[Resolved] Help! i'm infected with trojan dropper agent .


This topic is locked
16 replies to this topic

#1 caz86 (New Member, 9 posts)

Posted 21 January 2008 - 04:11 PM

Hi, a couple of weeks ago I got infected with Trojan Dropper Agent .git by a zip file that was sent by MSN Messenger, making it look like it was an innocent message from my friend. After doing several AVG scans I have lots of infected files, and lots of programs won't work, including AVG... I turned off my computer for a while because trying to find a cure was stressing me too much, but now is the time to sort things out! Can anyone give me a helping hand?

The viruses I have (according to the AVG virus vault) are:
Trojan horse dropper agent .git
Trojan horse backdoor.ircbot.CQZ
Trojan horse backdoor.agent.pta
Trojan horse generic9.amqn

The files/programs infected are:
Java, MSN Messenger, iTunes, Sony Ericsson, Nero, QuickTime, Adobe Acrobat, AVG, Broadband Medic, CyberLink PowerDVD, a few system32 files

Because they didn't work, I've now uninstalled some of these; however, kontiki\khost.exe, which runs 4oD, refuses to either uninstall or reinstall because it needs to use the file that AVG has put in the virus vault!

I have been able to reinstall AVG once, which seemed to make it work again, but now it says that the email scanner and resident shield aren't working, and it doesn't want to complete any updates, so I'm guessing it's still infected.

It has also infected System Restore files, so I can't restore to before it was infected.

I have done a HijackThis log, posted below. I'd be very grateful for any help you can give, as I'm really stuck and need to get on with my uni work! Many thanks, Caroline

Logfile of HijackThis v1.99.1
Scan saved at 21:23:46, on 21/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5118DC72-BFD4-44AC-A0A9-421C191DBE39} - C:\WINDOWS\system32\wvuttqn.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {F69196B4-ACB1-466C-BDBC-F0595E06F2C9} - C:\WINDOWS\system32\mljjh.dll (file missing)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...shUKActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://www.kontiki.i...m/bbcfn/kdx.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - http://www.bootsphot...opcuploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wvuttqn - C:\WINDOWS\SYSTEM32\wvuttqn.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

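An added triage example, not part of the original post and not a HijackThis feature: a small Python script that reads lines copied from the log above and flags the patterns a helper checks first. The two entries that stand out in this log are the nameless BHO C:\WINDOWS\system32\wvuttqn.dll (O2) and the same DLL registered as a Winlogon Notify package (O20), which means it is loaded into winlogon.exe at every logon and into Internet Explorer at every start, plus the missing mljjh.dll still referenced by a BHO entry. The allow-list of stock Winlogon Notify DLLs and the heuristics are this example's own assumptions; the sample lines are a subset copied from the posted log.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the HijackThis log in the
# post above, embedded so the script runs offline.
SAMPLE_LOG = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {5118DC72-BFD4-44AC-A0A9-421C191DBE39} - C:\WINDOWS\system32\wvuttqn.dll",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll",
    r"O2 - BHO: (no name) - {F69196B4-ACB1-466C-BDBC-F0595E06F2C9} - C:\WINDOWS\system32\mljjh.dll (file missing)",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP",
    r"O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll",
    r"O20 - Winlogon Notify: wvuttqn - C:\WINDOWS\SYSTEM32\wvuttqn.dll",
    r"O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe",
]

# Assumption: Winlogon Notify DLLs a stock Windows XP SP2 install registers
# (plus WgaLogon.dll from the WGA update). Anything else in this hook is
# suspect, because it is loaded into winlogon.exe at every logon.
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll",
    "wlnotify.dll", "wgalogon.dll",
}

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path in the entry, ending at the first .dll/.exe/.ocx.
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:dll|exe|ocx))\b", re.IGNORECASE)


def parse_entry(line):
    """Return (section, body, path, basename) for an O-section line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    pm = PATH_RE.search(body)
    path = pm.group(1) if pm else None
    base = path.rsplit("\\", 1)[-1].lower() if path else None
    return section, body, path, base


def triage(lines):
    """Return a list of (section, reason, target) findings, in log order."""
    findings = []
    sections_by_dll = defaultdict(set)
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        section, body, path, base = parsed
        if base:
            sections_by_dll[base].add(section)
        if "(file missing)" in body:
            findings.append((section, "registered component missing on disk (deleted or quarantined)", path or body))
        if section == "O2" and "(no name)" in body and path and "\\system32\\" in path.lower():
            findings.append((section, "nameless BHO loaded from system32", path))
        if section == "O20" and base and base not in KNOWN_NOTIFY_DLLS:
            findings.append((section, "non-stock Winlogon Notify DLL", path))
    # Strongest signal in this log: one DLL hooked into both the browser (BHO)
    # and winlogon.exe (Notify), which is how it survives a reboot and cleanup.
    for base, secs in sections_by_dll.items():
        if {"O2", "O20"} <= secs:
            findings.append(("O2+O20", "same DLL registered as BHO and Winlogon Notify package", base))
    return findings


def flagged_basenames(lines):
    """Lower-cased file names that at least one heuristic flagged."""
    return {t.rsplit("\\", 1)[-1].lower() for _, _, t in triage(lines) if t}


if __name__ == "__main__":
    for section, reason, target in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {target}")
```

Run against the eight sample lines it reports five findings, all on wvuttqn.dll and mljjh.dll, and leaves the Adobe, Java, AVG, WgaLogon and Kontiki entries alone. The allow-list approach is deliberately narrow: a Winlogon Notify entry is rare enough on a home XP machine that anything outside the stock set deserves a manual look rather than an automatic verdict.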


#2 IndiGenus (Teacher Emeritus, Authentic Member, 5,251 posts; Interests: Computer Security, Music, Sports)

Posted 23 January 2008 - 07:30 PM

Hi caz86 and welcome to the forums.

My name is Dave. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can sometimes take a while to research so please be patient and I'd be grateful if you would note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Please download ComboFix by sUBs from HERE or HERE
  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
IndiGenus

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi


#3 caz86 (New Member, 9 posts)

Posted 24 January 2008 - 06:12 PM

Hi Dave,

Thank you for your reply and for agreeing to help me solve my virus problems!

Yesterday I got an error message that read:

A potential problem has been detected and Windows has been shutdown buggy application to prevent damage to computer
****WXYZ.sys - Address F73120AE base at C00000, Date Stamp 366072AE
Kernel Debugger Using: COM2(Part 0x028f, Baud rate 192000)

When I booted today I got the following error message, which I also thought I should tell you about, although I don't know what it means!

During a scan of files at system startup potential errors in the file system registry were found
p-07-0100 irql: IF SYSVER 0x00024
NT_Kernel error 1256
KMODE_EXCEPTION_HANDLED

Below are the ComboFix logs and an up-to-date HijackThis log. Thanks again for your help, it's much appreciated!

Caroline

ComboFix 08-01-23.1C - Administrator 2008-01-24 23:51:28.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.327 [GMT 0:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\My Documents\pos3EB.tmp
C:\Documents and Settings\Administrator\My Documents\pos3EC.tmp
C:\Documents and Settings\Administrator\My Documents\pos3ED.tmp
C:\Documents and Settings\Administrator\My Documents\pos3EE.tmp
C:\Documents and Settings\Administrator\My Documents\pos3EF.tmp
C:\Documents and Settings\Administrator\My Documents\pos3F0.tmp
C:\Documents and Settings\Administrator\My Documents\pos3F1.tmp
C:\Documents and Settings\Administrator\My Documents\pos3F2.tmp
C:\Documents and Settings\Administrator\My Documents\pos3F3.tmp
C:\Documents and Settings\Administrator\My Documents\pos3F4.tmp
C:\Documents and Settings\Administrator\My Documents\pos3F5.tmp
C:\Documents and Settings\Administrator\My Documents\pos3F6.tmp
C:\Documents and Settings\Administrator\My Documents\pos3F7.tmp
C:\Documents and Settings\Administrator\My Documents\pos3F8.tmp
C:\Documents and Settings\Administrator\My Documents\pos3F9.tmp
C:\Documents and Settings\Administrator\My Documents\pos3FA.tmp
C:\Documents and Settings\Administrator\My Documents\pos3FB.tmp
C:\Documents and Settings\Administrator\My Documents\pos3FC.tmp
C:\Documents and Settings\Administrator\My Documents\pos3FD.tmp
C:\Documents and Settings\Administrator\My Documents\pos3FE.tmp
C:\Documents and Settings\Administrator\My Documents\pos3FF.tmp
C:\Documents and Settings\Administrator\My Documents\pos400.tmp
C:\Documents and Settings\Administrator\My Documents\pos401.tmp
C:\Documents and Settings\Administrator\My Documents\pos402.tmp
C:\Documents and Settings\Administrator\My Documents\pos403.tmp
C:\Documents and Settings\Administrator\My Documents\pos404.tmp
C:\Documents and Settings\Administrator\My Documents\pos405.tmp
C:\Documents and Settings\Administrator\My Documents\pos406.tmp
C:\Documents and Settings\Administrator\My Documents\pos407.tmp
C:\Documents and Settings\Administrator\My Documents\pos408.tmp
C:\Documents and Settings\Administrator\My Documents\pos409.tmp
C:\Documents and Settings\Administrator\My Documents\pos40A.tmp
C:\Documents and Settings\Administrator\My Documents\pos40B.tmp
C:\Documents and Settings\Administrator\My Documents\pos40C.tmp
C:\Documents and Settings\Administrator\My Documents\pos40D.tmp
C:\Documents and Settings\Administrator\My Documents\pos40E.tmp
C:\Documents and Settings\Administrator\My Documents\pos40F.tmp
C:\Documents and Settings\Administrator\My Documents\pos410.tmp
C:\Documents and Settings\Administrator\My Documents\pos411.tmp
C:\Documents and Settings\Administrator\My Documents\pos412.tmp
C:\Documents and Settings\Administrator\My Documents\pos413.tmp
C:\Documents and Settings\Administrator\My Documents\pos414.tmp
C:\Documents and Settings\Administrator\My Documents\pos415.tmp
C:\Documents and Settings\Administrator\My Documents\pos416.tmp
C:\Documents and Settings\Administrator\My Documents\pos417.tmp
C:\Documents and Settings\Administrator\My Documents\pos418.tmp
C:\Documents and Settings\Administrator\My Documents\pos419.tmp
C:\Documents and Settings\Administrator\My Documents\pos41A.tmp
C:\Documents and Settings\Administrator\My Documents\pos41B.tmp
C:\Documents and Settings\Administrator\My Documents\pos41C.tmp
C:\Documents and Settings\Administrator\My Documents\pos41D.tmp
C:\Documents and Settings\Administrator\My Documents\pos41E.tmp
C:\Documents and Settings\Administrator\My Documents\pos41F.tmp
C:\Documents and Settings\Administrator\My Documents\pos420.tmp
C:\Documents and Settings\Administrator\My Documents\pos421.tmp
C:\Documents and Settings\Administrator\My Documents\pos422.tmp
C:\Documents and Settings\Administrator\My Documents\pos423.tmp
C:\Documents and Settings\Administrator\My Documents\pos424.tmp
C:\Documents and Settings\Administrator\My Documents\pos425.tmp
C:\Documents and Settings\Administrator\My Documents\pos426.tmp
C:\Documents and Settings\Administrator\My Documents\pos427.tmp
C:\Documents and Settings\Administrator\My Documents\pos428.tmp
C:\Documents and Settings\Administrator\My Documents\pos429.tmp
C:\Documents and Settings\Administrator\My Documents\pos42A.tmp
C:\Documents and Settings\Administrator\My Documents\pos42B.tmp
C:\Documents and Settings\Administrator\My Documents\pos42C.tmp
C:\Documents and Settings\Administrator\My Documents\pos42D.tmp
C:\Documents and Settings\Administrator\My Documents\pos42E.tmp
C:\Documents and Settings\Administrator\My Documents\pos42F.tmp
C:\Documents and Settings\Administrator\My Documents\pos430.tmp
C:\Documents and Settings\Administrator\My Documents\pos431.tmp
C:\Documents and Settings\Administrator\My Documents\pos432.tmp
C:\Documents and Settings\Administrator\My Documents\pos433.tmp
C:\Documents and Settings\Administrator\My Documents\pos434.tmp
C:\Documents and Settings\Administrator\My Documents\pos435.tmp
C:\Documents and Settings\Administrator\My Documents\pos436.tmp
C:\Documents and Settings\Administrator\My Documents\pos437.tmp
C:\Documents and Settings\Administrator\My Documents\pos438.tmp
C:\Documents and Settings\Administrator\My Documents\pos439.tmp
C:\Documents and Settings\Administrator\My Documents\pos43A.tmp
C:\Documents and Settings\Administrator\My Documents\pos43B.tmp
C:\Documents and Settings\Administrator\My Documents\pos43C.tmp
C:\Documents and Settings\Administrator\My Documents\pos43D.tmp
C:\Documents and Settings\Administrator\My Documents\pos43E.tmp
C:\Documents and Settings\Administrator\My Documents\pos43F.tmp
C:\Documents and Settings\Administrator\My Documents\pos440.tmp
C:\Documents and Settings\Administrator\My Documents\pos441.tmp
C:\Documents and Settings\Administrator\My Documents\pos442.tmp
C:\Documents and Settings\Administrator\My Documents\pos443.tmp
C:\Documents and Settings\Administrator\My Documents\pos444.tmp
C:\Documents and Settings\Administrator\My Documents\pos445.tmp
C:\Documents and Settings\Administrator\My Documents\pos446.tmp
C:\Documents and Settings\Administrator\My Documents\pos447.tmp
C:\Documents and Settings\Administrator\My Documents\pos448.tmp
C:\Documents and Settings\Administrator\My Documents\pos449.tmp
C:\Documents and Settings\Administrator\My Documents\pos44A.tmp
C:\Documents and Settings\Administrator\My Documents\pos44B.tmp
C:\Documents and Settings\Administrator\My Documents\pos44C.tmp
C:\Documents and Settings\Administrator\My Documents\pos44D.tmp
C:\Documents and Settings\Administrator\My Documents\pos44E.tmp
C:\Documents and Settings\Administrator\My Documents\pos44F.tmp
C:\Documents and Settings\Administrator\My Documents\pos450.tmp
C:\Documents and Settings\Administrator\My Documents\pos451.tmp
C:\Documents and Settings\Administrator\My Documents\pos452.tmp
C:\Documents and Settings\Administrator\My Documents\pos453.tmp
C:\Documents and Settings\Administrator\My Documents\pos454.tmp
C:\Documents and Settings\Administrator\My Documents\pos455.tmp
C:\Documents and Settings\Administrator\My Documents\pos456.tmp
C:\Documents and Settings\Administrator\My Documents\pos457.tmp
C:\Documents and Settings\Administrator\My Documents\pos458.tmp
C:\Documents and Settings\Administrator\My Documents\pos459.tmp
C:\Documents and Settings\Administrator\My Documents\pos45A.tmp
C:\Documents and Settings\Administrator\My Documents\pos45B.tmp
C:\Documents and Settings\Administrator\My Documents\pos45C.tmp
C:\Documents and Settings\Administrator\My Documents\pos45D.tmp
C:\Documents and Settings\Administrator\My Documents\pos45E.tmp
C:\Documents and Settings\Administrator\My Documents\pos45F.tmp
C:\Documents and Settings\Administrator\My Documents\pos460.tmp
C:\Documents and Settings\Administrator\My Documents\pos461.tmp
C:\Documents and Settings\Administrator\My Documents\pos462.tmp
C:\Documents and Settings\Administrator\My Documents\pos463.tmp
C:\Documents and Settings\Administrator\My Documents\pos464.tmp
C:\Documents and Settings\Administrator\My Documents\pos465.tmp
C:\Documents and Settings\Administrator\My Documents\pos466.tmp
C:\Documents and Settings\Administrator\My Documents\pos467.tmp
C:\Documents and Settings\Administrator\My Documents\pos468.tmp
C:\Documents and Settings\Administrator\My Documents\pos469.tmp
C:\Documents and Settings\Administrator\My Documents\pos46A.tmp
C:\Documents and Settings\Administrator\My Documents\pos46B.tmp
C:\Documents and Settings\Administrator\My Documents\pos46C.tmp
C:\Documents and Settings\Administrator\My Documents\pos46D.tmp
C:\Documents and Settings\Administrator\My Documents\pos46E.tmp
C:\Documents and Settings\Administrator\My Documents\pos46F.tmp
C:\Documents and Settings\Administrator\My Documents\pos470.tmp
C:\Documents and Settings\Administrator\My Documents\pos471.tmp
C:\Documents and Settings\Administrator\My Documents\pos472.tmp
C:\Documents and Settings\Administrator\My Documents\pos473.tmp
C:\Documents and Settings\Administrator\My Documents\pos474.tmp
C:\Documents and Settings\Administrator\My Documents\pos475.tmp
C:\Documents and Settings\Administrator\My Documents\pos476.tmp
C:\Documents and Settings\Administrator\My Documents\pos477.tmp
C:\Documents and Settings\Administrator\My Documents\pos478.tmp
C:\Documents and Settings\Administrator\My Documents\pos479.tmp
C:\Documents and Settings\Administrator\My Documents\pos47A.tmp
C:\Documents and Settings\Administrator\My Documents\pos47B.tmp
C:\Documents and Settings\Administrator\My Documents\pos47C.tmp
C:\Documents and Settings\Administrator\My Documents\pos47D.tmp
C:\Documents and Settings\Administrator\My Documents\pos47E.tmp
C:\Documents and Settings\Administrator\My Documents\pos47F.tmp
C:\Documents and Settings\Administrator\My Documents\pos480.tmp
C:\Documents and Settings\Administrator\My Documents\pos481.tmp
C:\Documents and Settings\Administrator\My Documents\pos482.tmp
C:\Documents and Settings\Administrator\My Documents\pos483.tmp
C:\Documents and Settings\Administrator\My Documents\pos484.tmp
C:\Documents and Settings\Administrator\My Documents\pos485.tmp
C:\Documents and Settings\Administrator\My Documents\pos486.tmp
C:\Documents and Settings\Administrator\My Documents\pos487.tmp
C:\Documents and Settings\Administrator\My Documents\pos488.tmp
C:\Documents and Settings\Administrator\My Documents\pos489.tmp
C:\Documents and Settings\Administrator\My Documents\pos48A.tmp
C:\Documents and Settings\Administrator\My Documents\pos48B.tmp
C:\Documents and Settings\Administrator\My Documents\pos48C.tmp
C:\Documents and Settings\Administrator\My Documents\pos48D.tmp
C:\Documents and Settings\Administrator\My Documents\pos48E.tmp
C:\Documents and Settings\Administrator\My Documents\pos48F.tmp
C:\Documents and Settings\Administrator\My Documents\pos490.tmp
C:\Documents and Settings\Administrator\My Documents\pos491.tmp
C:\Documents and Settings\Administrator\My Documents\pos492.tmp
C:\Documents and Settings\Administrator\My Documents\pos493.tmp
C:\Documents and Settings\Administrator\My Documents\pos494.tmp
C:\Documents and Settings\Administrator\My Documents\pos495.tmp
C:\Documents and Settings\Administrator\My Documents\pos496.tmp
C:\Documents and Settings\Administrator\My Documents\pos497.tmp
C:\Documents and Settings\Administrator\My Documents\pos498.tmp
C:\Documents and Settings\Administrator\My Documents\pos499.tmp
C:\Documents and Settings\Administrator\My Documents\pos49A.tmp
C:\Documents and Settings\Administrator\My Documents\pos49B.tmp
C:\Documents and Settings\Administrator\My Documents\pos49C.tmp
C:\Documents and Settings\Administrator\My Documents\pos49D.tmp
C:\Documents and Settings\Administrator\My Documents\pos49E.tmp
C:\Documents and Settings\Administrator\My Documents\pos49F.tmp
C:\Documents and Settings\Administrator\My Documents\pos4A0.tmp
C:\Documents and Settings\Administrator\My Documents\pos4A1.tmp
C:\Documents and Settings\Administrator\My Documents\pos4A2.tmp
C:\Documents and Settings\Administrator\My Documents\pos4A3.tmp
C:\Documents and Settings\Administrator\My Documents\pos4A4.tmp
C:\Documents and Settings\Administrator\My Documents\pos4A5.tmp
C:\Documents and Settings\Administrator\My Documents\pos4A6.tmp
C:\Documents and Settings\Administrator\My Documents\pos4A7.tmp
C:\Documents and Settings\Administrator\My Documents\pos4A8.tmp
C:\Documents and Settings\Administrator\My Documents\pos4A9.tmp
C:\Documents and Settings\Administrator\My Documents\pos4AA.tmp
C:\Documents and Settings\Administrator\My Documents\pos4AB.tmp
C:\Documents and Settings\Administrator\My Documents\pos4AC.tmp
C:\Documents and Settings\Administrator\My Documents\pos4AD.tmp
C:\Documents and Settings\Administrator\My Documents\pos4AE.tmp
C:\Documents and Settings\Administrator\My Documents\pos4AF.tmp
C:\Documents and Settings\Administrator\My Documents\pos4B0.tmp
C:\Documents and Settings\Administrator\My Documents\pos4B1.tmp
C:\Documents and Settings\Administrator\My Documents\pos4B2.tmp
C:\Documents and Settings\Administrator\My Documents\pos4B3.tmp
C:\Documents and Settings\Administrator\My Documents\pos4B4.tmp
C:\Documents and Settings\Administrator\My Documents\pos4B5.tmp
C:\Documents and Settings\Administrator\My Documents\pos4B6.tmp
C:\Documents and Settings\Administrator\My Documents\pos4B7.tmp
C:\Documents and Settings\Administrator\My Documents\pos4B8.tmp
C:\Documents and Settings\Administrator\My Documents\pos4B9.tmp
C:\Documents and Settings\Administrator\My Documents\pos4BA.tmp
C:\Documents and Settings\Administrator\My Documents\pos4BB.tmp
C:\Documents and Settings\Administrator\My Documents\pos4BC.tmp
C:\Documents and Settings\Administrator\My Documents\pos4BD.tmp
C:\Documents and Settings\Administrator\My Documents\pos4BE.tmp
C:\Documents and Settings\Administrator\My Documents\pos4BF.tmp
C:\Documents and Settings\Administrator\My Documents\pos4C0.tmp
C:\Documents and Settings\Administrator\My Documents\pos4C1.tmp
C:\Documents and Settings\Administrator\My Documents\pos4C2.tmp
C:\Documents and Settings\Administrator\My Documents\pos4C3.tmp
C:\Documents and Settings\Administrator\My Documents\pos4C4.tmp
C:\Documents and Settings\Administrator\My Documents\pos4C5.tmp
C:\Documents and Settings\Administrator\My Documents\pos4C6.tmp
C:\Documents and Settings\Administrator\My Documents\pos4C7.tmp
C:\Documents and Settings\Administrator\My Documents\pos4C8.tmp
C:\Documents and Settings\Administrator\My Documents\pos4C9.tmp
C:\Documents and Settings\Administrator\My Documents\pos4CA.tmp
C:\Documents and Settings\Administrator\My Documents\pos4CB.tmp
C:\Documents and Settings\Administrator\My Documents\pos4CC.tmp
C:\Documents and Settings\Administrator\My Documents\pos4CD.tmp
C:\Documents and Settings\Administrator\My Documents\pos4CE.tmp
C:\Documents and Settings\Administrator\My Documents\pos4CF.tmp
C:\Documents and Settings\Administrator\My Documents\pos4D0.tmp
C:\Documents and Settings\Administrator\My Documents\pos4D1.tmp
C:\Documents and Settings\Administrator\My Documents\pos4D2.tmp
C:\Documents and Settings\Administrator\My Documents\pos4D3.tmp
C:\Documents and Settings\Administrator\My Documents\pos4D4.tmp
C:\Documents and Settings\Administrator\My Documents\pos4D5.tmp
C:\Documents and Settings\Administrator\My Documents\pos4D6.tmp
C:\Documents and Settings\Administrator\My Documents\pos4D7.tmp
C:\Documents and Settings\Administrator\My Documents\pos4D8.tmp
C:\Documents and Settings\Administrator\My Documents\pos4D9.tmp
C:\Documents and Settings\Administrator\My Documents\pos4DA.tmp
C:\Documents and Settings\Administrator\My Documents\pos4DB.tmp
C:\Documents and Settings\Administrator\My Documents\pos4DC.tmp
C:\Documents and Settings\Administrator\My Documents\pos4DD.tmp
C:\Documents and Settings\Administrator\My Documents\pos4DE.tmp
C:\Documents and Settings\Administrator\My Documents\pos4DF.tmp
C:\Documents and Settings\Administrator\My Documents\pos4E0.tmp
C:\Documents and Settings\Administrator\My Documents\pos4E1.tmp
C:\Documents and Settings\Administrator\My Documents\pos4E2.tmp
C:\Documents and Settings\Administrator\My Documents\pos4E3.tmp
C:\Documents and Settings\Administrator\My Documents\pos4E4.tmp
C:\Documents and Settings\Administrator\My Documents\pos4E5.tmp
C:\Documents and Settings\Administrator\My Documents\pos4E6.tmp
C:\Documents and Settings\Administrator\My Documents\pos4E7.tmp
C:\Documents and Settings\Administrator\My Documents\pos4E8.tmp
C:\Documents and Settings\Administrator\My Documents\pos4E9.tmp
C:\Documents and Settings\Administrator\My Documents\pos4EA.tmp
C:\Documents and Settings\Administrator\My Documents\pos4EB.tmp
C:\Documents and Settings\Administrator\My Documents\pos4EC.tmp
C:\Documents and Settings\Administrator\My Documents\pos4ED.tmp
C:\Documents and Settings\Administrator\My Documents\pos4EE.tmp
C:\Documents and Settings\Administrator\My Documents\pos4EF.tmp
C:\Documents and Settings\Administrator\My Documents\pos4F0.tmp
C:\Documents and Settings\Administrator\My Documents\pos4F1.tmp
C:\Documents and Settings\Administrator\My Documents\pos4F2.tmp
C:\Documents and Settings\Administrator\My Documents\pos4F3.tmp
C:\Documents and Settings\Administrator\My Documents\pos4F4.tmp
C:\Documents and Settings\Administrator\My Documents\pos4F5.tmp
C:\Documents and Settings\Administrator\My Documents\pos4F6.tmp
C:\Documents and Settings\Administrator\My Documents\pos4F7.tmp
C:\Documents and Settings\Administrator\My Documents\pos4F8.tmp
C:\Documents and Settings\Administrator\My Documents\pos4F9.tmp
C:\Documents and Settings\Administrator\My Documents\pos4FA.tmp
C:\Documents and Settings\Administrator\My Documents\pos4FB.tmp
C:\Documents and Settings\Administrator\My Documents\pos4FC.tmp
C:\Documents and Settings\Administrator\My Documents\pos4FD.tmp
C:\Documents and Settings\Administrator\My Documents\pos4FE.tmp
C:\Documents and Settings\Administrator\My Documents\pos4FF.tmp
C:\Documents and Settings\Administrator\My Documents\pos500.tmp
C:\Documents and Settings\Administrator\My Documents\pos501.tmp
C:\Documents and Settings\Administrator\My Documents\pos502.tmp
C:\WINDOWS\system32\adaejxsc.dll
C:\WINDOWS\system32\auwaakqb.dll
C:\WINDOWS\system32\auwaakqb.dllbox
C:\WINDOWS\system32\cbxyxvu.dll
C:\WINDOWS\system32\csxjeada.ini
C:\WINDOWS\system32\hgggdda.dll
C:\WINDOWS\system32\hjjlm.ini
C:\WINDOWS\system32\hjjlm.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\qdoqxhic.dll
C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\qrqss.ini2
C:\WINDOWS\system32\rvgnollb.exe
C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\ssqrq.exe
C:\WINDOWS\system32\wvuttqn.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-12-24 to 2008-01-24 )))))))))))))))))))))))))))))))
.

2008-01-24 23:50 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-23 23:00 . 2008-01-23 23:00 1,117,442 ---hs---- C:\WINDOWS\system32\vmyukgap.ini
2008-01-21 22:23 . 2008-01-21 22:23 <DIR> d-------- C:\Program Files\CCleaner
2007-12-29 10:37 . 2007-12-29 10:37 <DIR> d-------- C:\Program Files\VideoLAN

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-09 12:08 --------- d-----w C:\Program Files\MSN Messenger
2008-01-09 11:53 --------- d-----w C:\Program Files\Kontiki
2008-01-09 11:03 --------- d-----w C:\Program Files\FinePixViewer
2008-01-09 11:02 --------- d-----w C:\Program Files\Apple Software Update
2008-01-09 10:42 --------- d-----w C:\Program Files\CyberLink
2008-01-09 10:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-09 10:25 --------- d-----w C:\Program Files\Common Files\Real
2008-01-09 10:24 --------- d-----w C:\Program Files\Ahead
2007-12-30 16:16 --------- d-----w C:\Program Files\Azureus
2007-12-30 13:52 --------- d-----w C:\Program Files\Microsoft AntiSpyware
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e1516007-8b74-4df3-9004-edcfadf3c385}]
C:\WINDOWS\system32\ebtfajne.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F69196B4-ACB1-466C-BDBC-F0595E06F2C9}]
C:\WINDOWS\system32\mljjh.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 14:29 7561216]
"nwiz"="nwiz.exe" [2006-03-09 14:29 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-03-09 14:29 86016]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [ ]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-09 10:17 219136]

R0 SiWinAcc;SiWinAcc;C:\WINDOWS\system32\drivers\SiWinAcc.sys [2003-10-15 11:28]
S3 PAC207;USB PC Cam Plus;C:\WINDOWS\system32\DRIVERS\pfc027.sys [2005-02-24 11:29]

.
Contents of the 'Scheduled Tasks' folder
"2007-09-05 07:43:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 23:59:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-25 0:03:51 - machine was rebooted [Caroline]
ComboFix-quarantined-files.txt 2008-01-25 00:03:48
.
2008-01-09 17:02:13 --- E O F ---





Logfile of HijackThis v1.99.1
Scan saved at 00:12, on 2008-01-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {583c3fda-fcde-4009-3fd4-47b87006151e} - {e1516007-8b74-4df3-9004-edcfadf3c385} - C:\WINDOWS\system32\ebtfajne.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {F69196B4-ACB1-466C-BDBC-F0595E06F2C9} - C:\WINDOWS\system32\mljjh.dll (file missing)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...shUKActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://www.kontiki.i...m/bbcfn/kdx.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - http://www.bootsphot...opcuploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

#4 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 24 January 2008 - 06:37 PM

Hi,

Yes, you are (and hopefully soon were) very infected here.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\vmyukgap.ini
C:\WINDOWS\system32\ebtfajne.dll
C:\WINDOWS\system32\mljjh.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e1516007-8b74-4df3-9004-edcfadf3c385}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F69196B4-ACB1-466C-BDBC-F0595E06F2C9}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Please also let me know how it's running at this point. Any errors continuing, etc.

We will still need to do some scans and cleanup here; I just want to see where we're at.

Thanks,
Dave
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi
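As an added illustration of what the helper is doing in the CFScript step above (this is example code written for this page, not HijackThis, ComboFix or the helper's own tooling): a small Python triage script that parses the O2 (BHO) lines of a HijackThis log, flags the pattern visible in the log posted above (a BHO with "(no name)" or a bare GUID where its name should be, loading from system32, and reported as "(file missing)"), emits a CFScript in the File::/Registry:: layout shown in the post, and checks a later log to confirm the flagged CLSIDs are gone. The sample log lines are constructed from entries posted in this thread; the heuristic is a triage aid rather than a verdict, and the function and class names are assumptions of this example.

```python
"""HijackThis O2 (BHO) triage helper. Example code for this thread, not HijackThis/ComboFix code."""
import re
from dataclasses import dataclass

# Constructed sample: O2/O9 lines modelled on the HijackThis log posted earlier in this thread.
BEFORE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {583c3fda-fcde-4009-3fd4-47b87006151e} - {e1516007-8b74-4df3-9004-edcfadf3c385} - C:\WINDOWS\system32\ebtfajne.dll (file missing)
O2 - BHO: (no name) - {F69196B4-ACB1-466C-BDBC-F0595E06F2C9} - C:\WINDOWS\system32\mljjh.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
"""

# Constructed sample of a log taken after the fix: the two nameless system32 BHOs are gone.
AFTER_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
"""

# O2 line layout: "O2 - BHO: <name> - {<CLSID>} - <path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")


@dataclass
class Bho:
    name: str
    clsid: str
    path: str
    missing: bool


def parse_bhos(log: str) -> list:
    """Return every O2 (Browser Helper Object) entry found in a HijackThis log."""
    found = []
    for line in log.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            found.append(Bho(m["name"], m["clsid"], m["path"], m["missing"] is not None))
    return found


def is_suspicious(b: Bho) -> bool:
    """Triage heuristic (assumption of this example, not a rule from the thread):
    a BHO living in system32 that has no real name, or a bare GUID as its name,
    or whose DLL is already gone, is worth a closer look; vendor-named BHOs under
    Program Files are left alone."""
    in_system32 = "\\system32\\" in b.path.lower()
    nameless = b.name == "(no name)" or GUID_RE.match(b.name) is not None
    return in_system32 and (nameless or b.missing)


def build_cfscript(bhos: list) -> str:
    """Emit a CFScript in the File:: / Registry:: layout used in the post above."""
    flagged = [b for b in bhos if is_suspicious(b)]
    lines = ["File::"] + [b.path for b in flagged] + ["", "Registry::"]
    lines += [f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{{{b.clsid}}}]" for b in flagged]
    return "\n".join(lines) + "\n"


def still_present(flagged: list, after_log: str) -> list:
    """Verification step: which flagged CLSIDs are still listed in a newer log?"""
    after = {b.clsid.lower() for b in parse_bhos(after_log)}
    return [b for b in flagged if b.clsid.lower() in after]


if __name__ == "__main__":
    entries = parse_bhos(BEFORE_LOG)
    print(build_cfscript(entries))
    leftovers = still_present([b for b in entries if is_suspicious(b)], AFTER_LOG)
    print("still present after fix:", [b.clsid for b in leftovers] or "none")
```

The point of the verification step is the same reason the helper asks for a new HijackThis log after ComboFix runs: the script is only a reminder of what to look at, and the post-fix log is what actually shows whether the entries were removed.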


#5 caz86

caz86

    New Member

  • New Member
  • Pip
  • 9 posts

Posted 25 January 2008 - 12:36 PM

Hi, I have done the CFScript task, and the ComboFix log and new HJT log are posted below.

I have been running in safe mode recently to try and reduce the risk of the virus spreading. Things seem to be OK; I didn't get any error messages at startup just now.

However, an AVG scan revealed more viruses called trojan horse generic9.aqno, trojan horse generic9.arvp and trojan horse generic9.aosi. These infected files are all contained within a zip folder that appeared on the desktop after the ComboFix task. ComboFix asked me to upload a file for analysis, and it was this file: C:\Documents and Settings\Administrator\Desktop.\[4]-Submit_2008-01-25@18.18.zip

Bit confused about that one!

Anyway, here are the logs. Thanks for your help!

ComboFix 08-01-23.1C - Administrator 2008-01-25 18:18:04.2 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.365 [GMT 0:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\ebtfajne.dll
C:\WINDOWS\system32\mljjh.dll
C:\WINDOWS\system32\vmyukgap.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\vmyukgap.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-25 to 2008-01-25 )))))))))))))))))))))))))))))))
.

2008-01-24 23:50 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-21 22:23 . 2008-01-21 22:23 <DIR> d-------- C:\Program Files\CCleaner
2007-12-29 10:37 . 2007-12-29 10:37 <DIR> d-------- C:\Program Files\VideoLAN

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-09 12:08 --------- d-----w C:\Program Files\MSN Messenger
2008-01-09 11:53 --------- d-----w C:\Program Files\Kontiki
2008-01-09 11:03 --------- d-----w C:\Program Files\FinePixViewer
2008-01-09 11:02 --------- d-----w C:\Program Files\Apple Software Update
2008-01-09 10:42 --------- d-----w C:\Program Files\CyberLink
2008-01-09 10:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-09 10:25 --------- d-----w C:\Program Files\Common Files\Real
2008-01-09 10:24 --------- d-----w C:\Program Files\Ahead
2007-12-30 16:16 --------- d-----w C:\Program Files\Azureus
2007-12-30 13:52 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 17:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
.

((((((((((((((((((((((((((((( snapshot@2008-01-25_ 0.03.36.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-24 23:51:08 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-25 18:17:50 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-24 23:51:08 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-25 18:17:50 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-24 23:51:08 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-25 18:17:50 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-24 23:51:08 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-25 18:17:50 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-24 23:51:08 720,896 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-25 18:17:50 741,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-24 23:51:08 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-25 18:17:50 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 14:29 7561216]
"nwiz"="nwiz.exe" [2006-03-09 14:29 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-03-09 14:29 86016]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [ ]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-09 10:17 219136]

R0 SiWinAcc;SiWinAcc;C:\WINDOWS\system32\drivers\SiWinAcc.sys [2003-10-15 11:28]
S3 PAC207;USB PC Cam Plus;C:\WINDOWS\system32\DRIVERS\pfc027.sys [2005-02-24 11:29]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-09-05 07:43:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 18:20:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-25 18:20:28
ComboFix-quarantined-files.txt 2008-01-25 18:20:21
ComboFix2.txt 2008-01-25 00:03:51
.
2008-01-09 17:02:13 --- E O F ---



Logfile of HijackThis v1.99.1
Scan saved at 18:36:03, on 25/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...shUKActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://www.kontiki.i...m/bbcfn/kdx.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - http://www.bootsphot...opcuploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

#6 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 25 January 2008 - 01:11 PM

however, an avg scan revealed more viruses called trojan horse generic9.aqno, trojan horse generic9.arvp and trojan horse generic9.aosi, these infected files are all contained within a zip folder that appeared on the desktop after the combofix task. combofix asked me to upload a file for analysis, and it was this file: C:\Documents and Settings\Administrator\Desktop.\[4]-Submit_2008-01-25@18.18.zip


Not sure why that happened. There is a command to have that happen, but I didn't have you run it. Well, the files are harmless in the zipped folder (unless you run them, so...); go ahead and delete that folder.

Looking better and glad to hear it's running better. Some scans in order now.

Download the trial version of AVG Anti-Spyware from here and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open.

If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:
  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
  • It is essential that you get the update - keep trying until successful. (Note: If you have problems getting the update, you can download an installer for the full database from here (save it on your desktop). Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed and then double-click on avgas-signatures-full-current.exe to install the database).
Please set up the program as follows:
  • Click the Shield icon at the top and under Resident shield is... click active. This should now change to inactive.
  • Click the Update icon and untick the automatic update option.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
  • Under How to act? - make sure that Quarantine is selected.
  • Under How to scan? - All checkboxes should be ticked.
  • Under Possibly unwanted software - All checkboxes should be ticked.
  • Under Reports - Select Do not automatically generate reports.
  • Under What to scan? - Select Scan every file.
Close all open windows.



Please download ATF Cleaner here by Atribune. This program is for XP and Windows 2000 only.
It does not require any installation and uses minimal system resources. It is set up to clean IE, FireFox and Opera, and detects the browsers you have and grays out the other(s).
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Recommend UNCHECKING COOKIES if you rely on system remembered passwords.
  • Click the Empty Selected button.

    If you use Firefox browser
  • Click Firefox at the top and choose: Select All EXCEPT FIREFOX SAVED PASSWORDS
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser
  • Click Opera at the top and choose: Select All EXCEPT COOKIES AND SAVED PASSWORDS
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your cookies and saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


We Now Need To Boot Into Safe Mode

Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine,
amount of memory, hard drives installed etc. (BOOT SCREEN).
At this point you should gently tap the F8 key repeatedly until you are presented with an Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.


Run AVG


  • Click on Scanner on the toolbar.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
    • Make sure that Set all elements to: shows Quarantine
    • Important: Click on the Apply all Actions button. This must be done before saving the report.
    • When the program has finished, it will display the message All actions have been applied.
    • Then click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Tray Icon and select Exit.
  • Now copy the report back to this topic.


Restart into normal mode and post the AVG Log.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Using Internet Explorer, click on Kaspersky Online Scanner
  • Click 'Accept' in the window that pops up.
  • You will be prompted to install an ActiveX component from Kaspersky. Click on the information bar and select Install ActiveX Control if so. This may happen more than once; that is OK. You also may get a warning from your Windows Firewall; you can tell it to unblock.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click 'Next'.
  • Now click on 'Scan Settings'.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: 'Extended' (if available, otherwise 'Standard')
    • Scan Options: 'Scan Archives' and 'Scan Mail Bases'
  • Click 'OK'.
  • Now under 'Select a target to scan' select 'My Computer'.
  • The scan will take a while, so be patient and let it run. Once the scan is complete, it will display whether your system has been infected.
  • Now click on the 'Save Report As...' button.
  • Make sure it says Save as a text file; change it if not.
  • Save the file to your desktop.
Please post the Kaspersky report and a new HijackThis log.
IndiGenus



#7 caz86

caz86

    New Member

  • New Member
  • Pip
  • 9 posts

Posted 26 January 2008 - 11:28 AM

Hi,

I have done the scans you suggested. Logs are posted below.

Yesterday I also did an AVG 7.5 scan as well, which found infected files in C:\QooBox\Quarantine\WINDOWS\system32. I've never heard of this 'qoobox'; can you enlighten me?

Thanks so much for your continued help :-)


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 15:50:57 26/01/2008

+ Scan result:



C:\System Volume Information\_restore{D96AABB4-326F-41AC-BE89-06DCF05E8657}\RP488\A0163140.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).


::Report end




-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, January 26, 2008 5:15:16 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/01/2008
Kaspersky Anti-Virus database records: 533449
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 117712
Number of viruses found: 3
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 01:01:39

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kontiki\error.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Documents\Study Image\Jeremy\My Documents\My Downloaded Files\Installed Software\FirstPage\fp2006-final-3.00-setup.exe/file1626 Infected: not-virus:BadJoke.JS.RJump skipped
C:\Documents and Settings\All Users\Documents\Study Image\Jeremy\My Documents\My Downloaded Files\Installed Software\FirstPage\fp2006-final-3.00-setup.exe Inno: infected - 1 skipped
C:\Documents and Settings\Caroline\Application Data\Sun\Java\Deployment\cache\6.0\38\295aa0e6-22b68a16/BnnnnBaa.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\Caroline\Application Data\Sun\Java\Deployment\cache\6.0\38\295aa0e6-22b68a16/VaannnaaBaa.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\Caroline\Application Data\Sun\Java\Deployment\cache\6.0\38\295aa0e6-22b68a16/Bnnnnn.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\Caroline\Application Data\Sun\Java\Deployment\cache\6.0\38\295aa0e6-22b68a16 ZIP: infected - 3 skipped
C:\Documents and Settings\Caroline\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Caroline\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Caroline\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Caroline\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Caroline\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Caroline\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Caroline\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Caroline\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\DAEMON Tools\SetupDTSB.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D96AABB4-326F-41AC-BE89-06DCF05E8657}\RP488\A0163146.exe Object is locked skipped
C:\System Volume Information\_restore{D96AABB4-326F-41AC-BE89-06DCF05E8657}\RP488\A0163147.dll Object is locked skipped
C:\System Volume Information\_restore{D96AABB4-326F-41AC-BE89-06DCF05E8657}\RP488\A0163148.dll Object is locked skipped
C:\System Volume Information\_restore{D96AABB4-326F-41AC-BE89-06DCF05E8657}\RP488\A0163149.dll Object is locked skipped
C:\System Volume Information\_restore{D96AABB4-326F-41AC-BE89-06DCF05E8657}\RP488\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{1898078F-A8DE-449D-B9CD-6CF27484307D}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_788.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Logfile of HijackThis v1.99.1
Scan saved at 17:21, on 2008-01-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...shUKActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://www.kontiki.i...m/bbcfn/kdx.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - http://www.bootsphot...opcuploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

#8 IndiGenus

    Teacher Emeritus

  • Authentic Member
  • 5,251 posts
  • Interests:Computer Security, Music, Sports
Posted 26 January 2008 - 11:44 AM

C:\QooBox is ComboFix's quarantine folder, and we can clean that up now.

Only a couple of small things in the Kaspersky log.

C:\Documents and Settings\All Users\Documents\Study Image\Jeremy\My Documents\My Downloaded Files\Installed Software\FirstPage\fp2006-final-3.00-setup.exe
C:\Documents and Settings\Caroline\Application Data\Sun\Java\Deployment\cache\6.0\38\295aa0e6-22b68a16 ZIP

They can be removed. I'm not sure what that first one is; maybe you know.

Java has just been updated yet again...

Update Java Runtime:

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older, more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 4.
  • Go to the Sun Java Website
  • Click on the download button next to Java Runtime Environment (JRE) 6 Update 4
  • Select your Operating System and language, then check the box next to I agree to the Java SE Runtime Environment 6 License Agreement and click Continue.
  • Click on the link under Windows Offline Installation and save the downloaded file to your hard disk.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 2 Runtime Environment, JRE or JSE)
  • Reboot your computer
  • Delete the folder C:\Program Files\Java if present
  • Install the new version by running the newly-downloaded file, and follow the on-screen instructions.
  • Reboot your computer

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.


The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

Reboot and post a new HijackThis log; please also let me know how it's running now.
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi


#9 caz86

    New Member

  • New Member
  • 9 posts

Posted 27 January 2008 - 08:27 AM

Hi,

I have installed the Java that you suggested and deleted the old stuff. Also done the ComboFix task.

The file you weren't sure of is in the image of my dad's computer - saved on this machine - that he did when having problems with his hard drive. I've looked it up and it's an installer for a web page design tool, I think.

I need to reinstall AVG 7.5, and need to uninstall what I have first, but what happens to the stuff that's in the virus vault when I uninstall what I already have? (It is corrupted, which is why I need to reinstall.) Just wanted to check it's OK to uninstall and reinstall!

Things seem to be running well so far :)

Below is the HJT log.

Thanks, Caroline

Logfile of HijackThis v1.99.1
Scan saved at 14:21, on 2008-01-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...shUKActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://www.kontiki.i...m/bbcfn/kdx.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - http://www.bootsphot...opcuploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
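
The helper's next step is to compare this log with the one posted before the Java update and see what changed. The Python script below is an added example, not part of the thread or of HijackThis itself: it parses two HJT 1.99.x logs, reports which running processes and which R/F/O entries appeared or disappeared, and checks that only one JRE directory is still referenced anywhere in the log, which is the "remove the older versions" step of the Java instructions above. The two log excerpts inside it are constructed, shortened copies of the logs posted in this thread, so it runs offline; point `diff_hjt` at the full text of two saved logs to do the same for a real machine.

```python
"""Diff two HijackThis 1.99.x logs and check the Java clean-up.

Added example for this thread, not part of HijackThis or of the original
posts. BEFORE and AFTER are constructed, shortened copies of the logs posted
before and after the Java update; the real logs are much longer."""
import re

# HJT entry lines look like "O4 - HKLM\..\Run: [name] path" or "R0 - ...".
ENTRY_RE = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")
# JRE install directories as they appear in paths, e.g. jre1.6.0_03.
JRE_RE = re.compile(r"jre(\d+)\.(\d+)\.(\d+)_(\d+)", re.I)

BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 17:21, on 2008-01-26
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
"""

AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 14:21, on 2008-01-27
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
"""


def parse_hjt(text):
    """Split a log into (running processes, entries).

    Processes are returned lowercased because Windows paths are
    case-insensitive and HJT prints them inconsistently (System32 vs
    system32). Entries are keyed by (section, lowercased body) and map to
    the original line so reports stay readable."""
    processes, entries = set(), {}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends the process list
            in_processes = False
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.add(line.lower())
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[(m.group(1), m.group(2).lower())] = line
    return processes, entries


def diff_hjt(before, after):
    """What appeared and what disappeared between two logs."""
    pb, eb = parse_hjt(before)
    pa, ea = parse_hjt(after)
    return {
        "processes_added": sorted(pa - pb),
        "processes_removed": sorted(pb - pa),
        "entries_added": sorted(ea[k] for k in ea.keys() - eb.keys()),
        "entries_removed": sorted(eb[k] for k in eb.keys() - ea.keys()),
    }


def missing_files(text):
    """Entries HJT marked '(file missing)': leftovers of uninstalled software."""
    _, entries = parse_hjt(text)
    return sorted(l for l in entries.values() if "(file missing)" in l.lower())


def java_versions(text):
    """Distinct JRE install directories referenced anywhere in the log."""
    return {m.group(0).lower() for m in JRE_RE.finditer(text)}


def stale_java(text):
    """JRE directories older than the newest one referenced. After the
    uninstall/reinstall in this thread this list should be empty."""
    versions = {m.group(0).lower(): tuple(int(g) for g in m.groups())
                for m in JRE_RE.finditer(text)}
    if not versions:
        return []
    newest = max(versions.values())
    return sorted(d for d, v in versions.items() if v < newest)


if __name__ == "__main__":
    changes = diff_hjt(BEFORE, AFTER)
    for kind, lines in changes.items():
        for line in lines:
            print("%-17s %s" % (kind, line))
    print("JRE directories still referenced:", sorted(java_versions(AFTER)))
    print("older JRE directories still referenced:", stale_java(AFTER) or "none")
    print("entries pointing at missing files:", len(missing_files(AFTER)))
```

Run as-is, the report shows the jre1.6.0_03 BHO dropping out and the jre1.6.0_04 BHO plus the SunJavaUpdateSched run entry and jusched.exe process appearing, with no older JRE directory left. Entries marked (file missing) are only counted, not judged; as in the thread, they are usually harmless leftovers of uninstalled software.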

#10 caz86

    New Member

  • New Member
  • 9 posts

Posted 27 January 2008 - 08:29 AM

Oh yeah, and I've done an AVG full scan, which was clean, and AVG Anti-Spyware just found tracking cookies :)



#11 IndiGenus

    Teacher Emeritus

  • Authentic Member
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 27 January 2008 - 10:46 AM

Hi,

Glad to hear it's running better Caroline.

I need to reinstall AVG 7.5, and need to uninstall what I have first, but what happens to the stuff that's in the virus vault when I uninstall what I already have? (It is corrupted, which is why I need to reinstall.) Just wanted to check it's OK to uninstall and reinstall!


The stuff in the vault should just be removed. An uninstall/re-install is exactly what is needed. You should be fine after that.

Now that you are clean, check out these simple steps in order to keep your computer clean and secure:

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly or set your computer to receive automatic updates. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Spybot - Search and Destroy - Spybot: Search And Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.
A tutorial on installing & using this product can be found here:
Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

Install Ad-Aware - Ad-Aware SE. You should also scan your computer with this program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.
A tutorial on installing & using this product can be found here:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

Install SpywareGuard - SpywareGuard provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.
A tutorial on installing & using this product can be found here:
Using SpywareGuard to protect your computer from Spyware and Malware

Use IESpy-Ad -
IESpy-Ad will block access to malicious websites so you cannot be redirected to them from an infected site or email. Instructions for set up and use can be found at the website.

Update all of your Anti-Malware programs regularly - Make sure you regularly update all the programs I have listed and the ones you are currently running. Without regular updates you will NOT be protected when new malicious programs are released.

Here is a great link to a post here on securing your PC after an attack.
http://www.geekstogo...;page=How_did_I
IndiGenus



#12 caz86

    New Member

  • New Member
  • 9 posts

Posted 27 January 2008 - 02:07 PM

Hi, I've got as far as Spybot and something has come up. Below I have posted the search log:

--- Search result list ---
Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride
Tradedoubler: [SBI $61F39AC8] Tracking cookie (Internet Explorer: Caroline) (Cookie, nothing done)
DoubleClick: [SBI $61F39AC8] Tracking cookie (Internet Explorer: Caroline) (Cookie, nothing done)
ErrorSafe: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, nothing done)
ErrorSafe: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, nothing done)

I know it's OK to delete the cookies, but I'm not sure what the first entry means. Is it OK to fix this problem too, or should I leave it? Thanks for all your help! I think we're nearly there!

#13 IndiGenus

    Teacher Emeritus

  • Authentic Member
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 27 January 2008 - 02:34 PM

--- Search result list ---
Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride

I believe this means....

Go into Start > Control Panel > Security Center > look at the right hand side of the window and check the settings under "Virus Protection" (expanding if necessary). I believe that you have overridden the protections and that you will find a button labeled "Recommendations". If you click on the "Recommendations" button I believe that you will get a window that indicates something like:

* I have an antivirus program that I'll monitor myself.

Note: with these settings Windows won't monitor your virus protection status and won't send you alerts if it is off or out of date.

Does that make sense?
IndiGenus

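
The Spybot finding discussed above can also be checked from a command prompt with `reg query "HKLM\SOFTWARE\Microsoft\Security Center"` rather than through the Control Panel. The Python script below is an added example, not part of the post or of Spybot: it parses the text reg.exe prints, reports which Security Center override and notification values are non-zero, and builds the reg add commands that put them back to 0. The sample output is constructed in XP's reg.exe format with the one value Spybot reported; the value names and what each one means are from my own understanding of XP SP2's Security Center and are not stated in the thread.

```python
"""Interpret Windows XP Security Center override values from reg query output.

Added example for this thread, not part of Spybot or of the original post.
SAMPLE_REG_OUTPUT is constructed to look like XP's reg.exe output and is not
captured from the machine being cleaned; the value names and meanings below
are the author's understanding of XP SP2, not something the thread states."""
import re

SECURITY_CENTER_KEY = r"HKLM\SOFTWARE\Microsoft\Security Center"

# Value name -> what a non-zero value means. 0 is the default for all five.
MEANINGS = {
    "AntiVirusOverride": "Security Center will not monitor antivirus status",
    "FirewallOverride": "Security Center will not monitor firewall status",
    "AntiVirusDisableNotify": "antivirus alerts are suppressed",
    "FirewallDisableNotify": "firewall alerts are suppressed",
    "UpdatesDisableNotify": "Automatic Updates alerts are suppressed",
}

# Constructed sample of what `reg query "HKLM\SOFTWARE\Microsoft\Security Center"`
# prints on XP, with the override Spybot flagged set to 1.
SAMPLE_REG_OUTPUT = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    AntiVirusDisableNotify    REG_DWORD    0x0
    FirewallDisableNotify    REG_DWORD    0x0
    UpdatesDisableNotify    REG_DWORD    0x0
    AntiVirusOverride    REG_DWORD    0x1
    FirewallOverride    REG_DWORD    0x0
"""

# One "<name>  REG_DWORD  0x<hex>" line per value; other lines are ignored.
VALUE_RE = re.compile(r"^\s*(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$", re.M)


def parse_reg_query(output):
    """Return {value name: int} for every REG_DWORD line in reg query output."""
    return {name: int(hexval, 16) for name, hexval in VALUE_RE.findall(output)}


def security_center_findings(values):
    """(name, value, meaning) for every override/notify value that is set,
    i.e. every place Security Center has been told to stay quiet. An empty
    list means Windows is monitoring antivirus, firewall and updates."""
    return [(name, values[name], MEANINGS[name])
            for name in MEANINGS if values.get(name, 0) != 0]


def reset_commands(findings):
    """The reg.exe commands that put each flagged value back to 0."""
    return ['reg add "%s" /v %s /t REG_DWORD /d 0 /f' % (SECURITY_CENTER_KEY, name)
            for name, _, _ in findings]


if __name__ == "__main__":
    findings = security_center_findings(parse_reg_query(SAMPLE_REG_OUTPUT))
    if not findings:
        print("Security Center is monitoring antivirus, firewall and updates.")
    for name, value, meaning in findings:
        print("%s = %d: %s" % (name, value, meaning))
    for cmd in reset_commands(findings):
        print("to reset:", cmd)
```

Letting Spybot fix the entry does the same reset as the printed reg add command. If you deliberately chose "I have an antivirus program that I'll monitor myself", as the post above explains, the value is expected and can be left alone; the point of the script is to tell a deliberate choice from one made by something else, which is worth knowing on a machine that has just been cleaned.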


#14 caz86

    New Member

  • New Member
  • 9 posts

Posted 27 January 2008 - 02:42 PM

Yup, that makes sense! Thanks. Ad-Aware was clean; now installing SpywareBlaster...

#15 caz86

    New Member

  • New Member
  • 9 posts

Posted 27 January 2008 - 03:11 PM

Hi, I have downloaded all the suggested programs and things seem to be working well! Thank you so much for all your help and advice! Caroline
