 575704 c:\windows\system32\dllcache\wuapi.dll
+ 2009-11-16 05:35 . 2008-10-16 18:12 202776 c:\windows\LastGood\system32\wuweb.dll
+ 2009-11-16 05:35 . 2008-10-16 18:12 323608 c:\windows\LastGood\system32\wucltui.dll
+ 2009-11-16 05:35 . 2008-10-16 18:12 561688 c:\windows\LastGood\system32\wuapi.dll
+ 2006-09-28 12:27 . 2009-08-07 00:23 1929952 c:\windows\system32\wuaueng.dll
+ 2006-09-28 12:27 . 2009-08-07 00:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
+ 2009-11-16 05:35 . 2008-10-16 18:13 1809944 c:\windows\LastGood\system32\wuaueng.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\BlogTorrent\\btdownloadgui.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BZinstall14L\\bzone.exe"=
"c:\\Program Files\\Call of Duty Game of the Year Edition\\CoDMP.exe"=

R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [12/31/1979 11:00 PM 70784]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/21/2009 11:27 AM 130936]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/15/2009 3:10 AM 114768]
R1 cdrblock;cdrblock;c:\windows\system32\drivers\cdrblock.sys [10/11/2008 1:10 PM 10368]
R1 cdrport;cdrport;c:\windows\system32\drivers\cdrport.sys [10/11/2008 1:10 PM 4608]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [6/21/2009 11:27 AM 159600]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/15/2009 3:10 AM 20560]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [6/21/2009 11:27 AM 73840]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [8/17/2009 10:57 PM 95640]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 ColdFusion MX ODBC Agent;ColdFusion MX ODBC Agent;c:\cfusionmx\db\slserver52\bin\swagent.exe "ColdFusion MX ODBC Agent" --> c:\cfusionmx\db\slserver52\bin\swagent.exe ColdFusion MX ODBC Agent [?]
S2 Microsoft System Management;Microsoft System Management; [x]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S4 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [6/21/2009 11:27 AM 64392]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-15 c:\windows\Tasks\dfrg.job
- c:\windows\system32\dfrg.msc [2006-09-28 09:00]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\erz9nlou.default\
FF - prefs.js: browser.search.selectedEngine - eBay
FF - prefs.js: keyword.URL - hxxp://www.ask.com/web?&o=13048&l=dis&q=
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-16 01:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]
"Appinit_Dlls"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2372)
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-16 01:36
ComboFix-quarantined-files.txt 2009-11-16 06:36
ComboFix2.txt 2009-11-15 02:45
ComboFix3.txt 2009-11-13 22:00

Pre-Run: 61,129,826,304 bytes free
Post-Run: 61,216,239,616 bytes free

- - End Of File - - 44BF08D54143EE87BDC70F900FAFA691


ESETScan

C:\Documents and Settings\User\My Documents\Freds wares\Nero 7.8.5.0 Ultra Edition Enhanced + Keymaker\Nero-7.8.5.0_eng.exe Win32/Toolbar.AskSBar application
C:\Qoobox\Quarantine\C\WINDOWS\system32\_sdra64_.exe.zip a variant of Win32/Kryptik.BAY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_nevcgsxx_.sys.zip Win32/BHO.EXT trojan

Edited by stjohn, 16 November 2009 - 02:18 AM.

    Advertisements

Register to Remove


#11 SweetTech

SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,368 posts

Posted 16 November 2009 - 07:26 PM

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Folder::
C:\Documents and Settings\User\My Documents\Freds wares\Nero 7.8.5.0 Ultra Edition Enhanced + Keymaker

RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]

Registry::
[-HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Locate ESET Online Scanner Log
The ESET Online Scanner log that you provided for me looks to be incomplete.

I need to get a look at the complete file if possible.

Please do the following:
On your keyboard press the Windows key + R
By pressing those two keys at the same time this should display the run dialog box.
Once the Run Dialog box appears please copy and paste the following:
C:\Program Files\ESET\log.txt
After you've copied and pasted the above please select OK.
This should display the ESET Online Scanner log.

Once the ESET Online Scanner log is displayed please copy and paste the contents of the file into your next post.

Please make sure you include the log that was produced after running ComboFix and the log.txt from the ESET folder.

Posted Image
 

Proud Graduate of the WTT Classroom
 
Posted Image


#12 stjohn

stjohn

    New Member

  • Authentic Member
  • Pip
  • 8 posts

Posted 17 November 2009 - 02:20 AM

Hello SweetTech, Thank you for your help. When I ran Combo Cleaner, PC firewall had a lot of warnings about registry changes. I believe this may be normal and said OK to all. The ESET log was not in the location provided (C:\Program Files\ESET\log.txt). I did find the log in the ESET folder.

Here are the logs. Again, thank you for your help. :o)

ComboFix 09-11-17.01 - User 11/17/2009 2:08.4.2 - x86
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1356 [VPS 091116-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: PC Tools Firewall Plus *enabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\User\My Documents\Freds wares\Nero 7.8.5.0 Ultra Edition Enhanced + Keymaker
c:\documents and settings\User\My Documents\Freds wares\Nero 7.8.5.0 Ultra Edition Enhanced + Keymaker\embrace.nfo
c:\documents and settings\User\My Documents\Freds wares\Nero 7.8.5.0 Ultra Edition Enhanced + Keymaker\Nero-7.8.5.0_eng.exe

.
((((((((((((((((((((((((( Files Created from 2009-10-17 to 2009-11-17 )))))))))))))))))))))))))))))))
.

2009-11-16 06:49 . 2009-11-16 06:49 -------- d-----w- c:\program files\ESET
2009-11-16 05:35 . 2009-11-16 05:38 -------- d-----w- c:\windows\LastGood
2009-11-15 08:10 . 2009-09-15 11:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-15 08:10 . 2009-09-15 11:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-15 08:10 . 2009-09-15 11:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-15 08:10 . 2009-09-15 11:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-15 08:10 . 2009-09-15 11:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-15 08:10 . 2009-09-15 11:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-15 08:10 . 2009-09-15 11:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-15 08:10 . 2009-09-15 11:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-15 08:10 . 2009-09-15 11:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-15 05:59 . 2009-11-15 05:59 -------- d-----w- c:\program files\Alwil Software
2009-11-15 02:36 . 2006-03-15 09:00 4224 ----a-w- c:\windows\system32\dllcache\beep.sys
2009-11-15 02:36 . 2006-03-15 09:00 4224 ------w- c:\windows\system32\drivers\beep.sys
2009-11-15 02:15 . 2009-11-15 02:15 3310608 ----a-w- c:\program files\ccsetup225.exe
2009-11-13 10:23 . 2009-11-13 10:23 165232 ---ha-w- c:\documents and settings\User\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
2009-11-13 10:22 . 2009-11-13 10:22 -------- d-----w- c:\program files\Microsoft Virtual PC
2009-11-13 10:16 . 2009-11-13 10:20 31884672 ----a-w- c:\program files\virtualpc2007.exe
2009-11-13 05:47 . 2009-11-13 05:47 -------- d-----w- c:\program files\ERUNT
2009-11-06 18:17 . 2009-11-06 18:17 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-11-06 18:16 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-06 18:16 . 2009-11-08 23:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-06 18:16 . 2009-11-06 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-06 18:16 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-06 18:12 . 2009-11-06 18:13 4045544 ----a-w- c:\program files\mbam-setup.exe
2009-11-06 08:42 . 2009-11-06 08:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-11-06 08:41 . 2009-11-06 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-11-06 08:41 . 2009-11-06 08:41 -------- d-----w- c:\program files\Common Files\iS3
2009-11-06 08:36 . 2009-11-06 08:36 390656 ----a-w- c:\program files\STOPzilla_Setup.exe
2009-10-20 02:24 . 2009-10-20 02:24 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-10-19 04:33 . 2009-10-19 04:33 -------- d-----w- c:\documents and settings\User\Application Data\AVS4YOU
2009-10-19 04:33 . 2009-10-19 04:33 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-10-19 04:31 . 2009-10-19 04:33 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-10-19 04:31 . 2009-10-19 04:33 -------- d-----w- c:\program files\AVS4YOU
2009-10-19 04:31 . 2008-08-13 15:22 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2009-10-19 04:31 . 2008-08-13 15:22 24576 ----a-w- c:\windows\system32\msxml3a.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-17 06:59 . 2007-09-17 23:51 -------- d-----w- c:\program files\Call of Duty Game of the Year Edition
2009-11-17 05:45 . 2008-09-05 01:23 138376 -c--a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-11-17 05:45 . 2008-09-05 01:23 202448 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-11-16 06:42 . 2008-08-30 22:07 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-15 02:16 . 2009-06-07 21:56 -------- d-----w- c:\program files\CCleaner
2009-11-06 19:40 . 2009-11-06 19:39 840 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-10-18 03:23 . 2009-10-18 03:23 -------- d-----w- c:\program files\Flash Player Pro
2009-10-18 03:22 . 2009-10-18 03:22 3456313 ----a-w- c:\program files\FlashMediaPlayer.exe
2009-10-18 03:09 . 2009-10-18 03:00 46323904 ----a-w- C:\AVSVideoConverter.exe
2009-10-14 22:37 . 2008-08-30 18:14 -------- d-----w- c:\program files\XoftSpySE
2009-09-21 03:39 . 2009-09-21 03:38 9008576 ----a-w- c:\program files\windows-kb890830-v2.14.exe
2009-04-22 03:09 . 2009-04-22 03:08 4399670 -c--a-w- c:\program files\zen-cart-v1.3.8a-full-fileset-12112007.zip
2008-10-19 18:04 . 2008-10-19 17:58 25740144 -c--a-w- c:\program files\wmp11-windowsxp-x86-enu.exe
2008-10-12 19:41 . 2008-10-12 19:37 20355856 -c--a-w- c:\program files\sdsetup.exe
2008-08-31 22:03 . 2008-08-31 22:02 1077448 -c--a-w- c:\program files\RegCureSetup_1501_CB.exe
2008-08-30 00:25 . 2008-08-23 21:57 12413440 -c--a-w- c:\program files\avgas-setup-7.5.1.43.exe
2008-07-25 23:57 . 2008-07-25 23:54 3714959 -c--a-w- c:\program files\Stickman4.zip
2008-06-29 06:19 . 2008-06-29 06:19 318904 -c--a-w- c:\program files\wmpfirefoxplugin.exe
2008-06-27 22:10 . 2008-06-27 22:07 5319506 -c--a-w- c:\program files\Stickman5.zip
2008-06-27 05:27 . 2008-06-27 05:27 496085 -c--a-w- c:\program files\Pivot.zip
2008-05-18 05:39 . 2008-05-18 05:37 9722720 -c--a-w- c:\program files\spybotsd152.exe
2008-01-27 20:45 . 2008-01-27 20:44 13413048 -c--a-w- c:\program files\Google_Earth_BZXD.exe
2008-01-21 21:15 . 2008-01-21 21:15 2514811 -c--a-w- c:\program files\First_Spaceship_on_Venus.avi.torrent.exe
2008-01-19 03:44 . 2008-01-19 03:44 837811 -c--a-w- c:\program files\AntilagXP.zip
2008-01-19 03:38 . 2008-01-19 03:38 15486287 -c--a-w- c:\program files\BZFMapPakII.exe
2008-01-18 00:32 . 2008-01-18 00:32 6026816 -c--a-w- c:\program files\Firefox Setup 2.0.0.11.exe
2008-01-16 05:34 . 2008-01-16 05:34 1491592 -c--a-w- c:\program files\install_flash_player.exe
2008-01-15 17:00 . 2008-01-11 00:39 54330664 -c--a-w- c:\program files\iTunesSetup.exe
2008-01-07 02:19 . 2008-01-07 02:19 523976 -c--a-w- c:\program files\PopUpStopperFree.exe
2008-01-01 21:47 . 2008-01-01 21:51 83848 -c--a-w- c:\program files\1394.zip
2008-01-01 20:49 . 2008-01-01 20:53 5103056 -c--a-w- c:\program files\DriverDetective.exe
2007-06-04 17:39 . 2008-02-10 15:40 1605557 -c--a-w- c:\program files\WIN32-MPEG2-cafecf94a20d.exe
2007-06-04 17:25 . 2008-01-26 00:14 899414 -c--a-w- c:\program files\SetupDVDDecrypter_3.5.4.0.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-11-13_21.55.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-15 23:43 . 2009-11-15 23:43 16384 c:\windows\temp\Perflib_Perfdata_104.dat
+ 2006-09-28 12:27 . 2009-08-07 00:24 53472 c:\windows\system32\wuauclt.exe
+ 2009-11-16 05:35 . 2009-08-07 00:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
+ 2009-11-16 05:35 . 2009-08-07 00:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2006-09-28 12:27 . 2009-08-07 00:24 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 2006-09-28 00:01 . 2009-08-07 00:24 96480 c:\windows\system32\dllcache\cdm.dll
+ 2006-09-28 00:01 . 2009-08-07 00:24 96480 c:\windows\system32\cdm.dll
+ 2009-11-16 05:35 . 2008-10-16 18:09 43544 c:\windows\LastGood\system32\wups2.dll
+ 2009-11-16 05:35 . 2008-10-16 18:08 34328 c:\windows\LastGood\system32\wups.dll
+ 2009-11-16 05:35 . 2008-10-16 18:09 51224 c:\windows\LastGood\system32\wuauclt.exe
+ 2009-11-16 05:35 . 2008-10-16 18:09 92696 c:\windows\LastGood\system32\cdm.dll
+ 2006-09-28 12:27 . 2009-08-07 00:24 209632 c:\windows\system32\wuweb.dll
+ 2006-09-28 12:27 . 2009-08-07 00:24 327896 c:\windows\system32\wucltui.dll
+ 2006-09-28 12:27 . 2009-08-07 00:23 575704 c:\windows\system32\wuapi.dll
+ 2006-09-28 12:27 . 2009-08-07 00:24 209632 c:\windows\system32\dllcache\wuweb.dll
+ 2006-09-28 12:27 . 2009-08-07 00:24 327896 c:\windows\system32\dllcache\wucltui.dll
+ 2006-09-28 12:27 . 2009-08-07 00:23 575704 c:\windows\system32\dllcache\wuapi.dll
+ 2009-11-16 05:35 . 2008-10-16 18:12 202776 c:\windows\LastGood\system32\wuweb.dll
+ 2009-11-16 05:35 . 2008-10-16 18:12 323608 c:\windows\LastGood\system32\wucltui.dll
+ 2009-11-16 05:35 . 2008-10-16 18:12 561688 c:\windows\LastGood\system32\wuapi.dll
+ 2006-09-28 12:27 . 2009-08-07 00:23 1929952 c:\windows\system32\wuaueng.dll
+ 2006-09-28 12:27 . 2009-08-07 00:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
+ 2009-11-16 05:35 . 2008-10-16 18:13 1809944 c:\windows\LastGood\system32\wuaueng.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\BlogTorrent\\btdownloadgui.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BZinstall14L\\bzone.exe"=
"c:\\Program Files\\Call of Duty Game of the Year Edition\\CoDMP.exe"=

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [x]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [x]
R2 ColdFusion MX ODBC Agent;ColdFusion MX ODBC Agent;c:\cfusionmx\db\slserver52\bin\swagent.exe ColdFusion MX ODBC Agent [x]
R2 Microsoft System Management;Microsoft System Management; [x]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [x]
R4 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2008-12-10 64392]
S0 mv61xx;mv61xx;c:\windows\system32\DRIVERS\mv61xx.sys [2006-08-30 70784]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-04-03 130936]
S1 aswSP;avast! Self Protection; [x]
S1 cdrblock;cdrblock;c:\windows\system32\DRIVERS\cdrblock.sys [2005-06-14 10368]
S1 cdrport;cdrport;c:\windows\system32\DRIVERS\cdrport.sys [2005-03-11 4608]
S1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2008-12-11 159600]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
S2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2008-12-18 73840]
S3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2009-01-21 95640]


--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-16 c:\windows\Tasks\dfrg.job
- c:\windows\system32\dfrg.msc [2006-09-28 09:00]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\erz9nlou.default\
FF - prefs.js: browser.search.selectedEngine - eBay
FF - prefs.js: keyword.URL - hxxp://www.ask.com/web?&o=13048&l=dis&q=
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-17 02:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-11-17 02:24
ComboFix-quarantined-files.txt 2009-11-17 07:24
ComboFix2.txt 2009-11-16 06:36
ComboFix3.txt 2009-11-15 02:45
ComboFix4.txt 2009-11-13 22:00

Pre-Run: 61,070,524,416 bytes free
Post-Run: 61,023,567,872 bytes free

- - End Of File - - 3E71E0587537F5C778252E25BAEF9542



ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=e17c9733b799c248850cd8afabc31810
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-11-16 07:53:57
# local_time=2009-11-16 02:53:57 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=769 16775141 100 98 0 193710608 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=117506
# found=3
# cleaned=0
# scan_time=3383
C:\Documents and Settings\User\My Documents\Freds wares\Nero 7.8.5.0 Ultra Edition Enhanced + Keymaker\Nero-7.8.5.0_eng.exe Win32/Toolbar.AskSBar application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\_sdra64_.exe.zip a variant of Win32/Kryptik.BAY trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_nevcgsxx_.sys.zip Win32/BHO.EXT trojan 00000000000000000000000000000000 I

#13 SweetTech

SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,368 posts

Posted 17 November 2009 - 06:28 PM

Re-Scanning with DDS
Please re-run DDS by sUBs.
Make sure to pay attention to the directions below:
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by doing the following:
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post
Please make sure that you include the contents of the DDS.txt file and attach the Attach.txt file in your next post.

Posted Image
 

Proud Graduate of the WTT Classroom
 
Posted Image


#14 stjohn

stjohn

    New Member

  • Authentic Member
  • Pip
  • 8 posts

Posted 17 November 2009 - 06:54 PM

Hi SweetTech, Your help is greatly appreciated. Here is the DDS info: DDS (Ver_09-06-26.01) - NTFSx86 Run by User at 19:45:29.79 on Tue 11/17/2009 Internet Explorer: 8.0.6001.18702 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.524 [GMT -5:00] AV: avast! antivirus 4.8.1356 [VPS 091117-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D} FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\PC Tools Firewall Plus\FWService.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe C:\WINDOWS\system32\PnkBstrA.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wscntfy.exe C:\Documents and Settings\User\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = about:blank uInternet Settings,ProxyOverride = *.local BHO: AutorunsDisabled - No File uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe" mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242765404109 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\erz9nlou.default\ FF - prefs.js: browser.search.selectedEngine - eBay FF - prefs.js: keyword.URL - hxxp://www.ask.com/web?&o=13048&l=dis&q= ============= SERVICES / DRIVERS =============== R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [1979-12-31 70784] R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-6-21 130936] R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-15 114768] R1 cdrblock;cdrblock;c:\windows\system32\drivers\cdrblock.sys [2008-10-11 10368] R1 cdrport;cdrport;c:\windows\system32\drivers\cdrport.sys [2008-10-11 4608] R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-6-21 159600] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-15 20560] R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-11-15 138680] R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2009-6-21 73840] R2 PCToolsFirewallPlus;PC Tools Firewall Plus;c:\program files\pc tools firewall plus\FWService.exe [2009-8-17 146800] R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2009-8-17 95640] S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?] S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?] S2 ColdFusion MX ODBC Agent;ColdFusion MX ODBC Agent;c:\cfusionmx\db\slserver52\bin\swagent.exe "coldfusion mx odbc agent" --> c:\cfusionmx\db\slserver52\bin\swagent.exe ColdFusion MX ODBC Agent [?] S2 Microsoft System Management;Microsoft System Management; [x] S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-11-15 254040] S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-11-15 352920] S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?] S4 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2009-6-21 64392] =============== Created Last 30 ================ 2009-11-17 03:36 <DIR> --d----- c:\windows\system32\XPSViewer 2009-11-17 03:35 <DIR> --d----- C:\3960f18d846642816335 2009-11-17 03:35 1,676,288 -------- c:\windows\system32\xpssvcs.dll 2009-11-17 03:35 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll 2009-11-17 03:35 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe 2009-11-17 03:35 575,488 -------- c:\windows\system32\xpsshhdr.dll 2009-11-17 03:35 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll 2009-11-17 03:35 117,760 -------- c:\windows\system32\prntvpt.dll 2009-11-17 03:35 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll 2009-11-16 01:49 <DIR> --d----- c:\program files\ESET 2009-11-16 00:50 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll 2009-11-16 00:50 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll 2009-11-16 00:50 12,800 -------- c:\windows\system32\dllcache\xpshims.dll 2009-11-16 00:50 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll 2009-11-16 00:50 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll 2009-11-16 00:50 11,069,440 -------- c:\windows\system32\dllcache\ieframe.dll 2009-11-16 00:38 2,560 -------- c:\windows\system32\xpsp4res.dll 2009-11-14 21:36 4,224 a------- c:\windows\system32\dllcache\beep.sys 2009-11-14 21:36 4,224 -------- c:\windows\system32\drivers\beep.sys 2009-11-14 21:15 3,310,608 a------- c:\program files\ccsetup225.exe 2009-11-13 16:46 <DIR> a-dshr-- C:\cmdcons 2009-11-13 16:40 77,312 a------- c:\windows\MBR.exe 2009-11-13 05:22 <DIR> --d----- c:\program files\Microsoft Virtual PC 2009-11-13 05:16 31,884,672 a------- c:\program files\virtualpc2007.exe 2009-11-13 04:24 21,610 a------- C:\1.gif 2009-11-06 14:39 840 a------- c:\windows\system32\drivers\kgpcpy.cfg 2009-11-06 13:17 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes 2009-11-06 13:16 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys 2009-11-06 13:16 19,160 a------- c:\windows\system32\drivers\mbam.sys 2009-11-06 13:16 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware 2009-11-06 13:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes 2009-11-06 13:12 4,045,544 a------- c:\program files\mbam-setup.exe 2009-11-06 03:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard 2009-11-06 03:41 <DIR> --d----- c:\program files\common files\iS3 2009-11-06 03:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla! 2009-11-06 03:36 390,656 a------- c:\program files\STOPzilla_Setup.exe 2009-10-18 23:33 <DIR> --d----- c:\docume~1\user\applic~1\AVS4YOU 2009-10-18 23:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVS4YOU 2009-10-18 23:31 <DIR> --d----- c:\program files\common files\AVSMedia 2009-10-18 23:31 1,700,352 a------- c:\windows\system32\GdiPlus.dll 2009-10-18 23:31 24,576 a------- c:\windows\system32\msxml3a.dll 2009-10-18 23:31 <DIR> --d----- c:\program files\AVS4YOU ==================== Find3M ==================== 2009-11-17 17:34 138,376 ac------ c:\windows\system32\drivers\PnkBstrK.sys 2009-11-17 17:34 202,448 a------- c:\windows\system32\PnkBstrB.exe 2009-11-14 01:47 260,608 ac------ c:\windows\PEV.exe 2009-10-17 22:22 3,456,313 a------- c:\program files\FlashMediaPlayer.exe 2009-10-17 22:09 46,323,904 a------- C:\AVSVideoConverter.exe 2009-09-20 22:39 9,008,576 a------- c:\program files\windows-kb890830-v2.14.exe 2009-09-11 09:18 136,192 a------- c:\windows\system32\msv1_0.dll 2009-09-11 09:18 136,192 a------- c:\windows\system32\dllcache\msv1_0.dll 2009-09-04 16:03 58,880 a------- c:\windows\system32\msasn1.dll 2009-09-04 16:03 58,880 a------- c:\windows\system32\dllcache\msasn1.dll 2009-08-29 03:08 1,208,832 a------- c:\windows\system32\dllcache\urlmon.dll 2009-08-29 03:08 916,480 a------- c:\windows\system32\wininet.dll 2009-08-29 03:08 916,480 a------- c:\windows\system32\dllcache\wininet.dll 2009-08-29 03:08 5,940,224 a------- c:\windows\system32\dllcache\mshtml.dll 2009-08-29 03:08 206,848 a------- c:\windows\system32\dllcache\occache.dll 2009-08-29 03:08 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll 2009-08-29 03:08 184,320 a------- c:\windows\system32\dllcache\iepeers.dll 2009-08-29 03:08 387,584 a------- c:\windows\system32\dllcache\iedkcs32.dll 2009-08-28 05:35 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe 2009-08-26 03:00 247,326 a------- c:\windows\system32\strmdll.dll 2009-08-26 03:00 247,326 a------- c:\windows\system32\dllcache\strmdll.dll 2009-04-21 22:09 4,399,670 ac------ c:\program files\zen-cart-v1.3.8a-full-fileset-12112007.zip 2008-10-19 13:04 25,740,144 ac------ c:\program files\wmp11-windowsxp-x86-enu.exe 2008-10-12 14:41 20,355,856 ac------ c:\program files\sdsetup.exe 2008-08-31 17:03 1,077,448 ac------ c:\program files\RegCureSetup_1501_CB.exe 2008-08-29 19:25 12,413,440 ac------ c:\program files\avgas-setup-7.5.1.43.exe 2008-07-25 18:57 3,714,959 ac------ c:\program files\Stickman4.zip 2008-06-29 01:19 318,904 ac------ c:\program files\wmpfirefoxplugin.exe 2008-06-27 17:10 5,319,506 ac------ c:\program files\Stickman5.zip 2008-06-27 00:27 496,085 ac------ c:\program files\Pivot.zip 2008-05-18 00:39 9,722,720 ac------ c:\program files\spybotsd152.exe 2008-01-27 15:45 13,413,048 ac------ c:\program files\Google_Earth_BZXD.exe 2008-01-21 16:15 2,514,811 ac------ c:\program files\First_Spaceship_on_Venus.avi.torrent.exe 2008-01-18 22:44 837,811 ac------ c:\program files\AntilagXP.zip 2008-01-18 22:38 15,486,287 ac------ c:\program files\BZFMapPakII.exe 2008-01-17 19:32 6,026,816 ac------ c:\program files\Firefox Setup 2.0.0.11.exe 2008-01-16 00:34 1,491,592 ac------ c:\program files\install_flash_player.exe 2008-01-15 12:00 54,330,664 ac------ c:\program files\iTunesSetup.exe 2008-01-06 21:19 523,976 ac------ c:\program files\PopUpStopperFree.exe 2008-01-01 16:47 83,848 ac------ c:\program files\1394.zip 2008-01-01 15:49 5,103,056 ac------ c:\program files\DriverDetective.exe 2007-06-04 12:39 1,605,557 ac------ c:\program files\WIN32-MPEG2-cafecf94a20d.exe 2007-06-04 12:25 899,414 ac------ c:\program files\SetupDVDDecrypter_3.5.4.0.exe 2009-05-21 14:13 245,760 a--sh--- c:\windows\system32\config\systemprofile\ietldcache\index.dat 2009-05-19 16:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009051920090520\index.dat ============= FINISH: 19:45:52.18 ===============

Attached Files



#15 SweetTech

SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,368 posts

Posted 17 November 2009 - 07:13 PM

Clean-Up Time

Time for some housekeeping
The following will implement some cleanup procedures as well as reset System Restore points:
Posted Image
Click Start > Run and copy/paste the following bolded text into the Run box and click OK: ComboFix /Uninstall

Remove Logs/Tools
From your Desktop please delete the following things:
  • Any notepad/logs that we created
  • DDS.scr
  • RootRepeal.zip from wherever you downloaded the file to.
  • RootRepeal.exe from where you extracted it.
  • You may also remove ESET Online Scan via your Add/Remove Programs.
Update Software:

Update Adobe Reader
Earlier versions of Adobe Reader have known security flaws so it is recommended that you update your copy
  • Go to Start > Control Panel > Add/Remove Programs
  • Remove ALL instances of Adobe Reader
  • Re-boot your computer as required.
  • Once ALL versions of Adobe Reader have been uninstalled, visit: <<here>> and download the latest version of Adobe Reader
Alternative Option: after uninstalling Adobe Reader, you could try installing Foxit Reader from >here< Foxit Reader has fewer add-ons therefore loads more quickly.

Java Outdated
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 17. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the drop-down menu.
  • Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or JavaÖ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH CheckedApplications and AppletsTrace and Log Files
  • Click OK on Delete Temporary Files Window

    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

Update Firefox
You are currently using Mozilla Firefox 3.10. The last version of Firefox is 3.5.5
This can be done by accessing the Help menu in Firefox and then selecting Check for Updates. Please make sure that you Check for Updates again after updating to the latest version to make sure that you have in fact received the latest version.

Peer to Peer Program
You currently have the following P2P programs installed:
  • uTorrent
Most of the infections that we see today are through P2P file sharing. By uninstalling the programs that I mentioned above you will be doing yourself a favor. It's impossible to trust the source of what is being downloaded from them and a file may or may not be what it appears to be.

How to Uninstall the P2P Programs:
  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):
    uTorrent
PLEASE NOTE: When your uninstalling the P2P Program(s) some questions are worded in various ways to try and deceive you and keep you from uninstalling their Program.

All Clean Speech

===> Make sure you've re-enabled any Security Programs that we may have disabled during the malware removal process. <===

Below I have included a number of recommendations for how to protect your computer against malware infections.
  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    then consider a password keeper, to keep all your passwords safe.
  • Keep Windows updated by regularly checking their website at: http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.
  • SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.
  • SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.
  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE
  • Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
    secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
    blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here
    • If you choose to use Firefox, I highly recommend this add-on to keep your PC even more secure.
      • NoScript - for blocking ads and other potential website attacks
  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    Think Prevention.
    PC Safety and Security--What Do I Need?.
**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Posted Image
 

Proud Graduate of the WTT Classroom
 
Posted Image

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users