Malwarebytes, HJT, SAS, msconfig, won't run

[tallisall]

Hi,

A friend brought me his clone machine (AMD Athlon-3200, 512mb ram, xp-pro-sp2) and it is infected with WinPC Defender and System Security. It blocks all of the removal tools that I have tried to load such as Malwarebytes, HJT, SAS, ProcessExplorer, and RootRepeal. It also will not let me run msconfig and the Security Center icon is missing in Control Panel. It did let me backup his docs and other stuff to an external hard drive. I am not sure what to try next. I read some of the posts here, but I lack the knowledge of the forum experts.

I need some help. Thanks in advance.

[AdvancedSetup]

Please take a look at the following posts and see if they help you to resolve this or not.

Potential Malware infection issues to review to get MBAM running

• MB won't run(Fix) - Total-Security (FakeAlert)
• MBAM wont run (Fix) - av360 (Fakealert)
  
• MBAM wont install or will not run. - CLB Rootkit driver=TDSS/Seneka/GAOPDX/UAC
  

If so then please update and run MBAM and do a Quick Scan.

Update and Scan with Malwarebytes' Anti-Malware

• Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  
• Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  
  • Update Malwarebytes' Anti-Malware
  • Select the Update tab
    
  • Click Update
    

  [*]When the update is complete, select the Scanner tab

  [*]Select Perform quick scan, then click Scan.

  [*]When the scan is complete, click OK, then Show Results to view the results.

  [*]Be sure that everything is checked, and click Remove Selected.

  [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

  • If you accidently close it, the log file is saved here and will be named like this:
    
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    

Then post back the MBAM log and a new Hijackthis log.

Then run DDS

Download

DDS

and save it to your desktop

http://download.bleepingcomputer.com/sUBs/dds.scr

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Ant-Virus temporarily if needed.

Then double click

dds.scr

to run the tool.

When done, the

DDS.txt

will open.

Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

1. DDS.txt
2. Attach.txt
   
   

• Save both reports to your desktop
• Please include the following logs in your next reply:
  DDS.txt
  and
  Attach.txt
  
  

[tallisall]

Hi,

I have attempted to run ProcessExplorer and RootRepeal. When I try to launch any exe file the malware pops up a message that says that exe is infected and has been stopped from running. I tried DDS.scr and got the same results. Also it does the same thing with every executable that I have tried. (Word, Excel, Acrobat, etc.) When I tried to bootup in safe mode, it came up for about 30 seconds, then got blue screen of death (system halted, etc) I have not been able to run any exe so far except Windows Explorer

Thanks

[AdvancedSetup]

This sounds like it's been hit with the Virut virus. If it has then you'll need to wipe the box and reinstall Windows.

You can try to download and run this from SAFE MODE and it will tell us for sure.

Please download to your Desktop: Dr.Web CureIt

• After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
  
• Doubleclick the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
  
• Once the short scan has finished, Click on the Complete scan radio button.
  
• Then click on the Settings menu on top, the select Change Settings or press the F9 key. You can also change the Language
  
• Choose the Scanning tab and I recomend leaving the Heuristic analysis enabled (this can lead to False Positives though)
  
• On the File types tab ensure you select All files
  
• Click on the Actions tab and set the following:
  
  • Objects Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    
  • Infected packages Archive = Move, E-mails = Report, Containers = Move
    
  • Malware Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    
  • Do not change the Rename extension - default is: #??
    
  • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    
  • Leave prompt on Action checked
    

  [*]On the Log file tab leave the Log to file checked.

  [*]Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log

  [*]Log mode = Append

  [*]Encoding = ANSI

  [*]Details Leave Names of file packers and Statistics checked.

  [*]Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.

  [*]On the General tab leave the Scan Priority on High

  [*]Click the Apply button at the bottom, and then the OK button.

  [*]On the right side under the Dr Web Anti-Virus Logo you will see 3 little buttons. Click the left VCR style Start button.

  [*]In this mode it will scan Boot sectors of all disks, All removable media, and all local drives

  [*]The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.

  [*]When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.

  [*]Click 'Yes to all' if it asks if you want to cure/move the files.

  [*]This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)

  [*]After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list

  [*]Save the report to your Desktop. The report will be called DrWeb.csv

  [*]Close Dr.Web Cureit.

  [*]Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.

  [*]After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new hijackthis log.

  

If it won't run then run this.

Download and burn this from a clean computer and run it on the infected computer. Write down what it finds.

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

• Download the
  Avira AntiVir Rescue System
  from
  here
• Place a blank CD in your burner and double-click on the downloaded file named
  rescuecd.exe
  
  
• The program will automatically burn the CD for you.
  
  
• Place the burned CD into the affected computer and start the computer from this CD.
  
  
• On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
  
  
• Click on the
  Configuration
  button.
  
  
  • Select
    Scan all files
  • Select
    Try to repair infected files
    and
    Rename files, if they cannot be removed
    
    
  • Select
    Scan for dialers
    
    
  • Select
    Scan for joke programs (Jokes)
    
    
  • Select
    Scan for games
    
    
  • Select
    Scan for spyware (SPR)
    
    
  [*]
  Click on
  Virus scanner
  [*]
  Click on
  Start scanner
  at the bottom of the screen
  [*]
  Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Possible solutions to Screen Resolution and other issues

1. Please see the post
   here
   if you're unable to view the entire screen of Avira.
2. You can also review this one
   Fixed Rescue CD Resolution Probs with Dell Video
   
   
3. Currently only the German keyboard is supported.
   Command Line not working
   English keyboards require work arounds.
   
   
4. Some computers attempt to mount the floppy even though they don't have one. You may need to go in to the BIOS and disable the floppy drive in order to mount your hard drive for scanning.
   
   

[tallisall]

Hi,

I downloaded the drweb and the avira antivir rescue system file, and burned the cd. I ran the drweb in safe mode 3 times because it never finished. During 1st run it finished the mem scan and I configured it as per your last post for full scan. It ran for approx. 5 minutes and rebooted. I ran 2nd time and it didnot finish mem scan before it msod with this error-kernel_data_inpage_error stop:0x0000007a. I ran 3rd time and got to complete scan, it ran about 5 minutes and bsod with this error kernek_stack_inpage_error stop: 0x00000077 (0xc000000e, 0x00000000, 0x00437000) I did not know if I should run the Avira disk now or wait for more instructions. Here are the logs from drweb.

=============================================================================

Dr.Web Scanner for Windows v5.00.3 (5.00.3.05144)

© 1992-2009 Igor Daniloff. All rights reserved.

Log generated on: 2009-05-31, 16:59:55 [sKRABANEK1][Ray]

Command line: "C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\xs89q.exe" /lng /ini:setup_XP.ini

Operating system: Windows XP Professional x86 (Build 2600), Service Pack 3

=============================================================================

DwShield started

Engine version: 5.00 (5.00.0.12182)

Engine API version: 2.02

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\f671d3b7 - 8 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\8a30a138 - 4697 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\26c4a9a8 - 2792 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\f4801f85 - 5841 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\2a2c9eb2 - 2260 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\c3507a3b - 4796 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\10f165db - 5098 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\c30d7126 - 4891 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\22607e50 - 5033 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\8da58e3f - 3254 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\12b05264 - 5241 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\420da9c5 - 7585 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\184b18b4 - 5298 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\addf37e1 - 5947 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\70c32e12 - 6039 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\582511ce - 5309 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\53be5c47 - 3511 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\ea3f461d - 2495 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\4574c000 - 4565 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\28359015 - 4467 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\6985649d - 5196 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\9fc197f7 - 2359 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\459ec2c5 - 1938 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\892c9d50 - 3335 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\aca5ce68 - 3185 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\69b3bc95 - 1468 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\3849b0fe - 280 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\cc643a6e - 567 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\c7b99081 - 1194 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\b44f0849 - 423328 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\c69f92cb - 461 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\329cdeb4 - 626 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\ce775dd1 - 425 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\67986041 - 925 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\12e227a1 - 840 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\ca785525 - 3316 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\15cf1944 - 19303 virus records

Total virus records: 557873

[self-checking] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\xs89q.exe

Key file: C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\setup.key

License key number: 0010537607

Registered to: A User

License key activates on: 2008-12-05

License key expires on: 2009-06-07

Process in memory: System:4 - OK

Process in memory: \SystemRoot\System32\smss.exe:184 - OK

Process in memory: \??\C:\WINDOWS\system32\csrss.exe:232 - OK

Process in memory: \??\C:\WINDOWS\system32\winlogon.exe:256 - OK

Process in memory: C:\WINDOWS\system32\services.exe:304 - OK

Process in memory: C:\WINDOWS\system32\lsass.exe:316 - OK

Process in memory: C:\WINDOWS\system32\svchost.exe:476 - OK

Process in memory: C:\WINDOWS\system32\svchost.exe:552 - OK

Process in memory: C:\WINDOWS\system32\svchost.exe:608 - OK

Process in memory: C:\WINDOWS\Explorer.EXE:920 - OK

Process in memory: C:\Program Files\Internet Explorer\Iexplore.exe:960 - OK

Process in memory: C:\WINDOWS\system32\ctfmon.exe:1036 - OK

Process in memory: C:\Documents and Settings\Ray\Desktop\drweb-cureit.exe:1216 - OK

Process in memory: C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\68clxk.exe:1284 - OK

Process in memory: C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\xs89q.exe:1296 - OK

[Memory scanning] No viruses found

Master Boot Record HDD1 - OK

[scan path] c:\documents and settings\all users\application data\13335464\13335464.exe

c:\documents and settings\all users\application data\13335464\13335464.exe packed by FLY-CODE

>c:\documents and settings\all users\application data\13335464\13335464.exe - OK

[scan path] c:\documents and settings\all users\start menu\programs\startup\desktop.ini

c:\documents and settings\all users\start menu\programs\startup\desktop.ini - OK

[scan path] c:\documents and settings\default user\start menu\programs\startup\desktop.ini

c:\documents and settings\default user\start menu\programs\startup\desktop.ini - OK

[scan path] c:\documents and settings\ray\application data\pcdefender.exe

c:\documents and settings\ray\application data\pcdefender.exe infected with Trojan.Packed.2463 - incurable - moved

[scan path] c:\documents and settings\ray\desktop\drweb-cureit.exe

c:\documents and settings\ray\desktop\drweb-cureit.exe - archive ZIP

>c:\documents and settings\ray\desktop\drweb-cureit.exe/be-cureit.dwl - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/bg-cureit.dwl - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/cn-cureit.dwl - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/cs-cureit.dwl - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/de-cureit.dwl - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/dwebio16.dll - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/dwebio32.dll packed by ASPACK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/dwebio32.dll - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/el-cureit.dwl - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm - archive CHM

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/#IDXHDR - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/#ITBITS - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/#IVB - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/#STRINGS - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/#SYSTEM - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/#TOPICS - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/#URLSTR - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/#URLTBL - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/#WINDOWS - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/$FIftiMain - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/$OBJINST - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/$WWAssociativeLinks/BTree - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/$WWAssociativeLinks/Data - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/$WWAssociativeLinks/Map - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/$WWAssociativeLinks/Property - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/$WWKeywordLinks/Property - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/bull.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/butpause2.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/butstart1.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/butstop3.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/com_params.htm - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/CSHelp.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/default.css - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/en-drwebgui.hhc - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/en-drwebgui_popup_text.js - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/helpman_topicinit.js - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/idd_aboutbox.htm - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/idd_curesettings.htm - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/idd_dialog_main.htm - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/idd_dialog_scan.htm - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/idd_dialog_scan_path.htm - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/idd_dialog_stat.htm - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/idd_proppage_actions.htm - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/idd_proppage_common.htm - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/idd_proppage_log.htm - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/idd_proppage_scan.htm - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/idd_proppage_types.htm - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/intro.htm - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/legal.htm - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/open.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/ph_adv.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/sc01.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/sc02.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/sc03.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/sc_action.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/sc_action_adv.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/sc_drweb_logo.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/sc_general.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/sc_inf.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/sc_log.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/sc_path_mask.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/sc_scan.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/sc_stat.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/sc_types.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/scan_params.htm - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/scan_settings.htm - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm/scanning.htm - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/en-drwebgui.chm - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/eo-cureit.dwl - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/es-cureit.dwl - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/et-cureit.dwl - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/fr-cureit.dwl - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/hu-cureit.dwl - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/it-cureit.dwl - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/ja-cureit.dwl - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/ko-cureit.dwl - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/lt-cureit.dwl - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/lv-cureit.dwl - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/nl-cureit.dwl - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/no-cureit.dwl - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/pl-cureit.dwl - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/pt-cureit.dwl - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-cureit.dwl - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm - archive CHM

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/#IDXHDR - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/#ITBITS - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/#IVB - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/#STRINGS - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/#SYSTEM - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/#TOPICS - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/#URLSTR - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/#URLTBL - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/#WINDOWS - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/$FIftiMain - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/$OBJINST - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/$WWAssociativeLinks/BTree - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/$WWAssociativeLinks/Data - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/$WWAssociativeLinks/Map - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/$WWAssociativeLinks/Property - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/$WWKeywordLinks/Property - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/bull.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/butpause.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/butstart.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/butstop.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/com_params.htm - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/CSHelp.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/default.css - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/helpman_topicinit.js - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/idd_aboutbox.htm - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/idd_curesettings.htm - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/idd_dialog_main.htm - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/idd_dialog_scan.htm - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/idd_dialog_scan_path.htm - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/idd_dialog_stat.htm - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/idd_proppage_actions.htm - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/idd_proppage_common.htm - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/idd_proppage_log.htm - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/idd_proppage_scan.htm - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/idd_proppage_types.htm - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/intro.htm - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/open.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/ph_adv.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/ru-drwebgui.hhc - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/ru-drwebgui_popup_text.js - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/sc01.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/sc02.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/sc03.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/sc_action.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/sc_action_adv.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/sc_drweb_logo.zoom76.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/sc_general.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/sc_inf.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/sc_log.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/sc_path_mask.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/sc_scan.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/sc_stat.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/sc_types.png - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/scan_params.htm - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/scan_settings.htm - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/scanning.htm - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm/topic.htm - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/ru-drwebgui.chm - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/setup.dll - archive BINARYRES

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/setup.dll/data001 - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/setup.dll - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/setup.key - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/setup_me.ini - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/setup_xp.ini - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/sk-cureit.dwl - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/tr-cureit.dwl - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/uk-cureit.dwl - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/uz-cureit.dwl - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/zh-cureit.dwl - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat - archive ZIP

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/_cureit.ico - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ar-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ar-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ar-slogan.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ar-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ar-title.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ar-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ar.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/be-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/be-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/be-slogan.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/be-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/be-title.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/be-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/be.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/bg-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/bg-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/bg-slogan.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/bg-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/bg-title.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/bg-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/bg.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/cn-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/cn-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/cn-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/cn-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/cn.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/cs-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/cs-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/cs-slogan.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/cs-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/cs-title.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/cs-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/cs.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/de-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/de-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/de-slogan.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/de-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/de-title.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/de-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/de.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/el-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/el-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/el-slogan.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/el-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/el-title.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/el-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/el.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/en-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/en-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/en-slogan.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/en-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/en-title.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/en-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/en.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/eo-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/eo-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/eo-slogan.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/eo-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/eo-title.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/eo-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/eo.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/es-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/es-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/es-slogan.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/es-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/es-title.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/es-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/es.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/et-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/et-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/et-slogan.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/et-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/et-title.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/et-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/et.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/fa-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/fa-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/fa-slogan.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/fa-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/fa-title.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/fa-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/fa.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/fi-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/fi-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/fi-slogan.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/fi-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/fi-title.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/fi-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/fi.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/fr-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/fr-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/fr-slogan.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/fr-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/fr-title.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/fr-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/fr.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/hu-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/hu-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/hu-slogan.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/hu-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/hu-title.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/hu-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/hu.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/hy-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/hy-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/hy-slogan.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/hy-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/hy-title.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/hy-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/hy.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/it-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/it-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/it-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/it-title.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/it-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/it.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ja-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ja-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ja-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ja-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ja.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ka-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ka-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ka-slogan.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ka-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ka-title.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ka-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ka.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ko-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ko-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ko-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ko-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ko.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/lt-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/lt-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/lt-slogan.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/lt-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/lt-title.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/lt-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/lt.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/lv-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/lv-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/lv-slogan.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/lv-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/lv-title.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/lv-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/lv.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/nl-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/nl-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/nl-slogan.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/nl-title.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/nl.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/no-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/no-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/no-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/no.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/pl-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/pl-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/pl-slogan.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/pl-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/pl-title.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/pl-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/pl.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/pt-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/pt-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/pt-slogan.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/pt-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/pt-title.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/pt-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/pt.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ru-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ru-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ru-banner0.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ru-banner1.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ru-history.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ru-slogan.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ru-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ru-title.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ru-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ru.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/sk-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/sk-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/sk-slogan.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/sk-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/sk-title.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/sk-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/sk.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/sl-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/sl-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/sl-slogan.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/sl-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/sl-title.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/sl-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/sl.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/th-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/th-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/th-slogan.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/th-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/th-title.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/th-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/th.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/tr-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/tr-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/tr-slogan.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/tr-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/tr-title.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/tr-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/tr.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/uk-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/uk-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/uk-history.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/uk-slogan.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/uk-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/uk-title.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/uk-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/uk.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/uz-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/uz-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/uz-slogan.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/uz-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/uz-title.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/uz-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/uz.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/vi-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/vi-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/vi-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/vi-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/vi.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/zh-2.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/zh-action.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/zh-start.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/zh-update.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/zh.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/_exit.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/_globe.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/_green.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/_help-mirror.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/_help.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/_help0-mirror.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/_help0.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/_history.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/_logo.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/_main-mirror.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/_main.bmp - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ar-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ar-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/be-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/be-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/bg-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/bg-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/cn-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/cn-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/cs-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/cs-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/de-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/de-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/el-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/el-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/en-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/en-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/eo-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/eo-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/es-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/es-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/et-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/et-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/fa-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/fa-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/fi-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/fi-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/fr-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/fr-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/hu-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/hu-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/hy-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/hy-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/it-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/it-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ja-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ja-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ka-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ka-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ko-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ko-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/lt-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/lt-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/lv-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/lv-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/nl-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/nl-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/no-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/no-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/pl-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/pl-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/pt-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/pt-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ru-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/ru-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/sk-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/sk-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/sl-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/sl-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/th-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/th-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/tr-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/tr-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/uk-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/uk-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/uz-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/uz-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/vi-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/vi-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/zh-help.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/zh-start.txt - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat/68clxk.ini - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.dat - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/68clxk.exe - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/xs89q.exe - archive BINARYRES

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/xs89q.exe/data001 packed by ASPACK

>>>c:\documents and settings\ray\desktop\drweb-cureit.exe/xs89q.exe/data001 - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/xs89q.exe/data002 - OK

>>c:\documents and settings\ray\desktop\drweb-cureit.exe/xs89q.exe/data003 - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/xs89q.exe - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/c7b99081 - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/cc643a6e - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/3849b0fe - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/69b3bc95 - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/aca5ce68 - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/892c9d50 - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/459ec2c5 - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/9fc197f7 - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/6985649d - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/28359015 - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/4574c000 - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/ea3f461d - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/53be5c47 - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/582511ce - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/70c32e12 - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/addf37e1 - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/184b18b4 - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/420da9c5 - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/12b05264 - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/8da58e3f - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/22607e50 - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/c30d7126 - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/10f165db - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/c3507a3b - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/2a2c9eb2 - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/f4801f85 - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/26c4a9a8 - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/8a30a138 - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/b44f0849 - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/15cf1944 - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/ca785525 - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/f671d3b7 - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/12e227a1 - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/67986041 - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/ce775dd1 - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/329cdeb4 - OK

>c:\documents and settings\ray\desktop\drweb-cureit.exe/c69f92cb - OK

c:\documents and settings\ray\desktop\drweb-cureit.exe - OK

[scan path] c:\documents and settings\ray\local settings\temp\hgu8ynfx.dll

c:\documents and settings\ray\local settings\temp\hgu8ynfx.dll packed by ASPACK

>c:\documents and settings\ray\local settings\temp\hgu8ynfx.dll - OK

[scan path] c:\documents and settings\ray\local settings\temp\rarsfx1\68clxk.exe

c:\documents and settings\ray\local settings\temp\rarsfx1\68clxk.exe - OK

[scan path] c:\documents and settings\ray\local settings\temp\rarsfx1\xs89q.exe

c:\documents and settings\ray\local settings\temp\rarsfx1\xs89q.exe - archive BINARYRES

>c:\documents and settings\ray\local settings\temp\rarsfx1\xs89q.exe/data001 packed by ASPACK

>>c:\documents and settings\ray\local settings\temp\rarsfx1\xs89q.exe/data001 - OK

>c:\documents and settings\ray\local settings\temp\rarsfx1\xs89q.exe/data002 - OK

>c:\documents and settings\ray\local settings\temp\rarsfx1\xs89q.exe/data003 - OK

c:\documents and settings\ray\local settings\temp\rarsfx1\xs89q.exe - OK

[scan path] c:\windows\system32\drivers\uacylkdvjbphewxngi.sys

c:\windows\system32\drivers\uacylkdvjbphewxngi.sys packed by PESTUB

>c:\windows\system32\drivers\uacylkdvjbphewxngi.sys packed by FLY-CODE

>>c:\windows\system32\drivers\uacylkdvjbphewxngi.sys - OK

[scan path] c:\windows\system32\fontext.dll

c:\windows\system32\fontext.dll - archive BINARYRES

>c:\windows\system32\fontext.dll/data001 packed by MS COMPRESS

>>c:\windows\system32\fontext.dll/data001 - OK

>c:\windows\system32\fontext.dll/data002 packed by MS COMPRESS

>>c:\windows\system32\fontext.dll/data002 - OK

c:\windows\system32\fontext.dll - OK

[scan path] c:\windows\system32\macromed\flash\flash9f.ocx

c:\windows\system32\macromed\flash\flash9f.ocx packed by ZLIB

>c:\windows\system32\macromed\flash\flash9f.ocx - archive BINARYRES

>>c:\windows\system32\macromed\flash\flash9f.ocx/data001 - OK

>>c:\windows\system32\macromed\flash\flash9f.ocx/data002 - OK

>>c:\windows\system32\macromed\flash\flash9f.ocx/data003 - OK

>>c:\windows\system32\macromed\flash\flash9f.ocx/data004 - OK

>c:\windows\system32\macromed\flash\flash9f.ocx - OK

-----------------------------------------------------------------------------

Scan statistics

-----------------------------------------------------------------------------

Scanned: 1102

Infected: 1

Modifications: 0

Suspicious: 0

Adware: 0

Dialers: 0

Jokes: 0

Riskware: 0

Hacktools: 0

Cured: 0

Deleted: 0

Renamed: 0

Moved: 1

Ignored: 0

Scan speed: 1472 Kb/s

Scan time: 00:02:09

-----------------------------------------------------------------------------

[scan path] C:\

C:\Google Updater.exe packed by PECOMPACT

>>C:\Google Updater.exe/data004 probably infected with DLOADER.Trojan

>C:\Google Updater.exe - archive contains infected objects - moved

C:\b6d153a670857559c8aa63b15a95ef\MRT.exe packed by BINARYRES

>C:\b6d153a670857559c8aa63b15a95ef\MRT.exe packed by BINARYRES

C:\Documents and Settings\All Users\Application Data\13335464\13335464.exe packed by FLY-CODE

>C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.6.2.9\iTunes.msi/stream000 packed by PESTUB

>>C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.6.2.9\iTunes.msi/stream002/iTunes.exe packed by ZLIB

>>C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.6.2.9\QuickTime.msi/stream000/QuickTimePlayer.exe packed by FLY-CODE

C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe packed by BINARYRES

C:\Documents and Settings\All Users\Application Data\NOS\Adobe_Downloads\nos_21278.dat packed by FLY-CODE

C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\C2CD97BCD8524DE79DC188FA2460C61A\Install_SpontaniaVideoCollaboration.exe packed by BINARYRES

C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\C2CD97BCD8524DE79DC188FA2460C61A\uninst.exe packed by BINARYRES

C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\F57B48ADF2224F088EDD1A2B9BAD84E8\Game List.swf packed by ZLIB

>>>C:\Documents and Settings\All Users\Application Data\Skype\{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}\Skype.msi/stream002/PluginManagerUtils/data002 packed by ZLIB

>>C:\Documents and Settings\All Users\Application Data\Skype\{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}\Skype.msi/stream002/Easygame01 packed by ZLIB

Thanks

[tallisall]

Hi,

I have tried to run drweb 3 times in safe mode. 1st time it finished mem scan, then configured per your postand did full scan. After approx 5 min. it rebooted. Reran 2nd time in safe mode and halfway thru the mem scan I got the bsod with error message stop: kernel_data_inpage_error 0x0000007a (0xc03dd9d0). Reboot in safe mode ran 3rd time. Finished mem scan, configed and started full. It ran approx 5 min. and bsod with kernel_stach_inpage_error 0x00000077 (0xc000000e, 0x00000000, 0x00437000). I have not tried the Avira cd yet. I found the log files of drweb and tried to post them but they are to large. I cut the 1st one down and have included it. If you need to see them all I could possibly zip the 3rd since it looks like it has all 3 runs.

Thanks,

=============================================================================

Dr.Web Scanner for Windows v5.00.3 (5.00.3.05144)

© 1992-2009 Igor Daniloff. All rights reserved.

Log generated on: 2009-05-31, 16:59:55 [sKRABANEK1][Ray]

Command line: "C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\xs89q.exe" /lng /ini:setup_XP.ini

Operating system: Windows XP Professional x86 (Build 2600), Service Pack 3

=============================================================================

DwShield started

Engine version: 5.00 (5.00.0.12182)

Engine API version: 2.02

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\f671d3b7 - 8 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\8a30a138 - 4697 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\26c4a9a8 - 2792 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\f4801f85 - 5841 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\2a2c9eb2 - 2260 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\c3507a3b - 4796 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\10f165db - 5098 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\c30d7126 - 4891 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\22607e50 - 5033 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\8da58e3f - 3254 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\12b05264 - 5241 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\420da9c5 - 7585 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\184b18b4 - 5298 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\addf37e1 - 5947 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\70c32e12 - 6039 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\582511ce - 5309 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\53be5c47 - 3511 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\ea3f461d - 2495 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\4574c000 - 4565 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\28359015 - 4467 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\6985649d - 5196 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\9fc197f7 - 2359 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\459ec2c5 - 1938 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\892c9d50 - 3335 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\aca5ce68 - 3185 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\69b3bc95 - 1468 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\3849b0fe - 280 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\cc643a6e - 567 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\c7b99081 - 1194 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\b44f0849 - 423328 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\c69f92cb - 461 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\329cdeb4 - 626 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\ce775dd1 - 425 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\67986041 - 925 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\12e227a1 - 840 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\ca785525 - 3316 virus records

[Virus database] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\15cf1944 - 19303 virus records

Total virus records: 557873

[self-checking] C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\xs89q.exe

Key file: C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\setup.key

License key number: 0010537607

Registered to: A User

License key activates on: 2008-12-05

License key expires on: 2009-06-07

Process in memory: System:4 - OK

Process in memory: \SystemRoot\System32\smss.exe:184 - OK

Process in memory: \??\C:\WINDOWS\system32\csrss.exe:232 - OK

Process in memory: \??\C:\WINDOWS\system32\winlogon.exe:256 - OK

Process in memory: C:\WINDOWS\system32\services.exe:304 - OK

Process in memory: C:\WINDOWS\system32\lsass.exe:316 - OK

Process in memory: C:\WINDOWS\system32\svchost.exe:476 - OK

Process in memory: C:\WINDOWS\system32\svchost.exe:552 - OK

Process in memory: C:\WINDOWS\system32\svchost.exe:608 - OK

Process in memory: C:\WINDOWS\Explorer.EXE:920 - OK

Process in memory: C:\Program Files\Internet Explorer\Iexplore.exe:960 - OK

Process in memory: C:\WINDOWS\system32\ctfmon.exe:1036 - OK

Process in memory: C:\Documents and Settings\Ray\Desktop\drweb-cureit.exe:1216 - OK

Process in memory: C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\68clxk.exe:1284 - OK

Process in memory: C:\DOCUME~1\Ray\LOCALS~1\Temp\RarSFX1\xs89q.exe:1296 - OK

[Memory scanning] No viruses found

Master Boot Record HDD1 - OK

[scan path] c:\documents and settings\all users\application data\13335464\13335464.exe

c:\documents and settings\all users\application data\13335464\13335464.exe packed by FLY-CODE

>c:\documents and settings\all users\application data\13335464\13335464.exe - OK

[scan path] c:\documents and settings\all users\start menu\programs\startup\desktop.ini

c:\documents and settings\all users\start menu\programs\startup\desktop.ini - OK

[scan path] c:\documents and settings\default user\start menu\programs\startup\desktop.ini

c:\documents and settings\default user\start menu\programs\startup\desktop.ini - OK

[scan path] c:\documents and settings\ray\application data\pcdefender.exe

c:\documents and settings\ray\application data\pcdefender.exe infected with Trojan.Packed.2463 - incurable - moved

[scan path] c:\windows\system32\drivers\uacylkdvjbphewxngi.sys

c:\windows\system32\drivers\uacylkdvjbphewxngi.sys packed by PESTUB

>c:\windows\system32\drivers\uacylkdvjbphewxngi.sys packed by FLY-CODE

>>c:\windows\system32\drivers\uacylkdvjbphewxngi.sys - OK

[scan path] c:\windows\system32\fontext.dll

c:\windows\system32\fontext.dll - archive BINARYRES

>c:\windows\system32\fontext.dll/data001 packed by MS COMPRESS

>>c:\windows\system32\fontext.dll/data001 - OK

>c:\windows\system32\fontext.dll/data002 packed by MS COMPRESS

>>c:\windows\system32\fontext.dll/data002 - OK

c:\windows\system32\fontext.dll - OK

[scan path] c:\windows\system32\macromed\flash\flash9f.ocx

c:\windows\system32\macromed\flash\flash9f.ocx packed by ZLIB

>c:\windows\system32\macromed\flash\flash9f.ocx - archive BINARYRES

>>c:\windows\system32\macromed\flash\flash9f.ocx/data001 - OK

>>c:\windows\system32\macromed\flash\flash9f.ocx/data002 - OK

>>c:\windows\system32\macromed\flash\flash9f.ocx/data003 - OK

>>c:\windows\system32\macromed\flash\flash9f.ocx/data004 - OK

>c:\windows\system32\macromed\flash\flash9f.ocx - OK

-----------------------------------------------------------------------------

Scan statistics

-----------------------------------------------------------------------------

Scanned: 1102

Infected: 1

Modifications: 0

Suspicious: 0

Adware: 0

Dialers: 0

Jokes: 0

Riskware: 0

Hacktools: 0

Cured: 0

Deleted: 0

Renamed: 0

Moved: 1

Ignored: 0

Scan speed: 1472 Kb/s

Scan time: 00:02:09

-----------------------------------------------------------------------------

[scan path] C:\

C:\Google Updater.exe packed by PECOMPACT

>>C:\Google Updater.exe/data004 probably infected with DLOADER.Trojan

>C:\Google Updater.exe - archive contains infected objects - moved

C:\b6d153a670857559c8aa63b15a95ef\MRT.exe packed by BINARYRES

>C:\b6d153a670857559c8aa63b15a95ef\MRT.exe packed by BINARYRES

C:\Documents and Settings\All Users\Application Data\13335464\13335464.exe packed by FLY-CODE

>C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.6.2.9\iTunes.msi/stream000 packed by PESTUB

>>C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.6.2.9\iTunes.msi/stream002/iTunes.exe packed by ZLIB

>>C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.6.2.9\QuickTime.msi/stream000/QuickTimePlayer.exe packed by FLY-CODE

C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe packed by BINARYRES

C:\Documents and Settings\All Users\Application Data\NOS\Adobe_Downloads\nos_21278.dat packed by FLY-CODE

C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\C2CD97BCD8524DE79DC188FA2460C61A\Install_SpontaniaVideoCollaboration.exe packed by BINARYRES

C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\C2CD97BCD8524DE79DC188FA2460C61A\uninst.exe packed by BINARYRES

C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\F57B48ADF2224F088EDD1A2B9BAD84E8\Game List.swf packed by ZLIB

>>>C:\Documents and Settings\All Users\Application Data\Skype\{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}\Skype.msi/stream002/PluginManagerUtils/data002 packed by ZLIB

>>C:\Documents and Settings\All Users\Application Data\Skype\{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}\Skype.msi/stream002/Easygame01 packed by ZLIB

[AdvancedSetup]

Well good thing is it did not show Virut.

Please see if you can get MBAM to run now in either Normal mode or Safe mode.

Let me know and if it wont' run then we'll try another program.

[tallisall]

Hi,

Malwarebytes still will not run in either real or safe mode, but some of the other exe files now seem to work. I could open Word, Acrobat Reader and others. Also could run msconfig. I still have not run the Avira cd yet. Will wait for your next instructions.

Many thanks

[AdvancedSetup]

Please see if you can get this post to work now and let me know. If not then please try the Avira CD

http://www.malwarebytes.org/forums/index.php?showtopic=12709

[tallisall]

Hi,

Rootrepeal did not work. I'm starting the Avira cd now

Thanks

[tallisall]

Hi,

Just ran Avira cd. Do you need actual file names from log or just results. Still have program open on infected machine.

scanned-147529

alerts-19

renamed-16

warnings-41

Thanks

[AdvancedSetup]

Okay, just make sure nothing says Virut on it. Try to install and run MBAM now in Normal Mode, if not then try Safe Mode.

If that does not work then try downloading and running this alternate installer for MBAM: fixmbam.exe

[tallisall]

Hi,

Malwarebytes will not run in real mode, but starts and runs in safe mode. It finds 6 in registry and 15 total during scan, then the computer reboots before scan is finished, so nothing is cleaned. Have tried twice.

[tallisall]

Forgot. fixmbam would not install. could not uninstall malwarebytes.

[tallisall]

Hi,

Just tried to run hjt in safe mode and was successful. Here is the log.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:29:02 PM, on 6/3/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Safe mode

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Search-09\Search.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://inreach.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

F3 - REG:win.ini: run=

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WinInet Class - {39fc2065-c9c7-49cd-8942-44cc2dedc844} - C:\WINDOWS\ieocx.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.19.0\gears.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe

O4 - HKLM\..\Run: [Total Internet] C:\Program Files\WT.Net\Fptool.exe

O4 - HKLM\..\Run: [EssSpkPhone] essspk1.exe -c

O4 - HKLM\..\Run: [3c1807pd] C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd

O4 - HKLM\..\Run: [V0470Mon.exe] C:\WINDOWS\V0470Mon.exe

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun

O4 - HKLM\..\Run: [13335464] C:\Documents and Settings\All Users\Application Data\13335464\13335464.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [EPSON Stylus CX9400Fax Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICFA.EXE /FU "C:\WINDOWS\TEMP\E_SEB.tmp" /EF "HKCU"

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [sysav] C:\Documents and Settings\Ray\Application Data\pcdefender.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.19.0\gears.dll

O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.19.0\gears.dll

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://photo.walgreens.com/WalgreensOutlookImport.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1228433910968

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1186018685031

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://remote1.na.amec.com/dana-cached/set...perSetupSP1.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O20 - AppInit_DLLs: oxyase.dll gemqsh.dll saxdrk.dll gmhait.dll cphvev.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: Google Update Service (gupdate1c984c1f914fd5b) (gupdate1c984c1f914fd5b) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--

End of file - 7246 bytes

[AdvancedSetup]

STEP 01

With all other applications closed (Taskbar empty), open HijackThis again

and run Do a system scan only and place a check mark on the following items.

• F3 - REG:win.ini: run=
  
• O2 - BHO: WinInet Class - {39fc2065-c9c7-49cd-8942-44cc2dedc844} - C:\WINDOWS\ieocx.dll
  
• O4 - HKLM\..\Run: [EssSpkPhone] essspk1.exe -c
  
• O4 - HKLM\..\Run: [13335464] C:\Documents and Settings\All Users\Application Data\13335464\13335464.exe
  
• O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
  
• O4 - HKCU\..\Run: [EPSON Stylus CX9400Fax Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICFA.EXE /FU "C:\WINDOWS\TEMP\E_SEB.tmp" /EF "HKCU"
  
• O4 - HKCU\..\Run: [sysav] C:\Documents and Settings\Ray\Application Data\pcdefender.exe
  
• O20 - AppInit_DLLs: oxyase.dll gemqsh.dll saxdrk.dll gmhait.dll cphvev.dll
  Then Quit All Browsers including the one you're reading this in now.
  Then click on Fix checked and then quit HJT
  

STEP 02

Please download Avenger 2.0 from here

Open and copy the program file avenger.exe to your Desktop then double click to start it.

Copy and paste the following text from the code box below into the main window of Avenger.

Files to delete:
C:\WINDOWS\SYSTEM32\oxyase.dll 
C:\WINDOWS\SYSTEM32\gemqsh.dll 
C:\WINDOWS\SYSTEM32\saxdrk.dll 
C:\WINDOWS\SYSTEM32\gmhait.dll 
C:\WINDOWS\SYSTEM32\cphvev.dll

• Do not check any other boxes, uncheck Scan for Rootkits if it's checked
  
• Close all other running applications
  
• After pasting the text into the main window, click on Execute
  

Once Avenger is done run MBAM, go to the UDPATE tab and update the program again and do a Quick Scan.

Fix anything found and reboot the computer. Then run a new HJT log and post back all logs.

STEP 03

Now try MBAM again.

Update and Scan with Malwarebytes' Anti-Malware

• Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  
• Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  
  • Update Malwarebytes' Anti-Malware
  • Select the Update tab
    
  • Click Update
    

  [*]When the update is complete, select the Scanner tab

  [*]Select Perform quick scan, then click Scan.

  [*]When the scan is complete, click OK, then Show Results to view the results.

  [*]Be sure that everything is checked, and click Remove Selected.

  [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

  • If you accidently close it, the log file is saved here and will be named like this:
    
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    

Then post back the MBAM log and a new Hijackthis log.

[AdvancedSetup]

So how is this going?

[tallisall]

Hi,

We are definitely making progress. Logs below.

Thanks again

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Error: file "C:\WINDOWS\SYSTEM32\oxyase.dll" not found!

Deletion of file "C:\WINDOWS\SYSTEM32\oxyase.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\SYSTEM32\gemqsh.dll" not found!

Deletion of file "C:\WINDOWS\SYSTEM32\gemqsh.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\SYSTEM32\saxdrk.dll" not found!

Deletion of file "C:\WINDOWS\SYSTEM32\saxdrk.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\SYSTEM32\gmhait.dll" not found!

Deletion of file "C:\WINDOWS\SYSTEM32\gmhait.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\SYSTEM32\cphvev.dll" not found!

Deletion of file "C:\WINDOWS\SYSTEM32\cphvev.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

Malwarebytes' Anti-Malware 1.37

Database version: 2229

Windows 5.1.2600 Service Pack 3

6/4/2009 1:16:59 PM

mbam-log-2009-06-04 (13-16-59).txt

Scan type: Quick Scan

Objects scanned: 81137

Time elapsed: 5 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 8

Registry Values Infected: 2

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 7

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\wininetapp.wininet (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\wininetapp.wininet.1 (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{4b66e1df-4de3-4cda-83b5-11673eadab0b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{9692be2f-eb8f-49d9-a11c-c24c1ef734d5} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{b360243e-09e8-402f-8721-00b6798089ad} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{39fc2065-c9c7-49cd-8942-44cc2dedc844} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\WinPC Defender (Rogue.WinPCDefender) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\UACqoenolufvwfdedw.dll.XXX (Trojan.TDSS) -> Quarantined and deleted successfully.

c:\windows\system32\UACrvvmhskiikxiamt.dll.XXX (Trojan.TDSS) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\drivers\UACylkdvjbphewxngi.sys.XXX (Trojan.TDSS) -> Quarantined and deleted successfully.

c:\WINDOWS\Temp\UACdc22.tmp.XXX (Trojan.TDSS) -> Quarantined and deleted successfully.

c:\documents and settings\Ray\Desktop\WinPC Defender.LNK (Rogue.WinPCDefender) -> Quarantined and deleted successfully.

c:\documents and settings\Ray\start menu\WinPC Defender.LNK (Rogue.WinPCDefender) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:21:14 PM, on 6/4/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\WINDOWS\system32\VTTimer.exe

C:\Program Files\VIA\RAID\raid_tool.exe

C:\Program Files\WT.Net\Fptool.exe

C:\WINDOWS\V0470Mon.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Search-09\Search.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://inreach.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.19.0\gears.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe

O4 - HKLM\..\Run: [Total Internet] C:\Program Files\WT.Net\Fptool.exe

O4 - HKLM\..\Run: [3c1807pd] C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd

O4 - HKLM\..\Run: [V0470Mon.exe] C:\WINDOWS\V0470Mon.exe

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.19.0\gears.dll

O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.19.0\gears.dll

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://photo.walgreens.com/WalgreensOutlookImport.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1228433910968

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1186018685031

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://remote1.na.amec.com/dana-cached/set...perSetupSP1.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: Google Update Service (gupdate1c984c1f914fd5b) (gupdate1c984c1f914fd5b) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--

End of file - 7737 bytes

[AdvancedSetup]

Please visit this webpage for instructions for downloading ComboFix to your

DESKTOP

:

how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!:

You must save and run

ComboFix.exe

on your DESKTOP and not from any other folder.

Also,

DO NOT

click the mouse or launch any other applications while this is running or it may stall the program

Additional links to download the tool:

ComboFix.exe

ComboFix.exe

ComboFix.exe

Note:

The

Windows Recovery Console

will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Click
  Yes
  to allow ComboFix to continue scanning for malware.
  
  
• When the tool is finished, it will produce a report for you.
  
  
• Please post the
  C:\ComboFix.txt
  along with a
  new HijackThis log
  so we may continue cleaning the system.
  
  

Download

DDS

and save it to your desktop

http://download.bleepingcomputer.com/sUBs/dds.scr

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Ant-Virus temporarily if needed.

Then double click

dds.scr

to run the tool.

When done, the

DDS.txt

will open.

Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

1. DDS.txt
2. Attach.txt
   
   

• Save both reports to your desktop
• Please include the following logs in your next reply:
  DDS.txt
  and
  Attach.txt
  
  

[tallisall]

Hi,

Logs below. Thanks again.

ComboFix 09-06-04.A1 - Ray 06/05/2009 11:20.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.164 [GMT -5:00]

Running from: c:\documents and settings\Ray\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Ray\x.exe

c:\windows\system32\dacxmtbb.ini

c:\windows\system32\fmxyxjlq.ini

c:\windows\system32\inetres.dll

c:\windows\system32\msoert2.dll

c:\windows\system32\UACltavkbuyxudppww.dat

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-05-05 to 2009-06-05 )))))))))))))))))))))))))))))))

.

2009-06-03 14:19 . 2009-05-26 18:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-06-03 14:19 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-06-03 14:19 . 2009-06-03 14:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-06-02 22:58 . 2009-06-02 22:58 27456 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP1.DLL

2009-06-02 22:58 . 2009-06-02 22:58 25408 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP0.DLL

2009-06-02 15:47 . 2009-06-02 15:47 0 ----a-w- c:\windows\system32\drivers\rootrepeal.sys

2009-05-31 21:59 . 2009-05-31 22:00 -------- d-----w- c:\documents and settings\Ray\DoctorWeb

2009-05-27 18:33 . 2009-06-04 17:42 -------- d-----w- c:\documents and settings\All Users\Application Data\13335464

2009-05-26 15:29 . 2009-05-26 15:29 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-05-26 15:12 . 2009-05-26 15:12 -------- d-----w- c:\documents and settings\Ray\.housecall6.6

2009-05-16 18:01 . 2009-05-16 19:51 -------- d-----w- c:\documents and settings\Ray\Application Data\W Photo Studio

2009-05-16 18:00 . 2009-05-16 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Walgreens

2009-05-16 18:00 . 2009-05-16 18:00 -------- d-----w- c:\program files\Common Files\HP

2009-05-16 17:57 . 2009-05-16 17:58 -------- d-----w- c:\documents and settings\Ray\Application Data\W Photo Studio Viewer

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-05 16:26 . 2007-07-15 00:51 -------- d-----w- c:\documents and settings\Ray\Application Data\Skype

2009-06-05 16:09 . 2007-12-16 14:18 -------- d-----w- c:\documents and settings\Ray\Application Data\skypePM

2009-06-03 17:19 . 2009-03-20 20:39 117760 ----a-w- c:\documents and settings\Ray\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-06-02 11:02 . 2006-06-02 23:07 -------- d-----w- c:\program files\NavExcel Search Toolbar

2009-05-27 18:41 . 2008-09-26 16:58 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-05-27 18:05 . 2008-03-14 11:37 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-05-26 13:26 . 2009-05-26 13:26 0 ----a-w- c:\documents and settings\Ray\Application Data\~ygw.tmp

2009-05-23 22:20 . 2007-09-01 22:22 -------- d-----w- c:\documents and settings\Ray\Application Data\ZoomBrowser EX

2009-05-23 22:14 . 2007-09-01 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser

2009-05-16 18:00 . 2006-06-29 22:43 -------- d-----w- c:\documents and settings\Ray\Application Data\Walgreens

2009-05-13 00:02 . 2008-08-05 20:46 -------- d-----w- c:\program files\Google

2009-05-07 00:06 . 2006-06-01 05:36 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-04-27 12:08 . 2009-04-27 12:08 -------- d-----w- c:\program files\WireTron

2008-03-01 18:26 . 2008-03-01 18:26 1156096 ----a-w- c:\program files\iview410_setup.exe

2007-02-03 18:16 . 2007-02-03 18:16 947 ----a-w- c:\program files\sitemap[1].xml

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-29 21755688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]

"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 77824]

"RaidTool"="c:\program files\VIA\RAID\raid_tool.exe" [2005-07-19 1056768]

"Total Internet"="c:\program files\WT.Net\Fptool.exe" [1998-01-23 718336]

"3c1807pd"="c:\windows\SYSTEM32\3cmlink.exe" [2005-11-19 73728]

"V0470Mon.exe"="c:\windows\V0470Mon.exe" [2007-04-11 32768]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-04-29 188728]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-04-22 68592]

"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-08 53248]

"C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2008-09-27 1581056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Skype\\SkypeSetup.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 2:22 PM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 72944]

S2 gupdate1c984c1f914fd5b;Google Update Service (gupdate1c984c1f914fd5b);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2009 6:08 PM 133104]

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [11/30/2008 11:15 AM 33752]

S3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;c:\windows\system32\drivers\m4301A.sys [8/24/2007 5:15 PM 83552]

S3 s3chipid;s3chipid;\??\c:\docume~1\Ray\LOCALS~1\Temp\s3chipid.sys --> c:\docume~1\Ray\LOCALS~1\Temp\s3chipid.sys [?]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 7408]

S3 VF0470Vid;Live! Cam Notebook (VF0470);c:\windows\system32\drivers\V0470Vid.sys [12/9/2007 5:03 PM 146368]

.

Contents of the 'Scheduled Tasks' folder

2009-06-05 c:\windows\Tasks\GoogleUpdateTaskMachine.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-01 23:08]

2009-06-05 c:\windows\Tasks\User_Feed_Synchronization-{1495B2FC-3459-45CE-9763-C8F813F4EB70}.job

- c:\windows\system32\msfeedssync.exe [2007-08-14 00:36]

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-USRpdA - (no file)

SafeBoot-procexp90.Sys

.

------- Supplementary Scan -------

.

uStart Page = hxxp://inreach.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-06-05 11:25

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(840)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(1812)

c:\program files\Google\Quick Search Box\bin\1.1.1038.9122\qsb.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\program files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

c:\program files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\MsPMSPSv.exe

c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\program files\WT.Net\FPSETUP.exe

c:\program files\Skype\Plugin Manager\skypePM.exe

.

**************************************************************************

.

Completion time: 2009-06-05 11:30 - machine was rebooted

ComboFix-quarantined-files.txt 2009-06-05 16:30

Pre-Run: 29,238,685,696 bytes free

Post-Run: 29,268,119,552 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

158 --- E O F --- 2009-05-13 11:43

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:58:19 AM, on 6/5/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\WINDOWS\system32\VTTimer.exe

C:\Program Files\VIA\RAID\raid_tool.exe

C:\Program Files\WT.Net\Fptool.exe

C:\WINDOWS\V0470Mon.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Search-09\Search.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://inreach.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe

O4 - HKLM\..\Run: [Total Internet] C:\Program Files\WT.Net\Fptool.exe

O4 - HKLM\..\Run: [3c1807pd] C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd

O4 - HKLM\..\Run: [V0470Mon.exe] C:\WINDOWS\V0470Mon.exe

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://photo.walgreens.com/WalgreensOutlookImport.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1228433910968

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1186018685031

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://remote1.na.amec.com/dana-cached/set...perSetupSP1.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: Google Update Service (gupdate1c984c1f914fd5b) (gupdate1c984c1f914fd5b) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--

End of file - 7119 bytes

DDS (Ver_09-05-14.01) - NTFSx86

Run by Ray at 11:51:24.73 on Fri 06/05/2009

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.45 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\WINDOWS\system32\VTTimer.exe

C:\Program Files\VIA\RAID\raid_tool.exe

C:\Program Files\WT.Net\Fptool.exe

C:\WINDOWS\V0470Mon.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

svchost.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Ray\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://inreach.com/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

TB: {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe

mRun: [VTTimer] VTTimer.exe

mRun: [RaidTool] c:\program files\via\raid\raid_tool.exe

mRun: [Total Internet] c:\program files\wt.net\Fptool.exe

mRun: [3c1807pd] c:\windows\system32\3cmlink.exe runservices \device\3cpipe-3c1807pd

mRun: [V0470Mon.exe] c:\windows\V0470Mon.exe

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

mRun: [C-Media Mixer] Mixer.exe /startup

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813

DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} - hxxp://photo.walgreens.com/WalgreensOutlookImport.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab

DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228433910968

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186018685031

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1217968590986&h=107fcdc5cae12eb277790ffaaaf5a02c/&filename=jinstall-6u7-windows-i586-jc.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://remote1.na.amec.com/dana-cached/setup/JuniperSetupSP1.cab

Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-14 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 72944]

R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2002-6-19 29184]

R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\program files\symantec_client_security\symantec antivirus\Rtvscan.exe [2002-7-30 573440]

R3 NAVAP;NAVAP;c:\program files\symantec_client_security\symantec antivirus\Navap.sys [2002-6-19 218112]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090522.002\NAVENG.sys [2009-5-23 89104]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090522.002\NAVEX15.sys [2009-5-23 876144]

S2 gupdate1c984c1f914fd5b;Google Update Service (gupdate1c984c1f914fd5b);c:\program files\google\update\GoogleUpdate.exe [2009-2-1 133104]

S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-11-30 33752]

S3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;c:\windows\system32\drivers\m4301A.sys [2007-8-24 83552]

S3 s3chipid;s3chipid;\??\c:\docume~1\ray\locals~1\temp\s3chipid.sys --> c:\docume~1\ray\locals~1\temp\s3chipid.sys [?]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 7408]

S3 VF0470Vid;Live! Cam Notebook (VF0470);c:\windows\system32\drivers\V0470Vid.sys [2007-12-9 146368]

=============== Created Last 30 ================

2009-06-05 11:16 <DIR> a-dshr-- C:\cmdcons

2009-06-05 11:14 161,792 a------- c:\windows\SWREG.exe

2009-06-05 11:14 154,624 a------- c:\windows\PEV.exe

2009-06-05 11:14 98,816 a------- c:\windows\sed.exe

2009-06-03 09:19 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-06-03 09:19 19,096 a------- c:\windows\system32\drivers\mbam.sys

2009-06-03 09:19 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-06-02 10:47 0 a------- c:\windows\system32\drivers\rootrepeal.sys

2009-05-31 16:59 <DIR> --d----- c:\documents and settings\ray\DoctorWeb

2009-05-27 13:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\13335464

2009-05-26 10:29 <DIR> --d----- c:\program files\common files\Wise Installation Wizard

2009-05-26 10:12 <DIR> --d----- c:\documents and settings\ray\.housecall6.6

2009-05-16 13:01 <DIR> --d----- c:\docume~1\ray\applic~1\W Photo Studio

2009-05-16 13:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Walgreens

2009-05-16 13:00 <DIR> --d----- c:\program files\common files\HP

2009-05-16 12:57 <DIR> --d----- c:\docume~1\ray\applic~1\W Photo Studio Viewer

==================== Find3M ====================

2008-03-01 13:26 1,156,096 a------- c:\program files\iview410_setup.exe

2007-12-16 09:18 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat

2007-02-03 13:16 947 a------- c:\program files\sitemap[1].xml

2008-12-04 20:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008120420081205\index.dat

============= FINISH: 11:52:00.90 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 12/31/2001 9:50:01 PM

System Uptime: 6/5/2009 11:49:32 AM (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | A8V-MX

Processor: AMD Athlon 64 Processor 3200+ | Socket 939 | 2000/200mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 37 GiB total, 27.273 GiB free.

D: is CDROM ()

E: is CDROM ()

G: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description:

Device ID: ACPI\ATK0110\1010110

Manufacturer:

Name:

PNP Device ID: ACPI\ATK0110\1010110

Service:

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}

Description: Standard Game Port

Device ID: CMI\CHILD0000\5&5FCF65F&2&0000

Manufacturer: (Standard system devices)

Name: Standard Game Port

PNP Device ID: CMI\CHILD0000\5&5FCF65F&2&0000

Service: gameenum

==== System Restore Points ===================

RP812: 3/8/2009 10:25:43 AM - System Checkpoint

RP813: 3/13/2009 8:21:25 AM - System Checkpoint

RP814: 3/13/2009 6:42:21 PM - Software Distribution Service 3.0

RP815: 3/15/2009 8:26:32 AM - System Checkpoint

RP816: 3/16/2009 6:33:27 PM - System Checkpoint

RP817: 3/19/2009 3:52:50 PM - System Checkpoint

RP818: 3/20/2009 6:35:50 AM - Software Distribution Service 3.0

RP819: 3/21/2009 8:52:07 AM - System Checkpoint

RP820: 3/22/2009 9:01:59 AM - System Checkpoint

RP821: 3/23/2009 9:51:30 AM - System Checkpoint

RP822: 3/24/2009 12:15:07 PM - System Checkpoint

RP823: 3/25/2009 12:33:33 PM - System Checkpoint

RP824: 3/26/2009 12:34:15 PM - System Checkpoint

RP825: 3/27/2009 1:14:11 PM - System Checkpoint

RP826: 3/28/2009 1:29:03 PM - System Checkpoint

RP827: 3/29/2009 2:26:00 PM - System Checkpoint

RP828: 3/30/2009 2:37:44 PM - System Checkpoint

RP829: 3/31/2009 2:51:58 PM - System Checkpoint

RP830: 4/1/2009 2:57:25 PM - System Checkpoint

RP831: 4/2/2009 3:27:36 PM - System Checkpoint

RP832: 4/3/2009 4:22:44 PM - System Checkpoint

RP833: 4/4/2009 5:09:26 PM - System Checkpoint

RP834: 4/5/2009 5:55:17 PM - System Checkpoint

RP835: 4/6/2009 6:06:22 PM - System Checkpoint

RP836: 4/7/2009 6:57:42 PM - System Checkpoint

RP837: 4/8/2009 7:34:23 PM - System Checkpoint

RP838: 4/9/2009 7:48:07 PM - System Checkpoint

RP839: 4/11/2009 6:21:34 AM - System Checkpoint

RP840: 4/12/2009 6:47:19 AM - System Checkpoint

RP841: 4/13/2009 7:12:07 AM - System Checkpoint

RP842: 4/14/2009 8:08:52 AM - System Checkpoint

RP843: 4/15/2009 8:46:57 AM - System Checkpoint

RP844: 4/16/2009 6:57:12 AM - Software Distribution Service 3.0

RP845: 4/17/2009 7:35:27 AM - System Checkpoint

RP846: 4/18/2009 7:43:05 AM - System Checkpoint

RP847: 4/19/2009 8:16:03 AM - System Checkpoint

RP848: 4/20/2009 8:17:19 AM - System Checkpoint

RP849: 4/21/2009 10:19:58 AM - System Checkpoint

RP850: 4/22/2009 11:05:29 AM - System Checkpoint

RP851: 4/23/2009 11:39:01 AM - System Checkpoint

RP852: 4/24/2009 12:25:07 PM - System Checkpoint

RP853: 4/26/2009 8:50:44 AM - System Checkpoint

RP854: 4/27/2009 9:02:37 AM - System Checkpoint

RP855: 4/28/2009 9:35:51 AM - System Checkpoint

RP856: 4/28/2009 12:12:33 PM - Software Distribution Service 3.0

RP857: 4/29/2009 12:34:35 PM - System Checkpoint

RP858: 4/30/2009 1:03:26 PM - System Checkpoint

RP859: 5/1/2009 1:32:59 PM - System Checkpoint

RP860: 5/2/2009 2:09:56 PM - System Checkpoint

RP861: 5/3/2009 5:48:51 PM - System Checkpoint

RP862: 5/4/2009 5:50:57 PM - System Checkpoint

RP863: 5/5/2009 6:35:23 PM - System Checkpoint

RP864: 5/6/2009 7:05:58 PM - Installed Connect Service

RP865: 5/7/2009 7:33:12 PM - System Checkpoint

RP866: 5/9/2009 7:33:49 AM - System Checkpoint

RP867: 5/10/2009 7:39:18 AM - System Checkpoint

RP868: 5/11/2009 8:19:28 AM - System Checkpoint

RP869: 5/12/2009 3:41:10 PM - System Checkpoint

RP870: 5/13/2009 6:41:15 AM - Software Distribution Service 3.0

RP871: 5/14/2009 6:42:07 AM - System Checkpoint

RP872: 5/15/2009 7:06:29 AM - System Checkpoint

RP873: 5/16/2009 8:00:22 AM - System Checkpoint

RP874: 5/16/2009 1:00:17 PM - Installed W Photo Studio

RP875: 5/17/2009 6:02:49 PM - System Checkpoint

RP876: 5/18/2009 6:40:02 PM - System Checkpoint

RP877: 5/19/2009 6:49:21 PM - System Checkpoint

RP878: 5/20/2009 7:42:42 PM - System Checkpoint

RP879: 5/21/2009 8:19:56 PM - System Checkpoint

RP880: 5/23/2009 8:03:34 AM - System Checkpoint

RP881: 5/24/2009 10:07:08 AM - System Checkpoint

RP882: 5/25/2009 10:33:11 AM - System Checkpoint

RP883: 6/3/2009 10:04:26 AM - System Checkpoint

RP884: 6/4/2009 1:43:44 PM - System Checkpoint

==== Installed Programs ======================

Adobe Flash Player ActiveX

Adobe Reader 9.1.1

ArcSoft PhotoImpression 6

ArcSoft Print Creations

ArcSoft Print Creations - Photo Calendar

Canon Camera Access Library

Canon Camera Support Core Library

Canon Camera Window DC_DV 5 for ZoomBrowser EX

Canon Camera Window DC_DV 6 for ZoomBrowser EX

Canon Camera Window MC 6 for ZoomBrowser EX

Canon G.726 WMP-Decoder

Canon MovieEdit Task for ZoomBrowser EX

Canon RAW Image Task for ZoomBrowser EX

Canon RemoteCapture Task for ZoomBrowser EX

Canon Utilities EOS Utility

Canon Utilities PhotoStitch

Canon Utilities ZoomBrowser EX

CCleaner (remove only)

Compatibility Pack for the 2007 Office system

Convert

Creative Live! Cam Center

Creative Live! Cam Notebook Driver (1.00.03.0000)

Creative Live! Cam User's Guide

Creative Photo Manager

Creative Software AutoUpdate

Creative System Information

Easy CD & DVD Creator 6

EPSON CX9400 User's Guide

EPSON Printer Software

EPSON Scan

EPSON Stylus CX9400Fax Series Scanner Driver Update

getPlus® for Adobe

Google Earth

Google Toolbar for Internet Explorer

Google Update Helper

gPhotoShow v1.6.0

HijackThis 2.0.2

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows XP (KB952287)

IrfanView (remove only)

iTunes

Java 6 Update 7

Linksys Wireless-G PCI Network Adapter with SpeedBooster

LiveUpdate 1.7 (Symantec Corporation)

Malwarebytes' Anti-Malware

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office Outlook 2003

Microsoft Office Professional Edition 2003

Microsoft Visual C++ 2005 Redistributable

MSN

muveeNow 2.0 - Creative

NavExcel Search Toolbar (remove only)

NavHelper

PCI Audio Driver

Platform

QuickTime

Search Assistant Searchersmart

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows Media Player 9 (KB911565)

Security Update for Windows Media Player 9 (KB917734)

Security Update for Windows Media Player 9 (KB936782)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB961373)

Skype

[AdvancedSetup]

STEP 01

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

AtJob::

Driver::
s3chipid

File::
c:\documents and settings\Ray\Application Data\~ygw.tmp
c:\program files\iview410_setup.exe
c:\docume~1\Ray\LOCALS~1\Temp\s3chipid.sys

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

• Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  
• Disconnect from the Internet.
  
• Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  
• A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  
• It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
  When the scan completes Notepad will open with with your results log open. Do a File, Exit.
  

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Java

[AdvancedSetup]

Please post a status update on this.

Thanks.

[tallisall]

Hi,

I was away yesterday. Thankyou so much for the help. Logs below.

ComboFix 09-06-07.07 - Ray 06/08/2009 10:16.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.191 [GMT -5:00]

Running from: c:\documents and settings\Ray\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Ray\Desktop\CFscript.txt

FILE ::

"c:\docume~1\Ray\LOCALS~1\Temp\s3chipid.sys"

"c:\documents and settings\Ray\Application Data\~ygw.tmp"

"c:\program files\iview410_setup.exe"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Ray\Application Data\~ygw.tmp

c:\program files\iview410_setup.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_S3CHIPID

-------\Service_s3chipid

((((((((((((((((((((((((( Files Created from 2009-05-08 to 2009-06-08 )))))))))))))))))))))))))))))))

.

2009-06-03 14:19 . 2009-05-26 18:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-06-03 14:19 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-06-03 14:19 . 2009-06-03 14:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-06-02 22:58 . 2009-06-02 22:58 27456 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP1.DLL

2009-06-02 22:58 . 2009-06-02 22:58 25408 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP0.DLL

2009-06-02 15:47 . 2009-06-02 15:47 0 ----a-w- c:\windows\system32\drivers\rootrepeal.sys

2009-05-31 21:59 . 2009-05-31 22:00 -------- d-----w- c:\documents and settings\Ray\DoctorWeb

2009-05-27 18:33 . 2009-06-04 17:42 -------- d-----w- c:\documents and settings\All Users\Application Data\13335464

2009-05-26 15:29 . 2009-05-26 15:29 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-05-26 15:12 . 2009-05-26 15:12 -------- d-----w- c:\documents and settings\Ray\.housecall6.6

2009-05-16 18:01 . 2009-05-16 19:51 -------- d-----w- c:\documents and settings\Ray\Application Data\W Photo Studio

2009-05-16 18:00 . 2009-05-16 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Walgreens

2009-05-16 18:00 . 2009-05-16 18:00 -------- d-----w- c:\program files\Common Files\HP

2009-05-16 17:57 . 2009-05-16 17:58 -------- d-----w- c:\documents and settings\Ray\Application Data\W Photo Studio Viewer

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-08 15:20 . 2007-07-15 00:51 -------- d-----w- c:\documents and settings\Ray\Application Data\Skype

2009-06-08 15:11 . 2007-12-16 14:18 -------- d-----w- c:\documents and settings\Ray\Application Data\skypePM

2009-06-05 16:32 . 2008-08-05 20:46 -------- d-----w- c:\program files\Google

2009-06-03 17:19 . 2009-03-20 20:39 117760 ----a-w- c:\documents and settings\Ray\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-06-02 11:02 . 2006-06-02 23:07 -------- d-----w- c:\program files\NavExcel Search Toolbar

2009-05-27 18:41 . 2008-09-26 16:58 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-05-27 18:05 . 2008-03-14 11:37 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-05-23 22:20 . 2007-09-01 22:22 -------- d-----w- c:\documents and settings\Ray\Application Data\ZoomBrowser EX

2009-05-23 22:14 . 2007-09-01 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser

2009-05-16 18:00 . 2006-06-29 22:43 -------- d-----w- c:\documents and settings\Ray\Application Data\Walgreens

2009-05-07 00:06 . 2006-06-01 05:36 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-04-27 12:08 . 2009-04-27 12:08 -------- d-----w- c:\program files\WireTron

2007-02-03 18:16 . 2007-02-03 18:16 947 ----a-w- c:\program files\sitemap[1].xml

.

((((((((((((((((((((((((((((( SnapShot@2009-06-05_16.25.56 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-06-08 15:20 . 2009-06-08 15:20 16384 c:\windows\temp\Perflib_Perfdata_43c.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-29 21755688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]

"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 77824]

"RaidTool"="c:\program files\VIA\RAID\raid_tool.exe" [2005-07-19 1056768]

"Total Internet"="c:\program files\WT.Net\Fptool.exe" [1998-01-23 718336]

"3c1807pd"="c:\windows\SYSTEM32\3cmlink.exe" [2005-11-19 73728]

"V0470Mon.exe"="c:\windows\V0470Mon.exe" [2007-04-11 32768]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-04-29 188728]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-04-22 68592]

"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-08 53248]

"C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2008-09-27 1581056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Skype\\SkypeSetup.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 2:22 PM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 72944]

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [11/30/2008 11:15 AM 33752]

S3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;c:\windows\system32\drivers\m4301A.sys [8/24/2007 5:15 PM 83552]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 7408]

S3 VF0470Vid;Live! Cam Notebook (VF0470);c:\windows\system32\drivers\V0470Vid.sys [12/9/2007 5:03 PM 146368]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5

.

Contents of the 'Scheduled Tasks' folder

2009-06-08 c:\windows\Tasks\User_Feed_Synchronization-{1495B2FC-3459-45CE-9763-C8F813F4EB70}.job

- c:\windows\system32\msfeedssync.exe [2007-08-14 00:36]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://inreach.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-06-08 10:20

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3304)

c:\program files\Google\Quick Search Box\bin\1.1.1038.9122\qsb.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\program files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

c:\program files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\MsPMSPSv.exe

c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\program files\WT.Net\FPSETUP.exe

c:\program files\Skype\Plugin Manager\skypePM.exe

.

**************************************************************************

.

Completion time: 2009-06-08 10:22 - machine was rebooted

ComboFix-quarantined-files.txt 2009-06-08 15:22

ComboFix2.txt 2009-06-05 16:30

Pre-Run: 29,237,940,224 bytes free

Post-Run: 29,221,257,216 bytes free

151 --- E O F --- 2009-05-13 11:43

JavaRa 1.14 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Mon Jun 08 10:29:58 2009

Found and removed: C:\Windows\System32\jupdate-1.5.0_01-b08.log

Found and removed: SOFTWARE\Classes\JavaPlugin.150_01

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_05\

------------------------------------

Finished reporting.

CLEANING COMPLETE - (2.581 secs)

------------------------------------------------------------------------------------------

3.77MB removed.

------------------------------------------------------------------------------------------

Details of files deleted

------------------------------------------------------------------------------------------

IE Temporary Internet Files (1 files) 77.07KB

C:\Documents and Settings\Ray\Cookies\ray@tracking.realtor[1].txt 115 bytes

C:\Documents and Settings\Ray\Cookies\ray@addresses[1].txt 509 bytes

C:\Documents and Settings\Ray\Cookies\ray@cnet[1].txt 797 bytes

C:\Documents and Settings\Ray\Cookies\ray@yahoo[1].txt 87 bytes

C:\Documents and Settings\Ray\Cookies\ray@mmismm[1].txt 88 bytes

C:\Documents and Settings\Ray\Cookies\ray@events.webflowmetrics[1].txt 124 bytes

C:\Documents and Settings\Ray\Cookies\ray@66.230.188[2].txt 98 bytes

C:\Documents and Settings\Ray\Cookies\ray@google[2].txt 328 bytes

C:\Documents and Settings\Ray\Cookies\ray@looksmart[1].txt 102 bytes

C:\Documents and Settings\Ray\Cookies\ray@smileyadv[1].txt 92 bytes

C:\Documents and Settings\Ray\Cookies\ray@admarketplace[1].txt 123 bytes

C:\Documents and Settings\Ray\Cookies\ray@download.cnet[1].txt 97 bytes

C:\Documents and Settings\Ray\Cookies\ray@www.realtor[1].txt 107 bytes

C:\Documents and Settings\Ray\Cookies\ray@specificclick[2].txt 703 bytes

C:\Documents and Settings\Ray\Cookies\ray@miva[1].txt 153 bytes

C:\Documents and Settings\Ray\Cookies\ray@inreach[1].txt 359 bytes

C:\Documents and Settings\Ray\Cookies\ray@homestore[1].txt 117 bytes

C:\Documents and Settings\Ray\Cookies\ray@homestore.122.2o7[1].txt 125 bytes

C:\Documents and Settings\Ray\Cookies\ray@com[1].txt 93 bytes

C:\Documents and Settings\Ray\Cookies\ray@7569.91423.simonsearch[1].txt 159 bytes

C:\Documents and Settings\Ray\Cookies\ray@www.zoombli[1].txt 358 bytes

C:\Documents and Settings\Ray\Cookies\ray@www.primosearch[1].txt 150 bytes

C:\Documents and Settings\Ray\Cookies\ray@theyellowpages[2].txt 401 bytes

C:\Documents and Settings\Ray\Cookies\ray@www.electronicbillinghost[1].txt 87 bytes

C:\Documents and Settings\Ray\Cookies\ray@myroitracking[2].txt 93 bytes

C:\Documents and Settings\Ray\Cookies\ray@www.chinaontv[3].txt 247 bytes

C:\Documents and Settings\Ray\Cookies\ray@revsci[2].txt 1.14KB

C:\Documents and Settings\Ray\Cookies\ray@zoombli[1].txt 708 bytes

C:\Documents and Settings\Ray\Cookies\ray@malwarebytes[2].txt 402 bytes

C:\Documents and Settings\Ray\Cookies\ray@clickthrough.kanoodle[1].txt 110 bytes

C:\Documents and Settings\Ray\Cookies\ray@www.theyellowpages[2].txt 277 bytes

C:\Documents and Settings\Ray\Cookies\ray@realtor[1].txt 503 bytes

C:\Documents and Settings\Ray\Cookies\ray@search.localdouble[2].txt 428 bytes

C:\Documents and Settings\Ray\Cookies\ray@2payon[2].txt 155 bytes

C:\Documents and Settings\Ray\Cookies\ray@interclick[2].txt 82 bytes

C:\Documents and Settings\Ray\Cookies\ray@bridge2.admarketplace[1].txt 131 bytes

C:\Documents and Settings\Ray\Cookies\ray@roia[1].txt 181 bytes

C:\Documents and Settings\Ray\Cookies\ray@www.addresses[2].txt 289 bytes

C:\Documents and Settings\Ray\Cookies\ray@64.111.196[1].txt 100 bytes

C:\Documents and Settings\Ray\Cookies\ray@feed.ndot[1].txt 99 bytes

C:\Documents and Settings\Ray\Cookies\ray@ads.clicksor[2].txt 92 bytes

C:\Documents and Settings\Ray\Cookies\ray@www.abcjmp[2].txt 144 bytes

C:\Documents and Settings\Ray\Cookies\ray@www.everydayhealth[2].txt 515 bytes

C:\Documents and Settings\Ray\Cookies\ray@66.230.188[1].txt 97 bytes

C:\Documents and Settings\Ray\Cookies\ray@ads.clicksor[1].txt 91 bytes

C:\Documents and Settings\Ray\Cookies\ray@dc.tremormedia[2].txt 114 bytes

C:\Documents and Settings\Ray\Cookies\ray@hjlas[1].txt 1.13KB

C:\Documents and Settings\Ray\Cookies\ray@myroitracking[1].txt 93 bytes

C:\Documents and Settings\Ray\Cookies\ray@www.abcjmp[1].txt 146 bytes

C:\Documents and Settings\Ray\Cookies\ray@www.blastro[2].txt 101 bytes

C:\Documents and Settings\Ray\Cookies\ray@www.chinaontv[2].txt 243 bytes

C:\Documents and Settings\Ray\Cookies\ray@www2.music-tags[2].txt 105 bytes

C:\Documents and Settings\Ray\Cookies\ray@yumenetworks[1].txt 98 bytes

Marked for deletion: C:\Documents and Settings\Ray\Local Settings\Temporary Internet Files\Content.IE5\index.dat

Marked for deletion: C:\Documents and Settings\Ray\Cookies\index.dat

C:\Documents and Settings\Ray\Recent\5-27-09.lnk 544 bytes

C:\Documents and Settings\Ray\Recent\5-29-09.lnk 246 bytes

C:\Documents and Settings\Ray\Recent\6-8-09.lnk 243 bytes

C:\Documents and Settings\Ray\Recent\Attach.txt.lnk 349 bytes

C:\Documents and Settings\Ray\Recent\Avenger.txt.lnk 352 bytes

C:\Documents and Settings\Ray\Recent\avenger1.txt.lnk 357 bytes

C:\Documents and Settings\Ray\Recent\Cleanup Logs.lnk 575 bytes

C:\Documents and Settings\Ray\Recent\combofixlog.txt.lnk 363 bytes

C:\Documents and Settings\Ray\Recent\CureIt1.log.lnk 743 bytes

C:\Documents and Settings\Ray\Recent\DDS.txt.lnk 627 bytes

C:\Documents and Settings\Ray\Recent\hijackthis.log.lnk 365 bytes

C:\Documents and Settings\Ray\Recent\hijackthis1.log.lnk 544 bytes

C:\Documents and Settings\Ray\Recent\hijackthis2.log.lnk 544 bytes

C:\Documents and Settings\Ray\Recent\hijackthisnew.log.lnk 558 bytes

C:\Documents and Settings\Ray\Recent\JavaRa.log.lnk 344 bytes

C:\Documents and Settings\Ray\Recent\mbam-log-2009-06-04 (13-16-59).txt.lnk 445 bytes

C:\Documents and Settings\Ray\Recent\MWB.pdf.lnk 331 bytes

C:\Documents and Settings\Ray\Recent\Process Explorer.pdf.lnk 753 bytes

C:\Documents and Settings\Ray\Recent\Search-09.lnk 388 bytes

Emptied Recycle Bin (4 files) 3.68MB

C:\Documents and Settings\Ray\Local Settings\temp\java_install_reg.log 473 bytes

C:\Documents and Settings\Ray\Application Data\Google\Local Search History\google%2Eweb.w 44 bytes

C:\Documents and Settings\Ray\Application Data\Macromedia\Flash Player\#SharedObjects\HYZSA55U\images.blastro.com\images\flashplayer\flvPlayer.swf\Lightningcast.sol 54 bytes

C:\Documents and Settings\Ray\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#images.blastro.com\settings.sol 88 bytes

C:\Documents and Settings\Ray\Application Data\Macromedia\Flash Player\#SharedObjects\HYZSA55U\is1.j.tv2n.net\dbg.sol 52 bytes

C:\Documents and Settings\Ray\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#is1.j.tv2n.net\settings.sol 84 bytes

C:\Documents and Settings\Ray\Application Data\Macromedia\Flash Player\#SharedObjects\HYZSA55U\skype.com\#ui\preferences.sol 233 bytes

------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.37

Database version: 2248

Windows 5.1.2600 Service Pack 3

6/8/2009 11:06:06 AM

mbam-log-2009-06-08 (11-06-06).txt

Scan type: Quick Scan

Objects scanned: 78771

Time elapsed: 5 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:17:39 AM, on 6/8/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\WINDOWS\system32\VTTimer.exe

C:\Program Files\VIA\RAID\raid_tool.exe

C:\Program Files\WT.Net\Fptool.exe

C:\WINDOWS\V0470Mon.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Search-09\Search.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://inreach.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe

O4 - HKLM\..\Run: [Total Internet] C:\Program Files\WT.Net\Fptool.exe

O4 - HKLM\..\Run: [3c1807pd] C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd

O4 - HKLM\..\Run: [V0470Mon.exe] C:\WINDOWS\V0470Mon.exe

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://photo.walgreens.com/WalgreensOutlookImport.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1228433910968

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1186018685031

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://remote1.na.amec.com/dana-cached/set...perSetupSP1.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--

End of file - 6690 bytes

[AdvancedSetup]

Looks good. Please update your Symantec Anti-Virus and do a Full System scan and let me know what it finds.

[tallisall]

Hi,

Updated and did full scan with Norton. Report says nothing found. Looks like everything is clean.

thank you