
w32.Trats!inf infection, Vundo seems gone


53 replies to this topic

#1 patnhank

patnhank

    Authentic Member

  • Authentic Member
  • PipPip
  • 31 posts

Posted 13 January 2008 - 09:15 AM

Hello,
Computer infected with W32.Trats!inf, used Symantec, BitDefender, AVIR, with limited success. On bootup, continue to find virus and unable to eradicate it. Getting thousands of TMP files created under all user names. Getting redirected to other internet sites and having to close popups. Previously, system would prevent me from opening "My Computer" to see files, locking up, would disable BitDefender exe startup file; would have to use "repair" to run BitDefender. Thanks in advance for any help.

PNH
-----------------------------------------
Hijack This log;

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:40:12 AM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
F:\Program Files\Photoshop Elements\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
F:\Program Files\AVG Anti-Spyware 7.5\guard.exe
F:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
F:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
F:\Program Files\Photoshop Elements\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
F:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
f:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [masqform.exe] F:\Program Files\ICS\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115w.bay115...es/MsnPUpld.cab
O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective....torLauncher.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1171839184374
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {F73BE1F4-82AA-4405-AB81-FAFB5A122359} (SiteBuilderEditor Class) - http://stores.homest...es/pssbedit.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6764B366-2522-4F27-9DDF-EE12C8361D53}: NameServer = 192.168.2.1
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - F:\Program Files\Photoshop Elements\PhotoshopElementsFileAgent.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: DefWatch - Symantec Corporation - F:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\cpaiwwai.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - F:\Program Files\Photoshop Elements\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 7312 bytes


----------------------------

Results of RenV log

Ran on Sun 01/13/2008 -  8:51:55.78

------------------------------



#2 Simon V.

Simon V.

    MRU Emeritus

  • Authentic Member
  • PipPipPipPip
  • 897 posts

Posted 14 January 2008 - 10:47 AM

Hello, and welcome to the forum.

My name is Simon V., and I'll be glad to help you with your computer problems.

Step 1

Please download and install CCleaner.

Open CCleaner. On the Windows tab, leave the default options alone.

  • On the Applications tab, check (tick) all the boxes except Saved Form Information. This will remove all your saved passwords if you leave this box checked.
  • Click on the Run Cleaner button at the bottom right hand corner.
  • When the cleaner has completed, click Tools in the Left Pane.
  • Verify that Uninstall is highlighted in color, or click on it.
  • In the lower right, click Save to Text File.
  • Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
  • You can leave the filename as install.txt.
  • Click Save, then exit Ccleaner.

Step 2

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix (C:\Combofix.txt) when you've accomplished that, along with a new HijackThis log and the CCleaner Uninstall List (install.txt)

#3 patnhank


Posted 14 January 2008 - 10:05 PM

Simon V, thanks for the response, I will work this task. In addition, my windows OS is unstable and I may have to repair or worse reload. With my job it may be the weekend before I am complete. Is that OK? Visited Brugge for New Year Celebration, very nice. Respectfully Hank

#4 Simon V.


Posted 15 January 2008 - 02:32 PM

Simon V,
thanks for the response, I will work this task. In addition, my windows OS is unstable and I may have to repair or worse reload. With my job it may be the weekend before I am complete. Is that OK?

Yes, that's no problem.

Visited Brugge for New Year Celebration, very nice.

It's nice indeed :D After Gent, I find it the most beautiful city in Belgium.

I'll await your reply in the weekend.

#5 patnhank


Posted 15 January 2008 - 09:51 PM

Simon V, the "repair" is NOT working on the Windows XP OS, therefore I will do a complete reinstall. With a reinstall will I need to still engage with you on virus/malware removal or by replacing the OS will I eliminate my problem? I have a plan on how I want to accomplish my reinstall but if you have any guidance on how I might improve this process to rid myself of the w32.trats.inf let me know. Thank you Hank

#6 Simon V.


Posted 16 January 2008 - 09:58 AM

Simon V
The "repair" is NOT working on the Windows XP OS, therefore I will do a complete reinstall. With a reinstall will I need to still engage with you on virus/malware removal or by replacing the OS will I eliminate my problem? I have a plan on how I want to accomplish my reinstall but if you have any guidance on how I might improve this process to rid myself of the w32.trats.inf let me know.
Thank you
Hank

There's no real need to reformat and reinstall, or even repair your Windows OS. We can probably clean the infection quite nicely. If you still choose to reformat your system, here are a few links that will probably help:

Reformatting Windows XP by wng_z3r0
When should I re-format? How should I reinstall?
Windows XP Clean install

If you have completed the process, you can come back and I'll give you some tips to stay clean in the future.

#7 patnhank


Posted 17 January 2008 - 09:05 PM

Simon V, the system is very unstable, I am not sure if I can keep it going long enough to run the two diagnostics you prescribed. I understand that if I run CCleaner, ComboFix and HijackThis and post the three results you can maybe assist in cleaning this mess up and return the system to some form of stability? Great. I will attempt the three files and post as requested. Currently the system won't go to the internet and USB is not working so a thumbdrive is not an option. I will burn the files to CD and carry over to another system--you can see how difficult this is getting. Thanks for your patience

#8 Simon V.


Posted 18 January 2008 - 10:35 AM

Hi :) I understand you're having a difficult time. Seeing how unstable the computer is at the moment, it could very well become inaccessible. I therefore recommend that you back up your data files (do not back up .dll, .exe, .scr, .bat, .cmd, .vbs, .sys files) to a CD or DVD. This is purely a precautionary measure, I'm fairly sure we'll be able to clean out all infections present on the system.
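
The backup rule from post #8, written out as a script. This is an added example, not part of the original thread: the function names and the sample file tree are constructed for illustration, and it goes slightly beyond the post by matching extensions case-insensitively and by ignoring the trailing dots and spaces that Windows drops from file names.

```python
import os
import shutil
import tempfile

# Extensions the post says not to back up.
EXCLUDED_EXTENSIONS = {".dll", ".exe", ".scr", ".bat", ".cmd", ".vbs", ".sys"}


def effective_extension(filename):
    """Return the lower-cased extension Windows would act on.

    The Win32 API strips trailing dots and spaces from a file name, so a
    file written as "setup.exe. " is opened as "setup.exe". Only the last
    extension counts, so "trip.jpg.exe" is an .exe.
    """
    cleaned = filename.rstrip(". ")
    if "." not in cleaned:
        return ""
    return "." + cleaned.rpartition(".")[2].lower()


def is_data_file(filename):
    """True when the file is allowed into the backup set."""
    return effective_extension(filename) not in EXCLUDED_EXTENSIONS


def plan_backup(source_root):
    """Walk source_root and return (to_copy, skipped) as relative paths."""
    to_copy, skipped = [], []
    for dirpath, dirnames, filenames in os.walk(source_root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            rel = os.path.relpath(os.path.join(dirpath, name), source_root)
            (to_copy if is_data_file(name) else skipped).append(rel)
    return to_copy, skipped


def run_backup(source_root, dest_root):
    """Copy only the allowed files, preserving the directory layout."""
    to_copy, skipped = plan_backup(source_root)
    for rel in to_copy:
        target = os.path.join(dest_root, rel)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.copy2(os.path.join(source_root, rel), target)
    return to_copy, skipped


def demo():
    """Build a constructed sample tree, back it up, and report the result."""
    sample_files = [  # constructed sample names, not taken from the thread
        "letter.doc",
        "notes.txt",
        os.path.join("photos", "trip.JPG"),
        os.path.join("photos", "trip.jpg.exe"),
        os.path.join("tools", "SETUP.EXE"),
        os.path.join("tools", "run.Cmd"),
    ]
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "My Documents")
        dst = os.path.join(tmp, "backup")
        for rel in sample_files:
            path = os.path.join(src, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as handle:
                handle.write("sample\n")
        _, skipped = run_backup(src, dst)
        # List what actually landed in the backup directory.
        backed_up = sorted(
            os.path.relpath(os.path.join(dirpath, name), dst)
            for dirpath, _, names in os.walk(dst)
            for name in names
        )
        return backed_up, skipped


if __name__ == "__main__":
    backed_up, skipped = demo()
    print("Backed up:", backed_up)
    print("Skipped:  ", skipped)
```

Reviewing the skipped list before burning the disc shows which files were left behind and why.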

#9 patnhank


Posted 18 January 2008 - 08:58 PM

Simon V,
Ok, limped through the bootup and all the procedures I hope. Able to run CCleaner, ComboFix and HijackThis all smoothly. Unsure if you want the text files here or uploaded. I looked at these in preview and all mixed up, therefore I will post separated by ----------------------------
Best wishes in finding a solution in all this mess, I appreciate your help.
very respectfully
Hank


Really loving ALL the posXXX.tmp files, removed over 5K so far
--------------
install.txt
µTorrent
6200
6200_Help
6200Trb
Adobe Flash Player 9 ActiveX
Adobe Photoshop Elements 3.0
Adobe Reader 8.1.1
Adobe® Photoshop® Elements 3.0
AiO_Scan
AiOSoftware
ATI - Software Uninstall Utility
ATI Display Driver
Auto Gordian Knot 2.45
AVG Anti-Spyware 7.5
Avira AntiVir PersonalEdition Classic
AviSynth 2.5
BitDefender Free Edition v10
BufferChm
CCleaner (remove only)
Click'N Design 3D
C-Media WDM Audio Driver
Codec Pack - All In 1 6.0.3.0
Destinations
Director
Documents To Go
DVDFab Platinum 4.0.1.2
ebgcInfra
ebgcRes
ebgcSDK
EVEREST Home Edition v2.20
Fax
Google Earth
Google Toolbar for Internet Explorer
Greetings Workshop
HijackThis 2.0.2
HP Image Zone 4.7
HP Photosmart Essential
HP Product Assistant
HP PSC & OfficeJet 4.7
HP Software Update
HPSystemDiagnostics
ICS Viewer 6.0
iPod for Windows 2005-09-23
iRiver Manager
iRiver Updater
iTunes
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 3
Java™ 6 Update 2
Java™ 6 Update 3
Java™ SE Runtime Environment 6 Update 1
Keynote Connector
LimeWire 4.14.10
LiveUpdate 1.7 (Symantec Corporation)
Logitech Harmony Remote Software 7
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft FrontPage 2002
Microsoft Office XP Professional
Microsoft User-Mode Driver Framework Feature Pack 1.0
mIRC
Move Networks Media Player for Internet Explorer
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Multimedia Card Reader
Norton Security Scan
OLYMPUS CAMEDIA Master 4.1
OLYMPUS xD USB Reader/Writer
ProductContext
ProStores Store Monitor (remove only)
QFolder
Quicken 2007
Quicken SE 6
QuickTime
Readme
RegCure 1.3.0.2
Remote Control USB Driver
Scan
ScannerCopy
Security Update for Windows XP (KB923789)
SmartFTP Client 2.5.1007.0
SopCast 2.0.4
Steam™
Symantec AntiVirus Client
TrayApp
Unload
Veo Connect
Veo Digital Studio
VobSub v2.23 (Remove Only)
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Presentation Foundation
WinRAR archiver
XviD MPEG4 Video Codec (remove only)
Zuma Deluxe 1.0
-------------------------

Combofix.txt
ComboFix 08-01-18.5 - mama 2008-01-18 20:11:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.568 [GMT -6:00]
Running from: C:\Documents and Settings\mama\Desktop\ComboFix.exe
.
The following files were disabled during the run:
C:\WINDOWS\system32\sockspy.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\My Documents\pos32A.tmp
C:\Documents and Settings\Administrator\My Documents\pos32B.tmp
C:\Documents and Settings\Administrator\My Documents\pos32C.tmp
C:\Documents and Settings\Administrator\My Documents\pos32D.tmp
C:\Documents and Settings\Administrator\My Documents\pos32E.tmp
C:\Documents and Settings\Administrator\My Documents\pos32F.tmp
C:\Documents and Settings\Administrator\My Documents\pos330.tmp
C:\Documents and Settings\Administrator\My Documents\pos331.tmp
C:\Documents and Settings\Administrator\My Documents\pos332.tmp
C:\Documents and Settings\Administrator\My Documents\pos333.tmp
C:\Documents and Settings\Administrator\My Documents\pos334.tmp
C:\Documents and Settings\Administrator\My Documents\pos335.tmp
C:\Documents and Settings\Administrator\My Documents\pos336.tmp
C:\Documents and Settings\Administrator\My Documents\pos337.tmp
C:\Documents and Settings\Administrator\My Documents\pos338.tmp
C:\Documents and Settings\Administrator\My Documents\pos339.tmp
C:\Documents and Settings\Administrator\My Documents\pos33A.tmp
C:\Documents and Settings\Administrator\My Documents\pos33B.tmp
C:\Documents and Settings\Administrator\My Documents\pos33C.tmp
C:\Documents and Settings\Administrator\My Documents\pos33D.tmp
C:\Documents and Settings\Administrator\My Documents\pos33E.tmp
C:\Documents and Settings\Administrator\My Documents\pos33F.tmp
C:\Documents and Settings\Administrator\My Documents\pos340.tmp
C:\Documents and Settings\Administrator\My Documents\pos341.tmp
C:\Documents and Settings\Administrator\My Documents\pos342.tmp
C:\Documents and Settings\Administrator\My Documents\pos343.tmp
C:\Documents and Settings\Administrator\My Documents\pos344.tmp
C:\Documents and Settings\Administrator\My Documents\pos345.tmp
C:\Documents and Settings\Administrator\My Documents\pos346.tmp
C:\Documents and Settings\Administrator\My Documents\pos347.tmp
C:\Documents and Settings\Administrator\My Documents\pos348.tmp
C:\Documents and Settings\Administrator\My Documents\pos349.tmp
C:\Documents and Settings\Administrator\My Documents\pos34A.tmp
C:\Documents and Settings\Administrator\My Documents\pos34B.tmp
C:\Documents and Settings\Administrator\My Documents\pos34C.tmp
C:\Documents and Settings\Administrator\My Documents\pos34D.tmp
C:\Documents and Settings\Administrator\My Documents\pos34E.tmp
C:\Documents and Settings\Administrator\My Documents\pos34F.tmp
C:\Documents and Settings\Administrator\My Documents\pos350.tmp
C:\Documents and Settings\Administrator\My Documents\pos351.tmp
C:\Documents and Settings\Administrator\My Documents\pos352.tmp
C:\Documents and Settings\Administrator\My Documents\pos353.tmp
C:\Documents and Settings\Administrator\My Documents\pos354.tmp
C:\Documents and Settings\Administrator\My Documents\pos355.tmp
C:\Documents and Settings\Administrator\My Documents\pos356.tmp
C:\Documents and Settings\Administrator\My Documents\pos357.tmp
C:\Documents and Settings\Administrator\My Documents\pos358.tmp
C:\Documents and Settings\Administrator\My Documents\pos359.tmp
C:\Documents and Settings\Administrator\My Documents\pos35A.tmp
C:\Documents and Settings\Administrator\My Documents\pos35B.tmp
C:\Documents and Settings\Administrator\My Documents\pos35C.tmp
C:\Documents and Settings\Administrator\My Documents\pos35D.tmp
C:\Documents and Settings\Administrator\My Documents\pos35E.tmp
C:\Documents and Settings\Administrator\My Documents\pos35F.tmp
C:\Documents and Settings\Administrator\My Documents\pos360.tmp
C:\Documents and Settings\Administrator\My Documents\pos361.tmp
C:\Documents and Settings\Administrator\My Documents\pos362.tmp
C:\Documents and Settings\Administrator\My Documents\pos363.tmp
C:\Documents and Settings\Administrator\My Documents\pos364.tmp
C:\Documents and Settings\Administrator\My Documents\pos365.tmp
C:\Documents and Settings\Administrator\My Documents\pos366.tmp
C:\Documents and Settings\Administrator\My Documents\pos367.tmp
C:\Documents and Settings\Administrator\My Documents\pos368.tmp
C:\Documents and Settings\Administrator\My Documents\pos369.tmp
C:\Documents and Settings\Administrator\My Documents\pos36A.tmp
C:\Documents and Settings\Administrator\My Documents\pos36B.tmp
C:\Documents and Settings\Administrator\My Documents\pos36C.tmp
C:\Documents and Settings\Administrator\My Documents\pos36D.tmp
C:\Documents and Settings\Administrator\My Documents\pos36E.tmp
C:\Documents and Settings\Administrator\My Documents\pos36F.tmp
C:\Documents and Settings\Administrator\My Documents\pos370.tmp
C:\Documents and Settings\Administrator\My Documents\pos371.tmp
C:\Documents and Settings\Administrator\My Documents\pos372.tmp
C:\Documents and Settings\Administrator\My Documents\pos373.tmp
C:\Documents and Settings\Administrator\My Documents\pos374.tmp
C:\Documents and Settings\Administrator\My Documents\pos375.tmp
C:\Documents and Settings\Administrator\My Documents\pos376.tmp
C:\Documents and Settings\Administrator\My Documents\pos377.tmp
C:\Documents and Settings\Administrator\My Documents\pos378.tmp
C:\Documents and Settings\Administrator\My Documents\pos379.tmp
C:\Documents and Settings\Administrator\My Documents\pos37A.tmp
C:\Documents and Settings\Administrator\My Documents\pos37B.tmp
C:\Documents and Settings\Administrator\My Documents\pos37C.tmp
C:\Documents and Settings\Administrator\My Documents\pos37D.tmp
C:\Documents and Settings\Administrator\My Documents\pos37E.tmp
C:\Documents and Settings\Administrator\My Documents\pos37F.tmp
C:\Documents and Settings\Administrator\My Documents\pos380.tmp
C:\Documents and Settings\Administrator\My Documents\pos381.tmp
C:\Documents and Settings\Administrator\My Documents\pos382.tmp
C:\Documents and Settings\Administrator\My Documents\pos383.tmp
C:\Documents and Settings\Administrator\My Documents\pos384.tmp
C:\Documents and Settings\Administrator\My Documents\pos385.tmp
C:\Documents and Settings\Administrator\My Documents\pos386.tmp
C:\Documents and Settings\Administrator\My Documents\pos387.tmp
C:\Documents and Settings\Administrator\My Documents\pos388.tmp
C:\Documents and Settings\Administrator\My Documents\pos389.tmp
C:\Documents and Settings\Administrator\My Documents\pos38A.tmp
C:\Documents and Settings\Administrator\My Documents\pos38B.tmp
C:\Documents and Settings\Administrator\My Documents\pos38C.tmp
C:\Documents and Settings\Administrator\My Documents\pos38D.tmp
C:\Documents and Settings\Administrator\My Documents\pos38E.tmp
C:\Documents and Settings\Administrator\My Documents\pos38F.tmp
C:\Documents and Settings\Administrator\My Documents\pos390.tmp
C:\Documents and Settings\Administrator\My Documents\pos391.tmp
C:\Documents and Settings\Administrator\My Documents\pos392.tmp
C:\Documents and Settings\Administrator\My Documents\pos393.tmp
C:\Documents and Settings\Administrator\My Documents\pos394.tmp
C:\Documents and Settings\Administrator\My Documents\pos395.tmp
C:\Documents and Settings\Administrator\My Documents\pos396.tmp
C:\Documents and Settings\Administrator\My Documents\pos397.tmp
C:\Documents and Settings\Administrator\My Documents\pos398.tmp
C:\Documents and Settings\Administrator\My Documents\pos399.tmp
C:\Documents and Settings\Administrator\My Documents\pos39A.tmp
C:\Documents and Settings\Administrator\My Documents\pos39B.tmp
C:\Documents and Settings\Administrator\My Documents\pos39C.tmp
C:\Documents and Settings\Administrator\My Documents\pos39D.tmp
C:\Documents and Settings\Administrator\My Documents\pos39E.tmp
C:\Documents and Settings\Administrator\My Documents\pos39F.tmp
C:\Documents and Settings\Administrator\My Documents\pos3A0.tmp
C:\Documents and Settings\Administrator\My Documents\pos3A1.tmp
C:\Documents and Settings\Administrator\My Documents\pos3A2.tmp
C:\Documents and Settings\Administrator\My Documents\pos3A3.tmp
C:\Documents and Settings\Administrator\My Documents\pos3A4.tmp
C:\Documents and Settings\Administrator\My Documents\pos3A5.tmp
C:\Documents and Settings\Administrator\My Documents\pos3A6.tmp
C:\Documents and Settings\Administrator\My Documents\pos3A7.tmp
C:\Documents and Settings\Administrator\My Documents\pos3A8.tmp
C:\Documents and Settings\Administrator\My Documents\pos3A9.tmp
C:\Documents and Settings\Administrator\My Documents\pos3AA.tmp
C:\Documents and Settings\Administrator\My Documents\pos3AB.tmp
C:\Documents and Settings\Administrator\My Documents\pos3AC.tmp
C:\Documents and Settings\Administrator\My Documents\pos3AD.tmp
C:\Documents and Settings\Administrator\My Documents\pos3AE.tmp
C:\Documents and Settings\Administrator\My Documents\pos3AF.tmp
C:\Documents and Settings\Administrator\My Documents\pos3B0.tmp
C:\Documents and Settings\Administrator\My Documents\pos3B1.tmp
C:\Documents and Settings\Administrator\My Documents\pos3B2.tmp
C:\Documents and Settings\Administrator\My Documents\pos3B3.tmp
C:\Documents and Settings\Administrator\My Documents\pos3B4.tmp
C:\Documents and Settings\Administrator\My Documents\pos3B5.tmp
C:\Documents and Settings\Administrator\My Documents\pos3B6.tmp
C:\Documents and Settings\Administrator\My Documents\pos3B7.tmp
C:\Documents and Settings\Administrator\My Documents\pos3B8.tmp
C:\Documents and Settings\Administrator\My Documents\pos3B9.tmp
C:\Documents and Settings\Administrator\My Documents\pos3BA.tmp
C:\Documents and Settings\Administrator\My Documents\pos3BB.tmp
C:\Documents and Settings\Administrator\My Documents\pos3BC.tmp
C:\Documents and Settings\Administrator\My Documents\pos3BD.tmp
C:\Documents and Settings\Administrator\My Documents\pos3BE.tmp
C:\Documents and Settings\Administrator\My Documents\pos3BF.tmp
C:\Documents and Settings\Administrator\My Documents\pos3C0.tmp
C:\Documents and Settings\Administrator\My Documents\pos3C1.tmp
C:\Documents and Settings\Administrator\My Documents\pos3C2.tmp
C:\Documents and Settings\Administrator\My Documents\pos3C3.tmp
C:\Documents and Settings\Administrator\My Documents\pos3C4.tmp
C:\Documents and Settings\Administrator\My Documents\pos3C5.tmp
C:\Documents and Settings\Administrator\My Documents\pos3C6.tmp
C:\Documents and Settings\Administrator\My Documents\pos3C7.tmp
C:\Documents and Settings\Administrator\My Documents\pos3C8.tmp
C:\Documents and Settings\Administrator\My Documents\pos3C9.tmp
C:\Documents and Settings\Administrator\My Documents\pos3CA.tmp
C:\Documents and Settings\Administrator\My Documents\pos3CB.tmp
C:\Documents and Settings\Administrator\My Documents\pos3CC.tmp
C:\Documents and Settings\Administrator\My Documents\pos3CD.tmp
C:\Documents and Settings\Administrator\My Documents\pos3CE.tmp
C:\Documents and Settings\Administrator\My Documents\pos3CF.tmp
C:\Documents and Settings\Administrator\My Documents\pos3D0.tmp
C:\Documents and Settings\Administrator\My Documents\pos3D1.tmp
C:\Documents and Settings\Administrator\My Documents\pos3D2.tmp
C:\Documents and Settings\Administrator\My Documents\pos3D3.tmp
C:\Documents and Settings\Administrator\My Documents\pos3D4.tmp
C:\Documents and Settings\Administrator\My Documents\pos3D5.tmp
C:\Documents and Settings\Administrator\My Documents\pos3D6.tmp
C:\Documents and Settings\Administrator\My Documents\pos3D7.tmp
C:\Documents and Settings\Administrator\My Documents\pos3D8.tmp
C:\Documents and Settings\Administrator\My Documents\pos3D9.tmp
C:\Documents and Settings\Administrator\My Documents\pos3DA.tmp
C:\Documents and Settings\Administrator\My Documents\pos3DB.tmp
C:\Documents and Settings\Administrator\My Documents\pos3DC.tmp
C:\Documents and Settings\Administrator\My Documents\pos3DD.tmp
C:\Documents and Settings\Administrator\My Documents\pos3DE.tmp
C:\Documents and Settings\Administrator\My Documents\pos3DF.tmp
C:\Documents and Settings\Administrator\My Documents\pos3E0.tmp
C:\Documents and Settings\Administrator\My Documents\pos3E1.tmp
C:\Documents and Settings\Administrator\My Documents\pos3E2.tmp
C:\Documents and Settings\Administrator\My Documents\pos3E3.tmp
C:\Documents and Settings\Administrator\My Documents\pos3E4.tmp
C:\Documents and Settings\Administrator\My Documents\pos3E5.tmp
C:\Documents and Settings\Administrator\My Documents\pos3E6.tmp
C:\Documents and Settings\Administrator\My Documents\pos3E7.tmp
C:\Documents and Settings\Administrator\My Documents\pos3E8.tmp
C:\Documents and Settings\Administrator\My Documents\pos3E9.tmp
C:\Documents and Settings\Administrator\My Documents\pos3EA.tmp
C:\Documents and Settings\Administrator\My Documents\pos3EB.tmp
C:\Documents and Settings\Administrator\My Documents\pos3EC.tmp
C:\Documents and Settings\Administrator\My Documents\pos3ED.tmp
C:\Documents and Settings\Administrator\My Documents\pos3EE.tmp
C:\Documents and Settings\Administrator\My Documents\pos3EF.tmp
C:\Documents and Settings\Administrator\My Documents\pos3F0.tmp
C:\Documents and Settings\Administrator\My Documents\pos3F1.tmp
C:\Documents and Settings\Administrator\My Documents\pos3F2.tmp
C:\Documents and Settings\Administrator\My Documents\pos3F3.tmp
C:\Documents and Settings\Administrator\My Documents\pos3F4.tmp
C:\Documents and Settings\Administrator\My Documents\pos3F5.tmp
C:\Documents and Settings\Administrator\My Documents\pos3F6.tmp
C:\Documents and Settings\Administrator\My Documents\pos3F7.tmp
C:\Documents and Settings\Administrator\My Documents\pos3F8.tmp
C:\Documents and Settings\Administrator\My Documents\pos3F9.tmp
C:\Documents and Settings\Administrator\My Documents\pos3FA.tmp
C:\Documents and Settings\Administrator\My Documents\pos3FB.tmp
C:\Documents and Settings\Administrator\My Documents\pos3FC.tmp
C:\Documents and Settings\Administrator\My Documents\pos3FD.tmp
C:\Documents and Settings\Administrator\My Documents\pos3FE.tmp
C:\Documents and Settings\Administrator\My Documents\pos3FF.tmp
C:\Documents and Settings\Administrator\My Documents\pos400.tmp
C:\Documents and Settings\Administrator\My Documents\pos401.tmp
C:\Documents and Settings\Administrator\My Documents\pos402.tmp
C:\Documents and Settings\Administrator\My Documents\pos403.tmp
C:\Documents and Settings\Administrator\My Documents\pos404.tmp
C:\Documents and Settings\Administrator\My Documents\pos405.tmp
C:\Documents and Settings\Administrator\My Documents\pos406.tmp
C:\Documents and Settings\Administrator\My Documents\pos407.tmp
C:\Documents and Settings\Administrator\My Documents\pos408.tmp
C:\Documents and Settings\Administrator\My Documents\pos409.tmp
C:\Documents and Settings\Administrator\My Documents\pos40A.tmp
C:\Documents and Settings\Administrator\My Documents\pos40B.tmp
C:\Documents and Settings\Administrator\My Documents\pos40C.tmp
C:\Documents and Settings\Administrator\My Documents\pos40D.tmp
C:\Documents and Settings\Administrator\My Documents\pos40E.tmp
C:\Documents and Settings\Administrator\My Documents\pos40F.tmp
C:\Documents and Settings\Administrator\My Documents\pos410.tmp
C:\Documents and Settings\Administrator\My Documents\pos411.tmp
C:\Documents and Settings\Administrator\My Documents\pos412.tmp
C:\Documents and Settings\Administrator\My Documents\pos413.tmp
C:\Documents and Settings\pops\Application Data\inst.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt .exe
C:\Program Files\Common Files\Yazzle1848OinUninstaller.exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\Multimedia Card Reader\shwicon2k .exe
C:\Program Files\quicken se\BILLMIND .EXE
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe
C:\WINDOWS\sks~1
C:\WINDOWS\sks~1\??sks\
C:\WINDOWS\system32\crathqet.ini
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\dccdd.ini
C:\WINDOWS\system32\dccdd.ini2
C:\WINDOWS\system32\ddccd.dll
C:\WINDOWS\system32\ddccd.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ntgtoxoy.ini
C:\WINDOWS\system32\ryqsijuy.ini
C:\WINDOWS\system32\sgyttzhg.dllbox
C:\WINDOWS\system32\windows

<pre>
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt .exe ---> QooBox
C:\Program Files\Messenger\msmsgs .exe ---> QooBox
C:\Program Files\Multimedia Card Reader\shwicon2k .exe ---> QooBox
C:\Program Files\quicken se\BILLMIND .EXE ---> QooBox
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe ---> QooBox
C:\WINDOWS\system32\ctfmon .exe ---> QooBox
</pre>
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_IPRIP
-------\DomainService
-------\Iprip


((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19 )))))))))))))))))))))))))))))))
.

2008-01-18 20:10 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-18 19:35 . 2001-08-23 05:00 237,728 -r-hs---- C:\cmldr
2008-01-18 19:35 . 2008-01-15 07:19 194 --ahs---- C:\BOOT.BAK
2008-01-15 22:14 . 2008-01-15 22:18 <DIR> d-------- C:\Documents and Settings\mama\Application Data\uTorrent
2008-01-15 21:09 . 2008-01-18 20:17 1,072,517,120 --a------ C:\WINDOWS\MEMORY.DMP
2008-01-15 09:24 . 2003-08-25 18:06 182,880 --a------ C:\WINDOWS\system32\iuengine.dll
2008-01-15 09:24 . 2003-08-25 18:06 182,880 --a--c--- C:\WINDOWS\system32\dllcache\iuengine.dll
2008-01-15 07:46 . 2001-08-23 05:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-01-15 07:45 . 2001-08-23 05:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-01-15 07:24 . 2008-01-15 07:24 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-01-15 07:09 . 2008-01-14 20:11 17,920 --a------ C:\WINDOWS\system32\drivers\usbehci.sys
2008-01-15 07:04 . 2001-08-17 12:13 27,165 --a------ C:\WINDOWS\system32\drivers\fetnd5.sys
2008-01-15 07:01 . 2001-08-23 05:00 1,085,913 -ra------ C:\WINDOWS\SETD6.tmp
2008-01-15 07:01 . 2001-08-23 05:00 13,608 -ra------ C:\WINDOWS\SETE2.tmp
2008-01-14 20:18 . 2001-08-17 13:59 50,048 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2008-01-14 20:01 . 2001-08-23 05:00 1,085,913 -ra------ C:\WINDOWS\SETD4.tmp
2008-01-14 20:01 . 2001-08-23 05:00 13,608 -ra------ C:\WINDOWS\SETE0.tmp
2008-01-14 19:48 . 2001-08-23 05:00 2,479,104 --a--c--- C:\WINDOWS\system32\dllcache\msoeres.dll
2008-01-14 19:45 . 2001-08-23 05:00 1,266,688 --a--c--- C:\WINDOWS\system32\dllcache\cimwin32.dll
2008-01-14 19:40 . 2001-08-17 14:07 83,712 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2008-01-14 19:40 . 2001-08-17 14:07 18,560 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2008-01-14 19:40 . 2001-08-17 14:07 16,256 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2008-01-14 19:40 . 2001-08-17 13:48 4,992 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2008-01-14 19:39 . 2001-08-17 14:00 24,832 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-01-14 19:38 . 2001-08-17 13:51 55,808 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-01-14 19:38 . 2001-08-17 13:53 13,824 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-01-14 19:37 . 2001-08-17 22:37 117,248 --a------ C:\WINDOWS\system32\ksproxy.ax
2008-01-14 19:37 . 2001-08-17 22:37 84,992 --a------ C:\WINDOWS\system32\kswdmcap.ax
2008-01-14 19:37 . 2001-08-17 22:37 55,808 --a------ C:\WINDOWS\system32\kstvtune.ax
2008-01-14 19:37 . 2001-08-17 22:36 49,664 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2008-01-14 19:37 . 2001-08-17 22:37 38,912 --a------ C:\WINDOWS\system32\ksxbar.ax
2008-01-14 19:37 . 2001-08-17 22:37 18,944 --a------ C:\WINDOWS\system32\dshowext.ax
2008-01-14 19:37 . 2001-08-17 22:36 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2008-01-14 19:11 . 2001-08-17 13:50 181,632 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2008-01-14 19:11 . 2001-08-17 22:38 37,896 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2008-01-14 19:10 . 2001-08-23 05:00 696,320 --a--c--- C:\WINDOWS\system32\dllcache\sapi.dll
2008-01-14 19:10 . 2001-08-23 05:00 147,456 --a--c--- C:\WINDOWS\system32\dllcache\sapi.cpl
2008-01-14 19:10 . 2001-08-23 05:00 131,584 --a------ C:\WINDOWS\system\WINSPOOL.DRV
2008-01-14 19:10 . 2001-08-17 22:36 70,656 --a------ C:\WINDOWS\system32\storprop.dll
2008-01-14 19:10 . 2001-08-23 05:00 10,496 --a------ C:\WINDOWS\system32\drivers\irenum.sys
2008-01-14 19:10 . 2001-08-23 05:00 10,496 --a--c--- C:\WINDOWS\system32\dllcache\irenum.sys
2008-01-14 19:09 . 2001-08-23 05:00 1,085,913 -ra------ C:\WINDOWS\SETD5.tmp
2008-01-14 19:09 . 2001-08-23 05:00 13,608 -ra------ C:\WINDOWS\SETE1.tmp
2008-01-13 00:37 . 2008-01-13 00:37 <DIR> d-------- C:\Documents and Settings\pops\Application Data\Bitdefender
2008-01-12 21:34 . 2008-01-12 21:34 <DIR> d-------- C:\Program Files\Avira
2008-01-12 21:34 . 2008-01-12 21:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-01-12 19:41 . 2008-01-12 19:41 <DIR> d-------- C:\Documents and Settings\cole\Application Data\Bitdefender
2008-01-12 15:07 . 2008-01-12 15:07 <DIR> d-------- C:\Documents and Settings\alek\Application Data\Bitdefender
2008-01-12 14:43 . 2008-01-18 20:15 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-01-12 14:37 . 2008-01-12 14:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-01-01 15:32 . 2008-01-01 15:33 <DIR> d-------- C:\Documents and Settings\pops\Application Data\Vso
2008-01-01 15:32 . 2008-01-01 15:32 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-01-01 15:32 . 2008-01-01 15:32 47,360 --a------ C:\Documents and Settings\pops\Application Data\pcouffin.sys
2007-12-31 10:14 . 2008-01-15 07:43 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2007-12-31 10:14 . 2008-01-15 07:43 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2007-12-29 10:18 . 2007-12-29 10:18 43,698 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
2007-12-28 14:54 . 2007-12-28 14:54 <DIR> d-------- C:\Program Files\ATI Technologies
2007-12-21 16:03 . 2007-12-21 16:03 <DIR> d-------- C:\Program Files\MSBuild
2007-12-21 15:57 . 2007-12-28 16:19 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-12-21 15:55 . 2007-12-21 15:55 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-12-21 15:54 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2007-12-21 15:41 . 2007-12-21 15:41 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-21 13:07 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002661_.tmp
2007-12-21 11:41 . 2001-08-23 05:00 209,408 --a--c--- C:\WINDOWS\system32\dllcache\icwconn1.exe
2007-12-21 11:41 . 2001-08-23 05:00 77,824 --a--c--- C:\WINDOWS\system32\dllcache\icwconn2.exe
2007-12-21 11:41 . 2001-08-23 05:00 24,576 --a--c--- C:\WINDOWS\system32\dllcache\icwdl.dll
2007-12-21 11:41 . 2001-08-23 05:00 20,480 --a--c--- C:\WINDOWS\system32\dllcache\inetwiz.exe
2007-12-21 11:41 . 2001-08-23 05:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2007-12-21 11:33 . 2004-11-17 11:41 347,136 --a------ C:\WINDOWS\system32\hypertrm.dll
2007-12-21 11:04 . 2001-08-23 05:00 1,085,913 -ra------ C:\WINDOWS\SETC7.tmp
2007-12-21 11:04 . 2001-08-23 05:00 13,608 -ra------ C:\WINDOWS\SETD3.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 02:14 --------- d-----w C:\Program Files\quicken se
2008-01-19 02:14 --------- d-----w C:\Program Files\Multimedia Card Reader
2008-01-16 04:14 --------- d-----w C:\Program Files\Norton Security Scan
2008-01-11 02:53 --------- d-----w C:\Program Files\MSN Messenger
2008-01-06 03:18 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-04 03:17 --------- d-----w C:\Documents and Settings\pops\Application Data\uTorrent
2007-12-31 18:46 --------- d-----w C:\Documents and Settings\pops\Application Data\U3
2007-12-28 21:45 --------- d-----w C:\Program Files\Google
2007-12-28 20:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-16 22:31 79,784 ----a-w C:\Documents and Settings\pops\Application Data\GDIPFONTCACHEV1.DAT
2007-12-08 23:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2007-12-05 05:26 2,782,208 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-12-05 02:16 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2007-12-01 21:05 --------- d-----w C:\Program Files\Codec Pack - All In 1
2007-12-01 21:04 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-11-24 17:46 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-22 02:07 --------- d-----w C:\Program Files\uTorrent
2007-10-19 13:22 68,336 ----a-w C:\Documents and Settings\mama\Application Data\GDIPFONTCACHEV1.DAT
2007-02-27 23:23 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.
<pre>
----a-w			68,856 2008-01-04 22:18:17  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w		   132,496 2007-12-28 21:46:17  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w		 5,674,352 2008-01-03 17:32:41  C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w		   300,856 2008-01-04 22:18:13  C:\Program Files\ProStores\StoreMonitor\StoreMonitor .exe
----a-w			69,632 2008-01-13 06:37:24  C:\Program Files\Softwin\BitDefender10\bdagent .exe
----a-w		   290,816 2008-01-13 06:37:16  C:\Program Files\Softwin\BitDefender10\bdmcon .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2008-01-18 19:49 13312]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"!AVG Anti-Spyware"="F:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]
"vptray"="F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-01-14 17:02 77824]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxwvvu]
byxwvvu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sgyttzhg]
sgyttzhg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\980ab8f2]
C:\WINDOWS\system32\yoxotgtn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\ddccd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rsri]
C:\WINDOWS\SKS~1\ati2evxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)

R0 viasraid;viasraid;C:\WINDOWS\System32\DRIVERS\viasraid.sys [2003-10-30 21:22]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;F:\Program Files\Photoshop Elements\PhotoshopElementsFileAgent.exe [2004-10-04 04:47]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;F:\Program Files\Photoshop Elements\PhotoshopElementsDeviceConnect.exe [2004-10-04 03:40]
R3 XIRLINK;Veo PC Camera;C:\WINDOWS\System32\DRIVERS\ucdnt.sys [2002-03-12 20:50]
S3 3c1807pd;U.S. Robotics V.92 Fax Win Int;C:\WINDOWS\System32\DRIVERS\3c1807pd.sys [2005-11-18 20:02]
S3 AdWatchDrv;AW Realtime Driver;C:\WINDOWS\system32\drivers\AWRTPD.sys []
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 07:05]
S3 PsSdk30;PsSdk30;C:\WINDOWS\system32\Drivers\PsSdk30.drv []
S3 SunkFilt6;Alcor Micro Corp - 6360;C:\WINDOWS\System32\Drivers\sunkfilt6.sys []
S3 SunkFilt62;Alcor Micro Corp - 6362;C:\WINDOWS\System32\Drivers\sunkfilt62.sys [2004-07-23 13:55]
S3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\System32\DRIVERS\USRpdA.sys [2001-08-17 07:28]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-04 21:00:00 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2008-01-19 02:23:19 C:\WINDOWS\Tasks\RegCure Program Check.job"
- f:\Program Files\RegCure\RegCure.exe
"2008-01-13 15:44:24 C:\WINDOWS\Tasks\RegCure.job"
- f:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 20:23:48
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2600.0000]
-> C:\WINDOWS\System32\sockspy.dll
.
Completion time: 2008-01-18 20:27:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-19 02:26:58
.
2008-01-11 02:25:28 --- E O F ---
-------------------------------------------------------------------------------------------------------
HijackThis file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:37:27 PM, on 1/18/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Photoshop Elements\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
F:\Program Files\AVG Anti-Spyware 7.5\guard.exe
F:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
F:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
F:\Program Files\Photoshop Elements\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
F:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115w.bay115...es/MsnPUpld.cab
O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective....torLauncher.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1171839184374
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {F73BE1F4-82AA-4405-AB81-FAFB5A122359} (SiteBuilderEditor Class) - http://stores.homest...es/pssbedit.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6764B366-2522-4F27-9DDF-EE12C8361D53}: NameServer = 192.168.2.1
O20 - Winlogon Notify: byxwvvu - byxwvvu.dll (file missing)
O20 - Winlogon Notify: sgyttzhg - sgyttzhg.dll (file missing)
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - F:\Program Files\Photoshop Elements\PhotoshopElementsFileAgent.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: DefWatch - Symantec Corporation - F:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - F:\Program Files\Photoshop Elements\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 7037 bytes





Attached files: install.txt (2.46KB), ComboFix.txt (46.34KB), hijackthis_18_Jan_08.txt (6.87KB)

#10 Simon V.

Posted 19 January 2008 - 08:21 AM

Hi :)

Why don't you have any Windows Security Updates installed?

You are operating your computer with multiple Anti-Virus programs running in memory at once:

Avira AntiVir PersonalEdition Classic
BitDefender Free Edition v10
Norton Security Scan
Symantec AntiVirus Client


Anti-Virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two Anti-Virus programs running at the same time can cause your computer to run very slow, become unstable and even crash.

Please uninstall (Click on Start, then Control Panel. Double click on Add or Remove Programs) all but one of them.

---------------------------------------------------------

I understand that downloading music and other files may be important to you; however, the Peer-to-Peer programs that you are using to do that, even if they are not infected with malware, will bring malware into your system. Therefore, the chances of you becoming infected again are very high. This obviously can result in disabling your computer and could even lead to someone stealing sensitive personal data from your computer. Beyond the inconvenience this causes you, these programs also tend to use your computer as a server to spread more infection all over the internet, so your computer becomes a part of the malware problem.

Remember that no matter how clean the program you're using for Peer-to-Peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via Peer-to-Peer filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Any program or file that offers you the ability to access non-freeware programs at no cost, e.g., pirated software and/or cracks/key generators for gaining access to legitimate software, is 100% guaranteed to contain malware.

Here is some information that looks at the rates of infection:

http://www.benedelman.org/spyware/p2p/

With that being said, I recommend that you remove the following Peer-to-Peer program(s):

µTorrent
LimeWire 4.14.10


Also remove the following programs:

J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 3
Java™ 6 Update 2
Java™ 6 Update 3
Java™ SE Runtime Environment 6 Update 1


Then download and install Java Runtime Environment (JRE) 6 Update 4.

Step 1

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:

File::

C:\WINDOWS\SETD6.tmp
C:\WINDOWS\SETE2.tmp
C:\WINDOWS\SETD4.tmp
C:\WINDOWS\SETE0.tmp
C:\WINDOWS\SETD5.tmp
C:\WINDOWS\SETE1.tmp
C:\WINDOWS\002661_.tmp
C:\WINDOWS\SETC7.tmp
C:\WINDOWS\SETD3.tmp

Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxwvvu]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sgyttzhg]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\980ab8f2]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rsri]

Driver::

PsSdk30
SunkFilt6

RenV::

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\MSN Messenger\msnmsgr .exe
C:\Program Files\ProStores\StoreMonitor\StoreMonitor .exe
C:\Program Files\Softwin\BitDefender10\bdagent .exe
C:\Program Files\Softwin\BitDefender10\bdmcon .exe

Click on File > Save as....

In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

Click Save (Save the CFScript in the same location as Combofix.exe)

Close any open windows.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.
It will create a log. Be sure to save it to a convenient location.

Step 2

Close all programs before continuing, and try not to run anything during the scan.

Please do an online scan with Kaspersky WebScanner. (You will need to use Internet Explorer to run this scan)

On the welcome screen, click Accept.

You will be prompted to install an ActiveX component from Kaspersky; click Install.

  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:

  • Scan using the following Anti-Virus database:

    Extended (if available, otherwise Standard)

  • Scan Options:

    Scan Archives
    Scan Mail Bases

  • Click OK.
  • Now under Select a Target to Scan:

    Select My Computer.

  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button and save the file to your desktop.

Step 3

In your next reply, please post:

  • the Combofix log (C:\Combofix.txt)
  • the Kaspersky Online Scan report
  • a new HijackThis log
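The cross-check behind Step 1 of the post above, as an added example that is not part of the original thread and is not code from ComboFix or HijackThis: it reads the O20 lines of a HijackThis log and confirms that the CFScript's Registry:: section deletes every Winlogon Notify key whose DLL is reported missing. The sample strings are trimmed copies of lines from this thread, the function names are hypothetical, and the `Name::` directive layout is assumed to be exactly as shown in the post.

```python
import re

# Constructed sample: a few lines trimmed from the HijackThis log and the
# CFScript posted in this thread.
HJT_LOG = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O20 - Winlogon Notify: byxwvvu - byxwvvu.dll (file missing)
O20 - Winlogon Notify: sgyttzhg - sgyttzhg.dll (file missing)
"""
CFSCRIPT = r"""
File::
C:\WINDOWS\SETD6.tmp
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxwvvu]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sgyttzhg]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
Driver::
PsSdk30
"""

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"
O_LINE = re.compile(r"^(O\d+) - (.*)$")
O20_NOTIFY = re.compile(r"^Winlogon Notify: (\S+) - .+?( \(file missing\))?$")

def parse_hjt(log):
    """Group HijackThis entries by section code (O2, O4, O20, ...)."""
    sections = {}
    for line in log.splitlines():
        m = O_LINE.match(line.strip())
        if m:
            sections.setdefault(m.group(1), []).append(m.group(2))
    return sections

def orphaned_notify(sections):
    """Names of O20 Winlogon Notify entries whose DLL is reported missing."""
    hits = (O20_NOTIFY.match(e) for e in sections.get("O20", []))
    return [m.group(1) for m in hits if m and m.group(2)]

def parse_cfscript(text):
    """Split a CFScript into {directive: [lines]} on 'Name::' headers."""
    out, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.endswith("::"):
            current = out.setdefault(line[:-2], [])
        elif line and current is not None:
            current.append(line)
    return out

def uncovered(names, script):
    """Orphaned Notify names with no matching [-key] line under Registry::."""
    deleted = {l[2:-1].lower() for l in script.get("Registry", [])
               if l.startswith("[-") and l.endswith("]")}
    return [n for n in names if (NOTIFY_KEY + "\\" + n).lower() not in deleted]
```

An empty list from `uncovered()` means every orphaned Notify entry in the log has a matching delete line in the script; any name it returns is an entry the script would leave behind.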


#11 patnhank

Posted 19 January 2008 - 09:05 AM

Simon V,
Thanks for the quick response. The lack of SP1 & SP2 is that we have had problems for weeks; my oldest was in the process of diagnosing this mess. At the time the problem very much felt like hardware. Mem faults and intermittent BSOD. He eventually tried a Windows repair as the system was getting more and more unstable. The repair was not much better and IE was still faulty; we were unable to download SP1 & 2. My correspondence with you is via a laptop and thumbdrive. ALL the Anti-Virus is a consequence of the current mess; someone recommended to stay away from the big popular names as they are a more lucrative target.

Which would you recommend keeping? I will delete the rest.

My kids are fans of LimeWire and uTorrent for music and games; I will discuss with them and we will come to an arrangement.

I will run the procedures pasted below this morning and post after breakfast.

Thanks again
Hank

#12 Simon V.

Posted 19 January 2008 - 09:31 AM

Hi :)

I'd recommend keeping Avira AntiVir PersonalEdition Classic. It's a personal preference though, they all should provide sufficient protection.

#13 patnhank

Posted 19 January 2008 - 10:42 AM

Simon V
You indicate to run the Kaspersky WebScan, but I am unable to get to the internet; when I launch IE I get a message:

"Procedure entry point SHRegGetValueW could not be located in the dynamic link library SHLWAPI.dll"

Can you offer a way to get onto internet via IE? Some of the AV programs can in fact access the internet to check for updates and in fact download them; therefore the internet is accessible to some programs.

Please recall that due to the problems we had during the month of December which seemed like hardware, my son got a new motherboard, CPU and some new RAM, these items are not cutting edge but are an upgrade to the hardware currently in the system. Total cost was approx $120 from NewEgg. My point is I might as well install but when? I do NOT want to introduce any MORE variables.

Currently deleting as you indicated, adding the singular Java update (via thumbdrive), but foresee a problem with Kaspersky... awaiting words at your convenience.

Sincerely,
Hank

#14 Simon V.

Posted 19 January 2008 - 11:12 AM

Hi :)

Have you already run the CFScript?

Please do the following:

Copy and paste the text in the code box into Notepad (Go to Start > Run, type Notepad and hit Enter)

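@echo off
rem Remove the results of any earlier run.
if exist C:\findfile.txt del /q C:\findfile*.txt
cd \
rem Search all of C: for copies of SHLWAPI.dll and save the listing.
dir C:\SHLWAPI.dll /s > C:\findfile.txt
rem Open the saved listing.
start C:\findfile.txt
exit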

Go to File > Save As... and save the file as "Look.bat" (including the quotes).

Double-click on Look.bat to run the file.

A Notepad file will open. Please post the contents of that file (C:\findfile.txt) in your next reply.

#15 patnhank

Posted 19 January 2008 - 11:28 AM

Simon V,
Java won't load as SP2 is not installed. I can pull the SP2 file from another computer via burned CD and install. Do I need to do that now, or should I press forward with your indications and then do the SP2 later? I still owe you the CFScript.txt results and Kaspersky results. Do I put all on hold until I run the "look.bat"?

Thanks
Hank
