Google redirecter/random popups/browser slowdown

Tony360 · July 14, 2010

Hi guys,

I've got a bit of malware that i've had for quite some time. Basically, whenever you click a link to head off to an external site from Google's search results, a lot of the time i'm redirected to some random, infected site. To get around it, I have to copy/paste the link I want to go to into the address bar manually, as opposed to just left-clicking like normal.

Apart from being annoying, i've also noticed my browser to be running a lot slower than normal, which I read is generally another symptom of this malware. The browser i'm using is Firefox 3.6.6 (latest at the time of this post)

Thanks in advance for reading/any help you can provide.

Elise · July 14, 2010

Hello ,

And My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

Please download OTL from one of the following mirrors:
- This is THE Mirror
[*]Save it to your desktop.
[*]Double click on the icon on your desktop.
[*]Click the "Scan All Users" checkbox.
[*]Push the button.
[*]Two reports will open, copy and paste them in a reply here:
- OTListIt.txt <-- Will be opened
- Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:

Main Mirror
This version will download a randomly named file (Recommended)
Zipped Mirror
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply

A detailed description of your problems
A new OTL log (don't forget extra.txt)
GMER log

Tony360 · July 15, 2010

Hey elise025,

Thanks for the response. I've done as you instructed and the OTL log (including extras.txt) is attached.

The only other thing I didn't mention about the problem is that MalwareBytes, Spybot S&D and Avast antivirus have all failed to find any infection.

My GMER log:

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-07-15 23:28:03

Windows 6.1.7600

Running: bsloivit.exe; Driver: C:\Users\Anthony\AppData\Local\Temp\uxtdqfow.sys

---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E30AF8

INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E30104

INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E303F4

INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E18634

INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E18898

INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E301DC

INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E30958

INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E306F8

INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E30F2C

INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E311A8

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x8EFB2B9C]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x8EFB29C0]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x8EFB2AFA]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82E90599 1 Byte [06]

.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EB4F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

PAGE ntkrnlpa.exe!ZwLoadDriver 82FEE279 7 Bytes JMP 8EFB2AFE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

PAGE ntkrnlpa.exe!ObMakeTemporaryObject 83055FA7 5 Bytes JMP 8EFAE5B4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

PAGE ntkrnlpa.exe!ObInsertObject + 27 8306FCA7 5 Bytes JMP 8EFAFFD2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

PAGE ntkrnlpa.exe!NtCreateSection 8307DD23 7 Bytes JMP 8EFB29C4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

PAGE ntkrnlpa.exe!ZwCreateProcessEx 83127EAA 7 Bytes JMP 8EFB2BA0 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

? System32\Drivers\spvc.sys The system cannot find the path specified. !

.xreloc C:\Windows\System32\drivers\sfsync04.sys unknown last section [0x88DFF000, 0xC5E, 0x40000040]

.rsrc C:\Windows\System32\drivers\rdyboost.sys entry point in ".rsrc" section [0x89567014]

.text USBPORT.SYS!DllUnload 8FE7BCA0 5 Bytes JMP 867604E0

.text peauth.sys 9F33CC9D 28 Bytes [4F, 50, D2, AD, 1A, 36, 82, ...]

.text peauth.sys 9F33CCC1 28 Bytes [4F, 50, D2, AD, 1A, 36, 82, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1056] ntdll.dll!NtProtectVirtualMemory 76DD5360 5 Bytes JMP 001D000A

.text C:\Windows\system32\svchost.exe[1056] ntdll.dll!NtWriteVirtualMemory 76DD5EE0 5 Bytes JMP 001E000A

.text C:\Windows\system32\svchost.exe[1056] ntdll.dll!KiUserExceptionDispatcher 76DD6448 5 Bytes JMP 001C000A

.text C:\Windows\system32\svchost.exe[1056] ole32.dll!CoCreateInstance 763057FC 5 Bytes JMP 005E000A

.text C:\Windows\system32\svchost.exe[1056] USER32.dll!GetCursorPos 765FC198 5 Bytes JMP 00E1000A

.text C:\Windows\Explorer.EXE[2940] ntdll.dll!NtProtectVirtualMemory 76DD5360 5 Bytes JMP 0038000A

.text C:\Windows\Explorer.EXE[2940] ntdll.dll!NtWriteVirtualMemory 76DD5EE0 5 Bytes JMP 0039000A

.text C:\Windows\Explorer.EXE[2940] ntdll.dll!KiUserExceptionDispatcher 76DD6448 5 Bytes JMP 0037000A

.text C:\Windows\system32\wuauclt.exe[3184] ntdll.dll!NtProtectVirtualMemory 76DD5360 5 Bytes JMP 0017000A

.text C:\Windows\system32\wuauclt.exe[3184] ntdll.dll!NtWriteVirtualMemory 76DD5EE0 5 Bytes JMP 0018000A

.text C:\Windows\system32\wuauclt.exe[3184] ntdll.dll!KiUserExceptionDispatcher 76DD6448 5 Bytes JMP 0016000A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [88EAD042] \SystemRoot\System32\Drivers\spvc.sys

IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [88EAD6D6] \SystemRoot\System32\Drivers\spvc.sys

IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [88EAD800] \SystemRoot\System32\Drivers\spvc.sys

IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [88EAD13E] \SystemRoot\System32\Drivers\spvc.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 850B31F8

Device \FileSystem\fastfat \FatCdrom 855801F8

Device -> \Driver\atapi \Device\Harddisk0\DR0 850B11F8

Device -> \Driver\atapi \Device\Harddisk0\DR0 85E797B8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x63 0x57 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0E 0x87 0xF7 0x12 ...

Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000@ServiceBinary C:\Windows\system32\drivers\VDRV1000.SYS

Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000@Group SCSI Miniport

Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000@ImagePath system32\DRIVERS\vdrv1000.sys

Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000@ErrorControl 1

Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000@Start 1

Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000@Type 1

Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000@Tag 64

Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000\Enum

Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000\Enum@0 ROOT\SCSIADAPTER\0000

Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000\Enum@Count 1

Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000\Enum@NextInstance 1

Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000\Enum@INITSTARTFAILED 1

Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000\parameters

Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000\parameters\pnpinterface

Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000\parameters\pnpinterface@1 1

Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000\security

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x63 0x57 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0E 0x87 0xF7 0x12 ...

Reg HKLM\SYSTEM\ControlSet002\services\vdrv1000@ServiceBinary C:\Windows\system32\drivers\VDRV1000.SYS

Reg HKLM\SYSTEM\ControlSet002\services\vdrv1000@Group SCSI Miniport

Reg HKLM\SYSTEM\ControlSet002\services\vdrv1000@ImagePath system32\DRIVERS\vdrv1000.sys

Reg HKLM\SYSTEM\ControlSet002\services\vdrv1000@ErrorControl 1

Reg HKLM\SYSTEM\ControlSet002\services\vdrv1000@Start 1

Reg HKLM\SYSTEM\ControlSet002\services\vdrv1000@Type 1

Reg HKLM\SYSTEM\ControlSet002\services\vdrv1000@Tag 64

Reg HKLM\SYSTEM\ControlSet002\services\vdrv1000\Enum (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\services\vdrv1000\Enum@0 ROOT\SCSIADAPTER\0000

Reg HKLM\SYSTEM\ControlSet002\services\vdrv1000\Enum@Count 1

Reg HKLM\SYSTEM\ControlSet002\services\vdrv1000\Enum@NextInstance 1

Reg HKLM\SYSTEM\ControlSet002\services\vdrv1000\Enum@INITSTARTFAILED 1

Reg HKLM\SYSTEM\ControlSet002\services\vdrv1000\parameters (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\services\vdrv1000\parameters\pnpinterface (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\services\vdrv1000\parameters\pnpinterface@1 1

Reg HKLM\SYSTEM\ControlSet002\services\vdrv1000\security (not active ControlSet)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR

Disk \Device\Harddisk0\DR0 sector 02: copy of MBR

Disk \Device\Harddisk0\DR0 sector 03: copy of MBR

Disk \Device\Harddisk0\DR0 sector 04: copy of MBR

Disk \Device\Harddisk0\DR0 sector 05: copy of MBR

Disk \Device\Harddisk0\DR0 sector 06: copy of MBR

Disk \Device\Harddisk0\DR0 sector 07: copy of MBR

Disk \Device\Harddisk0\DR0 sector 08: copy of MBR

Disk \Device\Harddisk0\DR0 sector 09: copy of MBR

Disk \Device\Harddisk0\DR0 sector 10: copy of MBR

Disk \Device\Harddisk0\DR0 sector 11: copy of MBR

Disk \Device\Harddisk0\DR0 sector 12: copy of MBR

Disk \Device\Harddisk0\DR0 sector 13: copy of MBR

Disk \Device\Harddisk0\DR0 sector 14: copy of MBR

Disk \Device\Harddisk0\DR0 sector 15: copy of MBR

Disk \Device\Harddisk0\DR0 sector 16: copy of MBR

Disk \Device\Harddisk0\DR0 sector 17: copy of MBR

Disk \Device\Harddisk0\DR0 sector 18: copy of MBR

Disk \Device\Harddisk0\DR0 sector 19: copy of MBR

Disk \Device\Harddisk0\DR0 sector 20: copy of MBR

Disk \Device\Harddisk0\DR0 sector 21: copy of MBR

Disk \Device\Harddisk0\DR0 sector 22: copy of MBR

Disk \Device\Harddisk0\DR0 sector 23: copy of MBR

Disk \Device\Harddisk0\DR0 sector 24: copy of MBR

Disk \Device\Harddisk0\DR0 sector 25: copy of MBR

Disk \Device\Harddisk0\DR0 sector 26: copy of MBR

Disk \Device\Harddisk0\DR0 sector 27: copy of MBR

Disk \Device\Harddisk0\DR0 sector 28: copy of MBR

Disk \Device\Harddisk0\DR0 sector 29: copy of MBR

Disk \Device\Harddisk0\DR0 sector 30: copy of MBR

Disk \Device\Harddisk0\DR0 sector 31: copy of MBR

Disk \Device\Harddisk0\DR0 sector 32: copy of MBR

Disk \Device\Harddisk0\DR0 sector 33: copy of MBR

Disk \Device\Harddisk0\DR0 sector 34: copy of MBR

Disk \Device\Harddisk0\DR0 sector 35: copy of MBR

Disk \Device\Harddisk0\DR0 sector 36: copy of MBR

Disk \Device\Harddisk0\DR0 sector 37: copy of MBR

Disk \Device\Harddisk0\DR0 sector 38: copy of MBR

Disk \Device\Harddisk0\DR0 sector 39: copy of MBR

Disk \Device\Harddisk0\DR0 sector 40: copy of MBR

Disk \Device\Harddisk0\DR0 sector 41: copy of MBR

Disk \Device\Harddisk0\DR0 sector 42: copy of MBR

Disk \Device\Harddisk0\DR0 sector 43: copy of MBR

Disk \Device\Harddisk0\DR0 sector 44: copy of MBR

Disk \Device\Harddisk0\DR0 sector 45: copy of MBR

Disk \Device\Harddisk0\DR0 sector 46: copy of MBR

Disk \Device\Harddisk0\DR0 sector 47: copy of MBR

Disk \Device\Harddisk0\DR0 sector 48: copy of MBR

Disk \Device\Harddisk0\DR0 sector 49: copy of MBR

Disk \Device\Harddisk0\DR0 sector 50: copy of MBR

Disk \Device\Harddisk0\DR0 sector 51: copy of MBR

Disk \Device\Harddisk0\DR0 sector 52: copy of MBR

Disk \Device\Harddisk0\DR0 sector 53: copy of MBR

Disk \Device\Harddisk0\DR0 sector 54: copy of MBR

Disk \Device\Harddisk0\DR0 sector 55: copy of MBR

Disk \Device\Harddisk0\DR0 sector 56: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 57: copy of MBR

Disk \Device\Harddisk0\DR0 sector 58: copy of MBR

Disk \Device\Harddisk0\DR0 sector 59: copy of MBR

Disk \Device\Harddisk0\DR0 sector 60: copy of MBR

Disk \Device\Harddisk0\DR0 sector 61: copy of MBR

Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- Files - GMER 1.0.15 ----

File C:\Windows\System32\drivers\rdyboost.sys suspicious modification

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Thanks in advance for any help!

Extras.Txt

OTL.Txt

Elise · July 15, 2010

Good thing that GMER was able to see the infection.

This is a nasty rootkit. Before starting to clean it, please consider the following information first.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
Double click on Combofix.exe and follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Tony360 · July 15, 2010

Hey elise025,

Thanks for the response. My ComboFix log is below.

ComboFix 10-07-14.04 - Anthony 16-Jul-10 2:09.1.2 - x86

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2046.1183 [GMT 10:00]

Running from: c:\users\Anthony\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\install.exe

c:\program files\WinPCap

c:\program files\WinPCap\daemon_mgm.exe

c:\program files\WinPCap\INSTALL.LOG

c:\program files\WinPCap\npf_mgm.exe

c:\program files\WinPCap\rpcapd.exe

c:\program files\WinPCap\Uninstall.exe

c:\users\Anthony\Documents\TaskMgr.exe

c:\windows\system32\drivers\npf.sys

c:\windows\system32\Packet.dll

c:\windows\system32\pthreadVC.dll

c:\windows\system32\win.ini

c:\windows\system32\wpcap.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2010-06-15 to 2010-07-15 )))))))))))))))))))))))))))))))

.

2010-07-11 03:37 . 2010-07-11 03:37 -------- d-----w- C:\save.sjsp_files

2010-07-10 15:00 . 2010-07-10 15:02 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-07-10 14:58 . 2010-07-10 14:58 -------- d-----w- c:\program files\QuickTime

2010-07-10 14:57 . 2010-07-10 14:57 -------- d-----w- c:\program files\Apple Software Update

2010-07-10 14:55 . 2010-07-10 14:55 -------- d-----w- c:\program files\Bonjour

2010-07-06 02:52 . 2010-07-13 09:57 -------- d-----w- c:\program files\MW2CU

2010-06-30 13:46 . 2010-06-30 13:46 -------- d-----w- c:\program files\Windows Live SkyDrive

2010-06-30 13:46 . 2010-06-30 13:46 -------- d-----w- c:\program files\Windows Live

2010-06-30 08:49 . 2010-06-30 08:50 -------- d-----w- c:\users\Anthony\AppData\Roaming\vlc

2010-06-30 08:40 . 2010-03-13 07:13 196608 ----a-w- c:\windows\system32\mfreadwrite.dll

2010-06-30 08:40 . 2010-03-13 07:13 3181568 ----a-w- c:\windows\system32\mf.dll

2010-06-30 08:40 . 2010-03-13 07:13 1619456 ----a-w- c:\windows\system32\WMVDECOD.DLL

2010-06-30 08:36 . 2010-06-30 12:53 -------- d-----w- c:\users\Anthony\AppData\Local\Windows Live

2010-06-29 07:28 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr

2010-06-27 14:18 . 2010-06-27 14:18 -------- d-----w- c:\program files\Handmark

2010-06-22 13:13 . 2010-06-22 13:13 -------- d-----w- c:\users\Anthony\AppData\Local\GPSST

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-15 14:11 . 2009-09-11 12:33 -------- d-----w- c:\program files\Steam

2010-07-12 07:03 . 2009-09-09 13:02 -------- d-----w- c:\program files\Common Files\Apple

2010-07-11 13:57 . 2010-05-27 11:23 -------- d-----w- c:\program files\PocketWorkoutWizard

2010-07-10 15:04 . 2009-09-09 13:07 -------- d-----w- c:\users\Anthony\AppData\Roaming\Apple Computer

2010-07-10 14:58 . 2009-09-09 13:04 -------- d-----w- c:\programdata\Apple Computer

2010-07-03 13:06 . 2009-09-09 13:27 -------- d-----w- c:\users\Anthony\AppData\Roaming\uTorrent

2010-07-01 07:09 . 2010-02-19 13:12 -------- d-----w- c:\program files\NaviComputer

2010-06-30 08:52 . 2009-09-10 15:06 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-28 20:57 . 2010-05-29 05:01 165032 ----a-w- c:\windows\system32\aswBoot.exe

2010-06-28 20:37 . 2010-05-29 05:02 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-06-28 20:37 . 2010-05-29 05:02 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-06-28 20:33 . 2010-05-29 05:02 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-06-28 20:32 . 2010-05-29 05:02 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2010-06-28 20:32 . 2010-05-29 05:02 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-06-10 09:38 . 2009-09-10 07:56 -------- d-----w- c:\program files\CLEA

2010-06-09 11:47 . 2010-02-18 12:45 162816 ----a-w- c:\windows\system32\fmod.dll

2010-06-01 12:26 . 2009-12-30 11:29 -------- d-----w- c:\users\Anthony\AppData\Roaming\Internode

2010-05-29 05:01 . 2010-05-29 05:01 -------- d-----w- c:\programdata\Alwil Software

2010-05-29 05:01 . 2010-05-29 05:01 -------- d-----w- c:\program files\Alwil Software

2010-05-29 03:50 . 2010-05-29 03:50 -------- d-----w- c:\program files\Common Files\Java

2010-05-29 03:49 . 2009-09-09 14:45 -------- d-----w- c:\program files\Java

2010-05-26 12:32 . 2010-05-26 12:32 -------- d-----w- c:\users\Anthony\AppData\Roaming\Malwarebytes

2010-05-26 12:32 . 2010-05-26 12:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-26 12:32 . 2010-05-26 12:32 -------- d-----w- c:\programdata\Malwarebytes

2010-05-26 05:57 . 2009-09-09 13:24 -------- d-----w- c:\program files\DOSBox-0.72

2010-05-23 06:55 . 2009-09-09 13:27 -------- d-----w- c:\program files\uTorrent

2010-05-22 10:09 . 2010-05-22 10:09 -------- d-----w- c:\users\Anthony\AppData\Roaming\Facebook

2010-05-19 06:38 . 2009-09-30 06:13 -------- d-----w- c:\program files\Google

2010-05-18 06:35 . 2010-05-18 06:35 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-05-18 06:35 . 2010-05-18 06:35 197920 ----a-w- c:\windows\system32\dnssdX.dll

2010-05-18 06:35 . 2010-05-18 06:35 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-05-12 01:21 . 2009-10-03 05:59 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-07 09:22 . 2009-09-19 05:15 75 ----a-w- c:\users\Anthony\jagex_runescape_preferences2.dat

2010-05-07 09:22 . 2009-09-19 05:09 41 ----a-w- c:\users\Anthony\jagex_runescape_preferences.dat

2010-04-30 13:01 . 2009-09-12 02:17 189480 ----a-w- c:\windows\system32\PnkBstrB.exe

2010-04-30 12:13 . 2009-09-12 02:17 137544 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2010-04-29 05:39 . 2010-05-26 12:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 05:39 . 2010-05-26 12:32 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-24 05:19 . 2009-11-04 10:43 127520 ----a-w- c:\users\Anthony\AppData\Local\GDIPFONTCACHEV1.DAT

2010-04-16 17:27 . 2010-04-16 17:27 0 ----a-w- c:\users\Anthony\jagex__preferences3.dat

2009-09-10 07:12 . 2009-09-10 07:12 61 --sh--w- c:\windows\cnerolf.bin

2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat

2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2009-07-14 144384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-06-01 1501064]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-11 198160]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]

@="FSFilter System Recovery"

[HKLM\~\startupfolder\C:^Users^Anthony^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\users\Anthony\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup

backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

2006-12-23 08:05 143360 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

2008-10-25 01:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2006-01-12 05:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-03-18 12:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2009-10-11 08:57 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VC10Player]

2010-01-11 23:26 402760 ----a-w- c:\program files\Virtual CD v10\System\VC10Play.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile Device Center]

2007-05-30 22:21 648072 ----a-w- c:\windows\WindowsMobile\wmdc.exe

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-10 136176]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]

R3 AteksoftAudio;WebCamera Plus Audio;c:\windows\system32\drivers\ateksoftaudio.sys [2007-12-18 11776]

R3 HH10Help.sys;HH10Help.sys;c:\windows\system32\drivers\HH10Help.sys [2008-11-06 18432]

R3 Tileproxy;Tileproxy;c:\windows\system32\DRIVERS\tileproxy.sys [2008-03-09 31616]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-23 1343400]

R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-03-27 691696]

S0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);c:\windows\System32\drivers\sfdrv01a.sys [2009-02-03 63096]

S1 aswSP;aswSP; [x]

S1 vdrv1000;vdrv1000;c:\windows\system32\DRIVERS\vdrv1000.sys [2009-12-01 183832]

S2 aswFsBlk;aswFsBlk; [x]

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-06-28 50256]

S2 VC10SecS;Virtual CD v10 Management Service;c:\program files\Virtual CD v10\System\VC10SecS.exe [2010-01-11 145736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WindowsMobile REG_MULTI_SZ wcescomm rapimgr

LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

.

Contents of the 'Scheduled Tasks' folder

2010-07-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-10 10:21]

2010-07-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-10 10:21]

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5555

FF - ProfilePath - c:\users\Anthony\AppData\Roaming\Mozilla\Firefox\Profiles\evkoxd9v.default\

FF - prefs.js: browser.startup.homepage - about:blank

FF - component: c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DMExtension\components\FFGlobalExtension.dll

FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: c:\users\Anthony\AppData\LocalLow\StoneTrip\Web Player\npShiVa3D.dll

FF - plugin: c:\users\Anthony\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

SafeBoot-dmboot.sys

SafeBoot-dmio.sys

SafeBoot-dmload.sys

SafeBoot-dmadmin

SafeBoot-dmserver

SafeBoot-SRService

MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

AddRemove-Soldat patch 1.4.2-1.5.0_is1 - f:\windows\Program Files\Soldat\unins001.exe

AddRemove-TileProxy - c:\program files\Microsoft Games\Microsoft Flight Simulator X\Tileproxy\uninstall.exe

AddRemove-WinPcapInst - c:\program files\WinPcap\Uninstall.exe

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x85A60FF0]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

IoDeviceObjectType -> DumpProcedure -> 0xd46a624f

SecurityProcedure -> 0x84cd64d8

QueryNameProcedure -> 0x84cda318

user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\vdrv1000]

"ImagePath"="system32\DRIVERS\vdrv1000.sys"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvvsvc.exe

c:\program files\Alwil Software\Avast5\AvastSvc.exe

c:\windows\system32\taskhost.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\conhost.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\windows\system32\WUDFHost.exe

c:\program files\Alwil Software\Avast5\AvastUI.exe

c:\program files\Windows Media Player\wmpnetwk.exe

.

**************************************************************************

.

Completion time: 2010-07-16 02:30:29 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-15 16:30

Pre-Run: 73,947,717,632 bytes free

Post-Run: 74,331,054,080 bytes free

- - End Of File - - 777405B95A14E4EB1BF5B34E0860DB82

Elise · July 15, 2010

That didn't seem to catch it, so lets try it with a script.

CF-SCRIPT

-------------

We need to execute a CF-script.

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

TDL::
C:\Windows\System32\drivers\rdyboost.sys

DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Tony360 · July 16, 2010

Hey elise025,

Thanks. The new ComboFix log is below.

ComboFix 10-07-14.04 - Anthony 16-Jul-10 13:16:20.2.2 - x86

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2046.1144 [GMT 10:00]

Running from: c:\users\Anthony\Desktop\ComboFix.exe

Command switches used :: c:\users\Anthony\Desktop\CFScript.txt

.

((((((((((((((((((((((((( Files Created from 2010-06-16 to 2010-07-16 )))))))))))))))))))))))))))))))

.

2010-07-16 03:26 . 2010-07-16 03:26 -------- d-----w- c:\users\Anthony\AppData\Local\temp

2010-07-16 03:26 . 2010-07-16 03:26 -------- d-----w- c:\users\Public\AppData\Local\temp

2010-07-16 03:26 . 2010-07-16 03:26 -------- d-----w- c:\users\Default\AppData\Local\temp