
Try What the Tech -- It's free!


HJT Log - trying to remove virus


9 replies to this topic

#1 jskinner23 (New Member, 8 posts)

Posted 05 November 2007 - 01:26 PM

I am having a problem using search engines. After searching, whenever I click on any result, it takes me to a random website (the kind you would get with unwanted pop-up viruses) and not the site I wanted to go to.

I just updated and ran my McAfee AntiVirus and it is finding no problems. Here is my HijackThis log. Thanks!

----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:16:20 PM, on 11/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Webshots\webshots.scr
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.lycos.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8l.hpwis.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {a57cac5c-db24-4270-bf30-31a8fb1ac918} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P2 /q C:\DOCUME~1\Jonathan\LOCALS~1\Temp\TEMPOR~1\Content.SH! C:\DOCUME~1\Jonathan\LOCALS~1\Temp\TEMPOR~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\Temp\History\History.IE5\MSHIST~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\Temp\History\History.SH! C:\DOCUME~1\Jonathan\LOCALS~1\Temp\History.SH! C:\DOCUME~1\Jonathan\LOCALS~1\Temp\Cookies.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\6XVCXCJ6\AIM_UA~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\L7RYJO5Y\ADBRIT~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\XEF6AZAB\AD411B~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\ASPM5SSA\ADBRIT~4.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\Y0VAXKE6\ADBRIT~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\Y0VAXKE6\WEB_AN~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C3C5W67C\WEB_AN~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C3C5W67C\ADBRIT~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://ka.bar.need2f...earch.html?p=KA
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...99/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.co.../AttachMail.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.co...aploader_v5.cab
O16 - DPF: {FCEAE646-DCF9-4D59-B994-6BD30A315139} - http://www.mtv.com/o...e/bin/setup.exe
O20 - Winlogon Notify: catlgs - catlgs.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Jonathan/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 11529 bytes
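A small triage script, added here as an example (it is not part of the original post and not HijackThis's own code), that parses lines in the HijackThis log format shown above and flags the loading points a helper typically reviews first: O20 Winlogon Notify entries, BHOs registered with no file on disk, and Run entries that name a bare executable without a path. The sample lines are copied from the log above; the flagging rules and the names `parse_entries` and `triage` are the example's own, and a flag means "review this entry", not "this is malicious".

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log above,
# so the example runs offline. In practice, read the saved hijackthis.log file.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {a57cac5c-db24-4270-bf30-31a8fb1ac918} - (no file)
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O20 - Winlogon Notify: catlgs - catlgs.dll (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
"""

# Every HijackThis entry starts with a section code (R0, R1, F2, O2 ... O24) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
# A Run value that begins with an absolute drive path, optionally quoted.
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


def parse_entries(text):
    """Return (code, body) pairs for each HijackThis entry line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(text):
    """Flag entries worth a closer look. Each finding is (code, reason, original body).

    A flag means 'review this', not 'this is malicious': many legitimate
    products leave orphaned CLSIDs behind after an uninstall."""
    findings = []
    for code, body in parse_entries(text):
        if code == "O20":
            # Winlogon Notify DLLs are loaded by winlogon.exe at logon; a registered
            # name whose DLL is missing or unknown is a classic persistence sign.
            reason = ("Winlogon Notify DLL registered but missing on disk"
                      if "(file missing)" in body else
                      "Winlogon Notify entry: confirm the DLL's vendor")
            findings.append((code, reason, body))
        elif code == "O2" and body.endswith("(no file)"):
            findings.append((code, "BHO CLSID registered with no DLL on disk", body))
        elif code == "O4" and "] " in body:
            # Registry Run entries look like "HKLM\..\Run: [Name] command"; a bare
            # file name is resolved through the PATH search order at logon.
            command = body.split("] ", 1)[1].strip()
            if not ABS_PATH_RE.match(command):
                findings.append((code, "Run entry without an absolute path", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code:<4} {reason}\n     {body}")
```

Run against the sample it reports three entries: the nameless BHO with no file, the CARPService Run value with a bare file name, and the catlgs Winlogon Notify entry whose DLL is missing. Whether any of them is actually an infection still needs a helper's judgement and the follow-up scans described in the next post.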



#2 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 07 November 2007 - 06:29 PM

Howdy jskinner23,

Infection is showing here, so let's start repairs.


Be sure to temporarily disable any protective software when running the scan tools we use here.

For McAfee, which is one that will very likely interfere, right click the McAfee icon in your Taskbar, then click "Exit."
A popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.


Download ComboFix.exe from here to your desktop, and click the downloaded file to run the repair.

When the command window opens, select 1 (and Enter). Allow the scan to run. When completed, a text window will appear; please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

-----------------------------------

Also Download SmitfraudFix (by S!Ri)

Double-click SmitfraudFix.exe

Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually the C drive), and launch from there.

NOTE: Please do not run any other options from SmitfraudFix until we discuss the results.


Then run a new HijackThis scan, and post that log along with the combofix.txt log and the rapport.txt log please.

#3 jskinner23 (New Member, 8 posts)

Posted 08 November 2007 - 11:01 AM

Thanks a lot! Here are the reports:


ComboFix Report

ComboFix 07-11-08.1 - Jonathan 2007-11-08 11:20:17.1 - NTFSx86
Running from: C:\Documents and Settings\Jonathan\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\system32\kdasy.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.

2007-11-08 11:17 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-06 20:49 <DIR> d-------- C:\Program Files\iTunes
2007-11-06 20:40 <DIR> d-------- C:\Program Files\QuickTime
2007-11-05 10:37 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-22 13:39 <DIR> d-------- C:\Program Files\Hp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 18:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-07 01:50 --------- d-----w C:\Program Files\iPod
2007-11-04 04:10 --------- d-----w C:\Documents and Settings\Jonathan\Application Data\uTorrent
2007-11-02 14:19 --------- d-----w C:\Program Files\McAfee
2007-11-02 02:47 --------- d-----w C:\Program Files\Common Files\McAfee
2007-09-26 23:16 --------- d-----w C:\Program Files\DivX
2007-09-17 15:13 --------- d-----w C:\Program Files\Apple Software Update
2007-09-12 05:28 --------- d-----w C:\Program Files\Java
2007-09-12 05:06 --------- d-----w C:\Program Files\Sun
2006-08-18 03:07 91,256 ----a-w C:\Documents and Settings\Jonathan\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a57cac5c-db24-4270-bf30-31a8fb1ac918}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-08-14 20:29]
"Display Settings"="C:\Program Files\HPQ\Notebook Utilities\hptasks.exe" [2002-08-15 09:26]
"QT4HPOT"="C:\Program Files\HPQ\One-Touch\OneTouch.EXE" [2003-03-13 10:14]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 17:40]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 17:38]
"CARPService"="carpserv.exe" [2003-05-21 17:35 C:\WINDOWS\system32\carpserv.exe]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-05-24 07:46]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-25 08:26]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 14:01]
"x3watch"="C:\Program Files\X3watch\x3watch.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 15:24]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 21:33]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"Aim6"="" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"DelayShred"="c:\program files\mcafee\mshr\ShrCL.EXE" /P2 /q C:\DOCUME~1\Jonathan\LOCALS~1\Temp\TEMPOR~1\Content.SH! C:\DOCUME~1\Jonathan\LOCALS~1\Temp\TEMPOR~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\Temp\History\History.IE5\MSHIST~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\Temp\History\History.SH! C:\DOCUME~1\Jonathan\LOCALS~1\Temp\History.SH! C:\DOCUME~1\Jonathan\LOCALS~1\Temp\Cookies.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\6XVCXCJ6\AIM_UA~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\L7RYJO5Y\ADBRIT~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\XEF6AZAB\AD411B~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\ASPM5SSA\ADBRIT~4.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\Y0VAXKE6\ADBRIT~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\Y0VAXKE6\WEB_AN~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C3C5W67C\WEB_AN~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C3C5W67C\ADBRIT~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\1V6B0XCQ\WEB_AN~4.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\XEF6AZAB\ADBRIT~4.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\ASPM5SSA\WEB_AN~4.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\ASPM5SSA\AD4D0B~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\7YMPBCM5\ADBRIT~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\ZWBPO4LH\ADBRIT~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\TQ0TBO1A\WEB_AN~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\L7RYJO5Y\AD451B~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\ODYQ5GN1\WEB_AN~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\L89PBDOE\IMG_3_~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\ODYQ5GN1\ADBRIT~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\VMLF6W5Y\STYLES~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\L7RYJO5Y\WEB_AN~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\ASPM5SSA\WEF710~1.SH! 
C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\XPTEYOJ1\CSS_DR~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\XPTEYOJ1\IMG_6_~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\TQ0TBO1A\780X90~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\TQ0TBO1A\WEB_AN~4.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\L89PBDOE\IMG_4_~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\ASPM5SSA\IMG_8_~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\IEE3PYPI\ADBRIT~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\L7RYJO5Y\WEF712~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\7YMPBCM5\ADBRIT~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\TQ0TBO1A\IMGCAV~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\L7RYJO5Y\WE081C~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\1V6B0XCQ\IMG_10~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\ODYQ5GN1\WEB_AN~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\Y0VAXKE6\ADBRIT~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\VMLF6W5Y\WEB_AN~4.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\L89PBDOE\WEB_AN~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\TQ0TBO1A\IMGCAM~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\ODYQ5GN1\AD4D0B~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\ASPM5SSA\WE3C5B~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\7YMPBCM5\AD4D1B~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\ODYQ5GN1\IMG_11~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\FQ5UJLIX\HBX_2_~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\269UC60C\WEB_AN~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C5EVD6BW\ADBRIT~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\2AOAXHCE\ADBRIT~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\4X72PDOH\WEF712~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C5EVD6BW\ADBRIT~1.SH! 
C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\D0GQTWWY\ADBRIT~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\EY8ZIE90\WEB_AN~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\HNYG52Z2\IMG_10~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C4JBM551\ADBRIT~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\4X72PDOH\AD4D1B~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\D0GQTWWY\ADBRIT~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\HNYG52Z2\IMG_9_~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\EY8ZIE90\WEB_AN~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C4JBM551\ADBRIT~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C4JBM551\WEB_AN~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\FQ5UJLIX\WEB_AN~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C4JBM551\IMG_8_~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\269UC60C\AD491B~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C5EVD6BW\WEB_AN~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\FQ5UJLIX\ADBRIT~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\269UC60C\AD451B~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C4JBM551\WEB_AN~4.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\FQ5UJLIX\LOG_1_~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\2AOAXHCE\ADBRIT~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C4JBM551\IMGCAR~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\4X72PDOH\IMG_9_~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\FQ5UJLIX\WEB_AN~4.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\FQ5UJLIX\AD4D0B~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\FQ5UJLIX\ADBRIT~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\4X72PDOH\IMG_5_~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\4X72PDOH\WEB_AN~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C4JBM551\IMGCAF~1.SH! 
C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\IIY0WY41\WEB_AN~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\IIY0WY41\AD4D0B~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C4JBM551\IMGCA3~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\IIY0WY41\AD411B~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\IIY0WY41\WEF710~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\269UC60C\WEF712~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\5W43WW64\ADBRIT~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\2AOAXHCE\ADBRIT~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\4X72PDOH\ADBRIT~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\5W43WW64\IMG_7_~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C4JBM551\WEF710~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\EY8ZIE90\AD4D0B~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C5EVD6BW\ADBRIT~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\4X72PDOH\ADBRIT~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\269UC60C\AD411B~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C5EVD6BW\WEF710~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\2AOAXHCE\WEB_AN~4.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\EY8ZIE90\ADBRIT~4.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\2AOAXHCE\WEF710~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\HNYG52Z2\WEB_AN~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\2AOAXHCE\WEB_AN~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\269UC60C\IMG_4_~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\269UC60C\ADBRIT~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C5EVD6BW\WEB_AN~4.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\2AOAXHCE\WEF712~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\HNYY12I7\WEB_AN~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\D0GQTWWY\WEB_AN~2.SH! 
C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C4JBM551\WEF712~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\IIY0WY41\IMG_7_~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\IIY0WY41\ADBRIT~4.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\HNYY12I7\ADBRIT~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C4JBM551\IMG_10~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C5EVD6BW\WEB_AN~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\EY8ZIE90\WEB_AN~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\D0GQTWWY\WEB_AN~4.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C5EVD6BW\ADBRIT~4.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\IIY0WY41\AD451B~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\4X72PDOH\WE081C~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\4X72PDOH\IMGCAA~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\D0GQTWWY\IMG_6_~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\4X72PDOH\IMG_1_~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\EY8ZIE90\IMG_3_~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\IIY0WY41\IMGCAJ~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\5W43WW64\IMGCA7~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\5W43WW64\IMGCAH~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\FQ5UJLIX\ADBRIT~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\IIY0WY41\IMG_10~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\IIY0WY41\WEB_AN~4.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\EY8ZIE90\AD411B~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\4X72PDOH\IMG_4_~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\IIY0WY41\IMGCAI~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\4X72PDOH\AD4D0B~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\4X72PDOH\AD99AE~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\5W43WW64\ADBRIT~3.SH! 
C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\269UC60C\ADBRIT~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\D0GQTWWY\WEB_AN~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\D0GQTWWY\WEF712~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C4JBM551\IMGCAH~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C4JBM551\IMG_6_~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\4X72PDOH\WEB_AN~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C4JBM551\IMGCAS~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\4X72PDOH\AD99A4~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\HNYG52Z2\ADBRIT~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\HNYG52Z2\WEB_AN~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\5W43WW64\WEB_AN~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C4JBM551\WE081A~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\5W43WW64\WEB_AN~4.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\269UC60C\WEB_AN~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\269UC60C\ADBRIT~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\5W43WW64\IMGCA6~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\4X72PDOH\ADBRIT~4.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\4X72PDOH\WEB_AN~4.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\4X72PDOH\AD491B~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\5W43WW64\IMG_11~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C4JBM551\ADBRIT~4.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\D0GQTWWY\WEB_AN~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C4JBM551\WEB_AN~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\IIY0WY41\IMG_4_~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\4X72PDOH\IMGCAV~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\HNYG52Z2\ADBRIT~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\IIY0WY41\IMGCAU~1.SH! 
C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C4JBM551\IMGCA2~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C4JBM551\IMG_4_~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\IIY0WY41\WEB_AN~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\2AOAXHCE\WEB_AN~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\HNYG52Z2\WEB_AN~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C5EVD6BW\WEF712~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\HNYG52Z2\AD4D0B~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\269UC60C\AD4D1B~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C5EVD6BW\WEF716~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\269UC60C\ADBRIT~4.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\269UC60C\IMG_7_~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\5W43WW64\WEB_AN~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C4JBM551\WE1F00~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\EY8ZIE90\PC_1_~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\5W43WW64\ADBRIT~4.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\2AOAXHCE\WEB_AN~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\IIY0WY41\ADBRIT~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C4JBM551\WE1B00~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\4X72PDOH\IMGCAO~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\5W43WW64\IMGCAT~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\5W43WW64\IMGCAK~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\5W43WW64\AD411B~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\5W43WW64\IMGCAM~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\5W43WW64\IMGCAX~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\IIY0WY41\AD99AE~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\4X72PDOH\WEB_AN~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\5W43WW64\IMG_6_~1.SH! 
C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\IIY0WY41\WEF716~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\4X72PDOH\AD9A64~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\4X72PDOH\WEF710~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\4X72PDOH\AD411B~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\5W43WW64\IMGCA2~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\FQ5UJLIX\ADBRIT~4.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\IIY0WY41\AD4D1B~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C4JBM551\AD4D0B~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C4JBM551\IMGCAN~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\IIY0WY41\IMGCAC~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\5W43WW64\IMGCA6~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\IIY0WY41\AD99A4~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C4JBM551\IMGCAS~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\4X72PDOH\BANNER~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\5W43WW64\IMGCA6~4.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\5W43WW64\IMGCAL~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\5W43WW64\ADBRIT~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\IIY0WY41\IMGCA3~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\5W43WW64\WEF712~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\IIY0WY41\IMGCAY~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\IIY0WY41\WE081C~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C4JBM551\IMGCAE~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\4X72PDOH\AD9D11~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C4JBM551\WEF716~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C4JBM551\WE081C~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\5W43WW64\WEF710~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C4JBM551\IMGCA3~3.SH! 
C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\4X72PDOH\IMGCAZ~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C4JBM551\IMGCAX~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C4JBM551\WEC782~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\5W43WW64\IMGCAB~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\5W43WW64\IMGCAP~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C4JBM551\IMGCAO~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\IIY0WY41\IMGCA7~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\5W43WW64\WEF716~1.SH!

C:\Documents and Settings\Jonathan\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2004-06-18 00:05:15]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\catlgs]
catlgs.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EZVideo Chat.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EZVideo Chat.lnk
backup=C:\WINDOWS\pss\EZVideo Chat.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SnapDetect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SnapDetect.lnk
backup=C:\WINDOWS\pss\SnapDetect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jonathan^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\Jonathan\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jonathan^Start Menu^Programs^Startup^Webshots.lnk]
path=C:\Documents and Settings\Jonathan\Start Menu\Programs\Startup\Webshots.lnk
backup=C:\WINDOWS\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDiscovery]
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
C:\Program Files\DIGStream\digstream.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"C:\Program Files\Microsoft Money\System\mnyexpr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
"C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TV Now]
C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
"C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\x3watch]
C:\Program Files\X3watch\x3watch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)

R3 CALIAUD;Conexant AMC 3D Environmental Audio;C:\WINDOWS\system32\drivers\caliaud.sys
R3 CALIHALA;CALIHALA;C:\WINDOWS\system32\drivers\calihal.sys
R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.SYS
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;C:\WINDOWS\system32\DRIVERS\DP83815.SYS
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 ALiIRDA;ALi Infrared Device Driver;C:\WINDOWS\system32\DRIVERS\aliirda.sys
S3 CE3;Xircom Ethernet Adapter 10/100 Service;C:\WINDOWS\system32\DRIVERS\ce3n5.sys
S3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\system32\DRIVERS\KMW_USB.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-07 00:01:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-07-15 05:01:15 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2007-10-01 05:02:35 C:\WINDOWS\Tasks\McQcTask.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-08 11:35:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????4?9?1?5??????? ???B?????????????hLC? ??????

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-08 11:40:08 - machine was rebooted
.
--- E O F ---

--------------------------------------------------------------------------------------------------------------------------


SmitfraudFix Report

SmitFraudFix v2.250

Scan done at 11:45:42.21, Thu 11/08/2007
Run from C:\Documents and Settings\Jonathan\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jonathan


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jonathan\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Jonathan\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="file:///C:/DOCUME~1/Jonathan/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg"
"SubscribedURL"="file:///C:/DOCUME~1/Jonathan/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: National Semiconductor Corp. DP83815/816 10/100 MacPhyter PCI Adapter
DNS Server Search Order: 12.127.17.71
DNS Server Search Order: 12.127.16.68

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0DC3536C-DC8A-45E1-AB23-266B3063DF23}: DhcpNameServer=12.127.17.71 12.127.16.68
HKLM\SYSTEM\CCS\Services\Tcpip\..\{7AB8A475-AFC0-46C0-A752-D5BB8DB9CFB4}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{C74B4B20-22BB-47D8-BFE7-F07800DB5C78}: DhcpNameServer=85.255.116.104,85.255.112.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0DC3536C-DC8A-45E1-AB23-266B3063DF23}: DhcpNameServer=12.127.17.71 12.127.16.68
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7AB8A475-AFC0-46C0-A752-D5BB8DB9CFB4}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C74B4B20-22BB-47D8-BFE7-F07800DB5C78}: DhcpNameServer=85.255.116.104,85.255.112.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{0DC3536C-DC8A-45E1-AB23-266B3063DF23}: DhcpNameServer=12.127.17.71 12.127.16.68
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7AB8A475-AFC0-46C0-A752-D5BB8DB9CFB4}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{C74B4B20-22BB-47D8-BFE7-F07800DB5C78}: DhcpNameServer=85.255.116.104,85.255.112.222


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


----------------------------------------------------------------------------------------------------------------------

HijackThis Report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:51 AM, on 11/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.lycos.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8l.hpwis.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {a57cac5c-db24-4270-bf30-31a8fb1ac918} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P2 /q C:\DOCUME~1\Jonathan\LOCALS~1\Temp\TEMPOR~1\Content.SH! C:\DOCUME~1\Jonathan\LOCALS~1\Temp\TEMPOR~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\Temp\History\History.IE5\MSHIST~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\Temp\History\History.SH! C:\DOCUME~1\Jonathan\LOCALS~1\Temp\History.SH! C:\DOCUME~1\Jonathan\LOCALS~1\Temp\Cookies.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\6XVCXCJ6\AIM_UA~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\L7RYJO5Y\ADBRIT~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\XEF6AZAB\AD411B~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\ASPM5SSA\ADBRIT~4.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\Y0VAXKE6\ADBRIT~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\Y0VAXKE6\WEB_AN~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C3C5W67C\WEB_AN~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C3C5W67C\ADBRIT~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://ka.bar.need2f...earch.html?p=KA
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...99/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.co.../AttachMail.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.co...aploader_v5.cab
O16 - DPF: {FCEAE646-DCF9-4D59-B994-6BD30A315139} - http://www.mtv.com/o...e/bin/setup.exe
O20 - Winlogon Notify: catlgs - catlgs.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Jonathan/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 11162 bytes

#4 Jintan

Posted 08 November 2007 - 07:16 PM

Looks like changes made from a DNS Change hijacker there, but ComboFix was able to remove the active file involved. You have many startups disabled through msconfig there - at some point we will need to re-enable all these to do a complete cleaning.


As you are about to make registry changes, you will need to back up the registry to have it if needed. Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup (not to a temp folder). Close the Registry Editor. This is just a smart precaution when making changes to the registry.


Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,36,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
  00,00,01,00,00,00

Open Notepad and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it deskfix.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry.

---------------------------------------


Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.

O2 - BHO: (no name) - {a57cac5c-db24-4270-bf30-31a8fb1ac918} - (no file)
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O20 - Winlogon Notify: catlgs - catlgs.dll (file missing)


---------------------------------------

Please download FixWareout from here

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish. The fix will begin; just follow the prompts. If your firewall sends an alert, please don't let your firewall block it, allow it (this tool will download an additional file from the internet). Note: You must be online to run this utility.

Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load, this is normal.

Once your desktop loads, notepad will open a report.txt file. Close this, and allow the reboot to complete. On reboot you will also get notified about possible difficulties making a connection after the fix is run. If you do have net access difficulties, double click the registry file dnsbak.reg located in the Fixwareout folder on the root of the drive Windows is installed on (normally C:\ as suggested).

Once your desktop loads, please post the contents of the logfile C:\fixwareout\report.txt along with a new HijackThis log and a new ComboFix log please.
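
The two things the helper is acting on here, the 85.255.x.x resolvers written into every control set (CCS, CS1 and CS3 in the SmitfraudFix DNS section) and the orphaned O2/O20 entries in the HijackThis log, are easy to spot by hand in one log but worth automating when triaging many. The following is an added example for this thread, not code from SmitfraudFix, HijackThis, FixWareout or ComboFix. It parses the DNS section and HijackThis lines reproduced from the reports above (a constructed excerpt) and assumes an allow-list of known-good resolvers, which in practice you would fill from the machine's ISP or DHCP configuration; the allow-list values below are an assumption for illustration.

```python
"""Triage helpers for the SmitfraudFix DNS section and a HijackThis log.

Added example for this thread; not code from SmitfraudFix, HijackThis,
FixWareout or ComboFix.  Sample lines are an excerpt copied from the reports
posted in the thread; the resolver allow-list is an assumption.
"""
import re

# Assumed allow-list: the ISP resolvers the adapter reports (12.127.x.x) and the
# OpenDNS pair one interface points at.  Anything else is reported.
EXPECTED_RESOLVERS = frozenset({
    "12.127.17.71", "12.127.16.68",
    "208.67.220.220", "208.67.222.222",
})

# One SmitfraudFix DNS line: hive (CCS = CurrentControlSet, CSn = ControlSet00n),
# interface GUID, value name, and a space- or comma-separated server list.
DNS_LINE = re.compile(
    r"^HKLM\\SYSTEM\\(?P<hive>CCS|CS\d+)\\Services\\Tcpip\\\.\.\\"
    r"\{(?P<guid>[0-9A-Fa-f-]+)\}: (?P<name>(?:Dhcp)?NameServer)=(?P<servers>.*)$"
)

# HijackThis entry lines look like "O2 - BHO: ..."; an entry whose target is
# gone ends with one of these markers.
HJT_LINE = re.compile(r"^O\d+ - ")
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Constructed excerpt of the SmitfraudFix DNS section from the report above.
SAMPLE_DNS_SECTION = r"""
HKLM\SYSTEM\CCS\Services\Tcpip\..\{0DC3536C-DC8A-45E1-AB23-266B3063DF23}: DhcpNameServer=12.127.17.71 12.127.16.68
HKLM\SYSTEM\CCS\Services\Tcpip\..\{7AB8A475-AFC0-46C0-A752-D5BB8DB9CFB4}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{C74B4B20-22BB-47D8-BFE7-F07800DB5C78}: DhcpNameServer=85.255.116.104,85.255.112.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C74B4B20-22BB-47D8-BFE7-F07800DB5C78}: DhcpNameServer=85.255.116.104,85.255.112.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{C74B4B20-22BB-47D8-BFE7-F07800DB5C78}: DhcpNameServer=85.255.116.104,85.255.112.222
"""

# Constructed excerpt of the HijackThis log above: one healthy BHO, one BHO with
# no backing file, and the Winlogon Notify entry whose DLL is missing.
SAMPLE_HJT_LINES = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {a57cac5c-db24-4270-bf30-31a8fb1ac918} - (no file)
O20 - Winlogon Notify: catlgs - catlgs.dll (file missing)
"""


def parse_dns_lines(report):
    """Yield (hive, guid, value_name, [servers]) for every resolver line found."""
    for line in report.splitlines():
        m = DNS_LINE.match(line.strip())
        if m:
            servers = [s for s in re.split(r"[ ,]+", m.group("servers").strip()) if s]
            yield m.group("hive"), m.group("guid"), m.group("name"), servers


def rogue_resolvers(report, allowed=EXPECTED_RESOLVERS):
    """Map interface GUID -> {"servers": [...], "hives": [...]} for interfaces whose
    resolver list contains an address outside the allow-list.

    The hives are collected on purpose: a DNS changer that has been copied into
    CS1/CS3 as well as CCS survives a 'Last Known Good' boot, so the cleanup has
    to clear every control set, not just the current one."""
    findings = {}
    for hive, guid, _name, servers in parse_dns_lines(report):
        unexpected = [s for s in servers if s not in allowed]
        if unexpected:
            entry = findings.setdefault(guid, {"servers": set(), "hives": set()})
            entry["servers"].update(unexpected)
            entry["hives"].add(hive)
    return {g: {"servers": sorted(v["servers"]), "hives": sorted(v["hives"])}
            for g, v in findings.items()}


def orphaned_hjt_entries(hjt_log):
    """Return HijackThis entry lines whose referenced file or COM server is gone.

    These are the leftovers after a removal tool deletes the payload; they are
    the O2/O20 lines the helper above asked the poster to 'Fix Checked'."""
    return [ln.strip() for ln in hjt_log.splitlines()
            if HJT_LINE.match(ln.strip()) and ln.rstrip().endswith(ORPHAN_MARKERS)]


if __name__ == "__main__":
    for guid, info in rogue_resolvers(SAMPLE_DNS_SECTION).items():
        print(f"interface {{{guid}}}: unexpected resolvers {info['servers']} "
              f"present in control sets {info['hives']}")
    for entry in orphaned_hjt_entries(SAMPLE_HJT_LINES):
        print("orphaned entry:", entry)
```

Run stand-alone it reports the single interface pointing at the 85.255.x.x pair in all three control sets and the two orphaned HijackThis lines. To use it on a real report, paste the DNS section and HijackThis output into the two sample variables (or read them from the saved log files) and set EXPECTED_RESOLVERS to the resolvers the machine is actually supposed to use.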

#5 jskinner23

Posted 08 November 2007 - 10:49 PM

Thanks again for all of your help with this! Here are the reports for Fixwareout, ComboFix, and HijackThis:


Fixwareout Report

Username "Jonathan" - 11/08/2007 22:21:15 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{C74B4B20-22BB-47D8-BFE7-F07800DB5C78}
"DhcpNameServer"="85.255.116.104,85.255.112.222" <Value cleared.

Successfully flushed the DNS Resolver Cache.

System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Display Settings"="C:\\Program Files\\HPQ\\Notebook Utilities\\hptasks.exe /s"
"QT4HPOT"="C:\\Program Files\\HPQ\\One-Touch\\OneTouch.EXE"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"CARPService"="carpserv.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"mcagent_exe"="C:\\Program Files\\McAfee.com\\Agent\\mcagent.exe /runkey"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\Ahead\\NEROPH~1\\data\\Xtras\\mssysmgr.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Aim6"=""
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

----------------------------------------------------------------------------------------------------------------------


ComboFix Log

ComboFix 07-11-08.1 - Jonathan 2007-11-08 23:29:20.2 - NTFSx86
Running from: C:\Documents and Settings\Jonathan\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-09 to 2007-11-09 )))))))))))))))))))))))))))))))
.

2007-11-08 11:45 3,242 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-08 11:17 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-06 20:49 <DIR> d-------- C:\Program Files\iTunes
2007-11-06 20:40 <DIR> d-------- C:\Program Files\QuickTime
2007-11-05 10:37 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-22 13:39 <DIR> d-------- C:\Program Files\Hp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 18:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-07 01:50 --------- d-----w C:\Program Files\iPod
2007-11-04 04:10 --------- d-----w C:\Documents and Settings\Jonathan\Application Data\uTorrent
2007-11-02 14:19 --------- d-----w C:\Program Files\McAfee
2007-11-02 02:47 --------- d-----w C:\Program Files\Common Files\McAfee
2007-09-26 23:16 --------- d-----w C:\Program Files\DivX
2007-09-17 18:23 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-17 18:23 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-17 18:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-17 18:22 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-17 15:13 --------- d-----w C:\Program Files\Apple Software Update
2007-09-12 05:28 --------- d-----w C:\Program Files\Java
2007-09-12 05:06 --------- d-----w C:\Program Files\Sun
2007-09-11 23:14 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-21 00:26 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-08-21 00:26 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-08-15 22:33 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-08-15 22:33 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-08-15 22:33 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-08-15 22:33 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-08-15 22:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-08-15 22:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-08-15 22:31 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-08-15 22:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-08-15 22:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-08-15 22:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-08-15 22:30 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2006-08-18 03:07 91,256 ----a-w C:\Documents and Settings\Jonathan\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2007-11-08_11.38.37.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-08 14:33:12 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-11-09 03:40:29 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-11-08 14:33:12 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-09 03:40:29 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-09 03:40:29 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-11-08 14:32:53 63,700 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-09 03:28:46 63,700 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-08 14:32:53 404,752 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-09 03:28:46 404,752 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-08-14 20:29]
"Display Settings"="C:\Program Files\HPQ\Notebook Utilities\hptasks.exe" [2002-08-15 09:26]
"QT4HPOT"="C:\Program Files\HPQ\One-Touch\OneTouch.EXE" [2003-03-13 10:14]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 17:40]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 17:38]
"CARPService"="carpserv.exe" [2003-05-21 17:35 C:\WINDOWS\system32\carpserv.exe]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-05-24 07:46]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-25 08:26]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 14:01]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 15:24]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 21:33]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"Aim6"="" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"DelayShred"="c:\program files\mcafee\mshr\ShrCL.EXE" /P2 /q C:\DOCUME~1\Jonathan\LOCALS~1\Temp\TEMPOR~1\Content.SH! C:\DOCUME~1\Jonathan\LOCALS~1\Temp\TEMPOR~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\Temp\History\History.IE5\MSHIST~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\Temp\History\History.SH! C:\DOCUME~1\Jonathan\LOCALS~1\Temp\History.SH! C:\DOCUME~1\Jonathan\LOCALS~1\Temp\Cookies.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\6XVCXCJ6\AIM_UA~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\L7RYJO5Y\ADBRIT~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\XEF6AZAB\AD411B~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\ASPM5SSA\ADBRIT~4.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\Y0VAXKE6\ADBRIT~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\Y0VAXKE6\WEB_AN~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C3C5W67C\WEB_AN~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C3C5W67C\ADBRIT~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\1V6B0XCQ\WEB_AN~4.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\XEF6AZAB\ADBRIT~4.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\ASPM5SSA\WEB_AN~4.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\ASPM5SSA\AD4D0B~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\7YMPBCM5\ADBRIT~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\ZWBPO4LH\ADBRIT~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\TQ0TBO1A\WEB_AN~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\L7RYJO5Y\AD451B~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\ODYQ5GN1\WEB_AN~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\L89PBDOE\IMG_3_~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\ODYQ5GN1\ADBRIT~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\VMLF6W5Y\STYLES~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\L7RYJO5Y\WEB_AN~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\ASPM5SSA\WEF710~1.SH! 

C:\Documents and Settings\Jonathan\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2004-06-18 00:05:15]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EZVideo Chat.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EZVideo Chat.lnk
backup=C:\WINDOWS\pss\EZVideo Chat.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SnapDetect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SnapDetect.lnk
backup=C:\WINDOWS\pss\SnapDetect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jonathan^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\Jonathan\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jonathan^Start Menu^Programs^Startup^Webshots.lnk]
path=C:\Documents and Settings\Jonathan\Start Menu\Programs\Startup\Webshots.lnk
backup=C:\WINDOWS\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDiscovery]
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
C:\Program Files\DIGStream\digstream.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"C:\Program Files\Microsoft Money\System\mnyexpr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
"C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TV Now]
C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
"C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\x3watch]
C:\Program Files\X3watch\x3watch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)

R3 CALIAUD;Conexant AMC 3D Environmental Audio;C:\WINDOWS\system32\drivers\caliaud.sys
R3 CALIHALA;CALIHALA;C:\WINDOWS\system32\drivers\calihal.sys
R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.SYS
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;C:\WINDOWS\system32\DRIVERS\DP83815.SYS
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 ALiIRDA;ALi Infrared Device Driver;C:\WINDOWS\system32\DRIVERS\aliirda.sys
S3 CE3;Xircom Ethernet Adapter 10/100 Service;C:\WINDOWS\system32\DRIVERS\ce3n5.sys
S3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\system32\DRIVERS\KMW_USB.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-07 00:01:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-07-15 05:01:15 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2007-10-01 05:02:35 C:\WINDOWS\Tasks\McQcTask.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-08 23:36:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????4?9?1?5??????? ???B?????????????hLC? ??????

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-08 23:38:53
C:\ComboFix2.txt ... 2007-11-08 11:40
.
--- E O F ---

----------------------------------------------------------------------------------------------


HijackThis Report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:50 PM, on 11/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.lycos.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8l.hpwis.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P2 /q C:\DOCUME~1\Jonathan\LOCALS~1\Temp\TEMPOR~1\Content.SH! C:\DOCUME~1\Jonathan\LOCALS~1\Temp\TEMPOR~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\Temp\History\History.IE5\MSHIST~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\Temp\History\History.SH! C:\DOCUME~1\Jonathan\LOCALS~1\Temp\History.SH! C:\DOCUME~1\Jonathan\LOCALS~1\Temp\Cookies.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\6XVCXCJ6\AIM_UA~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\L7RYJO5Y\ADBRIT~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\XEF6AZAB\AD411B~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\ASPM5SSA\ADBRIT~4.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\Y0VAXKE6\ADBRIT~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\Y0VAXKE6\WEB_AN~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C3C5W67C\WEB_AN~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C3C5W67C\ADBRIT~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://ka.bar.need2f...earch.html?p=KA
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...99/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.co.../AttachMail.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.co...aploader_v5.cab
O16 - DPF: {FCEAE646-DCF9-4D59-B994-6BD30A315139} - http://www.mtv.com/o...e/bin/setup.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Jonathan/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 10992 bytes

#6 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 09 November 2007 - 08:04 AM

Very good - Fixwareout made the necessary repairs to the DNS settings in the registry. My suggested registry repair however got a "0" cut off in here due to a board code glitch, so needs to be redone. Let's do that a different way, and do one additional scan, then see about cleaning up any remnants here. That will require re-enabling those many startups disabled through msconfig, but will result in getting things back ship shape there.


Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.

O8 - Extra context menu item: &Search - http://ka.bar.need2f...earch.html?p=KA
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Jonathan/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg



Then go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).

To use the scan, once the download has completed click Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click My Computer to begin the scan. Save the Report as a text file and post that back here.


To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".
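The two entries picked out above are a judgement call made by reading the log: a context-menu search item that fetches a page from an unrecognised remote site, and an Active Desktop component loaded from a Temp folder. As an added example (not HijackThis code and not the helper's own procedure), the Python below parses a HijackThis v2 log into entries and applies four rules that reproduce that reasoning. The sample lines are copied from the log posted in this thread, with the forum's "..." URL shortening left as-is; the rule set, the "fix"/"review" severities and the known_hosts parameter are this example's own assumptions.

```python
"""Parse a HijackThis v2 log and flag the entry types picked out in this thread.

Added example for this page; it is not HijackThis code and not the helper's
own procedure.  The four rules are the editor's reconstruction of the
reasoning behind the O8/O24 picks above (an assumption, not documented by HJT).
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: lines copied from the log posted earlier in this thread.
# The forum shortened long URLs with "..."; they are treated as opaque text.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.lycos.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O8 - Extra context menu item: &Search - http://ka.bar.need2f...earch.html?p=KA
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {FCEAE646-DCF9-4D59-B994-6BD30A315139} - http://www.mtv.com/o...e/bin/setup.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Jonathan/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
TEMP_DIR_RE = re.compile(r"[\\/](Temp|LOCALS~1)[\\/]", re.IGNORECASE)
RUN_CMD_RE = re.compile(r'\]\s*"?([^"\s]+)')   # first token after the [value name]


@dataclass
class Entry:
    section: str  # "R0", "O4", "O8", ...
    body: str     # everything after "Xn - "


@dataclass
class Finding:
    severity: str  # "fix": candidate for Fix Checked; "review": confirm by hand
    entry: Entry
    reason: str


def parse_hjt(text: str) -> list[Entry]:
    """Keep only the 'Xn - ...' entries; the header and process list are dropped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def target_of(entry: Entry) -> str:
    """The file or URL an entry points at.  HJT prints it as the last ' - '
    field; O4 lines instead carry the command after the bracketed value name
    (only the first token is needed to tell a bare name from a full path)."""
    if entry.section == "O4":
        m = RUN_CMD_RE.search(entry.body)
        return m.group(1) if m else entry.body
    return entry.body.rsplit(" - ", 1)[-1].strip()


def triage(text: str, known_hosts: frozenset[str] = frozenset()) -> list[Finding]:
    """Run the rules over a log.  known_hosts holds remote hosts the analyst
    has already matched to installed software; with the default empty set,
    every O8 item that fetches a remote page is flagged."""
    findings = []
    for e in parse_hjt(text):
        t = target_of(e)
        parts = urlsplit(t)
        scheme, host = parts.scheme.lower(), parts.netloc.lower()
        if e.section == "O8" and scheme in ("http", "https") and host not in known_hosts:
            findings.append(Finding("fix", e, f"context-menu item fetches a remote page from {host!r}"))
        elif e.section == "O24" and TEMP_DIR_RE.search(t):
            findings.append(Finding("fix", e, "Active Desktop component served from a temporary folder"))
        elif e.section == "O16" and t.lower().endswith(".exe"):
            findings.append(Finding("review", e, "ActiveX download entry points at a bare .exe rather than a .cab"))
        elif e.section == "O4" and "\\" not in t and "/" not in t:
            findings.append(Finding("review", e, f"Run value {t!r} has no path; Windows resolves it via the search order"))
    return findings


def fix_list(findings: list[Finding]) -> list[str]:
    """The lines to tick in HijackThis, in exactly the form the log prints them."""
    return [f"{f.entry.section} - {f.entry.body}" for f in findings if f.severity == "fix"]


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity:6}] {f.entry.section:<4} {f.reason}")
    print("\nFix checked:\n" + "\n".join(fix_list(found)))
```

Run against the sample, fix_list() returns exactly the two lines listed in the post; the bare-name O4 entry and the .exe O16 entry come back as "review" only, since a bare filename in a Run key or an ActiveX installer that is an .exe is unusual but not by itself evidence of infection. The script reads the log text only; ticking the lines and pressing Fix Checked remains a manual step in HijackThis.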

#7 jskinner23 (New Member, 8 posts)

Posted 09 November 2007 - 10:41 PM

Here is the Kaspersky Report and another HijackThis Report:

Kaspersky Report

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, November 09, 2007 11:30:38 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/11/2007
Kaspersky Anti-Virus database records: 455515
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
F:\

Scan Statistics:
Total number of scanned objects: 157378
Number of viruses found: 2
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 04:39:24

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{FAC85242-D900-4504-8384-C4A1EB9D8714}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFRB.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\Jonathan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jonathan\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Jonathan\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Jonathan\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Jonathan\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Jonathan\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Jonathan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jonathan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jonathan\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jonathan\Local Settings\Temp\~DFDF08.tmp Object is locked skipped
C:\Documents and Settings\Jonathan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jonathan\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jonathan\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{2E9DCF39-6F73-409D-8C36-24193BEF49E3}\RP1124\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.a skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{89B3CBE0-2748-457A-BB8B-20A7C5EA5AE6}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_fd4ycg3OvEutHl3 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_8FM1M2fmQdsH6VB Object is locked skipped
C:\WINDOWS\Temp\mcmsc_CdzDh6Swb3EMHTS Object is locked skipped
C:\WINDOWS\Temp\mcmsc_ft4Jv5LNAboCmKa Object is locked skipped
C:\WINDOWS\Temp\mcmsc_udlCBobeQyz7Yvo Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


-----------------------------------------------------------------------------------------------------------------

HijackThis Report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:13 PM, on 11/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Money 2006\MNYCoreFiles\mnybbsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.lycos.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8l.hpwis.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P2 /q C:\DOCUME~1\Jonathan\LOCALS~1\Temp\TEMPOR~1\Content.SH! C:\DOCUME~1\Jonathan\LOCALS~1\Temp\TEMPOR~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\Temp\History\History.IE5\MSHIST~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\Temp\History\History.SH! C:\DOCUME~1\Jonathan\LOCALS~1\Temp\History.SH! C:\DOCUME~1\Jonathan\LOCALS~1\Temp\Cookies.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\6XVCXCJ6\AIM_UA~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\L7RYJO5Y\ADBRIT~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\XEF6AZAB\AD411B~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\ASPM5SSA\ADBRIT~4.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\Y0VAXKE6\ADBRIT~2.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\Y0VAXKE6\WEB_AN~1.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C3C5W67C\WEB_AN~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR~1\Content.IE5\C3C5W67C\ADBRIT~3.SH! C:\DOCUME~1\Jonathan\LOCALS~1\TEMPOR
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...99/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.co.../AttachMail.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.co...aploader_v5.cab
O16 - DPF: {FCEAE646-DCF9-4D59-B994-6BD30A315139} - http://www.mtv.com/o...e/bin/setup.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 11005 bytes

#8 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 10 November 2007 - 06:51 PM

Normally locked system functions, items we used that you can delete such as SmitFraudFix.exe and popcaploader.dll. Some scans include this since it is often used by infection, but is also used by many online games as well (I think Pogo is one). So likely to be returned next time a game is used. Any issues before we do some final cleaning steps?
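The reading given above sorts the Kaspersky results into three bins: locked objects the scanner could not open (registry hives, logs, McAfee data files; normal on a running system), "not-a-virus:" riskware verdicts on tools the cleanup itself introduced, and anything left over. As an added example (not Kaspersky's code and not the helper's), the Python below parses a Kaspersky Online Scanner 5 report into those bins and cross-checks the parsed lines against the report's own summary counts. The sample is built from the summary and detection lines of the report posted above plus three of its locked-object lines; the consistency rule in summary_consistent() is what this particular report shows and is an assumption for other scanner versions.

```python
"""Sort a Kaspersky Online Scanner 5 report into what needs action.

Added example for this page, not Kaspersky's code and not the helper's.
It separates locked objects the scanner skipped from detections, splits
detections into 'not-a-virus:' riskware/tools and everything else, and
checks the parsed lines against the report's own summary counts.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: the summary and every detection line from the report
# posted above, plus three of its many "Object is locked" lines.
SAMPLE_REPORT = r"""
KASPERSKY ONLINE SCANNER REPORT
Scan Statistics:
Total number of scanned objects: 157378
Number of viruses found: 2
Number of infected objects: 5
Number of suspicious objects: 0

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\Jonathan\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Jonathan\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Jonathan\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Jonathan\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.a skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
"""

SUMMARY_RE = re.compile(r"^Number of (viruses found|infected objects|suspicious objects): (\d+)$")
LOCKED_RE = re.compile(r"^(.+?) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(.+?) Infected: (\S+) (\S+)$")
CONTAINER_RE = re.compile(r"^(.+?) (\S+): infected - (\d+) (\S+)$")


@dataclass
class Detection:
    path: str     # may be container/member, e.g. "...\X.exe/data.rar/Reboot.exe"
    verdict: str
    action: str

    @property
    def riskware(self) -> bool:
        """Kaspersky prefixes legitimate-but-abusable tools with 'not-a-virus:'."""
        return self.verdict.startswith("not-a-virus:")

    @property
    def on_disk_file(self) -> str:
        """The file actually on disk: members of an archive share its path."""
        return self.path.split("/", 1)[0]


@dataclass
class Report:
    locked: list[str] = field(default_factory=list)
    detections: list[Detection] = field(default_factory=list)
    containers: list[tuple[str, int]] = field(default_factory=list)  # (archive, member hits)
    summary: dict[str, int] = field(default_factory=dict)


def parse_report(text: str) -> Report:
    """One pass over the report; lines that match none of the patterns are ignored."""
    r = Report()
    for raw in text.splitlines():
        line = raw.strip()
        if m := SUMMARY_RE.match(line):
            r.summary[m.group(1)] = int(m.group(2))
        elif m := INFECTED_RE.match(line):
            r.detections.append(Detection(*m.groups()))
        elif m := CONTAINER_RE.match(line):
            r.containers.append((m.group(1), int(m.group(3))))
        elif m := LOCKED_RE.match(line):
            r.locked.append(m.group(1))
    return r


def summary_consistent(r: Report) -> bool:
    """'infected objects' counts every Infected: line plus each archive that
    reported member hits; 'viruses found' counts distinct verdict names.
    Observed on this report; treat as an assumption for other versions."""
    return (r.summary.get("infected objects") == len(r.detections) + len(r.containers)
            and r.summary.get("viruses found") == len({d.verdict for d in r.detections}))


def real_malware(r: Report) -> list[Detection]:
    """Detections that are not riskware: these are the ones that need cleaning."""
    return [d for d in r.detections if not d.riskware]


def riskware_files(r: Report) -> dict[str, str]:
    """On-disk file -> verdict, for the analyst to decide keep/delete."""
    return {d.on_disk_file: d.verdict for d in r.detections if d.riskware}


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(f"locked (skipped, normal): {len(rep.locked)}")
    print(f"summary matches parsed lines: {summary_consistent(rep)}")
    print(f"real malware: {len(real_malware(rep))}")
    for path, verdict in riskware_files(rep).items():
        print(f"riskware  {verdict:40} {path}")
    print(Counter(d.verdict for d in rep.detections))
```

On the sample, real_malware() is empty and riskware_files() collapses the three Reboot.f hits inside the SmitfraudFix self-extractor down to two files on disk plus popcaploader.dll, which is the same conclusion the post reaches. A non-empty real_malware() list, or a summary that does not reconcile with the parsed lines (a sign the report was truncated when pasted), is what should send the log back for another look.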

#9 jskinner23 (New Member, 8 posts)

Posted 10 November 2007 - 08:51 PM

I haven't seen any more issues. I think final cleaning sounds good.

#10 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 11 November 2007 - 10:22 AM

Sounds good. You can basically delete all the tools we used here, and the reports they created, including SmitFraudFix.exe and the SmitFraudFix folder. To have ComboFix remove its files/folders and undo some changes it made just go to Start - Run, type the following and select OK:

ComboFix /u

Then always a good last step to reset the System Restore. To do this, right-click My Computer and select Properties. Click the System Restore tab in the window that appears, and check the box that says "Turn off System Restore on all drives" and click Apply.

You will be asked if you are sure, click Yes. This will delete the restore points. Then click OK in the Properties window and reboot your computer.

When your desktop appears, right-click My Computer and select Properties once more. Uncheck the "Turn off System Restore..." box and click Apply. OK.

In addition, I would like to recommend reviewing the information here to make sure you stay malware free.

Edited by Jintan, 11 November 2007 - 10:22 AM.
