Malwarebytes Forum > Reply deleted...still have nasty virus

Full Version: Reply deleted...still have nasty virus

Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs

daveyc

Apr 30 2009, 11:24 PM

Yesterday I posted a problem and got a reply this morning. I went back to check on whether there was any progress towards a solution and noticed the reply had been deleted.
Can someone else help?

I originally could not load MWB or any other Anti virus, malware remover or HJT. Eventually by renaming I was able to load SAS, MWB, and HJT. Ran all and posted. MWB removed 4 infected files (1 trojan, WinPC virus, Adware mysearch, and some others). Eventually I got to the point where everything came back clean... however the version of MWB I loaded was not up to date.

The reply said I needed to download an updated version. I deleted the old version and downloaded an up to date version from GT500. My problem now is that I cannot get it to load. It opens, extracts but no application.

The remaining problems include inability to open firewall settings and inability to connect to the internet.

Can someone advise me on how to get MWB to load and run in the infected laptop?

Here's the HJT file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:03:10 PM, on 4/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lee-county.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: ZyAIR.lnk = C:\Program Files\ZyAIR PCcard Utility\ZyAIR.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1190396349469
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1190396342158
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CBT Wlan Service (CBTWlanSrv) - Unknown owner - C:\WINDOWS\CBTWlanSrv.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5612 bytes

negster22

May 1 2009, 03:53 AM

Just wondering why you're running in safe mode with networking rather than normal mode?

Please run the following programs in normal mode.

Please download ATF Cleaner by Atribune

Close Internet Explorer and any other open browsers
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click
No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Reboot.

Download RootRepeal:
http://rootrepeal.googlepages.com/RootRepeal.zip

Extract the archive to a folder you create such as C:\RootRepeal
Disable the active protection component (guard) of your antivirus)- this can usually be accomplished by right-clicking your AV's system tray icon, and then selecting the disable feature from the context menu.
Double-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator).
Click the "File" tab (located at the bottom of the RootRepeal screen)
Click the "Scan" button
In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
Click OK and the file scan will begin
When the scan is done, there will be files listed, but most if not all of them will be legitimate
Click the "Save Report" Button
Save the log file to your Documents folder
Post the content of the RootRepeal file scan log in your next reply.

Re-enable the active protection component (guard) of your antivirus.

Download DDS and save it to your desktop from here or here

Disable any script blocking programs you may have installed (such as Norton script blocking), and then double-click dss.scr to run the tool.

When done, DDS will open two (2) logs:
- DDS.txt
- Attach.txt
Save both reports to your desktop
Please copy and paste both logs into your next reply

Also, copy/paste the RootRepeal log into your next reply and try not to reboot until I respond.

daveyc

May 1 2009, 04:45 AM

Everything was done via flash drive as this system won't connect. I appreciate the help and hope I did everything right

root repeal:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:03:10 PM, on 4/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lee-county.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: ZyAIR.lnk = C:\Program Files\ZyAIR PCcard Utility\ZyAIR.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1190396349469
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1190396342158
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CBT Wlan Service (CBTWlanSrv) - Unknown owner - C:\WINDOWS\CBTWlanSrv.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5612 bytes

DDS (Ver_09-03-16.01) - NTFSx86
Run by Administrator at 0:36:44.89 on Fri 05/01/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.177 [GMT -4:00]

AV: CyberDefender Internet Security *On-access scanning enabled* (Updated)
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\CBTWlanSrv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
c:\program files\linksys\wpc54gv3\wpc54gv3.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.lee-county.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [TrackPointSrv] tp4mon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [CamMonitor] c:\program files\hewlett-packard\digital imaging\\unload\hpqcmon.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\zyair.lnk - c:\program files\zyair pccard utility\ZyAIR.exe
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190396349469
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190396342158
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-28 64160]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2006-6-20 10880]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-27 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-27 27656]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 72944]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-27 298264]
R2 CBTWlanSrv;CBT Wlan Service;c:\windows\CBTWlanSrv.exe [2008-11-1 106496]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
R3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [2007-12-12 802683]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 7408]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-27 108552]
S2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-1-15 204800]
S3 CBPMp50;CBPMp50 NDIS Protocol Driver;c:\windows\system32\drivers\cbpmp50.sys --> c:\windows\system32\drivers\CBPMp50.sys [?]
S3 CBPSp50;CBPSp50 NDIS Protocol Driver;c:\windows\system32\drivers\CBPSp50.sys [2008-11-1 27072]
S3 CDAVFS;CDAVFS;c:\windows\system32\drivers\CDAVFS.sys [2008-7-14 67424]
S3 SQTECH9052;Disney Micro;c:\windows\system32\drivers\Capt9052.sys [2008-12-28 38656]
S3 WPC54Gv3;Linksys Wireless Notebook Adapter WPC54Gv3 Driver;c:\windows\system32\drivers\WPC54Gv3.SYS [2008-11-1 610816]
S3 ZD1201C;ZyAIR B-120 IEEE 802.11b Wireless LAN Driver (PCMCIA);c:\windows\system32\drivers\zd1201c.sys --> c:\windows\system32\drivers\zd1201c.sys [?]
S3 ZDNDIS5;ZDNDIS5 Protocol Driver;\??\c:\windows\system32\zdndis5.sys --> c:\windows\system32\ZDNDIS5.SYS [?]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-04-30 19:33 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-30 19:33 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-30 08:10 <DIR> --d----- c:\program files\Trend Micro
2009-04-29 16:02 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-29 13:33 <DIR> --d----- c:\program files\CCleaner
2009-04-28 03:15 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-28 01:56 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-04-28 01:55 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-28 01:54 <DIR> --d----- c:\program files\Lavasoft
2009-04-27 21:03 1,152 a------- c:\windows\system32\windrv.sys
2009-04-27 19:51 <DIR> --d----- c:\program files\Loaris Trojan Remover
2009-04-27 14:37 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-04-27 14:15 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-27 14:15 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-27 14:15 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-27 14:15 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-04-27 14:15 <DIR> --d----- c:\program files\AVG
2009-04-27 13:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-04-16 20:11 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-16 20:11 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-16 20:11 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-16 20:11 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-16 20:11 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 20:11 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 20:11 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 20:11 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-16 20:11 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-16 20:04 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-16 20:04 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 20:04 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-03 10:30 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-03 10:28 105,984 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-04-02 07:56 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-04-01 09:03 <DIR> --d----- c:\windows\system32\XPSViewer
2009-04-01 09:01 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-01 09:01 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-01 09:01 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-01 09:01 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-04-01 09:01 117,760 -------- c:\windows\system32\prntvpt.dll
2009-04-01 09:01 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-04-01 09:01 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-04-01 09:01 <DIR> --d----- C:\4edb8fbc66f362cb4231c3046e1aec

==================== Find3M ====================

2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll

============= FINISH: 0:37:00.62 ===============

negster22

May 1 2009, 05:53 AM

You did fine.

So there were no hidden files detected by RootRepeal then?

Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Disable the active protection component of your antivirus by following the directions that apply here:
http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

Double-click the randonly name EXE located in the C:\ARK folder that you just downloaded to run the program.
When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
When the scan is finished (a few seconds, click the Rootkit/Malware tab,and then select the Scan button.
Leave your system completely idle while this longer scan is in progress.
When the scan is done, save the scan log to the Windows clipboard
Open Notepad or a similar text editor
Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
Exit the Program
Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.

Please download Combofix from one of these locations:
HERE
or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as daveyc.exe

Notes:

It is very important that save the newly renamed EXE file to your desktop.
You must rename Combofixe.exe as you download it and not after it is on your computer.

You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
- Open Firefox
- Click Tools -> Options -> Main
- Under the downloads section check the button that says "Always ask me where to save files".
- Click OK
For Internet Explorer:
- Choose to save, not open the file
- When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console if you have not done that already:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:
http://www.bleepingcomputer.com/forums/topic114351.html

Also, disable your firewall!
You can enable the Window firewall in the interim, until the scan is complete.

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

Close any open browsers.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt
3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang. Do not proceed with the rest of the fix if you fail to run combofix.
Please post ARK.txt and C:\ComboFix.txt in your next reply.

daveyc

May 1 2009, 02:28 PM

Sorry for the delay,

In my bleary-eyed-ness, I must have cut and pasted the wrong file. below is the root repeal log as well as a MWB log after that. My service provider (Comcast-who I hate) decided to have an outage last night in the middle of our "project". I went ahead and removed the file found by MWB.

I am reviewing your reply and downloading and preparing to do what you recommended. One note... You suggested turning off firewall. I can't change the settings in firewall because of the virus, or if I can, I can't seem to figure out how. Is this a necessity?

Based on the root repeal log and the new MWB log, should I still continue with ComboFix as you suggested? I'll assume so and prepare but won't run anything until I hear from you.

Thanks again!

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/05/01 00:34
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\Avenger\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACebyiwktantdewvg.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACietqenntyijujvx.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACnpcslouhemxxiri.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACqllrxmqjkdmcxow.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACteqrrhswwqeelpf.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACvbrftegbospivrb.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACyqxwkbodulhylkd.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACxlthpavmttapqme.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\UAC6592.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\dref=http%253A%252F%252Fcomment.myspace.com%252Findex[1].postImageCommentConfirm%2526friendID%253D139062974%2526albumID%253D449048%2526imageID%253D6233130
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\dref=http%253A%252F%252Fmessaging.myspace.com%252Findex[1].sent%2526type%253D%2526messageID%253D0%2526fed%253DTrue%2526compose%253D0%2526friendID%253D52613963
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\dref=http%253A%252F%252Fmessaging[1].reply%2526friendId%253D349274687%2526type%253DInbox%2526messageID%253D53848965%2526MyToken%253Daf4e30a5-c82c-4f81-8659-13e018835409
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\click,VaUDAERxBQDdfA8AYd8EAAIAPkIAAP8AAAADDAIADwKMrgEAHD4HAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAJrmqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14vgenu67%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\click,VaUDAHNxBQA48gkA3tYDAAAAvkIAAAcAAQADDQIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAA.8qkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tidvt70%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\click,VaUDAHNxBQCMrAgAEucDAAIAdkIAAP8AAAADDQIABgOMrgEAr0sFAPncBQAAAAAAAAAAA
AAAAAAAAAAAAAAAAAjuqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t33m8hm%2FM%3D674272[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\click,VaUDAHNxBQCYDRAARjQEAAIAMkIAAP8AAAABDAIABgKMrgEAN0oGAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAaUjEgAAAAA,http%3A%2F%2Fus.ard.yahoo[2].rand%3D2008102514,;ord=1217172486
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAA5kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAK4Pq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tbb5v50%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAAckMAAAsAAwADEQIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAMgrq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t67kk3s%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAAhkMAAAcABAADEQIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAPAtq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t5tq2fh%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAAskMAAAcABQADEgIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAOE3q0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tnvfkah%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAAukMAAAgABgADEgIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAMY6q0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tdsc6de%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQBPjgwA-jMEAAIAQkMAAP8AAAADEAIABgKMrgEA4EkGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFweq0gAAAAA,
http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t5p0fc7%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQBUEgoA908FAAIAIkMAAP8AAAADEAIABgKMrgEADuIHAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAABYbq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tduc9r2%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQBylA4AmqgEAAIAKkIAAP8AAAAHFgIABgKMrgEAN-4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP2j1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tf51cse%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAKFxBQBhYgoA3tYDAAAA-kIAAAkAAwADEAIAAgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEkYq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D150voamm1%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAKFxBQBhYgoA3tYDAAIAAkIAAP8AAAAHFgIAAgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAFaj1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D150f3bbcr%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAA0kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAPoNq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tbpo6c6%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQBd3w0Aho0EAAIArkMAAP8AAAADEgIABgKMrgEAoccGAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAOM2q0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t2o1ig8%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAERxBQBPBgoAuIADAAIBjkMAAP8AAAADEQIADwKMrgEAik0FAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAEkxq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14vgelce4%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\KTUR09UB\click,VaUDAKFxBQA28gkA3tYDAAIA0kMAAP8AAAADEwIAAgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAHxKq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D150l50hua%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\KTUR09UB\click,VaUDAHNxBQBylA4AmqgEAAIAJkIAAP8AAAAHFgIABgKMrgEAN-4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPaj1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tl0c5i1%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\KTUR09UB\click,VaUDAHNxBQBylA4AmqgEAAIALkIAAP8AAAAHFgIABgKMrgEAN-4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGk1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tfgjeg3%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\QX07YV8V\click,VaUDAKFxBQBPRwoARKIEAAAAJkIAAAkAAgABDAIAAgKMrgEAoOUGAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAFmTjEgAAAAA,http%3A%2F%2Fus.ard.yahoo[2].rand%3D1207918661,;ord=1217172313
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\QX07YV8V\default;dcopt=ist;ap1=0;ap2=0;ap3=0;a0_0=0;a0_4=0;a0_7=0;a0_10=0;a1_0=0;a1_
7=0;a2=0;a3=0;a4=0;a5=0;a6=0;a7=0;a9=0;a11=0;a13=0;a15=0;a18=0;spon=0;sens=0;m=0
;
mage=0;area=d[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\QX07YV8V\click,VaUDAFVyBQBhYgoA3tYDAAIAOkIAAP8AAAADDAIAAgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAJPmqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D1507c6tf7%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\QX07YV8V\click,VaUDAHNxBQA48gkA3tYDAAIAukIAAP8AAAADDQIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAANf6qkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tdd112b%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAA4kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAKsPq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tm91fmn%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAAekMAAAcABAADEQIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAIwtq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14teeqbg7%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAAKkMAAAkAAgADEAIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAACQbq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tgcmgl0%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAAlkMAAAoABQADEgIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAFY1q0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14ttpuk4p%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAAmkMAAAoABQADEgIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAGA2q0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tclgj7m%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQBylA4AmqgEAAIAHkIAAP8AAAAHFgIABgKMrgEAN-4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOaj1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tuv5b4b%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQDHBgoAq3QFAAIAGkMAAP8AAAADEAIABgKMrgEADB8IAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAMMaq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tvh1of0%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAA3kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAKgPq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14te0e931%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAERxBQBPBgoAuIADAAIAMkIAAP8AAAAHFgIADwKMrgEAik0FAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAek1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14vmcfi13%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\6rnd%3D006006792%26neg%3D1%26ega%3D16%26uhpt%3D16%26ged%3D0%3A0%3AYjQ1YzdlNjg0OWRmZTVlY_S0h08m3fTgveBpjSG6GdrUJQ6Sv3lzY9lbuBPAUoU2NJC5jwUVX9biVT
8oY7GZJNCQ_a1XFBY2Xj2NDUHk1oj&r=0
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\default;dcopt=ist;ap1=0;ap2=0;ap3=0;a0_0=0;a0_4=0;a0_7=0;a0_10=0;a1_0=0;a1_
7=0;a2=0;a3=0;a4=0;a5=0;a6=0;a7=0;a9=0;a11=0;a13=0;a15=0;a18=0;spon=0;sens=0;m=0
;
mage=0;area=d[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\dref=http%253A%252F%252Fwww[1].asp%253Fpartner%253Daccuweather%2526traveler%253D1%2526zipChg%253D1%2526zipcode%253D33948%2526metric%253D0%2526site%253DFLS%2526large%253D0
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\click,VaUDAKFxBQBPRwoARKIEAAIAAkIAAP8AAAABDAIAAgKMrgEAoOUGAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAKuOjEgAAAAA,http%3A%2F%2Fus.ard.yahoo[2].rand%3Dfj80vvrn0ekeq,;ord=1217171115
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\dref=http%253A%252F%252Fcomment.myspace.com%252Findex[1].viewProfile_commentForm%2526friendID%253D139062974%2526MyToken%253D987aea37-1af8-4217-b620-addda9b3755c
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\dref=http%253A%252F%252Fmessaging[1].reply%2526friendId%253D349274687%2526type%253DInbox%2526messageID%253D53848965%2526MyToken%253Daf4e30a5-c82c-4f81-8659-13e018835409
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\click,VaUDAHNxBQDf6w4Av8EEAAIAbkIAAP8AAAADDAIABgKMrgEATxMHAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAGbtqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14taa4ecm%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\click,VaUDAKFxBQBhYgoA3tYDAAAAZkIAAAkAAQADDAIAAgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAHLsqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D150rcaopu%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAERxBQAzuAkALDADAAIA9kIAAP8AAAADDwIADwKMrgEAht8EAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAKAXq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14vgup2li%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQA48gkA3tYDAAAA7kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAACQUq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14ta06788%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQA48gkA3tYDAAAA8kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAFYVq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14telousf%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQA48gkA3tYDAAAAYkMAAAoAAwADEAIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAPAkq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t3af3av%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQBylA4AmqgEAAIAPkIAAP8AAAAHFgIABgKMrgEAN-4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB6k1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t26ndng%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQCXbA8AP-sEAAIB4kMAAP8AAAADFAIABgKMrgEAHFAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB9Vq0gAAAAA,h
ttp%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tds3bl8%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQCYDRAARjQEAAIAQkIAAP8AAAAHFgIABgKMrgEAN0oGAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAACKk1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tr1hrk2%2FM%3D674272[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQDHBgoAq3QFAAAA3kMAAAsAAQADFAIABgKMrgEADB8IAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAB1Vq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t37o0pr%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAKFxBQBhYgoA3tYDAAAA6kIAAAsAAgADDwIAAgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAACIUq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D150fruna5%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAP2dBQAFDxMAZ1IEAAIAOkIAAP8AAAAHFgIADwKSrgEAPHMGAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAABmk1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D15ps4s95m%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQA48gkA3tYDAAAANkMAAAkAAgADEAIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAK0bq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tka870d%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\YXSX4583\click,VaUDAHNxBQCMrAgAEucDAAIAekIAAP8AAAADDQIABgOMrgEA1cMEAPncBQAAAAAAAAAAA
AAAAAAAAAAAAAAAAA.uqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t21j2t3%2FM%3D674272[2]
Status: Locked to the Windows API!

MWB log:

Malwarebytes' Anti-Malware 1.36
Database version: 2060
Windows 5.1.2600 Service Pack 3

5/1/2009 2:17:29 AM
mbam-log-2009-05-01 (02-17-29).txt

Scan type: Quick Scan
Objects scanned: 74731
Time elapsed: 4 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Illysoft (Rogue.SpyNoMore) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Illysoft (Rogue.SpyNoMore) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

negster22

May 1 2009, 03:27 PM

You can try this first, but ultimately Combofix should be run to detect and remove all hidden files present.

Disabling the firewall is not that important but AV should definitely be disabled.!

Relaunch RootRepeal (prescan)

Repeat the hidden file scan as per my previous instructions with all security protection disabled.
After the scan identifies and displays the hidden files present on your system, use your mouse to highlight the following file in the Rootrepeal window.
C:\WINDOWS\system32\drivers\UACxlthpavmttapqme.sys
If not exactly matching the above file name, It will be a SYS which begins with UAC, s followed by a long string of random characters and ends in a SYS file extension.
Next right-click the file noted above, and select the *wipe file* option only.
Exit RootRepeal and immediately reboot!

Upon reboot,

Relaunch MBAM
Select the Update tab -> Check for Updates
After MBAM updates, select the Scanner tab.
Select Perform quick scan, then click Scan.
When the scan is complete, click OK -> Show Results to view the scan results.
Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.

Repeat the RootRepeal file scan (post-scan) and see if any hidden items remain.

Post back RootRepeal logs (prescan & post-scan in that order ) and a new MBAM scan report.

daveyc

May 1 2009, 04:33 PM

ran root repeal as directed...log below
wiped out sys file as directed. immediate reboot

upon reboot was given a "generic host process for Win32 Services" error... needed to shutdown? asked if i wanted to send a report. Said no (no internet connection anyway). View report and here's some info:

error signature
szAppname svchost.exe version 5.1.2600.5512
szModname upnphost.dll version 5.1.2600.5512
offset 00016f8

error listed at 4/29 3:44 (which was not the time of the reboot)

ran MWB but not an updated version as I have not attempted to connect to the internet (part of the issue was inability to do so. I removed the wireless card so it could not attempt)

log attatched
removed selected.

MWB asked for a reboot to complete removal. I did NOT reboot.

Ran Root repeal a second time

log attached

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/05/01 11:53
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\Avenger\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACebyiwktantdewvg.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACietqenntyijujvx.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACnpcslouhemxxiri.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACqllrxmqjkdmcxow.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACteqrrhswwqeelpf.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACvbrftegbospivrb.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACyqxwkbodulhylkd.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACxlthpavmttapqme.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\UAC6592.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\dref=http%253A%252F%252Fcomment.myspace.com%252Findex[1].postImageCommentConfirm%2526friendID%253D139062974%2526albumID%253D449048%2526imageID%253D6233130
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\dref=http%253A%252F%252Fmessaging.myspace.com%252Findex[1].sent%2526type%253D%2526messageID%253D0%2526fed%253DTrue%2526compose%253D0%2526friendID%253D52613963
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\dref=http%253A%252F%252Fmessaging[1].reply%2526friendId%253D349274687%2526type%253DInbox%2526messageID%253D53848965%2526MyToken%253Daf4e30a5-c82c-4f81-8659-13e018835409
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\click,VaUDAERxBQDdfA8AYd8EAAIAPkIAAP8AAAADDAIADwKMrgEAHD4HAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAJrmqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14vgenu67%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\click,VaUDAHNxBQA48gkA3tYDAAAAvkIAAAcAAQADDQIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAA.8qkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tidvt70%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\click,VaUDAHNxBQCMrAgAEucDAAIAdkIAAP8AAAADDQIABgOMrgEAr0sFAPncBQAAAAAAAAAAA
AAAAAAAAAAAAAAAAAjuqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t33m8hm%2FM%3D674272[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\click,VaUDAHNxBQCYDRAARjQEAAIAMkIAAP8AAAABDAIABgKMrgEAN0oGAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAaUjEgAAAAA,http%3A%2F%2Fus.ard.yahoo[2].rand%3D2008102514,;ord=1217172486
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAA5kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAK4Pq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tbb5v50%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAAckMAAAsAAwADEQIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAMgrq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t67kk3s%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAAhkMAAAcABAADEQIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAPAtq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t5tq2fh%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAAskMAAAcABQADEgIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAOE3q0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tnvfkah%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAAukMAAAgABgADEgIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAMY6q0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tdsc6de%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQBPjgwA-jMEAAIAQkMAAP8AAAADEAIABgKMrgEA4EkGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFweq0gAAAAA,
http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t5p0fc7%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQBUEgoA908FAAIAIkMAAP8AAAADEAIABgKMrgEADuIHAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAABYbq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tduc9r2%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQBylA4AmqgEAAIAKkIAAP8AAAAHFgIABgKMrgEAN-4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP2j1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tf51cse%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAKFxBQBhYgoA3tYDAAAA-kIAAAkAAwADEAIAAgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEkYq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D150voamm1%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAKFxBQBhYgoA3tYDAAIAAkIAAP8AAAAHFgIAAgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAFaj1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D150f3bbcr%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAA0kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAPoNq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tbpo6c6%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQBd3w0Aho0EAAIArkMAAP8AAAADEgIABgKMrgEAoccGAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAOM2q0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t2o1ig8%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAERxBQBPBgoAuIADAAIBjkMAAP8AAAADEQIADwKMrgEAik0FAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAEkxq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14vgelce4%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\KTUR09UB\click,VaUDAKFxBQA28gkA3tYDAAIA0kMAAP8AAAADEwIAAgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAHxKq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D150l50hua%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\KTUR09UB\click,VaUDAHNxBQBylA4AmqgEAAIAJkIAAP8AAAAHFgIABgKMrgEAN-4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPaj1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tl0c5i1%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\KTUR09UB\click,VaUDAHNxBQBylA4AmqgEAAIALkIAAP8AAAAHFgIABgKMrgEAN-4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGk1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tfgjeg3%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\QX07YV8V\click,VaUDAKFxBQBPRwoARKIEAAAAJkIAAAkAAgABDAIAAgKMrgEAoOUGAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAFmTjEgAAAAA,http%3A%2F%2Fus.ard.yahoo[2].rand%3D1207918661,;ord=1217172313
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\QX07YV8V\default;dcopt=ist;ap1=0;ap2=0;ap3=0;a0_0=0;a0_4=0;a0_7=0;a0_10=0;a1_0=0;a1_
7=0;a2=0;a3=0;a4=0;a5=0;a6=0;a7=0;a9=0;a11=0;a13=0;a15=0;a18=0;spon=0;sens=0;m=0
;
mage=0;area=d[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\QX07YV8V\click,VaUDAFVyBQBhYgoA3tYDAAIAOkIAAP8AAAADDAIAAgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAJPmqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D1507c6tf7%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\QX07YV8V\click,VaUDAHNxBQA48gkA3tYDAAIAukIAAP8AAAADDQIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAANf6qkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tdd112b%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAA4kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAKsPq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tm91fmn%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAAekMAAAcABAADEQIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAIwtq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14teeqbg7%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAAKkMAAAkAAgADEAIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAACQbq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tgcmgl0%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAAlkMAAAoABQADEgIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAFY1q0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14ttpuk4p%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAAmkMAAAoABQADEgIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAGA2q0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tclgj7m%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQBylA4AmqgEAAIAHkIAAP8AAAAHFgIABgKMrgEAN-4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOaj1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tuv5b4b%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQDHBgoAq3QFAAIAGkMAAP8AAAADEAIABgKMrgEADB8IAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAMMaq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tvh1of0%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAA3kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAKgPq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14te0e931%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAERxBQBPBgoAuIADAAIAMkIAAP8AAAAHFgIADwKMrgEAik0FAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAek1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14vmcfi13%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\6rnd%3D006006792%26neg%3D1%26ega%3D16%26uhpt%3D16%26ged%3D0%3A0%3AYjQ1YzdlNjg0OWRmZTVlY_S0h08m3fTgveBpjSG6GdrUJQ6Sv3lzY9lbuBPAUoU2NJC5jwUVX9biVT
8oY7GZJNCQ_a1XFBY2Xj2NDUHk1oj&r=0
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\default;dcopt=ist;ap1=0;ap2=0;ap3=0;a0_0=0;a0_4=0;a0_7=0;a0_10=0;a1_0=0;a1_
7=0;a2=0;a3=0;a4=0;a5=0;a6=0;a7=0;a9=0;a11=0;a13=0;a15=0;a18=0;spon=0;sens=0;m=0
;
mage=0;area=d[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\dref=http%253A%252F%252Fwww[1].asp%253Fpartner%253Daccuweather%2526traveler%253D1%2526zipChg%253D1%2526zipcode%253D33948%2526metric%253D0%2526site%253DFLS%2526large%253D0
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\click,VaUDAKFxBQBPRwoARKIEAAIAAkIAAP8AAAABDAIAAgKMrgEAoOUGAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAKuOjEgAAAAA,http%3A%2F%2Fus.ard.yahoo[2].rand%3Dfj80vvrn0ekeq,;ord=1217171115
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\dref=http%253A%252F%252Fcomment.myspace.com%252Findex[1].viewProfile_commentForm%2526friendID%253D139062974%2526MyToken%253D987aea37-1af8-4217-b620-addda9b3755c
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\dref=http%253A%252F%252Fmessaging[1].reply%2526friendId%253D349274687%2526type%253DInbox%2526messageID%253D53848965%2526MyToken%253Daf4e30a5-c82c-4f81-8659-13e018835409
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\click,VaUDAHNxBQDf6w4Av8EEAAIAbkIAAP8AAAADDAIABgKMrgEATxMHAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAGbtqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14taa4ecm%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\click,VaUDAKFxBQBhYgoA3tYDAAAAZkIAAAkAAQADDAIAAgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAHLsqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D150rcaopu%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAERxBQAzuAkALDADAAIA9kIAAP8AAAADDwIADwKMrgEAht8EAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAKAXq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14vgup2li%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQA48gkA3tYDAAAA7kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAACQUq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14ta06788%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQA48gkA3tYDAAAA8kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAFYVq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14telousf%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQA48gkA3tYDAAAAYkMAAAoAAwADEAIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAPAkq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t3af3av%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQBylA4AmqgEAAIAPkIAAP8AAAAHFgIABgKMrgEAN-4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB6k1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t26ndng%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQCXbA8AP-sEAAIB4kMAAP8AAAADFAIABgKMrgEAHFAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB9Vq0gAAAAA,h
ttp%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tds3bl8%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQCYDRAARjQEAAIAQkIAAP8AAAAHFgIABgKMrgEAN0oGAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAACKk1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tr1hrk2%2FM%3D674272[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQDHBgoAq3QFAAAA3kMAAAsAAQADFAIABgKMrgEADB8IAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAB1Vq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t37o0pr%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAKFxBQBhYgoA3tYDAAAA6kIAAAsAAgADDwIAAgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAACIUq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D150fruna5%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAP2dBQAFDxMAZ1IEAAIAOkIAAP8AAAAHFgIADwKSrgEAPHMGAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAABmk1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D15ps4s95m%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQA48gkA3tYDAAAANkMAAAkAAgADEAIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAK0bq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tka870d%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\YXSX4583\click,VaUDAHNxBQCMrAgAEucDAAIAekIAAP8AAAADDQIABgOMrgEA1cMEAPncBQAAAAAAAAAAA
AAAAAAAAAAAAAAAAA.uqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t21j2t3%2FM%3D674272[2]
Status: Locked to the Windows API!

Post Scan:

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/05/01 12:23
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\dref=http%253A%252F%252Fcomment.myspace.com%252Findex[1].postImageCommentConfirm%2526friendID%253D139062974%2526albumID%253D449048%2526imageID%253D6233130
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\dref=http%253A%252F%252Fmessaging.myspace.com%252Findex[1].sent%2526type%253D%2526messageID%253D0%2526fed%253DTrue%2526compose%253D0%2526friendID%253D52613963
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\dref=http%253A%252F%252Fmessaging[1].reply%2526friendId%253D349274687%2526type%253DInbox%2526messageID%253D53848965%2526MyToken%253Daf4e30a5-c82c-4f81-8659-13e018835409
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\click,VaUDAERxBQDdfA8AYd8EAAIAPkIAAP8AAAADDAIADwKMrgEAHD4HAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAJrmqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14vgenu67%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\click,VaUDAHNxBQA48gkA3tYDAAAAvkIAAAcAAQADDQIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAA.8qkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tidvt70%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\click,VaUDAHNxBQCMrAgAEucDAAIAdkIAAP8AAAADDQIABgOMrgEAr0sFAPncBQAAAAAAAAAAA
AAAAAAAAAAAAAAAAAjuqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t33m8hm%2FM%3D674272[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HATM7GZ\click,VaUDAHNxBQCYDRAARjQEAAIAMkIAAP8AAAABDAIABgKMrgEAN0oGAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAaUjEgAAAAA,http%3A%2F%2Fus.ard.yahoo[2].rand%3D2008102514,;ord=1217172486
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAA5kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAK4Pq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tbb5v50%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAAckMAAAsAAwADEQIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAMgrq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t67kk3s%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAAhkMAAAcABAADEQIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAPAtq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t5tq2fh%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAAskMAAAcABQADEgIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAOE3q0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tnvfkah%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAAukMAAAgABgADEgIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAMY6q0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tdsc6de%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQBPjgwA-jMEAAIAQkMAAP8AAAADEAIABgKMrgEA4EkGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFweq0gAAAAA,
http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t5p0fc7%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQBUEgoA908FAAIAIkMAAP8AAAADEAIABgKMrgEADuIHAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAABYbq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tduc9r2%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQBylA4AmqgEAAIAKkIAAP8AAAAHFgIABgKMrgEAN-4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP2j1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tf51cse%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAKFxBQBhYgoA3tYDAAAA-kIAAAkAAwADEAIAAgKMrgEALMcFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEkYq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D150voamm1%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAKFxBQBhYgoA3tYDAAIAAkIAAP8AAAAHFgIAAgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAFaj1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D150f3bbcr%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQA48gkA3tYDAAAA0kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAPoNq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tbpo6c6%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAHNxBQBd3w0Aho0EAAIArkMAAP8AAAADEgIABgKMrgEAoccGAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAOM2q0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t2o1ig8%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\0PEZOLYB\click,VaUDAERxBQBPBgoAuIADAAIBjkMAAP8AAAADEQIADwKMrgEAik0FAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAEkxq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14vgelce4%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\KTUR09UB\click,VaUDAKFxBQA28gkA3tYDAAIA0kMAAP8AAAADEwIAAgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAHxKq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D150l50hua%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\KTUR09UB\click,VaUDAHNxBQBylA4AmqgEAAIAJkIAAP8AAAAHFgIABgKMrgEAN-4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPaj1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tl0c5i1%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\KTUR09UB\click,VaUDAHNxBQBylA4AmqgEAAIALkIAAP8AAAAHFgIABgKMrgEAN-4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGk1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tfgjeg3%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\QX07YV8V\click,VaUDAKFxBQBPRwoARKIEAAAAJkIAAAkAAgABDAIAAgKMrgEAoOUGAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAFmTjEgAAAAA,http%3A%2F%2Fus.ard.yahoo[2].rand%3D1207918661,;ord=1217172313
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\QX07YV8V\default;dcopt=ist;ap1=0;ap2=0;ap3=0;a0_0=0;a0_4=0;a0_7=0;a0_10=0;a1_0=0;a1_
7=0;a2=0;a3=0;a4=0;a5=0;a6=0;a7=0;a9=0;a11=0;a13=0;a15=0;a18=0;spon=0;sens=0;m=0
;
mage=0;area=d[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\QX07YV8V\click,VaUDAFVyBQBhYgoA3tYDAAIAOkIAAP8AAAADDAIAAgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAJPmqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D1507c6tf7%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\QX07YV8V\click,VaUDAHNxBQA48gkA3tYDAAIAukIAAP8AAAADDQIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAANf6qkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tdd112b%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAA4kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAKsPq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tm91fmn%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAAekMAAAcABAADEQIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAIwtq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14teeqbg7%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAAKkMAAAkAAgADEAIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAACQbq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tgcmgl0%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAAlkMAAAoABQADEgIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAFY1q0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14ttpuk4p%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAAmkMAAAoABQADEgIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAGA2q0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tclgj7m%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQBylA4AmqgEAAIAHkIAAP8AAAAHFgIABgKMrgEAN-4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOaj1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tuv5b4b%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQDHBgoAq3QFAAIAGkMAAP8AAAADEAIABgKMrgEADB8IAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAMMaq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tvh1of0%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAHNxBQA48gkA3tYDAAAA3kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAKgPq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14te0e931%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SHQF8HMF\click,VaUDAERxBQBPBgoAuIADAAIAMkIAAP8AAAAHFgIADwKMrgEAik0FAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAek1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14vmcfi13%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\6rnd%3D006006792%26neg%3D1%26ega%3D16%26uhpt%3D16%26ged%3D0%3A0%3AYjQ1YzdlNjg0OWRmZTVlY_S0h08m3fTgveBpjSG6GdrUJQ6Sv3lzY9lbuBPAUoU2NJC5jwUVX9biVT
8oY7GZJNCQ_a1XFBY2Xj2NDUHk1oj&r=0
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\default;dcopt=ist;ap1=0;ap2=0;ap3=0;a0_0=0;a0_4=0;a0_7=0;a0_10=0;a1_0=0;a1_
7=0;a2=0;a3=0;a4=0;a5=0;a6=0;a7=0;a9=0;a11=0;a13=0;a15=0;a18=0;spon=0;sens=0;m=0
;
mage=0;area=d[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\dref=http%253A%252F%252Fwww[1].asp%253Fpartner%253Daccuweather%2526traveler%253D1%2526zipChg%253D1%2526zipcode%253D33948%2526metric%253D0%2526site%253DFLS%2526large%253D0
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\click,VaUDAKFxBQBPRwoARKIEAAIAAkIAAP8AAAABDAIAAgKMrgEAoOUGAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAKuOjEgAAAAA,http%3A%2F%2Fus.ard.yahoo[2].rand%3Dfj80vvrn0ekeq,;ord=1217171115
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\dref=http%253A%252F%252Fcomment.myspace.com%252Findex[1].viewProfile_commentForm%2526friendID%253D139062974%2526MyToken%253D987aea37-1af8-4217-b620-addda9b3755c
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\dref=http%253A%252F%252Fmessaging[1].reply%2526friendId%253D349274687%2526type%253DInbox%2526messageID%253D53848965%2526MyToken%253Daf4e30a5-c82c-4f81-8659-13e018835409
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\click,VaUDAHNxBQDf6w4Av8EEAAIAbkIAAP8AAAADDAIABgKMrgEATxMHAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAGbtqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14taa4ecm%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDS1KVE9\click,VaUDAKFxBQBhYgoA3tYDAAAAZkIAAAkAAQADDAIAAgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAHLsqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D150rcaopu%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAERxBQAzuAkALDADAAIA9kIAAP8AAAADDwIADwKMrgEAht8EAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAKAXq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14vgup2li%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQA48gkA3tYDAAAA7kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAACQUq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14ta06788%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQA48gkA3tYDAAAA8kIAAAsAAQADDwIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAFYVq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14telousf%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQA48gkA3tYDAAAAYkMAAAoAAwADEAIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAPAkq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t3af3av%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQBylA4AmqgEAAIAPkIAAP8AAAAHFgIABgKMrgEAN-4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB6k1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t26ndng%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQCXbA8AP-sEAAIB4kMAAP8AAAADFAIABgKMrgEAHFAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB9Vq0gAAAAA,h
ttp%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tds3bl8%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQCYDRAARjQEAAIAQkIAAP8AAAAHFgIABgKMrgEAN0oGAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAACKk1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tr1hrk2%2FM%3D674272[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQDHBgoAq3QFAAAA3kMAAAsAAQADFAIABgKMrgEADB8IAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAB1Vq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t37o0pr%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAKFxBQBhYgoA3tYDAAAA6kIAAAsAAgADDwIAAgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAACIUq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D150fruna5%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAP2dBQAFDxMAZ1IEAAIAOkIAAP8AAAAHFgIADwKSrgEAPHMGAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAABmk1UgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D15ps4s95m%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5E7S9UR\click,VaUDAHNxBQA48gkA3tYDAAAANkMAAAkAAgADEAIABgKMrgEALMcFAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAK0bq0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14tka870d%2FM%3D674272[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\YXSX4583\click,VaUDAHNxBQCMrAgAEucDAAIAekIAAP8AAAADDQIABgOMrgEA1cMEAPncBQAAAAAAAAAAA
AAAAAAAAAAAAAAAAA.uqkgAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t21j2t3%2FM%3D674272[2]
Status: Locked to the Windows API!

MWB Log:

Malwarebytes' Anti-Malware 1.36
Database version: 2060
Windows 5.1.2600 Service Pack 3

5/1/2009 12:15:32 PM
mbam-log-2009-05-01 (12-15-32).txt

Scan type: Quick Scan
Objects scanned: 75065
Time elapsed: 11 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\UACietqenntyijujvx.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACnpcslouhemxxiri.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACqllrxmqjkdmcxow.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACteqrrhswwqeelpf.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACyqxwkbodulhylkd.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACxlthpavmttapqme.sys (Trojan.Agent) -> Quarantined and deleted successfully.

negster22

May 1 2009, 05:11 PM

The rootkit is still there. You have to reboot for MBAM to remove the files.

You are going to have to run Combofix (renamed) as per my my previous instructions to kill this beast!

daveyc

May 1 2009, 05:25 PM

OK...
I will get to work on running ComboFix. I'm off to work so it may be awhile until the next reply.

Thank you so much for the help thus far. I'll attempt to update by tomorrow.

Is there a problem with trying to connect? Should I? (I'm guessing it won't connect anyway because of the firewall issue)

Fingers crossed and staying positive!

negster22

May 1 2009, 06:26 PM

You're welcome!

QUOTE

Everything was done via flash drive as this system won't connect.

I was under the impression you couldn't connect, but let's solve the rootkit issue first and then we'll deal with the connection issues.

Some tools you should grab for use later are the following:

Winsockfix:
http://majorgeeks.com/download4372.html

Using this download:
http://majorgeeks.com/downloadget.php?id=4...f302c260093894b

Avenger:
http://swandog46.geekstogo.com/avenger2/download.php

Do NOT use without my supervision please!

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.