Reply deleted...still have nasty virus



Yesterday I posted a problem and got a reply this morning. I went back to check on whether there was any progress towards a solution and noticed the reply had been deleted.

Can someone else help?

I originally could not load MWB or any other antivirus, malware remover, or HJT. Eventually, by renaming, I was able to load SAS, MWB, and HJT. Ran all and posted. MWB removed 4 infected files (1 trojan, WinPC virus, Adware mysearch, and some others). Eventually I got to the point where everything came back clean; however, the version of MWB I loaded was not up to date.

The reply said I needed to download an updated version. I deleted the old version and downloaded an up to date version from GT500. My problem now is that I cannot get it to load. It opens, extracts but no application.

The remaining problems include inability to open firewall settings and inability to connect to the internet.

Can someone advise me on how to get MWB to load and run in the infected laptop?

Here's the HJT file:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:03:10 PM, on 4/30/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Safe mode with network support

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lee-county.com/

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"

O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Global Startup: ZyAIR.lnk = C:\Program Files\ZyAIR PCcard Utility\ZyAIR.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1190396349469

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1190396342158

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: CBT Wlan Service (CBTWlanSrv) - Unknown owner - C:\WINDOWS\CBTWlanSrv.exe

O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe

O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 5612 bytes


Just wondering why you're running in safe mode with networking rather than normal mode?

Please run the following programs in normal mode.

Please download ATF Cleaner by Atribune

  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Reboot.

Download RootRepeal:

http://rootrepeal.googlepages.com/RootRepeal.zip

  • Extract the archive to a folder you create such as C:\RootRepeal
  • Disable the active protection component (guard) of your antivirus - this can usually be accomplished by right-clicking your AV's system tray icon and then selecting the disable feature from the context menu.
  • Double-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator").
  • Click the "File" tab (located at the bottom of the RootRepeal screen)
  • Click the "Scan" button
  • In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
  • Click OK and the file scan will begin
  • When the scan is done, there will be files listed, but most if not all of them will be legitimate
  • Click the "Save Report" Button
  • Save the log file to your Documents folder
  • Post the content of the RootRepeal file scan log in your next reply.

Re-enable the active protection component (guard) of your antivirus.

Download DDS and save it to your desktop from here or here


Disable any script blocking programs you may have installed (such as Norton script blocking), and then double-click dss.scr to run the tool.

  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop
  • Please copy and paste both logs into your next reply

Also, copy/paste the RootRepeal log into your next reply and try not to reboot until I respond.

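The RootRepeal file-scan step above warns that most listed files will be legitimate; this added Python helper (not part of the thread, of RootRepeal, or of the helper's fix) shows one way to triage such a log: it parses the Path:/Status: pairs, rejoins paths that a forum post wrapped across lines, flags files invisible to the Windows API under C:\WINDOWS as rootkit indicators, and treats locked entries in browser-cache and Temp folders as normally benign. The sample log, its file names and the example.invalid URL are constructed for the example.

```python
"""Triage a RootRepeal 'Hidden/Locked Files' scan log.

Added example for this thread; not part of RootRepeal or of the forum's
fix instructions. The sample log and file names are constructed (the
random "UAC..." names imitate the pattern in the thread's log, not its
actual files).
"""
import os
from collections import Counter

# Constructed sample in RootRepeal's file-scan format. The last path is
# deliberately wrapped onto a second line, as forum posts wrap very long
# browser-cache names.
SAMPLE_LOG = r"""
ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/05/01 00:34
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\UACqwertyuiopasdfg.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACzxcvbnmasdfghjk.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\UAC1234.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\ABCD1234\page[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\ABCD1234\click,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAA,http%3A%2F%2Fexample.invalid%2Fad[1].htm
Status: Locked to the Windows API!
"""

# Folders where a locked (in-use) file is expected and usually harmless.
CACHE_MARKERS = ("\\temporary internet files\\", "\\local settings\\temp\\")


def parse_entries(log_text):
    """Return (path, status) pairs, rejoining paths wrapped across lines."""
    entries, path = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Path:"):
            path = line[len("Path:"):].strip()
        elif line.startswith("Status:") and path is not None:
            entries.append((path, line[len("Status:"):].strip()))
            path = None
        elif path is not None and line:
            path += line  # continuation of a wrapped path line
    return entries


def classify(path, status):
    """Rank one entry by how it is hidden and where it sits."""
    p = path.lower()
    if status.startswith("Invisible"):
        # Present on disk yet missing from normal directory listings: the
        # usual sign of a rootkit concealing its own files.
        return "HIDDEN_SYSTEM_FILE" if p.startswith("c:\\windows\\") else "HIDDEN_FILE"
    if any(m in p for m in CACHE_MARKERS):
        return "LOCKED_CACHE"  # browser/temp file merely held open
    return "LOCKED_OTHER"


def shared_name_prefix(paths, min_len=3):
    """Longest common case-insensitive file-name prefix, '' if none.

    Several hidden files sharing one short prefix followed by random
    characters is a typical dropper pattern worth reporting together.
    """
    names = [p.rsplit("\\", 1)[-1].lower() for p in paths]
    if len(names) < 2:
        return ""
    prefix = os.path.commonprefix(names)
    return prefix if len(prefix) >= min_len else ""


def triage(log_text):
    """Summarise a log: per-class counts, hidden paths, prefix, verdict."""
    counts, by_class = Counter(), {}
    for path, status in parse_entries(log_text):
        cls = classify(path, status)
        counts[cls] += 1
        by_class.setdefault(cls, []).append(path)
    hidden = by_class.get("HIDDEN_SYSTEM_FILE", []) + by_class.get("HIDDEN_FILE", [])
    verdict = "ROOTKIT_SUSPECTED" if "HIDDEN_SYSTEM_FILE" in by_class else "NO_HIDDEN_SYSTEM_FILES"
    return {"counts": dict(counts), "hidden": hidden,
            "shared_prefix": shared_name_prefix(hidden), "verdict": verdict}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(report["verdict"], report["counts"], "shared prefix:", report["shared_prefix"])
```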

Everything was done via flash drive as this system won't connect. I appreciate the help and hope I did everything right.

root repeal:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:03:10 PM, on 4/30/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Safe mode with network support

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lee-county.com/

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"

O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Global Startup: ZyAIR.lnk = C:\Program Files\ZyAIR PCcard Utility\ZyAIR.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1190396349469

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1190396342158

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: CBT Wlan Service (CBTWlanSrv) - Unknown owner - C:\WINDOWS\CBTWlanSrv.exe

O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe

O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 5612 bytes

DDS (Ver_09-03-16.01) - NTFSx86

Run by Administrator at 0:36:44.89 on Fri 05/01/2009

Internet Explorer: 6.0.2900.5512

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.177 [GMT -4:00]

AV: CyberDefender Internet Security *On-access scanning enabled* (Updated)

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

C:\WINDOWS\system32\tp4mon.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

svchost.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\CBTWlanSrv.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

c:\program files\linksys\wpc54gv3\wpc54gv3.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mDefault_Page_URL = hxxp://www.yahoo.com/

mDefault_Search_URL = hxxp://www.google.com/ie

mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com

mStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = hxxp://www.lee-county.com/

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

TB: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"

mRun: [TrackPointSrv] tp4mon.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"

mRun: [share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [CamMonitor] c:\program files\hewlett-packard\digital imaging\\unload\hpqcmon.exe

mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\zyair.lnk - c:\program files\zyair pccard utility\ZyAIR.exe

IE: &Search

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190396349469

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190396342158

DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

Notify: avgrsstarter - avgrsstx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-28 64160]

R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2006-6-20 10880]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-27 325640]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-27 27656]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 72944]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-27 298264]

R2 CBTWlanSrv;CBT Wlan Service;c:\windows\CBTWlanSrv.exe [2008-11-1 106496]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]

R3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [2007-12-12 802683]

R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 7408]

S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-27 108552]

S2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-1-15 204800]

S3 CBPMp50;CBPMp50 NDIS Protocol Driver;c:\windows\system32\drivers\cbpmp50.sys --> c:\windows\system32\drivers\CBPMp50.sys [?]

S3 CBPSp50;CBPSp50 NDIS Protocol Driver;c:\windows\system32\drivers\CBPSp50.sys [2008-11-1 27072]

S3 CDAVFS;CDAVFS;c:\windows\system32\drivers\CDAVFS.sys [2008-7-14 67424]

S3 SQTECH9052;Disney Micro;c:\windows\system32\drivers\Capt9052.sys [2008-12-28 38656]

S3 WPC54Gv3;Linksys Wireless Notebook Adapter WPC54Gv3 Driver;c:\windows\system32\drivers\WPC54Gv3.SYS [2008-11-1 610816]

S3 ZD1201C;ZyAIR B-120 IEEE 802.11b Wireless LAN Driver (PCMCIA);c:\windows\system32\drivers\zd1201c.sys --> c:\windows\system32\drivers\zd1201c.sys [?]

S3 ZDNDIS5;ZDNDIS5 Protocol Driver;\??\c:\windows\system32\zdndis5.sys --> c:\windows\system32\ZDNDIS5.SYS [?]

============== File Associations ===============

regfile=regedit.exe "%1" %*

scrfile="%1" %*

=============== Created Last 30 ================

2009-04-30 19:33 15,504 a------- c:\windows\system32\drivers\mbam.sys

2009-04-30 19:33 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-30 08:10 <DIR> --d----- c:\program files\Trend Micro

2009-04-29 16:02 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-04-29 13:33 <DIR> --d----- c:\program files\CCleaner

2009-04-28 03:15 15,688 a------- c:\windows\system32\lsdelete.exe

2009-04-28 01:56 64,160 a------- c:\windows\system32\drivers\Lbd.sys

2009-04-28 01:55 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}

2009-04-28 01:54 <DIR> --d----- c:\program files\Lavasoft

2009-04-27 21:03 1,152 a------- c:\windows\system32\windrv.sys

2009-04-27 19:51 <DIR> --d----- c:\program files\Loaris Trojan Remover

2009-04-27 14:37 <DIR> --d-h--- C:\$AVG8.VAULT$

2009-04-27 14:15 10,520 a------- c:\windows\system32\avgrsstx.dll

2009-04-27 14:15 108,552 a------- c:\windows\system32\drivers\avgtdix.sys

2009-04-27 14:15 325,640 a------- c:\windows\system32\drivers\avgldx86.sys

2009-04-27 14:15 <DIR> --d----- c:\windows\system32\drivers\Avg

2009-04-27 14:15 <DIR> --d----- c:\program files\AVG

2009-04-27 13:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8

2009-04-16 20:11 284,160 -c------ c:\windows\system32\dllcache\pdh.dll

2009-04-16 20:11 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll

2009-04-16 20:11 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll

2009-04-16 20:11 110,592 -c------ c:\windows\system32\dllcache\services.exe

2009-04-16 20:11 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll

2009-04-16 20:11 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe

2009-04-16 20:11 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll

2009-04-16 20:11 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll

2009-04-16 20:11 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll

2009-04-16 20:04 2,560 -------- c:\windows\system32\xpsp4res.dll

2009-04-16 20:04 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb

2009-04-16 20:04 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe

2009-04-03 10:30 81,920 a------- c:\windows\system32\ieencode.dll

2009-04-03 10:28 105,984 -c------ c:\windows\system32\dllcache\iecompat.dll

2009-04-02 07:56 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat

2009-04-01 09:03 <DIR> --d----- c:\windows\system32\XPSViewer

2009-04-01 09:01 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-04-01 09:01 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll

2009-04-01 09:01 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-04-01 09:01 575,488 -------- c:\windows\system32\xpsshhdr.dll

2009-04-01 09:01 117,760 -------- c:\windows\system32\prntvpt.dll

2009-04-01 09:01 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll

2009-04-01 09:01 1,676,288 -------- c:\windows\system32\xpssvcs.dll

2009-04-01 09:01 <DIR> --d----- C:\4edb8fbc66f362cb4231c3046e1aec

==================== Find3M ====================

2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll

2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll

2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll

2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll

2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll

2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys

2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe

2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe

2009-02-06 07:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe

2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe

2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll

============= FINISH: 0:37:00.62 ===============

Attach.zip



You did fine.

So there were no hidden files detected by RootRepeal then?

Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Disable the active protection component of your antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When the scan is finished (a few seconds), click the Rootkit/Malware tab, and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
  • Exit the Program
  • Save the Scan log as ARK.txt and post it in your next reply. If the log is very long, attach it please.

Please download Combofix from one of these locations:

HERE

or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as daveyc.exe

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK
  • For Internet Explorer:
    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console if you have not done that already:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Also, disable your firewall!

You can enable the Windows firewall in the interim, until the scan is complete.

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix.exe & follow the prompts.

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang. Do not proceed with the rest of the fix if you fail to run combofix.

Please post ARK.txt and C:\ComboFix.txt in your next reply.


Sorry for the delay,

In my bleary-eyed-ness, I must have cut and pasted the wrong file. Below is the root repeal log, as well as a MWB log after that. My service provider (Comcast, who I hate) decided to have an outage last night in the middle of our "project". I went ahead and removed the file found by MWB.

I am reviewing your reply and downloading and preparing to do what you recommended. One note... You suggested turning off the firewall. I can't change the settings in the firewall because of the virus, or if I can, I can't seem to figure out how. Is this a necessity?

Based on the root repeal log and the new MWB log, should I still continue with ComboFix as you suggested? I'll assume so and prepare but won't run anything until I hear from you.

Thanks again!

ROOTREPEAL © AD, 2007-2008

==================================================

Scan Time: 2009/05/01 00:34

Program Version: Version 1.2.3.0

Windows Version: Windows XP SP3

==================================================

Hidden/Locked Files

-------------------

Path: C:\Avenger\uacinit.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACebyiwktantdewvg.log

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACietqenntyijujvx.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACnpcslouhemxxiri.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACqllrxmqjkdmcxow.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACteqrrhswwqeelpf.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACvbrftegbospivrb.dat

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACyqxwkbodulhylkd.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACxlthpavmttapqme.sys

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\UAC6592.tmp

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\dref=http%253A%252F%252Fcomment.myspace.com%252Findex[1].postImageCommentConfirm%2526friendID%253D139062974%2526albumID%253D449048%2526imageID%253D6233130

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\dref=http%253A%252F%252Fmessaging.myspace.com%252Findex[1].sent%2526type%253D%2526messageID%253D0%2526fed%253DTrue%2526compose%253D0%2526friendID%253D52613963

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\dref=http%253A%252F%252Fmessaging[1].reply%2526friendId%253D349274687%2526type%253DInbox%2526messageID%253D53848965%2526MyToken%253Daf4e30a5-c82c-4f81-8659-13e018835409

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\click,VaUDAERxBQDdfA8AYd8EAAIAPkIAAP8AAAADDAIADwKMrgEAHD4HAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJrmqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14vgenu67%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\click,VaUDAHNxBQA48gkA3tYDAAAAvkIAAAcAAQADDQIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.8qkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tidvt70%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\click,VaUDAHNxBQCMrAgAEucDAAIAdkIAAP8AAAADDQIABgOMrgEAr0sFAPncBQAAAAAAAAAAAAAAAAAAAAAAAAAAAAjuqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t33m8hm%2FM%3D674272[2]

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\click,VaUDAHNxBQCYDRAARjQEAAIAMkIAAP8AAAABDAIABgKMrgEAN0oGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaUjEgAAAAA,http%3A%2F%2Fus.ard.yahoo[2].rand%3D2008102514,;ord=1217172486

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAA5kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAK4Pq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tbb5v50%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAAckMAAAsAAwADEQIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMgrq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t67kk3s%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAAhkMAAAcABAADEQIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPAtq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t5tq2fh%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAAskMAAAcABQADEgIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOE3q0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tnvfkah%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAAukMAAAgABgADEgIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMY6q0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tdsc6de%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQBPjgwA-jMEAAIAQkMAAP8AAAADEAIABgKMrgEA4EkGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFweq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t5p0fc7%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQBUEgoA908FAAIAIkMAAP8AAAADEAIABgKMrgEADuIHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABYbq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tduc9r2%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQBylA4AmqgEAAIAKkIAAP8AAAAHFgIABgKMrgEAN-4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP2j1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tf51cse%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAKFxBQBhYgoA3tYDAAAA-kIAAAkAAwADEAIAAgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEkYq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D150voamm1%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAKFxBQBhYgoA3tYDAAIAAkIAAP8AAAAHFgIAAgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFaj1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D150f3bbcr%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAA0kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPoNq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tbpo6c6%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQBd3w0Aho0EAAIArkMAAP8AAAADEgIABgKMrgEAoccGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOM2q0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t2o1ig8%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAERxBQBPBgoAuIADAAIBjkMAAP8AAAADEQIADwKMrgEAik0FAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEkxq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14vgelce4%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\KTUR09UB\click,VaUDAKFxBQA28gkA3tYDAAIA0kMAAP8AAAADEwIAAgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHxKq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D150l50hua%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\KTUR09UB\click,VaUDAHNxBQBylA4AmqgEAAIAJkIAAP8AAAAHFgIABgKMrgEAN-4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPaj1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tl0c5i1%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\KTUR09UB\click,VaUDAHNxBQBylA4AmqgEAAIALkIAAP8AAAAHFgIABgKMrgEAN-4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGk1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tfgjeg3%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\QX07YV8V\click,VaUDAKFxBQBPRwoARKIEAAAAJkIAAAkAAgABDAIAAgKMrgEAoOUGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFmTjEgAAAAA,http%3A%2F%2Fus.ard.yahoo[2].rand%3D1207918661,;ord=1217172313

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\QX07YV8V\default;dcopt=ist;ap1=0;ap2=0;ap3=0;a0_0=0;a0_4=0;a0_7=0;a0_10=0;a1_0=0;a1_7=0;a2=0;a3=0;a4=0;a5=0;a6=0;a7=0;a9=0;a11=0;a13=0;a15=0;a18=0;spon=0;sens=0;m=0;mage=0;area=d[2]

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\QX07YV8V\click,VaUDAFVyBQBhYgoA3tYDAAIAOkIAAP8AAAADDAIAAgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJPmqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D1507c6tf7%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\QX07YV8V\click,VaUDAHNxBQA48gkA3tYDAAIAukIAAP8AAAADDQIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANf6qkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tdd112b%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAA4kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKsPq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tm91fmn%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAAekMAAAcABAADEQIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIwtq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14teeqbg7%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAAKkMAAAkAAgADEAIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACQbq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tgcmgl0%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAAlkMAAAoABQADEgIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFY1q0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14ttpuk4p%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAAmkMAAAoABQADEgIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGA2q0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tclgj7m%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQBylA4AmqgEAAIAHkIAAP8AAAAHFgIABgKMrgEAN-4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOaj1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tuv5b4b%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQDHBgoAq3QFAAIAGkMAAP8AAAADEAIABgKMrgEADB8IAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMMaq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tvh1of0%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAA3kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKgPq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14te0e931%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAERxBQBPBgoAuIADAAIAMkIAAP8AAAAHFgIADwKMrgEAik0FAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAek1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14vmcfi13%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\6rnd%3D006006792%26neg%3D1%26ega%3D16%26uhpt%3D16%26ged%3D0%3A0%3AYjQ1YzdlNjg0OWRmZTVlY_S0h08m3fTgveBpjSG6GdrUJQ6Sv3lzY9lbuBPAUoU2NJC5jwUVX9biVT8oY7GZJNCQ_a1XFBY2Xj2NDUHk1oj&r=0

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\default;dcopt=ist;ap1=0;ap2=0;ap3=0;a0_0=0;a0_4=0;a0_7=0;a0_10=0;a1_0=0;a1_7=0;a2=0;a3=0;a4=0;a5=0;a6=0;a7=0;a9=0;a11=0;a13=0;a15=0;a18=0;spon=0;sens=0;m=0;mage=0;area=d[2]

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\dref=http%253A%252F%252Fwww[1].asp%253Fpartner%253Daccuweather%2526traveler%253D1%2526zipChg%253D1%2526zipcode%253D33948%2526metric%253D0%2526site%253DFLS%2526large%253D0

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\click,VaUDAKFxBQBPRwoARKIEAAIAAkIAAP8AAAABDAIAAgKMrgEAoOUGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKuOjEgAAAAA,http%3A%2F%2Fus.ard.yahoo[2].rand%3Dfj80vvrn0ekeq,;ord=1217171115

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\dref=http%253A%252F%252Fcomment.myspace.com%252Findex[1].viewProfile_commentForm%2526friendID%253D139062974%2526MyToken%253D987aea37-1af8-4217-b620-addda9b3755c

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\dref=http%253A%252F%252Fmessaging[1].reply%2526friendId%253D349274687%2526type%253DInbox%2526messageID%253D53848965%2526MyToken%253Daf4e30a5-c82c-4f81-8659-13e018835409

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\click,VaUDAHNxBQDf6w4Av8EEAAIAbkIAAP8AAAADDAIABgKMrgEATxMHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGbtqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14taa4ecm%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\click,VaUDAKFxBQBhYgoA3tYDAAAAZkIAAAkAAQADDAIAAgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHLsqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D150rcaopu%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAERxBQAzuAkALDADAAIA9kIAAP8AAAADDwIADwKMrgEAht8EAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKAXq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14vgup2li%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQA48gkA3tYDAAAA7kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACQUq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14ta06788%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQA48gkA3tYDAAAA8kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFYVq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14telousf%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQA48gkA3tYDAAAAYkMAAAoAAwADEAIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPAkq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t3af3av%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQBylA4AmqgEAAIAPkIAAP8AAAAHFgIABgKMrgEAN-4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB6k1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t26ndng%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQCXbA8AP-sEAAIB4kMAAP8AAAADFAIABgKMrgEAHFAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB9Vq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tds3bl8%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQCYDRAARjQEAAIAQkIAAP8AAAAHFgIABgKMrgEAN0oGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACKk1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tr1hrk2%2FM%3D674272[2]

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQDHBgoAq3QFAAAA3kMAAAsAAQADFAIABgKMrgEADB8IAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB1Vq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t37o0pr%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAKFxBQBhYgoA3tYDAAAA6kIAAAsAAgADDwIAAgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACIUq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D150fruna5%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAP2dBQAFDxMAZ1IEAAIAOkIAAP8AAAAHFgIADwKSrgEAPHMGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABmk1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D15ps4s95m%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQA48gkA3tYDAAAANkMAAAkAAgADEAIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAK0bq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tka870d%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\YXSX4583\click,VaUDAHNxBQCMrAgAEucDAAIAekIAAP8AAAADDQIABgOMrgEA1cMEAPncBQAAAAAAAAAAAAAAAAAAAAAAAAAAAA.uqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t21j2t3%2FM%3D674272[2]

Status: Locked to the Windows API!

MWB log:

Malwarebytes' Anti-Malware 1.36

Database version: 2060

Windows 5.1.2600 Service Pack 3

5/1/2009 2:17:29 AM

mbam-log-2009-05-01 (02-17-29).txt

Scan type: Quick Scan

Objects scanned: 74731

Time elapsed: 4 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Illysoft (Rogue.SpyNoMore) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Illysoft (Rogue.SpyNoMore) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


You can try this first, but ultimately Combofix should be run to detect and remove all hidden files present.

Disabling the firewall is not that important, but AV should definitely be disabled!

Relaunch RootRepeal (prescan)

Repeat the hidden file scan as per my previous instructions with all security protection disabled.

After the scan identifies and displays the hidden files present on your system, use your mouse to highlight the following file in the RootRepeal window.

C:\WINDOWS\system32\drivers\UACxlthpavmttapqme.sys

If it does not exactly match the above file name, it will be a SYS file whose name begins with UAC, followed by a long string of random characters, and ends in a SYS file extension.

Next right-click the file noted above, and select the *wipe file* option only.

Exit RootRepeal and immediately reboot!

Upon reboot,

  • Relaunch MBAM
  • Select the Update tab -> Check for Updates
  • After MBAM updates, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK -> Show Results to view the scan results.
  • Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
  • When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.

Repeat the RootRepeal file scan (post-scan) and see if any hidden items remain.

Post back RootRepeal logs (prescan & post-scan, in that order) and a new MBAM scan report.

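The helper's instructions rely on two things a reader has to pick out of a RootRepeal report by eye: which entries are "Invisible to the Windows API" (hidden by a rootkit) rather than merely "Locked" (open or in use, as Internet Explorer cache files routinely are), and which of the hidden ones follow the UAC-plus-random-characters naming, with the .sys under system32\drivers being the one to wipe. The Python script below is an added example for this thread; it is not code from the forum, from RootRepeal or from Malwarebytes. It parses the Path:/Status: layout shown in the logs above, re-joins paths that the forum wrapped over several lines, and sorts the entries into those buckets. The file names in the sample come from the posted logs; the trimmed log layout and the minimum run of eight random characters are assumptions.

```python
"""Triage a RootRepeal 'Hidden/Locked Files' report.

Added example for this thread, not code from the forum, RootRepeal or
Malwarebytes. File names come from the posted logs; the trimmed log layout
and the minimum random-run length are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# The UAC + random-characters naming the helper describes. Requiring at least
# eight random characters is an assumption so that short legitimate names miss.
UAC_NAME = re.compile(r"^uac[a-z0-9]{8,}\.(sys|dll|dat|log)$", re.IGNORECASE)
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\system32\drivers")

# Constructed sample: a cut-down report in the Path:/Status: layout the thread
# shows, including one cache path that the forum wrapped over two lines.
SAMPLE_LOG = r"""
ROOTREPEAL (c) AD, 2007-2008
Hidden/Locked Files
-------------------

Path: C:\Avenger\uacinit.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACietqenntyijujvx.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACxlthpavmttapqme.sys

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\UAC6592.tmp

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\click,VaUDAERxBQDdfA8AYd8EAAIAPkIAAP8AAAADDAIADwKMrgEAHD4HAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAJrmqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14vgenu67%2FM%3D674272[1].htm

Status: Locked to the Windows API!
"""


@dataclass
class Entry:
    path: str
    status: str  # "invisible", "locked" or "other"


def parse_rootrepeal(text: str) -> List[Entry]:
    """One Entry per Path:/Status: pair; non-empty lines between the two are
    treated as a continuation of the path, which re-joins forum-wrapped paths."""
    entries: List[Entry] = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Path:"):
            pending = line[len("Path:"):].strip()
        elif line.startswith("Status:"):
            if pending is None:
                continue  # Status: with no preceding Path:, ignore it
            if "Invisible" in line:
                status = "invisible"
            elif "Locked" in line:
                status = "locked"
            else:
                status = "other"
            entries.append(Entry(pending, status))
            pending = None
        elif pending is not None:
            pending += line  # wrapped continuation of the path
    return entries


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Bucket entries: "invisible" is hidden from the Win32 API (rootkit
    behaviour); "locked" is merely open/in use and is normal for IE cache."""
    buckets: Dict[str, List[str]] = {
        "hidden_uac_driver": [],     # the UAC*.sys the helper says to wipe
        "hidden_uac_component": [],  # other UAC<random> files under system32
        "hidden_other": [],          # hidden, but outside the naming pattern
        "locked_in_use": [],         # open files; not evidence on their own
    }
    for e in entries:
        if e.status == "locked":
            buckets["locked_in_use"].append(e.path)
            continue
        if e.status != "invisible":
            continue
        directory, _, name = e.path.rpartition("\\")
        if directory.lower() in SYSTEM_DIRS and UAC_NAME.match(name):
            key = "hidden_uac_driver" if name.lower().endswith(".sys") else "hidden_uac_component"
            buckets[key].append(e.path)
        else:
            buckets["hidden_other"].append(e.path)
    return buckets
```

Run against the full logs in this thread, the "locked_in_use" bucket absorbs every Content.IE5 entry, leaving the system32 UAC files and the driver as the short list that actually matters; the second RootRepeal scan posted below can be fed through the same function to confirm whether the driver is still listed after the wipe.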

Ran RootRepeal as directed... log below.

Wiped out the .sys file as directed. Immediate reboot.

Upon reboot I was given a "Generic Host Process for Win32 Services" error... needed to shut down? It asked if I wanted to send a report. Said no (no internet connection anyway). Viewed the report, and here's some info:

Error signature

szAppname svchost.exe version 5.1.2600.5512

szModname upnphost.dll version 5.1.2600.5512

offset 00016f8

Error listed at 4/29 3:44 (which was not the time of the reboot).

Ran MWB, but not an updated version, as I have not attempted to connect to the internet (part of the issue was inability to do so; I removed the wireless card so it could not attempt).

Log attached.

Removed selected.

MWB asked for a reboot to complete removal. I did NOT reboot.

Ran RootRepeal a second time.

Log attached.

ROOTREPEAL © AD, 2007-2008

==================================================

Scan Time: 2009/05/01 11:53

Program Version: Version 1.2.3.0

Windows Version: Windows XP SP3

==================================================

Hidden/Locked Files

-------------------

Path: C:\Avenger\uacinit.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACebyiwktantdewvg.log

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACietqenntyijujvx.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACnpcslouhemxxiri.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACqllrxmqjkdmcxow.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACteqrrhswwqeelpf.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACvbrftegbospivrb.dat

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACyqxwkbodulhylkd.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACxlthpavmttapqme.sys

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\UAC6592.tmp

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\dref=http%253A%252F%252Fcomment.myspace.com%252Findex[1].postImageCommentConfirm%2526friendID%253D139062974%2526albumID%253D449048%2526imageID%253D6233130

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\dref=http%253A%252F%252Fmessaging.myspace.com%252Findex[1].sent%2526type%253D%2526messageID%253D0%2526fed%253DTrue%2526compose%253D0%2526friendID%253D52613963

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\dref=http%253A%252F%252Fmessaging[1].reply%2526friendId%253D349274687%2526type%253DInbox%2526messageID%253D53848965%2526MyToken%253Daf4e30a5-c82c-4f81-8659-13e018835409

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\click,VaUDAERxBQDdfA8AYd8EAAIAPkIAAP8AAAADDAIADwKMrgEAHD4HAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJrmqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14vgenu67%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\click,VaUDAHNxBQA48gkA3tYDAAAAvkIAAAcAAQADDQIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.8qkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tidvt70%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\click,VaUDAHNxBQCMrAgAEucDAAIAdkIAAP8AAAADDQIABgOMrgEAr0sFAPncBQAAAAAAAAAAAAAAAAAAAAAAAAAAAAjuqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t33m8hm%2FM%3D674272[2]

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\click,VaUDAHNxBQCYDRAARjQEAAIAMkIAAP8AAAABDAIABgKMrgEAN0oGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaUjEgAAAAA,http%3A%2F%2Fus.ard.yahoo[2].rand%3D2008102514,;ord=1217172486

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAA5kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAK4Pq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tbb5v50%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAAckMAAAsAAwADEQIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMgrq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t67kk3s%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAAhkMAAAcABAADEQIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPAtq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t5tq2fh%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAAskMAAAcABQADEgIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOE3q0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tnvfkah%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAAukMAAAgABgADEgIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMY6q0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tdsc6de%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQBPjgwA-jMEAAIAQkMAAP8AAAADEAIABgKMrgEA4EkGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFweq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t5p0fc7%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQBUEgoA908FAAIAIkMAAP8AAAADEAIABgKMrgEADuIHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABYbq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tduc9r2%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQBylA4AmqgEAAIAKkIAAP8AAAAHFgIABgKMrgEAN-4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP2j1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tf51cse%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAKFxBQBhYgoA3tYDAAAA-kIAAAkAAwADEAIAAgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEkYq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D150voamm1%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAKFxBQBhYgoA3tYDAAIAAkIAAP8AAAAHFgIAAgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFaj1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D150f3bbcr%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAA0kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPoNq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tbpo6c6%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQBd3w0Aho0EAAIArkMAAP8AAAADEgIABgKMrgEAoccGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOM2q0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t2o1ig8%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAERxBQBPBgoAuIADAAIBjkMAAP8AAAADEQIADwKMrgEAik0FAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEkxq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14vgelce4%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\KTUR09UB\click,VaUDAKFxBQA28gkA3tYDAAIA0kMAAP8AAAADEwIAAgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHxKq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D150l50hua%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\KTUR09UB\click,VaUDAHNxBQBylA4AmqgEAAIAJkIAAP8AAAAHFgIABgKMrgEAN-4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPaj1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tl0c5i1%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\KTUR09UB\click,VaUDAHNxBQBylA4AmqgEAAIALkIAAP8AAAAHFgIABgKMrgEAN-4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGk1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tfgjeg3%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\QX07YV8V\click,VaUDAKFxBQBPRwoARKIEAAAAJkIAAAkAAgABDAIAAgKMrgEAoOUGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFmTjEgAAAAA,http%3A%2F%2Fus.ard.yahoo[2].rand%3D1207918661,;ord=1217172313

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\QX07YV8V\default;dcopt=ist;ap1=0;ap2=0;ap3=0;a0_0=0;a0_4=0;a0_7=0;a0_10=0;a1_0=0;a1_7=0;a2=0;a3=0;a4=0;a5=0;a6=0;a7=0;a9=0;a11=0;a13=0;a15=0;a18=0;spon=0;sens=0;m=0;mage=0;area=d[2]

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\QX07YV8V\click,VaUDAFVyBQBhYgoA3tYDAAIAOkIAAP8AAAADDAIAAgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJPmqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D1507c6tf7%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\QX07YV8V\click,VaUDAHNxBQA48gkA3tYDAAIAukIAAP8AAAADDQIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANf6qkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tdd112b%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAA4kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKsPq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tm91fmn%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAAekMAAAcABAADEQIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIwtq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14teeqbg7%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAAKkMAAAkAAgADEAIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACQbq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tgcmgl0%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAAlkMAAAoABQADEgIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFY1q0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14ttpuk4p%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAAmkMAAAoABQADEgIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGA2q0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tclgj7m%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQBylA4AmqgEAAIAHkIAAP8AAAAHFgIABgKMrgEAN-4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOaj1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tuv5b4b%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQDHBgoAq3QFAAIAGkMAAP8AAAADEAIABgKMrgEADB8IAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMMaq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tvh1of0%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAA3kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKgPq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14te0e931%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAERxBQBPBgoAuIADAAIAMkIAAP8AAAAHFgIADwKMrgEAik0FAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAek1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14vmcfi13%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\6rnd%3D006006792%26neg%3D1%26ega%3D16%26uhpt%3D16%26ged%3D0%3A0%3AYjQ1YzdlNjg0OWRmZTVlY_S0h08m3fTgveBpjSG6GdrUJQ6Sv3lzY9lbuBPAUoU2NJC5jwUVX9biVT8oY7GZJNCQ_a1XFBY2Xj2NDUHk1oj&r=0

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\default;dcopt=ist;ap1=0;ap2=0;ap3=0;a0_0=0;a0_4=0;a0_7=0;a0_10=0;a1_0=0;a1_7=0;a2=0;a3=0;a4=0;a5=0;a6=0;a7=0;a9=0;a11=0;a13=0;a15=0;a18=0;spon=0;sens=0;m=0;mage=0;area=d[2]

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\dref=http%253A%252F%252Fwww[1].asp%253Fpartner%253Daccuweather%2526traveler%253D1%2526zipChg%253D1%2526zipcode%253D33948%2526metric%253D0%2526site%253DFLS%2526large%253D0

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\click,VaUDAKFxBQBPRwoARKIEAAIAAkIAAP8AAAABDAIAAgKMrgEAoOUGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKuOjEgAAAAA,http%3A%2F%2Fus.ard.yahoo[2].rand%3Dfj80vvrn0ekeq,;ord=1217171115

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\dref=http%253A%252F%252Fcomment.myspace.com%252Findex[1].viewProfile_commentForm%2526friendID%253D139062974%2526MyToken%253D987aea37-1af8-4217-b620-addda9b3755c

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\dref=http%253A%252F%252Fmessaging[1].reply%2526friendId%253D349274687%2526type%253DInbox%2526messageID%253D53848965%2526MyToken%253Daf4e30a5-c82c-4f81-8659-13e018835409

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\click,VaUDAHNxBQDf6w4Av8EEAAIAbkIAAP8AAAADDAIABgKMrgEATxMHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGbtqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14taa4ecm%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\click,VaUDAKFxBQBhYgoA3tYDAAAAZkIAAAkAAQADDAIAAgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHLsqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D150rcaopu%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAERxBQAzuAkALDADAAIA9kIAAP8AAAADDwIADwKMrgEAht8EAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKAXq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14vgup2li%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQA48gkA3tYDAAAA7kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACQUq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14ta06788%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQA48gkA3tYDAAAA8kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFYVq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14telousf%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQA48gkA3tYDAAAAYkMAAAoAAwADEAIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPAkq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t3af3av%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQBylA4AmqgEAAIAPkIAAP8AAAAHFgIABgKMrgEAN-4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB6k1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t26ndng%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQCXbA8AP-sEAAIB4kMAAP8AAAADFAIABgKMrgEAHFAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB9Vq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tds3bl8%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQCYDRAARjQEAAIAQkIAAP8AAAAHFgIABgKMrgEAN0oGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACKk1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tr1hrk2%2FM%3D674272[2]

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQDHBgoAq3QFAAAA3kMAAAsAAQADFAIABgKMrgEADB8IAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB1Vq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t37o0pr%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAKFxBQBhYgoA3tYDAAAA6kIAAAsAAgADDwIAAgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACIUq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D150fruna5%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAP2dBQAFDxMAZ1IEAAIAOkIAAP8AAAAHFgIADwKSrgEAPHMGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABmk1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D15ps4s95m%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQA48gkA3tYDAAAANkMAAAkAAgADEAIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAK0bq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tka870d%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\YXSX4583\click,VaUDAHNxBQCMrAgAEucDAAIAekIAAP8AAAADDQIABgOMrgEA1cMEAPncBQAAAAAAAAAAAAAAAAAAAAAAAAAAAA.uqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t21j2t3%2FM%3D674272[2]

Status: Locked to the Windows API!

Post Scan:

ROOTREPEAL © AD, 2007-2008

==================================================

Scan Time: 2009/05/01 12:23

Program Version: Version 1.2.3.0

Windows Version: Windows XP SP3

==================================================

Hidden/Locked Files

-------------------

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\dref=http%253A%252F%252Fcomment.myspace.com%252Findex[1].postImageCommentConfirm%2526friendID%253D139062974%2526albumID%253D449048%2526imageID%253D6233130

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\dref=http%253A%252F%252Fmessaging.myspace.com%252Findex[1].sent%2526type%253D%2526messageID%253D0%2526fed%253DTrue%2526compose%253D0%2526friendID%253D52613963

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\dref=http%253A%252F%252Fmessaging[1].reply%2526friendId%253D349274687%2526type%253DInbox%2526messageID%253D53848965%2526MyToken%253Daf4e30a5-c82c-4f81-8659-13e018835409

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\click,VaUDAERxBQDdfA8AYd8EAAIAPkIAAP8AAAADDAIADwKMrgEAHD4HAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJrmqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14vgenu67%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\click,VaUDAHNxBQA48gkA3tYDAAAAvkIAAAcAAQADDQIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.8qkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tidvt70%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\click,VaUDAHNxBQCMrAgAEucDAAIAdkIAAP8AAAADDQIABgOMrgEAr0sFAPncBQAAAAAAAAAAAAAAAAAAAAAAAAAAAAjuqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t33m8hm%2FM%3D674272[2]

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\click,VaUDAHNxBQCYDRAARjQEAAIAMkIAAP8AAAABDAIABgKMrgEAN0oGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaUjEgAAAAA,http%3A%2F%2Fus.ard.yahoo[2].rand%3D2008102514,;ord=1217172486

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAA5kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAK4Pq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tbb5v50%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAAckMAAAsAAwADEQIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMgrq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t67kk3s%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAAhkMAAAcABAADEQIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPAtq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t5tq2fh%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAAskMAAAcABQADEgIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOE3q0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tnvfkah%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAAukMAAAgABgADEgIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMY6q0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tdsc6de%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQBPjgwA-jMEAAIAQkMAAP8AAAADEAIABgKMrgEA4EkGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFweq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t5p0fc7%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQBUEgoA908FAAIAIkMAAP8AAAADEAIABgKMrgEADuIHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABYbq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tduc9r2%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQBylA4AmqgEAAIAKkIAAP8AAAAHFgIABgKMrgEAN-4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP2j1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tf51cse%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAKFxBQBhYgoA3tYDAAAA-kIAAAkAAwADEAIAAgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEkYq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D150voamm1%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAKFxBQBhYgoA3tYDAAIAAkIAAP8AAAAHFgIAAgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFaj1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D150f3bbcr%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAA0kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPoNq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tbpo6c6%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQBd3w0Aho0EAAIArkMAAP8AAAADEgIABgKMrgEAoccGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOM2q0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t2o1ig8%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAERxBQBPBgoAuIADAAIBjkMAAP8AAAADEQIADwKMrgEAik0FAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEkxq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14vgelce4%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\KTUR09UB\click,VaUDAKFxBQA28gkA3tYDAAIA0kMAAP8AAAADEwIAAgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHxKq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D150l50hua%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\KTUR09UB\click,VaUDAHNxBQBylA4AmqgEAAIAJkIAAP8AAAAHFgIABgKMrgEAN-4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPaj1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tl0c5i1%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\KTUR09UB\click,VaUDAHNxBQBylA4AmqgEAAIALkIAAP8AAAAHFgIABgKMrgEAN-4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGk1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tfgjeg3%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\QX07YV8V\click,VaUDAKFxBQBPRwoARKIEAAAAJkIAAAkAAgABDAIAAgKMrgEAoOUGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFmTjEgAAAAA,http%3A%2F%2Fus.ard.yahoo[2].rand%3D1207918661,;ord=1217172313

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\QX07YV8V\default;dcopt=ist;ap1=0;ap2=0;ap3=0;a0_0=0;a0_4=0;a0_7=0;a0_10=0;a1_0=0;a1_7=0;a2=0;a3=0;a4=0;a5=0;a6=0;a7=0;a9=0;a11=0;a13=0;a15=0;a18=0;spon=0;sens=0;m=0;mage=0;area=d[2]

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\QX07YV8V\click,VaUDAFVyBQBhYgoA3tYDAAIAOkIAAP8AAAADDAIAAgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJPmqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D1507c6tf7%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\QX07YV8V\click,VaUDAHNxBQA48gkA3tYDAAIAukIAAP8AAAADDQIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANf6qkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tdd112b%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAA4kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKsPq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tm91fmn%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAAekMAAAcABAADEQIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIwtq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14teeqbg7%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAAKkMAAAkAAgADEAIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACQbq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tgcmgl0%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAAlkMAAAoABQADEgIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFY1q0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14ttpuk4p%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAAmkMAAAoABQADEgIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGA2q0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tclgj7m%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQBylA4AmqgEAAIAHkIAAP8AAAAHFgIABgKMrgEAN-4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOaj1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tuv5b4b%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQDHBgoAq3QFAAIAGkMAAP8AAAADEAIABgKMrgEADB8IAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMMaq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tvh1of0%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAA3kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKgPq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14te0e931%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAERxBQBPBgoAuIADAAIAMkIAAP8AAAAHFgIADwKMrgEAik0FAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAek1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14vmcfi13%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\6rnd%3D006006792%26neg%3D1%26ega%3D16%26uhpt%3D16%26ged%3D0%3A0%3AYjQ1YzdlNjg0OWRmZTVlY_S0h08m3fTgveBpjSG6GdrUJQ6Sv3lzY9lbuBPAUoU2NJC5jwUVX9biVT8oY7GZJNCQ_a1XFBY2Xj2NDUHk1oj&r=0

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\default;dcopt=ist;ap1=0;ap2=0;ap3=0;a0_0=0;a0_4=0;a0_7=0;a0_10=0;a1_0=0;a1_7=0;a2=0;a3=0;a4=0;a5=0;a6=0;a7=0;a9=0;a11=0;a13=0;a15=0;a18=0;spon=0;sens=0;m=0;mage=0;area=d[2]

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\dref=http%253A%252F%252Fwww[1].asp%253Fpartner%253Daccuweather%2526traveler%253D1%2526zipChg%253D1%2526zipcode%253D33948%2526metric%253D0%2526site%253DFLS%2526large%253D0

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\click,VaUDAKFxBQBPRwoARKIEAAIAAkIAAP8AAAABDAIAAgKMrgEAoOUGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKuOjEgAAAAA,http%3A%2F%2Fus.ard.yahoo[2].rand%3Dfj80vvrn0ekeq,;ord=1217171115

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\dref=http%253A%252F%252Fcomment.myspace.com%252Findex[1].viewProfile_commentForm%2526friendID%253D139062974%2526MyToken%253D987aea37-1af8-4217-b620-addda9b3755c

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\dref=http%253A%252F%252Fmessaging[1].reply%2526friendId%253D349274687%2526type%253DInbox%2526messageID%253D53848965%2526MyToken%253Daf4e30a5-c82c-4f81-8659-13e018835409

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\click,VaUDAHNxBQDf6w4Av8EEAAIAbkIAAP8AAAADDAIABgKMrgEATxMHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGbtqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14taa4ecm%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\click,VaUDAKFxBQBhYgoA3tYDAAAAZkIAAAkAAQADDAIAAgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHLsqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D150rcaopu%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAERxBQAzuAkALDADAAIA9kIAAP8AAAADDwIADwKMrgEAht8EAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKAXq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14vgup2li%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQA48gkA3tYDAAAA7kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACQUq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14ta06788%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQA48gkA3tYDAAAA8kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFYVq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14telousf%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQA48gkA3tYDAAAAYkMAAAoAAwADEAIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPAkq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t3af3av%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQBylA4AmqgEAAIAPkIAAP8AAAAHFgIABgKMrgEAN-4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB6k1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t26ndng%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQCXbA8AP-sEAAIB4kMAAP8AAAADFAIABgKMrgEAHFAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB9Vq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tds3bl8%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQCYDRAARjQEAAIAQkIAAP8AAAAHFgIABgKMrgEAN0oGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACKk1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tr1hrk2%2FM%3D674272[2]

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQDHBgoAq3QFAAAA3kMAAAsAAQADFAIABgKMrgEADB8IAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB1Vq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t37o0pr%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAKFxBQBhYgoA3tYDAAAA6kIAAAsAAgADDwIAAgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACIUq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D150fruna5%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAP2dBQAFDxMAZ1IEAAIAOkIAAP8AAAAHFgIADwKSrgEAPHMGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABmk1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D15ps4s95m%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQA48gkA3tYDAAAANkMAAAkAAgADEAIABgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAK0bq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tka870d%2FM%3D674272[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\YXSX4583\click,VaUDAHNxBQCMrAgAEucDAAIAekIAAP8AAAADDQIABgOMrgEA1cMEAPncBQAAAAAAAAAAAAAAAAAAAAAAAAAAAA.uqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t21j2t3%2FM%3D674272[2]

Status: Locked to the Windows API!

MWB Log:

Malwarebytes' Anti-Malware 1.36

Database version: 2060

Windows 5.1.2600 Service Pack 3

5/1/2009 12:15:32 PM

mbam-log-2009-05-01 (12-15-32).txt

Scan type: Quick Scan

Objects scanned: 75065

Time elapsed: 11 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\UACietqenntyijujvx.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\UACnpcslouhemxxiri.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\UACqllrxmqjkdmcxow.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\UACteqrrhswwqeelpf.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\UACyqxwkbodulhylkd.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\UACxlthpavmttapqme.sys (Trojan.Agent) -> Quarantined and deleted successfully.


OK...

I will get to work on running ComboFix. I'm off to work so it may be a while until the next reply.

Thank you so much for the help thus far. I'll attempt to update by tomorrow.

Is there a problem with trying to connect? Should I? (I'm guessing it won't connect anyway because of the firewall issue)

Fingers crossed and staying positive!


You're welcome!

Everything was done via flash drive as this system won't connect.

I was under the impression you couldn't connect, but let's solve the rootkit issue first and then we'll deal with the connection issues.

Some tools you should grab for use later are the following:

Winsockfix:

http://majorgeeks.com/download4372.html

Using this download:

http://majorgeeks.com/downloadget.php?id=4...f302c260093894b

Avenger:

http://swandog46.geekstogo.com/avenger2/download.php

Do NOT use without my supervision please!
