Malware infection - need help please


Quizzical

  • Problem began 4 days ago.
  • Became concerned after unusual "security alert" that wouldn't clear
  • AVG scan identified Clicker.AAWS and Downloader.Zlob and quarantined
  • Not sorted though - Symptoms after that included IE (which I don't normally use) opening by itself every few minutes
  • I noticed a couple of spurious processes running (a.exe) which I manually deleted
  • Also none of my anti-malware apps would run, including AVG which was now disabled as well
  • Tried HJT, Spybot, Adaware already on my PC - none worked
  • Next ran HouseCall which identified an infected .sys file it labelled as TR/PCK.Tdss.C.92
  • Still couldn't run any apps
  • Next installed Avira and this was able to run a full scan, identifying and quarantining the file that HouseCall had quarantined plus 3 others KillIt.exe, KillWind.exe and 1890hp.exe which it labelled as Hupigon.huap
  • Still unable to run any other malware apps, but Avira apparently running OK
  • Installed MBAM, it updated, then launched and then crashed after 4 secs
  • Tried running some other things, Rootrepeal, GMER, got Blue Screened

I've now no idea what to do for the best and would really appreciate some help.

Sorry if anything I've tried has made the problem more difficult to solve

  • Staff

Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317


Hello and thanks for your reply.

ComboFix appeared to remove/fix some files during the process but I can't see details of that in the log. You're probably not surprised by that but just thought I'd mention it.

Log follows:

ComboFix 09-09-25.01 - Compaq_Owner 27/09/2009 8:53.1.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1023.673 [GMT 1:00]

Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Compaq_Owner\Application Data\Desktopicon

c:\documents and settings\Compaq_Owner\Application Data\Desktopicon\eBayShortcuts.exe

c:\documents and settings\Compaq_Owner\My Documents\ZbThumbnail.info

c:\windows\jestertb.dll

c:\windows\system32\ps2.bat

E:\Autorun.inf

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\system32\dllcache\eventlog.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_uac4pdt

-------\Legacy_UACd.sys

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Service_uac4pdt

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-08-27 to 2009-09-27 )))))))))))))))))))))))))))))))

.

2009-09-26 11:01 . 2009-09-27 07:25 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-09-26 10:03 . 2009-09-26 10:03 -------- d-----w- c:\program files\ERUNT

2009-09-25 21:27 . 2009-09-23 16:02 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2009-09-24 21:07 . 2009-07-28 15:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-09-24 21:07 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-09-24 21:07 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-09-24 21:07 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-09-24 21:07 . 2009-09-24 21:07 -------- d-----w- c:\program files\Avira

2009-09-24 21:07 . 2009-09-24 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-09-24 16:06 . 2009-09-24 16:06 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Azureus

2009-09-23 18:38 . 2009-09-23 18:40 -------- d-----w- c:\documents and settings\Compaq_Owner\DoctorWeb

2009-09-23 17:29 . 2009-09-23 17:29 -------- d-----w- c:\program files\OEBW

2009-09-23 16:02 . 2009-09-25 21:27 -------- d-----w- c:\documents and settings\Compaq_Owner\.housecall6.6

2009-09-22 22:55 . 2009-09-22 22:55 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes

2009-09-22 22:55 . 2009-09-22 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-22 17:03 . 2009-09-27 07:16 0 ----a-r- c:\windows\win32k.sys

2009-09-22 17:03 . 2009-09-22 17:03 68608 ----a-w- c:\windows\system32\drivers\cyehxtksmqecxrxe.sys

2009-09-22 17:03 . 2009-09-22 17:03 -------- d-----w- C:\spoolerlogs

2009-09-22 16:53 . 2009-09-22 16:53 68608 ----a-w- c:\windows\system32\drivers\rpvnyycbvorxvmtn.sys

2009-09-06 17:01 . 2009-09-06 17:01 -------- d-----w- c:\program files\CopyFilenames

2009-08-29 08:18 . 2009-08-29 08:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-27 08:01 . 2009-09-06 12:09 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

2009-09-27 07:25 . 2005-09-10 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-26 10:39 . 2009-06-12 05:57 -------- d-----w- c:\program files\Unlocker

2009-09-25 22:41 . 2008-05-03 12:10 -------- d-----w- c:\program files\Lavasoft

2009-09-25 22:40 . 2005-09-10 17:06 -------- d-----w- c:\program files\Spybot

2009-09-25 22:38 . 2009-08-21 12:08 -------- d-----w- c:\program files\PicaLoader

2009-09-25 22:36 . 2008-05-31 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-09-23 22:44 . 2009-02-17 19:53 -------- d-----w- c:\program files\Azureus

2009-09-22 23:22 . 2008-06-12 17:37 -------- d-----w- c:\program files\PowerPacket

2009-09-20 20:00 . 2005-09-03 15:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Retrospect

2009-09-06 19:10 . 2005-10-28 16:23 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Skype

2009-09-06 15:01 . 2008-10-19 15:31 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\skypePM

2009-09-06 12:09 . 2008-02-04 16:56 -------- d-----w- c:\program files\Common Files\Logishrd

2009-08-26 21:07 . 2005-08-31 14:08 -------- d-----w- c:\program files\TotalRecorder

2009-08-17 09:01 . 2005-08-30 17:50 63904 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-15 13:27 . 2009-08-15 13:27 -------- d-----w- c:\program files\MSBuild

2009-08-15 13:27 . 2009-08-15 13:27 -------- d-----w- c:\program files\Reference Assemblies

2009-08-15 13:23 . 2009-08-15 13:23 -------- d-----w- c:\program files\MSXML 6.0

2009-08-15 09:32 . 2009-08-14 11:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-08-15 09:32 . 2009-08-14 11:08 -------- d-----w- c:\program files\NOS

2009-08-10 16:49 . 2005-08-31 13:54 -------- d-----w- c:\program files\whisper

2009-07-29 09:23 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-07-29 04:53 . 2004-08-04 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll

2005-09-14 09:58 . 2005-09-09 11:08 20480 ----a-w- c:\program files\Common Files\UninstallDrv.exe

2005-10-28 07:31 . 2005-08-31 11:40 56 --sha-r- c:\windows\system32\5A04C4CEF8.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]

"PS2"="c:\windows\system32\ps2.exe" [2003-09-12 98304]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\

ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-7-21 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 01:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"mixer"=DrvTrNTm.dll

"wave"=DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

"Kernel and Hardware Abstraction Layer"=KHALMNPR.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\Program Files\\DTV\\DVB-T USB 2.0\\DVB-Tplayer.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\TotalRecorder\\TotalRecorder.exe"=

"c:\\Program Files\\Netscape\\Netscape\\Netscp.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"49251:TCP"= 49251:TCP:v

"49251:UDP"= 49251:UDP:v

R0 HFXP2;HFXP2;c:\windows\system32\drivers\hfxp2.sys [24/07/2008 22:39 17264]

R1 HFSYS;HFSYS;c:\windows\system32\drivers\hfsys.sys [12/01/2004 01:34 19732]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [24/09/2009 22:07 108289]

R3 PRISM_A00;Wireless PCI 802.11b/g adapter WN4201B Driver;c:\windows\system32\drivers\PCTELSAP.SYS [02/01/2005 01:00 306560]

R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [17/08/2008 14:48 126984]

R3 WDM_Capture_220A;DVB-T TV Receiver;c:\windows\system32\drivers\WDM_Capture_220A.sys [06/04/2006 13:57 18432]

S3 Arcadyan;Arcadyan NDIS Protocol Driver;c:\progra~1\PC-DOC~1\DIAGNO~1\Arcadyan.SYS [20/08/2004 03:14 17422]

S3 PLCMPR5;PLCMPR5 NDIS Protocol Driver;\??\c:\windows\system32\PLCMPR5.SYS --> c:\windows\system32\PLCMPR5.SYS [?]

S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;c:\windows\system32\PLCNDIS5.SYS [26/04/2004 11:11 17280]

S3 WDM_Loader_220A;DVB-T TV Loader;c:\windows\system32\drivers\WDM_Loader_220A.sys [06/04/2006 13:56 15488]

S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [06/11/2008 20:55 24652]

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = about:blank

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

TCP: {08422DD0-F4AF-4740-8A75-0201C59D6AC5} = 212.159.6.9,212.159.6.10

Handler: copernicagent - {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - c:\progra~1\COPERN~1\COPERN~1.DLL

Handler: copernicagentcache - {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - c:\progra~1\COPERN~1\COPERN~1.DLL

DPF: {FE8FE5F0-E1EE-4ACD-81E0-2A6CFECB8431} - hxxp://downloads.exam2score.com/ePenClientSpec.ocx

FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\zkvadj3e.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

.

- - - - ORPHANS REMOVED - - - -

Notify-avgrsstarter - avgrsstx.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-27 09:02

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)

c:\windows\system32\Ati2evxx.dll

c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(2844)

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\progra~1\WINDOW~1\wmpband.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\progra~1\Dantz\RETROS~1\retrorun.exe

c:\windows\system32\ati2evxx.exe

c:\progra~1\Dantz\RETROS~1\wdsvc.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\MsPMSPSv.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\windows\system32\wscntfy.exe

c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe

.

**************************************************************************

.

Completion time: 2009-09-27 9:07 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-27 08:07

Pre-Run: 100,086,472,704 bytes free

Post-Run: 99,959,095,296 bytes free

214 --- E O F --- 2009-08-15 13:32

Whatever ComboFix did, I was then able to download, install and successfully run HJT - Log follows:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 09:16:42, on 27/09/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\ps2.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\COMPAQ_OWNER\Application Data\Mozilla\Profiles\default\qy4mtwbp.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_UK.src"); (C:\Documents and Settings\COMPAQ_OWNER\Application Data\Mozilla\Profiles\default\qy4mtwbp.slt\prefs.js)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1

O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {FE8FE5F0-E1EE-4ACD-81E0-2A6CFECB8431} (ePenClientSpec.ucEPenClientspec) - http://downloads.exam2score.com/ePenClientSpec.ocx

O17 - HKLM\System\CCS\Services\Tcpip\..\{08422DD0-F4AF-4740-8A75-0201C59D6AC5}: NameServer = 212.159.6.9,212.159.6.10

O17 - HKLM\System\CS1\Services\Tcpip\..\{08422DD0-F4AF-4740-8A75-0201C59D6AC5}: NameServer = 212.159.6.9,212.159.6.10

O17 - HKLM\System\CS2\Services\Tcpip\..\{08422DD0-F4AF-4740-8A75-0201C59D6AC5}: NameServer = 212.159.6.9,212.159.6.10

O17 - HKLM\System\CS3\Services\Tcpip\..\{08422DD0-F4AF-4740-8A75-0201C59D6AC5}: NameServer = 212.159.6.9,212.159.6.10

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe

O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccess.exe

O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe

O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/COMPAQ~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--

End of file - 6772 bytes


  • Staff

Hi,

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Ok, thanks again. Ran the two things you suggested and the logs follow below. Anything untoward?

Since then I've run Avira and it has detected two nasties (which weren't there on last night's scan) and also 25 "hidden files" which were also there last night and which it says it can't shift (despite my attempt to clean out IE temp files). There are 8 further warnings. Do I need to do anything about these? I've posted the Avira report also, after your Security Check file checkup.txt.

Everything appears to be running smoothly, though one or two processes I don't recognise (fssm32.exe is one of them) are now running - perhaps these are connected with what you asked me to do?

I would normally make regular use of SpyBot and Adaware alongside AVG and I'm still a bit spooked as to how the stuff that caused the trouble these last few days got onto my machine - what did I do wrong?

Is there something better you can recommend?

Many thanks for all your time and help - you guys are stars !!

Here's the F-Secure report...

Scanning Report

Monday, September 28, 2009 18:31:29 - 19:29:13

Computer name: STARSKY

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\ D:\ E:\

--------------------------------------------------------------------------------

No malware found

--------------------------------------------------------------------------------

Statistics

Scanned:

Files: 56894

System: 4743

Not scanned: 13

Actions:

Disinfected: 0

Renamed: 0

Deleted: 0

Not cleaned: 0

Submitted: 0

Files not scanned:

C:\PAGEFILE.SYS

C:\WINDOWS\SYSTEM32\DUMPREP.EXE

C:\WINDOWS\SYSTEM32\MRT.EXE

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

C:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE

C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE

C:\PROGRAM FILES\SPYBOT\SPYBOTSD.EXE

C:\PROGRAM FILES\COMMON FILES\AOL\LOADER\AOLLOAD.EXE

C:\DOCUMENTS AND SETTINGS\COMPAQ_OWNER\MY DOCUMENTS\STEVE\SPYWARE\HIJACKTHIS.EXE

--------------------------------------------------------------------------------

Options

Scanning engines:

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use advanced heuristics

--------------------------------------------------------------------------------

Copyright


  • Staff
> Ok, thanks again. Ran the two things you suggested and the logs follow below. Anything untoward?

Those "hidden" temp files are rather untoward, though they might have been part of the online scan. Grab a fresh copy of ComboFix, run it, and post its log.

Actually before you do that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java Web Start

Java™ 6 Update 3

Java 2 Runtime Environment, SE v1.4.2_03

Java 2 Runtime Environment, SE v1.4.0_01

Java 2 Runtime Environment, SE v1.4.1_02

Adobe Reader 7.1.0

Restart your computer.

Get the latest version of Java and Adobe Reader.

Then run ComboFix and post its log.

> Since then I've run Avira and it has detected two nasties (which weren't there on last night's scan) and also 25 "hidden files" which were also there last night and which it says it can't shift (despite my attempt to clean out IE temp files). There are 8 further warnings. Do I need to do anything about these? I've posted the Avira report also, after your Security Check file checkup.txt.

We'll see after you post the ComboFix log.

> Everything appears to be running smoothly, though one or two processes I don't recognise (fssm32.exe is one of them) are now running - perhaps these are connected with what you asked me to do?

That's from the F-Secure online scan.

> I would normally make regular use of SpyBot and Adaware alongside AVG and I'm still a bit spooked as to how the stuff that caused the trouble these last few days got onto my machine - what did I do wrong?

Could be a number of things; the most common being visiting porn, keygen, and crack sites. Could be from social networking sites, P2P programs, etc. It's a tainted cyberworld we live in. ;) Also, anti-malware programs are not infallible; the criminals come up with more deceptive tactics and often the major corporations are left behind.

-screen317


Hello and thanks again for your continued support. I've uninstalled all the things you listed, re-started, installed new Java and Adobe, then ran ComboFix. It appeared to run successfully, did not this time reboot into safe mode before scanning; logfile below.

All seemed to be running smoothly, so I tried moving back towards "normal" working, but some weird things are still happening.

1. I ran Avira and it reported exactly the same set of hidden files as last time, at the same location. But when I navigate to the folder where the files are located and get Avira to scan the folder (using the right-click menu) it reports no files present. Haven't bothered to post the Avira report since it's the same details as yesterday, but will do so if you'd like to see it.

2. Avira flagged that it needed to be updated but the updater wouldn't run (it launched and then hung, several times). I manually updated from the website.

3. Tried Spybot but cannot run it, or uninstall it or reinstall it. It doesn't appear in Control Panel


  • Staff

Hi,

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

Folder::

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScriptB-4.gif]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

After that, please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu). See if you can delete Spybot's folder now.

-screen317


OK, I copied the script and used it to launch ComboFix. Rebooted into Safe Mode but was unable to delete the Spybot folder. When Windows came to delete the SpybotSD.exe file access was denied. (FYI, there are two copies of Spybot files. When I first had problems I reinstalled Spybot into a differently named folder, but neither SpybotSD.exe file will run, or delete.) I do have two utilities (Unlocker and MoveOnBoot) that I have used before but have not yet tried on this Spybot problem in case it messes up anything you're trying to do to help me.

I have also run Avira again and again it has identified the same 25 hidden files as before, in the same location as before. It also says it has found two further infections, looks like in the system restore, so I'm posting the log for that scan as well in case it tells you stuff.

Question - I have avoided, for the past week, using anything on the internet for which a password is required; do you think I'm safe to start doing that again yet?

Many thanks once more for your continued patience.

Combo Fix and HJT and Avira logs follow....

ComboFix 09-09-30.06 - Compaq_Owner 01/10/2009 17:57.3.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1023.595 [GMT 1:00]

Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\81AVO1YR\desktop.ini

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\[1]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\[10]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\[11]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\[12]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\[13]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\[14]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\[15]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\[2]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\[3]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\[4]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\[5]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\[6]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\[7]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\[8]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\[9]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\desktop.ini

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\eTicket.pdf

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\desktop.ini

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\FFNH1X0A\desktop.ini

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\index.dat

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\W12Z4TAV\desktop.ini

.

((((((((((((((((((((((((( Files Created from 2009-09-01 to 2009-10-01 )))))))))))))))))))))))))))))))

.

2009-09-30 20:56 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-30 20:56 . 2009-09-30 22:03 -------- d-----w- c:\program files\Malwarebytes

2009-09-30 20:56 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-30 17:26 . 2009-09-30 17:26 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-09-28 17:31 . 2009-09-28 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure

2009-09-27 08:16 . 2009-09-27 08:16 -------- d-----w- c:\program files\Trend Micro

2009-09-26 11:01 . 2009-09-30 20:35 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-09-26 10:03 . 2009-09-26 10:03 -------- d-----w- c:\program files\ERUNT

2009-09-25 21:27 . 2009-09-23 16:02 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2009-09-24 21:07 . 2009-07-28 15:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-09-24 21:07 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-09-24 21:07 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-09-24 21:07 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-09-24 21:07 . 2009-09-24 21:07 -------- d-----w- c:\program files\Avira

2009-09-24 21:07 . 2009-09-24 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-09-24 16:06 . 2009-09-24 16:06 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Azureus

2009-09-23 18:38 . 2009-09-23 18:40 -------- d-----w- c:\documents and settings\Compaq_Owner\DoctorWeb

2009-09-23 17:29 . 2009-09-23 17:29 -------- d-----w- c:\program files\OEBW

2009-09-23 16:02 . 2009-09-25 21:27 -------- d-----w- c:\documents and settings\Compaq_Owner\.housecall6.6

2009-09-22 22:55 . 2009-09-22 22:55 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes

2009-09-22 22:55 . 2009-09-22 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-22 17:03 . 2009-09-22 17:03 -------- d-----w- C:\spoolerlogs

2009-09-06 17:01 . 2009-09-06 17:01 -------- d-----w- c:\program files\CopyFilenames

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-01 16:35 . 2009-09-06 12:09 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

2009-09-30 20:35 . 2005-09-10 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-30 17:26 . 2005-01-01 23:54 -------- d-----w- c:\program files\Java

2009-09-30 17:23 . 2005-06-24 18:16 -------- d-----w- c:\program files\Common Files\Adobe

2009-09-30 17:07 . 2005-01-02 00:10 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-09-27 20:00 . 2005-09-03 15:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Retrospect

2009-09-26 10:39 . 2009-06-12 05:57 -------- d-----w- c:\program files\Unlocker

2009-09-25 22:41 . 2008-05-03 12:10 -------- d-----w- c:\program files\Lavasoft

2009-09-25 22:40 . 2005-09-10 17:06 -------- d-----w- c:\program files\Spybot

2009-09-25 22:38 . 2009-08-21 12:08 -------- d-----w- c:\program files\PicaLoader

2009-09-25 22:36 . 2008-05-31 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-09-23 22:44 . 2009-02-17 19:53 -------- d-----w- c:\program files\Azureus

2009-09-22 23:22 . 2008-06-12 17:37 -------- d-----w- c:\program files\PowerPacket

2009-09-06 19:10 . 2005-10-28 16:23 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Skype

2009-09-06 15:01 . 2008-10-19 15:31 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\skypePM

2009-09-06 12:09 . 2008-02-04 16:56 -------- d-----w- c:\program files\Common Files\Logishrd

2009-08-29 08:18 . 2009-08-29 08:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus

2009-08-26 21:07 . 2005-08-31 14:08 -------- d-----w- c:\program files\TotalRecorder

2009-08-17 09:01 . 2005-08-30 17:50 63904 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-15 13:27 . 2009-08-15 13:27 -------- d-----w- c:\program files\MSBuild

2009-08-15 13:27 . 2009-08-15 13:27 -------- d-----w- c:\program files\Reference Assemblies

2009-08-15 13:23 . 2009-08-15 13:23 -------- d-----w- c:\program files\MSXML 6.0

2009-08-15 09:32 . 2009-08-14 11:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-08-15 09:32 . 2009-08-14 11:08 -------- d-----w- c:\program files\NOS

2009-08-10 16:49 . 2005-08-31 13:54 -------- d-----w- c:\program files\whisper

2009-07-29 09:23 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-07-29 04:53 . 2004-08-04 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll

2005-09-14 09:58 . 2005-09-09 11:08 20480 ----a-w- c:\program files\Common Files\UninstallDrv.exe

2005-10-28 07:31 . 2005-08-31 11:40 56 --sha-r- c:\windows\system32\5A04C4CEF8.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-09-27_08.03.24 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-09-30 17:26 . 2009-09-30 17:26 149280 c:\windows\system32\javaws.exe

+ 2009-09-30 17:26 . 2009-09-30 17:26 145184 c:\windows\system32\javaw.exe

+ 2009-09-30 17:26 . 2009-09-30 17:26 145184 c:\windows\system32\java.exe

+ 2009-09-30 17:26 . 2009-09-30 17:26 537600 c:\windows\Installer\22fac.msi

+ 2009-09-30 16:58 . 2009-09-30 16:58 196608 c:\windows\ERDNT\AutoBackup\30-09-2009\Users\00000002\UsrClass.dat

+ 2009-09-30 16:58 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\30-09-2009\ERDNT.EXE

+ 2009-09-29 05:13 . 2009-09-29 05:13 196608 c:\windows\ERDNT\AutoBackup\29-09-2009\Users\00000002\UsrClass.dat

+ 2009-09-29 05:13 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\29-09-2009\ERDNT.EXE

+ 2009-09-28 14:46 . 2009-09-28 14:46 196608 c:\windows\ERDNT\AutoBackup\28-09-2009\Users\00000002\UsrClass.dat

+ 2009-09-28 14:46 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\28-09-2009\ERDNT.EXE

+ 2009-10-01 12:33 . 2009-10-01 12:33 212992 c:\windows\ERDNT\AutoBackup\01-10-2009\Users\00000002\UsrClass.dat

+ 2009-10-01 12:33 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\01-10-2009\ERDNT.EXE

+ 2009-07-10 09:39 . 2009-07-10 09:39 406640 c:\windows\Downloaded Program Files\fslauncher.dll

+ 2009-09-30 17:23 . 2009-09-30 17:23 3938816 c:\windows\Installer\22fa4.msi

+ 2009-09-30 16:58 . 2009-09-30 16:58 7892992 c:\windows\ERDNT\AutoBackup\30-09-2009\Users\00000001\ntuser.dat

+ 2009-09-29 05:13 . 2009-09-29 05:13 7892992 c:\windows\ERDNT\AutoBackup\29-09-2009\Users\00000001\ntuser.dat

+ 2009-09-28 14:46 . 2009-09-28 14:46 7892992 c:\windows\ERDNT\AutoBackup\28-09-2009\Users\00000001\ntuser.dat

+ 2009-10-01 12:33 . 2009-10-01 12:33 7892992 c:\windows\ERDNT\AutoBackup\01-10-2009\Users\00000001\ntuser.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-14 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]

"PS2"="c:\windows\system32\ps2.exe" [2003-09-12 98304]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-30 149280]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes\mbam.exe" [2009-09-10 1312080]

"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\

ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-7-21 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 01:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"mixer"=DrvTrNTm.dll

"wave"=DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

"Kernel and Hardware Abstraction Layer"=KHALMNPR.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\Program Files\\DTV\\DVB-T USB 2.0\\DVB-Tplayer.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\TotalRecorder\\TotalRecorder.exe"=

"c:\\Program Files\\Netscape\\Netscape\\Netscp.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"49251:TCP"= 49251:TCP:v

"49251:UDP"= 49251:UDP:v

R0 HFXP2;HFXP2;c:\windows\system32\drivers\hfxp2.sys [24/07/2008 22:39 17264]

R1 HFSYS;HFSYS;c:\windows\system32\drivers\hfsys.sys [12/01/2004 01:34 19732]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [24/09/2009 22:07 108289]

R3 PRISM_A00;Wireless PCI 802.11b/g adapter WN4201B Driver;c:\windows\system32\drivers\PCTELSAP.SYS [02/01/2005 01:00 306560]

R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [17/08/2008 14:48 126984]

R3 WDM_Capture_220A;DVB-T TV Receiver;c:\windows\system32\drivers\WDM_Capture_220A.sys [06/04/2006 13:57 18432]

S3 Arcadyan;Arcadyan NDIS Protocol Driver;c:\progra~1\PC-DOC~1\DIAGNO~1\Arcadyan.SYS [20/08/2004 03:14 17422]

S3 PLCMPR5;PLCMPR5 NDIS Protocol Driver;\??\c:\windows\system32\PLCMPR5.SYS --> c:\windows\system32\PLCMPR5.SYS [?]

S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;c:\windows\system32\PLCNDIS5.SYS [26/04/2004 11:11 17280]

S3 WDM_Loader_220A;DVB-T TV Loader;c:\windows\system32\drivers\WDM_Loader_220A.sys [06/04/2006 13:56 15488]

S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [06/11/2008 20:55 24652]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = about:blank

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

TCP: {08422DD0-F4AF-4740-8A75-0201C59D6AC5} = 212.159.6.9,212.159.6.10

Handler: copernicagent - {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - c:\progra~1\COPERN~1\COPERN~1.DLL

Handler: copernicagentcache - {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - c:\progra~1\COPERN~1\COPERN~1.DLL

DPF: {FE8FE5F0-E1EE-4ACD-81E0-2A6CFECB8431} - hxxp://downloads.exam2score.com/ePenClientSpec.ocx

FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\zkvadj3e.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-01 18:04

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)

c:\windows\system32\Ati2evxx.dll

c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

c:\program files\common files\logitech\bluetooth\LBTServ.dll

.

Completion time: 2009-10-01 18:06

ComboFix-quarantined-files.txt 2009-10-01 17:06

ComboFix2.txt 2009-09-27 08:07

Pre-Run: 99,193,856,000 bytes free

Post-Run: 99,157,475,328 bytes free

229 --- E O F --- 2009-08-15 13:32

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:18:01, on 01/10/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\CDBurnerXP\NMSAccess.exe

C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\ps2.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\COMPAQ_OWNER\Application Data\Mozilla\Profiles\default\qy4mtwbp.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_UK.src"); (C:\Documents and Settings\COMPAQ_OWNER\Application Data\Mozilla\Profiles\default\qy4mtwbp.slt\prefs.js)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O16 - DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/f-secu.../fslauncher.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab

O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -

O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {FE8FE5F0-E1EE-4ACD-81E0-2A6CFECB8431} (ePenClientSpec.ucEPenClientspec) - http://downloads.exam2score.com/ePenClientSpec.ocx

O17 - HKLM\System\CCS\Services\Tcpip\..\{08422DD0-F4AF-4740-8A75-0201C59D6AC5}: NameServer = 212.159.6.9,212.159.6.10

O17 - HKLM\System\CS1\Services\Tcpip\..\{08422DD0-F4AF-4740-8A75-0201C59D6AC5}: NameServer = 212.159.6.9,212.159.6.10

O17 - HKLM\System\CS2\Services\Tcpip\..\{08422DD0-F4AF-4740-8A75-0201C59D6AC5}: NameServer = 212.159.6.9,212.159.6.10

O17 - HKLM\System\CS3\Services\Tcpip\..\{08422DD0-F4AF-4740-8A75-0201C59D6AC5}: NameServer = 212.159.6.9,212.159.6.10

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe

O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccess.exe

O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe

O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/COMPAQ~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--

End of file - 7550 bytes

Avira AntiVir Personal

Report file date: Thursday, October 01, 2009 18:27

Scanning for 1765187 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 2) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : STARSKY

Version information:

BUILD.DAT : 9.0.0.410 18074 Bytes 25/09/2009 11:56:00

AVSCAN.EXE : 9.0.3.7 466689 Bytes 21/07/2009 13:36:14

AVSCAN.DLL : 9.0.3.0 40705 Bytes 27/02/2009 10:58:24

LUKE.DLL : 9.0.3.2 209665 Bytes 20/02/2009 11:35:49

LUKERES.DLL : 9.0.2.0 12033 Bytes 27/02/2009 10:58:52

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27/10/2008 13:50:58

ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 24/06/2009 13:50:58

ANTIVIR2.VDF : 7.1.6.50 4333568 Bytes 29/09/2009 08:16:20

ANTIVIR3.VDF : 7.1.6.59 128000 Bytes 30/09/2009 16:12:04

Engineversion : 8.2.1.27

AEVDF.DLL : 8.1.1.2 106867 Bytes 15/09/2009 15:58:02

AESCRIPT.DLL : 8.1.2.33 479611 Bytes 21/09/2009 16:27:58

AESCN.DLL : 8.1.2.5 127346 Bytes 03/09/2009 15:24:42

AERDL.DLL : 8.1.2.4 430452 Bytes 14/07/2009 17:08:26

AEPACK.DLL : 8.2.0.0 422261 Bytes 15/09/2009 15:58:00

AEOFFICE.DLL : 8.1.0.38 196987 Bytes 17/06/2009 14:32:46

AEHEUR.DLL : 8.1.0.155 1921400 Bytes 18/08/2009 14:02:16

AEHELP.DLL : 8.1.7.0 237940 Bytes 03/09/2009 15:24:42

AEGEN.DLL : 8.1.1.66 364917 Bytes 25/09/2009 16:23:24

AEEMU.DLL : 8.1.0.9 393588 Bytes 15/10/2008 10:49:36

AECORE.DLL : 8.1.8.1 184693 Bytes 15/09/2009 15:57:58

AEBB.DLL : 8.1.0.3 53618 Bytes 15/10/2008 10:49:34

AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 08:47:59

AVPREF.DLL : 9.0.3.0 44289 Bytes 25/09/2009 21:07:44

AVREP.DLL : 8.0.0.3 155905 Bytes 20/01/2009 14:34:28

AVREG.DLL : 9.0.0.0 36609 Bytes 05/12/2008 10:32:09

AVARKT.DLL : 9.0.0.3 292609 Bytes 24/03/2009 15:05:41

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 30/01/2009 10:37:08

SQLITE3.DLL : 3.6.1.0 326401 Bytes 28/01/2009 15:03:49

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 02/02/2009 08:21:33

NETNT.DLL : 9.0.0.0 11521 Bytes 05/12/2008 10:32:10

RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 15/05/2009 15:39:58

RCTEXT.DLL : 9.0.37.0 86785 Bytes 17/04/2009 10:19:48

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:, D:, E:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Start of the scan: Thursday, October 01, 2009 18:27

Starting search for hidden objects.

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\14292_small[1].jpg

[INFO] The file is not visible.

[NOTE] A backup was created as '4af6edf3.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\desktop.ini

[INFO] The file is not visible.

[NOTE] A backup was created as '4b37ee24.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\editor_rosette[1].gif

[INFO] The file is not visible.

[NOTE] A backup was created as '4b2dee23.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\editor_tail_r2_c7[1].gif

[INFO] The file is not visible.

[NOTE] A backup was created as '4b2dee28.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\tt-rain-butterfly-neutral-c3518[1].jpg

[INFO] The file is not visible.

[NOTE] A backup was created as '4af1ee3c.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\typeahead_log[1].htm

[INFO] The file is not visible.

[NOTE] A backup was created as '4b34ee42.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk3c.tmp

[INFO] The file is not visible.

[NOTE] A backup was created as '4b2fee2b.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk45.tmp

[INFO] The file is not visible.

[NOTE] A backup was created as '4a95f014.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk47.tmp

[INFO] The file is not visible.

[NOTE] A backup was created as '48a0f084.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk4a.tmp

[INFO] The file is not visible.

[NOTE] A backup was created as '48bea8a4.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk4e.tmp

[INFO] The file is not visible.

[NOTE] A backup was created as '48bc8044.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk50.tmp

[INFO] The file is not visible.

[NOTE] A backup was created as '48ba7864.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[10]

[INFO] The file is not visible.

[NOTE] A backup was created as '4af5ee24.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[11]

[INFO] The file is not visible.

[NOTE] A backup was created as '496c082d.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[12]

[INFO] The file is not visible.

[NOTE] A backup was created as '4969e3cd.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[13]

[INFO] The file is not visible.

[NOTE] A backup was created as '496bdbed.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[1]

[INFO] The file is not visible.

[NOTE] A backup was created as '4b1fee25.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[2]

[INFO] The file is not visible.

[NOTE] A backup was created as '48bd6bae.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[3]

[INFO] The file is not visible.

[NOTE] A backup was created as '48bb434e.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[4]

[INFO] The file is not visible.

[NOTE] A backup was created as '48b93b6e.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[5]

[INFO] The file is not visible.

[NOTE] A backup was created as '48b7130e.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[6]

[INFO] The file is not visible.

[NOTE] A backup was created as '48b4cb2e.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[7]

[iNFO] The file is not visible.

[NOTE] A backup was created as '48b2a2ce.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[8]

[iNFO] The file is not visible.

[NOTE] A backup was created as '48b09aee.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[9]

[iNFO] The file is not visible.

[NOTE] A backup was created as '48ae728e.qua' ( QUARANTINE )

'63411' objects were checked, '25' hidden objects were found.

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'notepad.exe' - '1' Module(s) have been scanned

Scan process 'firefox.exe' - '1' Module(s) have been scanned

Scan process 'notepad.exe' - '1' Module(s) have been scanned

Scan process 'KHALMNPR.exe' - '1' Module(s) have been scanned

Scan process 'SetPoint.exe' - '1' Module(s) have been scanned

Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned

Scan process 'msmsgs.exe' - '1' Module(s) have been scanned

Scan process 'jusched.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'ps2.EXE' - '1' Module(s) have been scanned

Scan process 'AGRSMMSG.exe' - '1' Module(s) have been scanned

Scan process 'hpsysdrv.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned

Scan process 'CALMAIN.exe' - '1' Module(s) have been scanned

Scan process 'MsPMSPSv.exe' - '1' Module(s) have been scanned

Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'wdsvc.exe' - '1' Module(s) have been scanned

Scan process 'retrorun.exe' - '1' Module(s) have been scanned

Scan process 'NMSAccess.exe' - '1' Module(s) have been scanned

Scan process 'jqs.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

40 processes with 40 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[iNFO] No virus was found!

Master boot sector HD1

[iNFO] No virus was found!

Master boot sector HD2

[iNFO] No virus was found!

Master boot sector HD3

[iNFO] No virus was found!

Master boot sector HD4

[iNFO] No virus was found!

Master boot sector HD5

[iNFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[iNFO] No virus was found!

Boot sector 'D:\'

[iNFO] No virus was found!

Boot sector 'E:\'

[iNFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '59' files ).

Starting the file scan:

Begin scan in 'C:\' <DRIVE1>

C:\hiberfil.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\Documents and Settings\Compaq_Owner\My Documents\Steve\spyware\HijackThis.exe

[WARNING] The file could not be opened!

C:\Program Files\Common Files\AOL\Loader\aolload.exe

[WARNING] The file could not be opened!

C:\Program Files\Spybot\SpybotSD.exe

[WARNING] The file could not be opened!

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

[WARNING] The file could not be opened!

C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP1240\A0197001.sys

[DETECTION] Is the TR/Trash.Gen Trojan

C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP1240\A0197002.sys

[DETECTION] Is the TR/Trash.Gen Trojan

C:\WINDOWS\system32\dumprep.exe

[WARNING] The file could not be opened!

C:\WINDOWS\system32\MRT.exe

[WARNING] The file could not be opened!

Begin scan in 'D:\' <DRIVE2>

Begin scan in 'E:\' <PRESARIO_RP>

Beginning disinfection:

C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP1240\A0197001.sys

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '4af5f983.qua'!

C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP1240\A0197002.sys

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '496233a4.qua'!

End of the scan: Thursday, October 01, 2009 19:47

Used time: 1:19:12 Hour(s)

The scan has been done completely.

8568 Scanned directories

428491 Files were scanned

2 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

27 Files were moved to quarantine

0 Files were renamed

8 Files cannot be scanned

428481 Files not concerned

13265 Archives were scanned

8 Warnings

29 Notes

63411 Objects were scanned with rootkit scan

25 Hidden objects were found


  • Staff

Hmm... Hold off on doing anything password-sensitive yet.

There's something I want to try; there may be another infection hiding here.

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    DrvTrNTm.dll


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

After that, download this Registry Search by Bobbi Flekman, save it, and extract regsearch.exe to the Desktop. You will use it in a moment.

Double-click regsearch.exe to start it. In the top window, enter DrvTrNTm as the search string on the first line. Make sure all the option boxes are checked, and click "Ok". Notepad will be opened with text in it (the file will also be saved to the Desktop as RegSearch.txt). Post this text in your next reply.

-screen317


Hi - sorry for the delay replying, been away for the weekend.

Ran both the things you asked, and logs follow....

SystemLook v1.0 by jpshortstuff (29.08.09)

Log created at 19:26 on 04/10/2009 by Compaq_Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "DrvTrNTm.dll"

C:\WINDOWS\system32\DrvTrNTm.dll --a--- 61448 bytes [14:50 15/10/2006] [23:18 18/11/2008] A96B945112263E3376FCAF33B94986CB

-=End Of File=-

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman


Follow-up post from last night....

Chris, I'm off work at home today and have done two scans this morning. MBAM has picked up 3 further infections in system restore. And then Avira has picked up another, different, infection. Plus Avira is still finding those 25 hidden files. Just on the off-chance I had another go at deleting the Spybot files but no go.

So I guess there's still - as you suggested - something nasty lingering.

Here are the logs from the two scans. I was puzzled at first by the incomplete MBAM log, until I realised that I clicked "Save Report" BEFORE I clicked "Repair", so where it says no action has been taken in fact those files were quarantined.

Malwarebytes' Anti-Malware 1.41

Database version: 2908

Windows 5.1.2600 Service Pack 2

05/10/2009 11:10:17

mbam-log-2009-10-05 (11-10-06).txt

Scan type: Full Scan (C:\|D:\|E:\|)

Objects scanned: 199503

Time elapsed: 59 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP1240\A0196916.sys (Worm.Agent) -> No action taken.

C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP1240\A0197047.sys (Worm.Agent) -> No action taken.

C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP1240\A0197208.sys (Worm.Agent) -> No action taken.

Avira AntiVir Personal

Report file date: Monday, October 05, 2009 11:13

Scanning for 1772828 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 2) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : STARSKY

Version information:

BUILD.DAT : 9.0.0.410 18074 Bytes 25/09/2009 11:56:00

AVSCAN.EXE : 9.0.3.7 466689 Bytes 21/07/2009 13:36:14

AVSCAN.DLL : 9.0.3.0 40705 Bytes 27/02/2009 10:58:24

LUKE.DLL : 9.0.3.2 209665 Bytes 20/02/2009 11:35:49

LUKERES.DLL : 9.0.2.0 12033 Bytes 27/02/2009 10:58:52

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27/10/2008 13:50:58

ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 24/06/2009 13:50:58

ANTIVIR2.VDF : 7.1.6.50 4333568 Bytes 29/09/2009 08:16:20

ANTIVIR3.VDF : 7.1.6.68 216576 Bytes 02/10/2009 18:26:31

Engineversion : 8.2.1.33

AEVDF.DLL : 8.1.1.2 106867 Bytes 15/09/2009 15:58:02

AESCRIPT.DLL : 8.1.2.35 483707 Bytes 04/10/2009 18:27:00

AESCN.DLL : 8.1.2.5 127346 Bytes 03/09/2009 15:24:42

AERDL.DLL : 8.1.3.2 479604 Bytes 04/10/2009 18:26:57

AEPACK.DLL : 8.2.0.0 422261 Bytes 15/09/2009 15:58:00

AEOFFICE.DLL : 8.1.0.38 196987 Bytes 17/06/2009 14:32:46

AEHEUR.DLL : 8.1.0.166 2003319 Bytes 04/10/2009 18:26:53

AEHELP.DLL : 8.1.7.0 237940 Bytes 03/09/2009 15:24:42

AEGEN.DLL : 8.1.1.67 364916 Bytes 04/10/2009 18:26:36

AEEMU.DLL : 8.1.1.0 393587 Bytes 04/10/2009 18:26:34

AECORE.DLL : 8.1.8.1 184693 Bytes 15/09/2009 15:57:58

AEBB.DLL : 8.1.0.3 53618 Bytes 15/10/2008 10:49:34

AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 08:47:59

AVPREF.DLL : 9.0.3.0 44289 Bytes 25/09/2009 21:07:44

AVREP.DLL : 8.0.0.3 155905 Bytes 20/01/2009 14:34:28

AVREG.DLL : 9.0.0.0 36609 Bytes 05/12/2008 10:32:09

AVARKT.DLL : 9.0.0.3 292609 Bytes 24/03/2009 15:05:41

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 30/01/2009 10:37:08

SQLITE3.DLL : 3.6.1.0 326401 Bytes 28/01/2009 15:03:49

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 02/02/2009 08:21:33

NETNT.DLL : 9.0.0.0 11521 Bytes 05/12/2008 10:32:10

RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 15/05/2009 15:39:58

RCTEXT.DLL : 9.0.37.0 86785 Bytes 17/04/2009 10:19:48

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:, D:, E:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Start of the scan: Monday, October 05, 2009 11:13

Starting search for hidden objects.

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\14292_small[1].jpg

[iNFO] The file is not visible.

[NOTE] A backup was created as '4afbc802.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\desktop.ini

[iNFO] The file is not visible.

[NOTE] A backup was created as '4b3cc833.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\editor_rosette[1].gif

[iNFO] The file is not visible.

[NOTE] A backup was created as '4b32c832.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\editor_tail_r2_c7[1].gif

[iNFO] The file is not visible.

[NOTE] A backup was created as '4b32c836.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\tt-rain-butterfly-neutral-c3518[1].jpg

[iNFO] The file is not visible.

[NOTE] A backup was created as '4af6c84b.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\typeahead_log[1].htm

[iNFO] The file is not visible.

[NOTE] A backup was created as '4b39c850.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk3c.tmp

[iNFO] The file is not visible.

[NOTE] A backup was created as '4b34c839.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk45.tmp

[iNFO] The file is not visible.

[NOTE] A backup was created as '484c0772.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk47.tmp

[iNFO] The file is not visible.

[NOTE] A backup was created as '484e3f12.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk4a.tmp

[iNFO] The file is not visible.

[NOTE] A backup was created as '4849d732.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk4e.tmp

[iNFO] The file is not visible.

[NOTE] A backup was created as '484b8ed2.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk50.tmp

[iNFO] The file is not visible.

[NOTE] A backup was created as '48b5a6f2.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[10]

[iNFO] The file is not visible.

[NOTE] A backup was created as '4afac832.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[11]

[iNFO] The file is not visible.

[NOTE] A backup was created as '497f76bb.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[12]

[iNFO] The file is not visible.

[NOTE] A backup was created as '497d2e5b.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[13]

[iNFO] The file is not visible.

[NOTE] A backup was created as '4970c67b.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[1]

[iNFO] The file is not visible.

[NOTE] A backup was created as '4b24c833.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[2]

[iNFO] The file is not visible.

[NOTE] A backup was created as '48aa963c.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[3]

[iNFO] The file is not visible.

[NOTE] A backup was created as '48b44ddc.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[4]

[iNFO] The file is not visible.

[NOTE] A backup was created as '48b665fc.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[5]

[iNFO] The file is not visible.

[NOTE] A backup was created as '48b01d9c.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[6]

[iNFO] The file is not visible.

[NOTE] A backup was created as '48b235bc.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[7]

[iNFO] The file is not visible.

[NOTE] A backup was created as '48bded5c.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[8]

[iNFO] The file is not visible.

[NOTE] A backup was created as '48bf857c.qua' ( QUARANTINE )

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[9]

[iNFO] The file is not visible.

[NOTE] A backup was created as '48b9bd1c.qua' ( QUARANTINE )

'64245' objects were checked, '25' hidden objects were found.

The scan of running processes will be started

Scan process 'wuauclt.exe' - '1' Module(s) have been scanned

Scan process 'msimn.exe' - '1' Module(s) have been scanned

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'aolsoftware.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned

Scan process 'CALMAIN.exe' - '1' Module(s) have been scanned

Scan process 'MsPMSPSv.exe' - '1' Module(s) have been scanned

Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'wdsvc.exe' - '1' Module(s) have been scanned

Scan process 'KHALMNPR.exe' - '1' Module(s) have been scanned

Scan process 'SetPoint.exe' - '1' Module(s) have been scanned

Scan process 'aim6.exe' - '1' Module(s) have been scanned

Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned

Scan process 'msmsgs.exe' - '1' Module(s) have been scanned

Scan process 'jusched.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'ps2.EXE' - '1' Module(s) have been scanned

Scan process 'AGRSMMSG.exe' - '1' Module(s) have been scanned

Scan process 'hpsysdrv.exe' - '1' Module(s) have been scanned

Scan process 'retrorun.exe' - '1' Module(s) have been scanned

Scan process 'NMSAccess.exe' - '1' Module(s) have been scanned

Scan process 'jqs.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

42 processes with 42 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[iNFO] No virus was found!

Master boot sector HD1

[iNFO] No virus was found!

Master boot sector HD2

[iNFO] No virus was found!

Master boot sector HD3

[iNFO] No virus was found!

Master boot sector HD4

[iNFO] No virus was found!

Master boot sector HD5

[iNFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[iNFO] No virus was found!

Boot sector 'D:\'

[iNFO] No virus was found!

Boot sector 'E:\'

[iNFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '59' files ).

Starting the file scan:

Begin scan in 'C:\' <DRIVE1>

C:\hiberfil.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\Documents and Settings\Compaq_Owner\My Documents\Steve\spyware\HijackThis.exe

[WARNING] The file could not be opened!

C:\Program Files\Common Files\AOL\Loader\aolload.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

[WARNING] The file could not be opened!

C:\Program Files\Spybot\SpybotSD.exe

[WARNING] The file could not be opened!

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

[WARNING] The file could not be opened!

C:\WINDOWS\system32\dumprep.exe

[WARNING] The file could not be opened!

C:\WINDOWS\system32\MRT.exe

[WARNING] The file could not be opened!

Begin scan in 'D:\' <DRIVE2>

Begin scan in 'E:\' <PRESARIO_RP>

Beginning disinfection:

C:\Program Files\Common Files\AOL\Loader\aolload.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004

[WARNING] The source file could not be found.

[NOTE] Attempting to perform action using the ARK library.

[NOTE] The file was moved to '4b35d539.qua'!

End of the scan: Monday, October 05, 2009 12:13

Used time: 55:13 Minute(s)

The scan has been done completely.

8612 Scanned directories

429488 Files were scanned

1 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

26 Files were moved to quarantine

0 Files were renamed

8 Files cannot be scanned

429479 Files not concerned

13268 Archives were scanned

8 Warnings

28 Notes

64245 Objects were scanned with rootkit scan

25 Hidden objects were found


  • Staff

Hmm.

It is vital that you have a firewall. The one that comes with Windows XP is not sufficient in that it only checks incoming data. I recommend selecting one of the following free firewalls. Be sure to only install one.

Kerio

Comodo

Outpost

After installing, restart your computer and see if it gives you any alerts from something trying to phone home.

-screen317


OK. I've done the following

1. Installed Kerio and rebooted. Can't see anything untoward in the alerts it throws up as everything gets going. There are 3 separate items for AIM6 including two separate connections out, which puzzles me but I'm well beyond what very limited techie knowledge I possess so it might well be fine. If I recognise a process trying to connect does that mean it's probably OK? Could post a screenshot but am unsure if it's wise to post in a public forum something with IP & port details. Could PM you if that's likely to help.

2. Uninstalled Firefox (been showing symptoms of corruption, eg bookmarking not working, home page not always loading) and installed clean updated copy. That now seems to be running smoothly.

3. Created system restore point (because MBAM had identified infections there so I just wondered....)

4. Run full MBAM scan, no problems.

5. Run Avira, and OK BUT still the same 25 hidden files that nothing except Avira seems to find.

6. Run Unlocker1.8.7 utility which appears to have successfully deleted the Spybot files I couldn't shift.

7. Installed clean copy of SpybotSD, run it, no threats reported.

So I guess I'm clean??? Should I just ignore Avira's hidden files? Can you suggest anything else, either regarding that or future good safety practice?


  • Staff

> 1. Installed Kerio and rebooted. Can't see anything untoward in the alerts it throws up as everything gets going. There are 3 separate items for AIM6 including two separate connections out, which puzzles me but I'm well beyond what very limited techie knowledge I possess so it might well be fine.

Yes it's fine; AIM has multiple functions so it's not surprising that it would establish multiple connections.

> If I recognise a process trying to connect does that mean it's probably OK?

Yes it's probably okay; as you "allow" programs with your firewall, it will get "smarter" and stop nagging you for legitimate things. Unknown processes are worth investigating. Feel free to post here; I'll delete the image after I'm done looking at it.

> 2. Uninstalled Firefox (been showing symptoms of corruption, eg bookmarking not working, home page not always loading) and installed clean updated copy. That now seems to be running smoothly.

Good to hear.

> 3. Created system restore point (because MBAM had identified infections there so I just wondered....)

That's fine.

> 4. Run full MBAM scan, no problems.
>
> 6. Run Unlocker1.8.7 utility which appears to have successfully deleted the Spybot files I couldn't shift.
>
> 7. Installed clean copy of SpybotSD, run it, no threats reported.

Great, great, and great. :lol:

> 5. Run Avira, and OK BUT still the same 25 hidden files that nothing except Avira seems to find.

Not so great. I have an idea.

Let's give this a try:

Next, please open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

Rootkit::

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\14292_small[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\desktop.ini

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\editor_rosette[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\editor_tail_r2_c7[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\tt-rain-butterfly-neutral-c3518[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\typeahead_log[1].htm

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk3c.tmp

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk45.tmp

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk47.tmp

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk4a.tmp

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk4e.tmp

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk50.tmp

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[10]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[11]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[12]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[13]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[1]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[2]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[3]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[4]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[5]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[6]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[7]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[8]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[9]

KILLALL::

Folder::

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

-screen317


OK, I've run CF via the script. Didn't think to clean out the temp files before I did that, so CF has waded through and deleted a zillion files - but it looks like it didn't get the ones we were targeting.

Straight after it finished I relaunched Kerio (I had disabled it 'cos I thought I was supposed to) but a warning came up saying that Windows Firewall was blocking some functions of Kerio. Never had that before - what should I do about it?

Anyway here's the log, followed by the HJT log.

Thanks again for your continued help.

ComboFix 09-10-07.05 - Compaq_Owner 08/10/2009 23:20.4.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1023.560 [GMT 1:00]

Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.


c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\bloader[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\btn_bg[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\CA0DEH3K.24122490190619583

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\cda1[2].js

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\click[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\crossdomain[1].xml

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\deals_bottom[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\desktop.ini

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\DKA6O7LZNITYGVW2V6LTHRYIHWSB2IOC[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\drm_fffs[1].js

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\ED5XTJWYMURQ7ICUM2ENFSPXSOUUO6MO_1[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\effects[1].js

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\ELLIOTSOLARIS[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\fo-bramear[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\footer_ba_atol_abta[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\getmdrcd[1].xml

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\GetMDRCD[2].xml

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\getmdrcd[3].xml

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\getmdrcd[4].xml

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\getmdrcd[5].xml

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\GetMDRCDPOSTURL[1].aspx

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\GetMDRCDPOSTURL[2].aspx

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\GetMDRCDPOSTURL[3].aspx

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\GetMDRCDPOSTURL[4].aspx

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\GetMDRCDPOSTURL[5].aspx

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\grey_blue_btn_bg[1].png

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\header[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\header_mg[1].png

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\hub_top[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\icon_facebook[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\icon_vuzetogo[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\index_head[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\inxw45dfnz2f6mjugbptqmc7inbfqwsdjrlfonkvgzitiq2qgrjvowksjnfugtclgridoucfjzk

cinjygvademjrg43dkobviaytenbygu2uaq2clbnegtcwk42vknsrgrbvanctk5mves2lingewn[1].j

p

g

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\inxw45dfnz2f6mrrgbptcmrql4zeetrvkzhuen2jgu3e2ukoi5cfuvjsg5au2qkvjjhe4rsfkzh

eqjbsgyzuamzwgu4dgmzwgjadcmzvgiydiqbsijhdkvspii3usnjwjviu4r2eljkten2bjvavks[1].j

p

g

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\inxw45dfnz2f6mrrgbptcmrql4zestcgkrdfgnkekjkvqwcyjq2tmvkzi42vqqsvijcuon2lgzi

u6jbwge3eanbqguztqnrrgzadcnbthaydoqbsjfgemvcgkm2uiusvlbmfqtbvgzkvsrzvlbbfkq[1].j

p

g

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\inxw45dfnz2f6mrrgbptcmrql5cdgwsllfne4vklinavem2bjzle4v2yjridgnkyg5ddgtshijh

fcjbtgayuanzrgq2tcmbtiaytgnjqgm2uarbtljfvswsokvfugqksgnau4vsok5meyubtgvmdor[1].j

p

g

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\inxw45dfnz2f6mrrgbptcmrql5eekvjtgvivanjxiizuwmrsjzgtiuslkzjfqujule2fgwkhkvi

ecjbxgi4uanbvgy4ten2ageztembwg5aeqrkvgm2vcubvg5bdgszsgjhe2ncsjnlfewcrgrmtiu[1].j

p

g

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\inxw45dfnz2f6mrrgbptcmrql5gviqs2j5cvgvkkjyzu6rsylbgdgnsbgzneuwchjvlfcuzwjvg

eejbygu4eamrtgy4dcobvhbadsmjzgyyeatkuijne6rktkvfe4m2pizmfqtbtgzatmwsklbdu2v[1].j

p

g

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\jubilee[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\large-190x100[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\left_nav_bottom[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\m_filter_icons_2[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\main_view_subheader_bg[1].png

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\MAU5CD02[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\mayor_london[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\MPS_My_Station_icon_16x16[1].png

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\nav_activities[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\ND5CD7GWOMAYTVZOJ7UKSDJ26X4RV25N[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\new_tickets_nav_r1_c1[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\new_tickets_nav_r1_c15[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\new_tickets_r4_c3[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\new_tickets_top_r1_c3[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\OFFERS_090803_01_travel_dates_btn[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\OFFERS_090914_dest_top_border[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\OFFERS_090914_header01[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\OFFERS_091006_03_img[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\OFFERS_091006_bal_div[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\OFFERS_091006_dubai_images[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\pclip01[1].wmv

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\size=120x90;noperf=1;alias=93242651;kvmn=93242651;target=_blank;aduho=-60;grp=18865187;misc=18865187;adiframe=y[1]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\size=120x90;noperf=1;alias=93242651;kvmn=93242651;target=_blank;aduho=-60;grp=18924078;misc=18924078[1].htm

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\slider[1].js

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\small[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\small[2].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\sortby_bg[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\space[1].htm

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\space[2].htm

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\spacer[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\strapline_generic[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\tcode3[1].htm

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\tickets_newsletter_r10_c1[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\tickets_newsletter_r14_c6[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\tile_city_by_city[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\tile_earth-touch[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\tile_sanctuary[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\tn_CZTO35PY4Z3CPXRFWUNOVPAPXMBX3H2W[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\toolbar_client_ad_right[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\top_nav_btns[1].png

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\trashcan[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\turnon[1].htm

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\verisign[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\victoria[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\VUZEN-Header2[1].js

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\web_detail_icons_back[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\xsearch[1].css

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\xsearch[1].htm

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\$css$new$reset-fonts-grids.css,$css$new$style.css,$css$new$bucket.css,$css$growler.css,$css$new$client_style[1].css

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\$js$core.js,$js$json.js,$js$swt_message.js,$js$growler.js,$js$browse.js,$js$browse_resize.js,$js$magnet.js,$js$browser_az[1].js

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[1]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[10]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[11]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[12]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[13]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[14]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[15]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[16]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[17]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[18]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[19]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[2]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[20]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[21]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[22]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[23]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[24]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[25]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[26]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[27]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[28]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[29]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[3]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[30]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[31]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[32]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[33]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[34]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[35]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[36]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[37]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[38]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[39]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[4]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[40]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[41]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[42]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[43]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[5]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[6]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[7]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[8]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[9]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\2-8216_120x90_Free_BT_CameraPhones_Refresh[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\3A2D28[1]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\3A2D29[1]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\3A2D58[1]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\3A2D5B[1]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\3CL5273RD5GRL7RC3VOE4CELQVQRUP5V[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\3CL5273RD5GRL7RC3VOE4CELQVQRUP5V[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\3E3A6F[1]

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\400x140_dizzee_2[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\42XONMXVHBUCYESY7MVLZDCDS5J2PDPV[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\600x190_gifts10_2[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\7WS476MQMXYMWS676STRHTJOHLVW3BNW[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\aceUAC[1].js

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\addtobasket[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\AIM_UAC_v2[1].adp

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\AllServices[1].xml

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\atol-logo[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\atw[1].htm

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\bg-top[1].png

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\bg_filter_sidebar_top[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\big_module_bottom[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\Carousel[1].swf

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\CASCD2014[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\CAT8ADHV.03040414649684242

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\CFK5MGDZTVGJTJ6TBONACBZONN4L67HD[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\client_style[1].css

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\controls[1].js

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\desktop.ini

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\details_tile[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\district[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\filter_keyword_bg[1].png

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\flosensing[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\fo-blackwatch[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\frog_bg[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\ga[2].js

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\getmdrcd[1].xml

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\getmdrcd[2].xml

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\getmdrcd[3].xml

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\getmdrcd[4].xml

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\GetMDRCDPOSTURL[1].aspx

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\GetMDRCDPOSTURL[2].aspx

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\GetMDRCDPOSTURL[3].aspx

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\GetMDRCDPOSTURL[4].aspx

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\GetMDRCDPOSTURL[5].aspx

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\GetMDRCDPOSTURL[6].aspx

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\GetMDRCDPOSTURL[7].aspx

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\hd_icon[1].png

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\header-email[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\icon_play_2[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\inxw45dfnz2f6mjugbptqmc7ie3vmr2njfcdgwcpifltkm2ojazfmm2ggzmeunklifnegusjknm

cinjygvademjrg43dkobviaytcnrvg4zeaqjxkzdu2skegnme6qkxguzu4sbskyzumnsyji2uwq[1].j

p

g

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\inxw45dfnz2f6mrrgbptcmrql42u6wjvkfmeewktjnbu2vkvkbefqvcqji3vivbtgznfgtjsjjf

e6jbqguyeamzqguytgmbvgbadcmjugy3daqbvj5mtkukyijmvgs2djvkvkucilbkfasrxkrkdgn[1].j

p

g

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\inxw45dfnz2f6mrrgbptcmrql5bdgv2cljkvavc2gvcesvzwijfeutsdjbitkvkigu3umwcckjk

tgjbtgayuanzrgq2tcmbtia2danbugjaeem2xijnfkuculi2uiskxgzbeussoinefcnkvja2tor[1].j

p

g

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\inxw45dfnz2f6mrrgbptcmrql5fu6scqgmzfowkygngvoqsdi5nfesk2ja2vutsoji2uqrstjnd

fajbtgayuanzrgq2tcmbtiaytimrwg4zuas2pjbidgmsxlfmdgtkxijbuowssjfneqnk2jzheun[1].j

p

g

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\inxw45dfnz2f6mrrgbptcmrql5gdoncnlblvetrujfbtktcxjzmeeukegjfvkv2wgnhueqkqjqz

vcjbwge3eanbqguztqnrrgzadcnbthazdiqcmg42e2wcxkjhdiskdgvgfotsyijiuimslkvlvmm[1].j

p

g

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\inxw45dfnz2f6mrrgbptcmrql5gfqs2wjuzegvs2jzfees22kjgemn2hgzeukqjuifgfmrkuk5l

tmjbwga4uamzqgy3dsmbwia4dmmrwhbaeywclkzgteq2wljheuqslljjeyrrxi43esrkbgrauyv[1].j

p

g

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\inxw45dfnz2f6mrrgbptcmrql5hdotjsjvduossllfjuqucigzmfmtsjknjeosbtjfltiubxgvi

fqjbwga4uamzqgy3dsmbwia4dmmrxgbae4n2ngjguor2kjnmvgscqja3fqvsojfjver2ignevon[1].j

p

g

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\large-190x100[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\large-190x100[2].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\loader[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\logo_new[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\LogoFaroLatino16x16[1].png

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\nav_account[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\nav_collect[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\nav_control[1].png

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\ND5CD7GWOMAYTVZOJ7UKSDJ26X4RV25N[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\new_tickets_nav_r1_c10[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\new_tickets_nav_r1_c11[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\new_tickets_nav_r1_c2[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\new_tickets_nav_r1_c5[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\new_tickets_nav_r1_c7[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\new_tickets_nav_r1_c9[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\northern[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\notifier.avira[2].htm

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\OFFERS_090803_01_dots[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\OFFERS_090914_dest_top_spacer[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\OFFERS_091006_bal_foot[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\OFFERS_091006_istanbul_images[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\OFFERS_091006_rome_images[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\offers_med[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\OSA_squirrel_120x90_20091109[1].swf

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\overground[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\pclip01[1].wmv

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\pcx[1].js

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\pngfix[1].js

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\ranking_4_pixel[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\SGDJH7QG7WK74QY2HRVZVX6DD62L5G2C[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\SGDJH7QG7WK74QY2HRVZVX6DD62L5G2C_1[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\size=120x90;noperf=1;alias=93242651;cfp=1;noaddonpl=y;kvmn=93242651;target=

_blank;aduho=-60;grp=38139906;misc=38139906[1].htm

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\size=120x90;noperf=1;alias=93242651;kvmn=93242651;target=_blank;aduho=-60;grp=930515140;misc=930515140[1].htm

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\slf[2].js

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\slider_thumb_arrow2[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\small[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\small[2].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\spacer[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\tcodewads_at[1].htm

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\tickets_newsletter_r12_c44[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\tickets_newsletter_r15_c10[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\tn_HRQRC2XWUAM54D7WS2J4ZKI3V2OSNAEY[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\top_head_en_autumn[1].jpg

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\tpp[1].htm

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\VUZEN-Header[1].js

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\wloader[1].gif

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\xsearch_carousel[1].js

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5 . . . . failed to delete

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn . . . . failed to delete

.

((((((((((((((((((((((((( Files Created from 2009-09-08 to 2009-10-08 )))))))))))))))))))))))))))))))

.

2009-10-06 22:49 . 2009-10-06 22:51 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-10-06 22:21 . 2009-10-06 22:21 -------- d-----w- c:\program files\Unlocker

2009-10-06 20:48 . 2009-10-06 20:48 -------- d-----w- c:\program files\Kerio

2009-10-06 20:48 . 2002-04-15 11:28 102912 ------w- c:\windows\system32\drivers\FWDRV.SYS

2009-09-30 20:56 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-30 20:56 . 2009-10-05 10:10 -------- d-----w- c:\program files\Malwarebytes

2009-09-30 20:56 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-30 17:26 . 2009-09-30 17:26 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-09-28 17:31 . 2009-09-28 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure

2009-09-27 08:16 . 2009-09-27 08:16 -------- d-----w- c:\program files\Trend Micro

2009-09-26 10:03 . 2009-09-26 10:03 -------- d-----w- c:\program files\ERUNT

2009-09-25 21:27 . 2009-09-23 16:02 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2009-09-24 21:07 . 2009-07-28 15:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-09-24 21:07 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-09-24 21:07 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-09-24 21:07 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-09-24 21:07 . 2009-09-24 21:07 -------- d-----w- c:\program files\Avira

2009-09-24 21:07 . 2009-09-24 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-09-24 16:06 . 2009-10-08 19:15 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Azureus

2009-09-23 18:38 . 2009-09-23 18:40 -------- d-----w- c:\documents and settings\Compaq_Owner\DoctorWeb

2009-09-23 17:29 . 2009-09-23 17:29 -------- d-----w- c:\program files\OEBW

2009-09-23 16:02 . 2009-09-25 21:27 -------- d-----w- c:\documents and settings\Compaq_Owner\.housecall6.6

2009-09-22 22:55 . 2009-09-22 22:55 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes

2009-09-22 22:55 . 2009-09-22 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-22 17:03 . 2009-09-22 17:03 -------- d-----w- C:\spoolerlogs

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-08 22:32 . 2009-09-06 12:09 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

2009-10-08 21:15 . 2005-08-31 14:08 -------- d-----w- c:\program files\TotalRecorder

2009-10-07 18:11 . 2009-02-17 19:53 -------- d-----w- c:\program files\Azureus

2009-10-07 17:08 . 2008-11-06 19:54 -------- d-----w- c:\program files\AIM6

2009-10-06 23:26 . 2005-09-10 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-10-06 20:48 . 2005-01-02 00:10 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-10-04 20:00 . 2005-09-03 15:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Retrospect

2009-09-30 17:26 . 2005-01-01 23:54 -------- d-----w- c:\program files\Java

2009-09-30 17:23 . 2005-06-24 18:16 -------- d-----w- c:\program files\Common Files\Adobe

2009-09-25 22:41 . 2008-05-03 12:10 -------- d-----w- c:\program files\Lavasoft

2009-09-25 22:38 . 2009-08-21 12:08 -------- d-----w- c:\program files\PicaLoader

2009-09-25 22:36 . 2008-05-31 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-09-22 23:22 . 2008-06-12 17:37 -------- d-----w- c:\program files\PowerPacket

2009-09-06 19:10 . 2005-10-28 16:23 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Skype

2009-09-06 17:01 . 2009-09-06 17:01 -------- d-----w- c:\program files\CopyFilenames

2009-09-06 15:01 . 2008-10-19 15:31 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\skypePM

2009-09-06 12:09 . 2008-02-04 16:56 -------- d-----w- c:\program files\Common Files\Logishrd

2009-08-29 08:18 . 2009-08-29 08:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus

2009-08-17 09:01 . 2005-08-30 17:50 63904 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-15 13:27 . 2009-08-15 13:27 -------- d-----w- c:\program files\MSBuild

2009-08-15 13:27 . 2009-08-15 13:27 -------- d-----w- c:\program files\Reference Assemblies

2009-08-15 13:23 . 2009-08-15 13:23 -------- d-----w- c:\program files\MSXML 6.0

2009-08-15 09:32 . 2009-08-14 11:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-08-15 09:32 . 2009-08-14 11:08 -------- d-----w- c:\program files\NOS

2009-08-10 16:49 . 2005-08-31 13:54 -------- d-----w- c:\program files\whisper

2009-07-29 09:23 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-07-29 04:53 . 2004-08-04 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll

2005-09-14 09:58 . 2005-09-09 11:08 20480 ----a-w- c:\program files\Common Files\UninstallDrv.exe

2005-10-28 07:31 . 2005-08-31 11:40 56 --sha-r- c:\windows\system32\5A04C4CEF8.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-09-27_08.03.24 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-10-08 22:32 . 2009-10-08 22:32 16384 c:\windows\temp\Perflib_Perfdata_26c.dat

+ 2009-09-30 17:26 . 2009-09-30 17:26 149280 c:\windows\system32\javaws.exe

+ 2009-09-30 17:26 . 2009-09-30 17:26 145184 c:\windows\system32\javaw.exe

+ 2009-09-30 17:26 . 2009-09-30 17:26 145184 c:\windows\system32\java.exe

+ 2009-09-30 17:26 . 2009-09-30 17:26 537600 c:\windows\Installer\22fac.msi

+ 2009-09-30 16:58 . 2009-09-30 16:58 196608 c:\windows\ERDNT\AutoBackup\30-09-2009\Users\00000002\UsrClass.dat

+ 2009-09-30 16:58 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\30-09-2009\ERDNT.EXE

+ 2009-09-29 05:13 . 2009-09-29 05:13 196608 c:\windows\ERDNT\AutoBackup\29-09-2009\Users\00000002\UsrClass.dat

+ 2009-09-29 05:13 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\29-09-2009\ERDNT.EXE

+ 2009-09-28 14:46 . 2009-09-28 14:46 196608 c:\windows\ERDNT\AutoBackup\28-09-2009\Users\00000002\UsrClass.dat

+ 2009-09-28 14:46 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\28-09-2009\ERDNT.EXE

+ 2009-10-08 16:20 . 2009-10-08 16:20 221184 c:\windows\ERDNT\AutoBackup\08-10-2009\Users\00000002\UsrClass.dat

+ 2009-10-08 16:20 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\08-10-2009\ERDNT.EXE

+ 2009-10-07 15:47 . 2009-10-07 15:47 221184 c:\windows\ERDNT\AutoBackup\07-10-2009\Users\00000002\UsrClass.dat

+ 2009-10-07 15:47 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\07-10-2009\ERDNT.EXE

+ 2009-10-06 15:30 . 2009-10-06 15:30 221184 c:\windows\ERDNT\AutoBackup\06-10-2009\Users\00000002\UsrClass.dat

+ 2009-10-06 15:30 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\06-10-2009\ERDNT.EXE

+ 2009-10-05 08:24 . 2009-10-05 08:24 212992 c:\windows\ERDNT\AutoBackup\05-10-2009\Users\00000002\UsrClass.dat

+ 2009-10-05 08:24 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\05-10-2009\ERDNT.EXE

+ 2009-10-04 18:20 . 2009-10-04 18:20 212992 c:\windows\ERDNT\AutoBackup\04-10-2009\Users\00000002\UsrClass.dat

+ 2009-10-04 18:20 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\04-10-2009\ERDNT.EXE

+ 2009-10-02 14:54 . 2009-10-02 14:54 212992 c:\windows\ERDNT\AutoBackup\02-10-2009\Users\00000002\UsrClass.dat

+ 2009-10-02 14:54 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\02-10-2009\ERDNT.EXE

+ 2009-10-01 12:33 . 2009-10-01 12:33 212992 c:\windows\ERDNT\AutoBackup\01-10-2009\Users\00000002\UsrClass.dat

+ 2009-10-01 12:33 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\01-10-2009\ERDNT.EXE

+ 2009-07-10 09:39 . 2009-07-10 09:39 406640 c:\windows\Downloaded Program Files\fslauncher.dll

+ 2009-09-30 17:23 . 2009-09-30 17:23 3938816 c:\windows\Installer\22fa4.msi

+ 2009-09-30 16:58 . 2009-09-30 16:58 7892992 c:\windows\ERDNT\AutoBackup\30-09-2009\Users\00000001\ntuser.dat

+ 2009-09-29 05:13 . 2009-09-29 05:13 7892992 c:\windows\ERDNT\AutoBackup\29-09-2009\Users\00000001\ntuser.dat

+ 2009-09-28 14:46 . 2009-09-28 14:46 7892992 c:\windows\ERDNT\AutoBackup\28-09-2009\Users\00000001\ntuser.dat

+ 2009-10-08 16:20 . 2009-10-08 16:20 7892992 c:\windows\ERDNT\AutoBackup\08-10-2009\Users\00000001\ntuser.dat

+ 2009-10-07 15:47 . 2009-10-07 15:47 7892992 c:\windows\ERDNT\AutoBackup\07-10-2009\Users\00000001\ntuser.dat

+ 2009-10-06 15:30 . 2009-10-06 15:30 7892992 c:\windows\ERDNT\AutoBackup\06-10-2009\Users\00000001\ntuser.dat

+ 2009-10-05 08:24 . 2009-10-05 08:24 7892992 c:\windows\ERDNT\AutoBackup\05-10-2009\Users\00000001\ntuser.dat

+ 2009-10-04 18:20 . 2009-10-04 18:20 7892992 c:\windows\ERDNT\AutoBackup\04-10-2009\Users\00000001\ntuser.dat

+ 2009-10-02 14:54 . 2009-10-02 14:54 7892992 c:\windows\ERDNT\AutoBackup\02-10-2009\Users\00000001\ntuser.dat

+ 2009-10-01 12:33 . 2009-10-01 12:33 7892992 c:\windows\ERDNT\AutoBackup\01-10-2009\Users\00000001\ntuser.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]

"PS2"="c:\windows\system32\ps2.exe" [2003-09-12 98304]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-30 149280]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes\mbam.exe" [2009-09-10 1312080]

"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]

"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\

ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-7-21 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 01:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"mixer"=DrvTrNTm.dll

"wave"=DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

"Kernel and Hardware Abstraction Layer"=KHALMNPR.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\Program Files\\DTV\\DVB-T USB 2.0\\DVB-Tplayer.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\TotalRecorder\\TotalRecorder.exe"=

"c:\\Program Files\\Netscape\\Netscape\\Netscp.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"49251:TCP"= 49251:TCP:v

"49251:UDP"= 49251:UDP:v

R0 HFXP2;HFXP2;c:\windows\system32\drivers\hfxp2.sys [24/07/2008 22:39 17264]

R1 fwdrv;Kerio Personal Firewall Driver;c:\windows\system32\drivers\FWDRV.SYS [06/10/2009 21:48 102912]

R1 HFSYS;HFSYS;c:\windows\system32\drivers\hfsys.sys [12/01/2004 01:34 19732]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [24/09/2009 22:07 108289]

R3 PRISM_A00;Wireless PCI 802.11b/g adapter WN4201B Driver;c:\windows\system32\drivers\PCTELSAP.SYS [02/01/2005 01:00 306560]

R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [17/08/2008 14:48 126984]

R3 WDM_Capture_220A;DVB-T TV Receiver;c:\windows\system32\drivers\WDM_Capture_220A.sys [06/04/2006 13:57 18432]

S3 Arcadyan;Arcadyan NDIS Protocol Driver;c:\progra~1\PC-DOC~1\DIAGNO~1\Arcadyan.SYS [20/08/2004 03:14 17422]

S3 PLCMPR5;PLCMPR5 NDIS Protocol Driver;\??\c:\windows\system32\PLCMPR5.SYS --> c:\windows\system32\PLCMPR5.SYS [?]

S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;c:\windows\system32\PLCNDIS5.SYS [26/04/2004 11:11 17280]

S3 WDM_Loader_220A;DVB-T TV Loader;c:\windows\system32\drivers\WDM_Loader_220A.sys [06/04/2006 13:56 15488]

S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [06/11/2008 20:55 24652]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = about:blank

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

TCP: {08422DD0-F4AF-4740-8A75-0201C59D6AC5} = 212.159.6.9,212.159.6.10

Handler: copernicagent - {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - c:\progra~1\COPERN~1\COPERN~1.DLL

Handler: copernicagentcache - {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - c:\progra~1\COPERN~1\COPERN~1.DLL

DPF: {FE8FE5F0-E1EE-4ACD-81E0-2A6CFECB8431} - hxxp://downloads.exam2score.com/ePenClientSpec.ocx

FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\zkvadj3e.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-08 23:34

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)

c:\windows\system32\Ati2evxx.dll

c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3376)

c:\program files\Unlocker\UnlockerHook.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\progra~1\WINDOW~1\wmpband.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\progra~1\Dantz\RETROS~1\retrorun.exe

c:\windows\system32\ati2evxx.exe

c:\progra~1\Dantz\RETROS~1\wdsvc.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\MsPMSPSv.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe

.

**************************************************************************

.

Completion time: 2009-10-08 23:40 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-08 22:40

ComboFix2.txt 2009-10-01 17:06

ComboFix3.txt 2009-09-27 08:07

Pre-Run: 60,715,339,776 bytes free

Post-Run: 60,681,048,064 bytes free

759 --- E O F --- 2009-08-15 13:32

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:45:51, on 08/10/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\ps2.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Unlocker\UnlockerAssistant.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\AIM6\aim6.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Kerio\Personal Firewall\PERSFW.EXE

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\COMPAQ_OWNER\Application Data\Mozilla\Profiles\default\qy4mtwbp.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_UK.src"); (C:\Documents and Settings\COMPAQ_OWNER\Application Data\Mozilla\Profiles\default\qy4mtwbp.slt\prefs.js)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [unlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O16 - DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/f-secu.../fslauncher.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab

O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -

O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {FE8FE5F0-E1EE-4ACD-81E0-2A6CFECB8431} (ePenClientSpec.ucEPenClientspec) - http://downloads.exam2score.com/ePenClientSpec.ocx

O17 - HKLM\System\CCS\Services\Tcpip\..\{08422DD0-F4AF-4740-8A75-0201C59D6AC5}: NameServer = 212.159.6.9,212.159.6.10

O17 - HKLM\System\CS1\Services\Tcpip\..\{08422DD0-F4AF-4740-8A75-0201C59D6AC5}: NameServer = 212.159.6.9,212.159.6.10

O17 - HKLM\System\CS2\Services\Tcpip\..\{08422DD0-F4AF-4740-8A75-0201C59D6AC5}: NameServer = 212.159.6.9,212.159.6.10

O17 - HKLM\System\CS3\Services\Tcpip\..\{08422DD0-F4AF-4740-8A75-0201C59D6AC5}: NameServer = 212.159.6.9,212.159.6.10

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe

O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccess.exe

O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe

O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe

O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/COMPAQ~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--

End of file - 7886 bytes


  • Staff

Interesting..

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn . . . . failed to delete
Those files are protected, but by what... hmmm. Let's give this a try.

Next, we need to execute an Avenger2 script.

Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  1. Please download The Avenger2 by Swandog46.
  2. Unzip avenger.exe to your desktop.
  3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
    Begin Copying Here:
    Folders to Delete:
    c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn


  4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  5. Read the prompt that appears, and press OK.
  6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  7. Press the "Execute" button.
  8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

-screen317


Ok, I've done that and it seems to have shifted the awkward files. :)

I've also run Avira, to try and confirm, and it's now not reporting any hidden files. :) The number of warnings it reports has also gone down from 8 in recent scans to 5 - but I don't know if that's significant.

The other thing to mention is that when Avenger rebooted the machine I received a message saying "Windows - No Disk c0000013 Exception processing message Parameters 75b6bf9c 4 75b6bf9c 75b6bf9c" The options available were Cancel, Try Again, Continue. I had to press Continue several times before the box disappeared.

Logs follow....

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Folder "c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Avira AntiVir Personal

Report file date: Sunday, October 11, 2009 21:18

Scanning for 1787120 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 2) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : STARSKY

Version information:

BUILD.DAT : 9.0.0.410 18074 Bytes 25/09/2009 11:56:00

AVSCAN.EXE : 9.0.3.7 466689 Bytes 21/07/2009 13:36:14

AVSCAN.DLL : 9.0.3.0 40705 Bytes 27/02/2009 10:58:24

LUKE.DLL : 9.0.3.2 209665 Bytes 20/02/2009 11:35:49

LUKERES.DLL : 9.0.2.0 12033 Bytes 27/02/2009 10:58:52

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27/10/2008 13:50:58

ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 24/06/2009 13:50:58

ANTIVIR2.VDF : 7.1.6.50 4333568 Bytes 29/09/2009 08:16:20

ANTIVIR3.VDF : 7.1.6.95 404480 Bytes 09/10/2009 22:48:44

Engineversion : 8.2.1.35

AEVDF.DLL : 8.1.1.2 106867 Bytes 15/09/2009 15:58:02

AESCRIPT.DLL : 8.1.2.35 483707 Bytes 04/10/2009 18:27:00

AESCN.DLL : 8.1.2.5 127346 Bytes 03/09/2009 15:24:42

AERDL.DLL : 8.1.3.2 479604 Bytes 04/10/2009 18:26:57

AEPACK.DLL : 8.2.0.0 422261 Bytes 15/09/2009 15:58:00

AEOFFICE.DLL : 8.1.0.38 196987 Bytes 17/06/2009 14:32:46

AEHEUR.DLL : 8.1.0.167 2011511 Bytes 08/10/2009 19:37:47

AEHELP.DLL : 8.1.7.0 237940 Bytes 03/09/2009 15:24:42

AEGEN.DLL : 8.1.1.67 364916 Bytes 04/10/2009 18:26:36

AEEMU.DLL : 8.1.1.0 393587 Bytes 04/10/2009 18:26:34

AECORE.DLL : 8.1.8.1 184693 Bytes 15/09/2009 15:57:58

AEBB.DLL : 8.1.0.3 53618 Bytes 15/10/2008 10:49:34

AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 08:47:59

AVPREF.DLL : 9.0.3.0 44289 Bytes 25/09/2009 21:07:44

AVREP.DLL : 8.0.0.3 155905 Bytes 20/01/2009 14:34:28

AVREG.DLL : 9.0.0.0 36609 Bytes 05/12/2008 10:32:09

AVARKT.DLL : 9.0.0.3 292609 Bytes 24/03/2009 15:05:41

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 30/01/2009 10:37:08

SQLITE3.DLL : 3.6.1.0 326401 Bytes 28/01/2009 15:03:49

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 02/02/2009 08:21:33

NETNT.DLL : 9.0.0.0 11521 Bytes 05/12/2008 10:32:10

RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 15/05/2009 15:39:58

RCTEXT.DLL : 9.0.37.0 86785 Bytes 17/04/2009 10:19:48

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:, D:, E:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Start of the scan: Sunday, October 11, 2009 21:18

Starting search for hidden objects.

'64262' objects were checked, '0' hidden objects were found.

The scan of running processes will be started

Scan process 'ntvdm.exe' - '1' Module(s) have been scanned

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'firefox.exe' - '1' Module(s) have been scanned

Scan process 'msimn.exe' - '1' Module(s) have been scanned

Scan process 'KHALMNPR.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned

Scan process 'SetPoint.exe' - '1' Module(s) have been scanned

Scan process 'aim6.exe' - '1' Module(s) have been scanned

Scan process 'msmsgs.exe' - '1' Module(s) have been scanned

Scan process 'UnlockerAssistant.exe' - '1' Module(s) have been scanned

Scan process 'jusched.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'ps2.EXE' - '1' Module(s) have been scanned

Scan process 'AGRSMMSG.exe' - '1' Module(s) have been scanned

Scan process 'hpsysdrv.exe' - '1' Module(s) have been scanned

Scan process 'CALMAIN.exe' - '1' Module(s) have been scanned

Scan process 'notepad.exe' - '1' Module(s) have been scanned

Scan process 'MsPMSPSv.exe' - '1' Module(s) have been scanned

Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'wdsvc.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned

Scan process 'retrorun.exe' - '1' Module(s) have been scanned

Scan process 'PERSFW.exe' - '1' Module(s) have been scanned

Scan process 'NMSAccess.exe' - '1' Module(s) have been scanned

Scan process 'jqs.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

44 processes with 44 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Master boot sector HD1

[INFO] No virus was found!

Master boot sector HD2

[INFO] No virus was found!

Master boot sector HD3

[INFO] No virus was found!

Master boot sector HD4

[INFO] No virus was found!

Master boot sector HD5

[INFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Boot sector 'D:\'

[INFO] No virus was found!

Boot sector 'E:\'

[INFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '59' files ).

Starting the file scan:

Begin scan in 'C:\' <DRIVE1>

C:\hiberfil.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\Documents and Settings\Compaq_Owner\My Documents\Steve\spyware\HijackThis.exe

[WARNING] The file could not be opened!

C:\WINDOWS\system32\dumprep.exe

[WARNING] The file could not be opened!

C:\WINDOWS\system32\MRT.exe

[WARNING] The file could not be opened!

Begin scan in 'D:\' <DRIVE2>

Begin scan in 'E:\' <PRESARIO_RP>

End of the scan: Sunday, October 11, 2009 22:14

Used time: 55:56 Minute(s)

The scan has been done completely.

8764 Scanned directories

428739 Files were scanned

0 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

0 Files were moved to quarantine

0 Files were renamed

5 Files cannot be scanned

428734 Files not concerned

13310 Archives were scanned

5 Warnings

2 Notes

64262 Objects were scanned with rootkit scan

0 Hidden objects were found


  • Staff

The warnings just mean that the files were 'in use' and couldn't be scanned. Feel free to do a boot-time scan to avoid that issue.

Please download OTC by OldTimer and save it to your Desktop.

  • Double-click OTC.exe
  • Click the CleanUp! button.
  • Select Yes when the Begin cleanup Process? prompt appears.
  • If you are prompted to reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes. If it doesn't, delete it by yourself.

Let me know what issues remain.

-screen317


Thanks, OTC got rid of CF (and not sure what else) and left some things behind which I've deleted manually.

Everything seems to be working fine, Avira scan reports nothing untoward.

Unless you're aware of anything else that should be addressed, I guess I have a clean machine again. (Do we need to understand what it was that was protecting those hidden files?)

Many thanks for your help and patience.

:)


  • Staff

At this point it is difficult to say what exactly was protecting those files, but they're gone and now I know what to do should I come across it in the future. :)

Next, it is absolutely essential that you upgrade to Windows XP Service Pack 3. Service Pack 2, which is what you currently have, has vulnerabilities that leave you wide open for re-infection. To upgrade, please visit Windows Update and download all critical updates.

Let me know if the update was successful.

-screen317


Hmmm. I noticed that you'd highlighted this in an earlier posting. I'm puzzled because I don't understand why this hasn't been done already as part of automatic update - which, I've just checked, is turned on.

Now, however, I can't seem to access the update site either by following your link or navigating there myself. There's a brief flash of a message saying (something like) that the site is checking what my machine has and what updates are available and then there's an error message saying that "The website has encountered a problem and cannot display the page you are trying to view". Some links are provided to investigate other options but I haven't so far found anything that helps. The error code displayed is Error number: 0x800703EE, but this is not one of the codes referenced in the list of suggested solutions.

I'll try again tomorrow, but if you have any suggestions in the meantime please let me know and I'll check back to see.


  • Staff

Hi,

Please download Dial-A-Fix from here.

Save it to your Desktop.

Open Dial-a-fix.exe

Click the green checkmark at the bottom of the window; this should select all options.

Now, click GO.

Allow it to run (the status will be displayed at the bottom), and follow any prompts you receive.

Restart your computer and see if you can access the site now.

-screen317


Well, that was an interesting experience.

1st run of Dial-a-fix

(a) couldn't clean out all the temp files

(b) found a problem with wucltui.dll and then got permanently stuck trying to register wuaueng1.dll

So I rebooted, ran ATF Cleaner to try to delete all temp files, then tried again

2nd run

still (a) and (b) as above

So went looking for copies of the two .dll files, downloaded them, scanned them, pasted them into the windows\system32 folder.

3rd run

still couldn't clean out all the temp files, but did get much further than before, seemed to be able to register everything until it gave an error message with file called shdocvw.dll (error code -2147319780: error accessing OLE registry). It couldn't suggest any solution and invited me to email DjLizard with a copy of the log. Shall I do that or is there no need?

I tried finding and replacing that file too, but on a 4th run of dial-a-fix, exactly the same thing happened, so now I'm stuck.

I've tried again to access the windows update site (just in case...) but still get the error message saying can't be accessed.

Here's the dial-a-fix log file in case it's of any use...

Notes about this log:

1) "->" denotes an external command being executed, and "-> (number)" indicates

the return code from the previous command

2) Not all external command return codes are accurate, or useful

3) Sometimes commands return 0 (no error) even when they fail or crash

4) If an error occurs while registering an object, please send an email to:

dial-a-fix@DjLizard.net and include a copy of this log

DAF version: v0.60.0.24

--- System info ---

OS: Microsoft Windows XP Service Pack 2

IE version: 6.0.2900.2180

MPC: 76477-OEM

CPU: Intel® Pentium® 4 CPU 3.40GHz (~3400MHz)

CPU: 2 CPU cores present

BIOS: 10/03/2005

Memory (approx): 1023MB

Uptime: 0 hour(s)

Current directory: C:\Documents and Settings\Compaq_Owner\Local Settings\temp

---

13/10/2009 17:57:18 -- Dial-a-fix : [v0.60.0.24] -- started

17:57:19 | Policy scan started

17:57:19 | Policy scan ended - no restrictive policies were found

--- Emptying temp folders ---

17:57:23 | Deleting C:\Documents and Settings\Compaq_Owner\Local Settings\temp...

17:57:23 | C:\Documents and Settings\Compaq_Owner\Local Settings\temp could not be completely emptied, please reboot and try again

17:57:23 | Deleting C:\WINDOWS\temp...

17:57:23 | C:\WINDOWS\temp could not be completely emptied, please reboot and try again

17:57:23 | Deleting C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp...

17:57:23 | C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp could not be completely emptied, please reboot and try again

--- MSI ---

17:57:29 | Registered: C:\WINDOWS\system32\msi.dll

--- Windows Update ---

--- Registration: Windows Update/Automatic Update DLLs ---

17:57:34 | Unregistered: C:\WINDOWS\system32\msxml.dll

17:57:34 | Registered: C:\WINDOWS\system32\msxml.dll

17:57:34 | Unregistered: C:\WINDOWS\system32\msxml2.dll

17:57:34 | Registered: C:\WINDOWS\system32\msxml2.dll

17:57:36 | Unregistered: C:\WINDOWS\system32\msxml3.dll

17:57:37 | Registered: C:\WINDOWS\system32\msxml3.dll

17:57:37 | Unregistered: C:\WINDOWS\system32\qmgr.dll

17:57:37 | Registered: C:\WINDOWS\system32\qmgr.dll

17:57:37 | Unregistered: C:\WINDOWS\system32\qmgrprxy.dll

17:57:37 | Registered: C:\WINDOWS\system32\qmgrprxy.dll

17:57:37 | Unregistered: C:\WINDOWS\system32\winhttp.dll

17:57:37 | Registered: C:\WINDOWS\system32\winhttp.dll

17:57:37 | Registered: C:\WINDOWS\system32\wuapi.dll

17:57:37 | Unregistered: C:\WINDOWS\system32\wuaueng.dll

17:57:38 | Registered: C:\WINDOWS\system32\wuaueng.dll

17:57:38 | Unregistered: C:\WINDOWS\system32\wuaueng1.dll

17:57:38 | Registered: C:\WINDOWS\system32\wuaueng1.dll

17:57:38 | Unregistered: C:\WINDOWS\system32\wucltui.dll

17:57:38 | Registered: C:\WINDOWS\system32\wucltui.dll

17:57:38 | Unregistered: C:\WINDOWS\system32\wups.dll

17:57:38 | Registered: C:\WINDOWS\system32\wups.dll

17:57:38 | Unregistered: C:\WINDOWS\system32\wups2.dll

17:57:39 | Registered: C:\WINDOWS\system32\wups2.dll

17:57:39 | Unregistered: C:\WINDOWS\system32\wuweb.dll

17:57:39 | Registered: C:\WINDOWS\system32\wuweb.dll

17:57:39 | Registered: C:\WINDOWS\system32\ole32.dll

--- SSL/HTTPS/Cryptography ---

17:57:51 | Executed 'cmd.exe /c rmdir /q /s C:\WINDOWS\system32\Catroot2'

--- Registration: SSL/HTTPS/Cryptography ---

17:57:55 | Unregistered: C:\WINDOWS\system32\cryptdlg.dll

17:57:55 | Registered: C:\WINDOWS\system32\cryptdlg.dll

17:57:55 | Unregistered: C:\WINDOWS\system32\cryptui.dll

17:57:55 | Registered: C:\WINDOWS\system32\cryptui.dll

17:57:55 | Unregistered: C:\WINDOWS\system32\cryptext.dll

17:57:55 | Registered: C:\WINDOWS\system32\cryptext.dll

17:57:56 | Unregistered: C:\WINDOWS\system32\dssenh.dll

17:57:56 | Registered: C:\WINDOWS\system32\dssenh.dll

17:57:56 | Unregistered: C:\WINDOWS\system32\gpkcsp.dll

17:57:56 | Registered: C:\WINDOWS\system32\gpkcsp.dll

17:57:56 | Unregistered: C:\WINDOWS\system32\initpki.dll

17:58:52 | Registered: C:\WINDOWS\system32\initpki.dll

17:58:52 | Unregistered: C:\WINDOWS\system32\licdll.dll

17:58:53 | Registered: C:\WINDOWS\system32\licdll.dll

17:58:53 | Unregistered: C:\WINDOWS\system32\mssign32.dll

17:58:53 | Registered: C:\WINDOWS\system32\mssign32.dll

17:58:53 | Unregistered: C:\WINDOWS\system32\mssip32.dll

17:58:53 | Registered: C:\WINDOWS\system32\mssip32.dll

17:58:54 | Unregistered: C:\WINDOWS\system32\scardssp.dll

17:58:55 | Registered: C:\WINDOWS\system32\scardssp.dll

17:58:55 | Unregistered: C:\WINDOWS\system32\sccbase.dll

17:58:55 | Registered: C:\WINDOWS\system32\sccbase.dll

17:58:55 | Unregistered: C:\WINDOWS\system32\scecli.dll

17:58:55 | Registered: C:\WINDOWS\system32\scecli.dll

17:58:55 | Unregistered: C:\WINDOWS\system32\softpub.dll

17:58:55 | Registered: C:\WINDOWS\system32\softpub.dll

17:58:56 | Unregistered: C:\WINDOWS\system32\slbcsp.dll

17:58:56 | Registered: C:\WINDOWS\system32\slbcsp.dll

17:58:56 | Unregistered: C:\WINDOWS\system32\regwizc.dll

17:58:56 | Registered: C:\WINDOWS\system32\regwizc.dll

17:58:56 | Unregistered: C:\WINDOWS\system32\rsaenh.dll

17:58:56 | Registered: C:\WINDOWS\system32\rsaenh.dll

17:58:56 | Unregistered: C:\WINDOWS\system32\winhttp.dll

17:58:56 | Registered: C:\WINDOWS\system32\winhttp.dll

17:58:56 | Unregistered: C:\WINDOWS\system32\wintrust.dll

17:58:57 | Registered: C:\WINDOWS\system32\wintrust.dll

--- Registration: ActiveX controls/codecs ---

17:58:57 | Registered: C:\WINDOWS\system32\acelpdec.ax

17:58:57 | Registered: C:\WINDOWS\system32\actxprxy.dll

17:58:57 | Registered: C:\WINDOWS\system32\asctrls.ocx

17:58:58 | Registered: C:\WINDOWS\system32\daxctle.ocx

17:58:58 | Registered: C:\WINDOWS\system32\hhctrl.ocx

17:58:58 | Registered: C:\WINDOWS\system32\l3codecx.ax

17:58:58 | Registered: C:\WINDOWS\system32\licmgr10.dll

17:58:58 | Registered: C:\WINDOWS\system32\mpg4ds32.ax

17:59:04 | Registered: C:\WINDOWS\system32\msdxm.ocx

17:59:04 | Registered: C:\WINDOWS\system32\proctexe.ocx

17:59:04 | Registered: C:\WINDOWS\system32\tdc.ocx

17:59:04 | Registered: C:\WINDOWS\system32\wshom.ocx

--- Registration: Control Panel applets ---

17:59:05 | DllInstalled: C:\WINDOWS\system32\inetcpl.cpl

17:59:05 | DllInstalled: C:\WINDOWS\system32\appwiz.cpl

17:59:05 | Registered: C:\WINDOWS\system32\appwiz.cpl

17:59:06 | DllInstalled: C:\WINDOWS\system32\nusrmgr.cpl

17:59:06 | Registered: C:\WINDOWS\system32\nusrmgr.cpl

--- Registration: Direct[X|Draw|Show|Media] ---

17:59:06 | Registered: C:\WINDOWS\system32\quartz.dll

17:59:06 | Registered: C:\WINDOWS\system32\danim.dll

17:59:06 | Registered: C:\WINDOWS\system32\dmscript.dll

17:59:06 | Registered: C:\WINDOWS\system32\dmstyle.dll

17:59:07 | Registered: C:\WINDOWS\system32\dxmasf.dll

17:59:07 | Registered: C:\WINDOWS\system32\dxtmsft.dll

17:59:07 | Registered: C:\WINDOWS\system32\dxtrans.dll

17:59:07 | Registered: C:\WINDOWS\system32\sbe.dll

--- Registration: Programming cores/runtimes ---

17:59:08 | Registered: C:\WINDOWS\system32\atl.dll

17:59:08 | Registered: C:\WINDOWS\system32\corpol.dll

17:59:08 | Registered: C:\WINDOWS\system32\jscript.dll

17:59:08 | Registered: C:\WINDOWS\system32\dispex.dll

17:59:08 | Registered: C:\WINDOWS\system32\scrrun.dll

17:59:08 | Registered: C:\WINDOWS\system32\scrobj.dll

17:59:08 | Registered: C:\WINDOWS\system32\vbscript.dll

17:59:08 | Registered: C:\WINDOWS\system32\wshext.dll

--- Registration: Explorer/IE/OE/shell/WMP ---

17:59:08 | Registered: C:\WINDOWS\system32\activeds.dll

17:59:08 | Registered: C:\WINDOWS\system32\audiodev.dll

17:59:09 | DllInstalled: C:\WINDOWS\system32\browseui.dll

17:59:09 | Registered: C:\WINDOWS\system32\browseui.dll

17:59:09 | Registered: C:\WINDOWS\system32\browsewm.dll

17:59:09 | Registered: C:\WINDOWS\system32\cabview.dll

17:59:09 | Registered: C:\WINDOWS\system32\cdfview.dll

17:59:09 | Registered: C:\WINDOWS\system32\clbcatex.dll

17:59:09 | Registered: C:\WINDOWS\system32\clbcatq.dll

17:59:09 | Registered: C:\WINDOWS\system32\comcat.dll

17:59:10 | Registered: C:\WINDOWS\system32\cscui.dll

17:59:10 | Registered: C:\WINDOWS\system32\credui.dll

17:59:10 | Registered: C:\WINDOWS\system32\datime.dll

17:59:10 | Registered: C:\WINDOWS\system32\devmgr.dll

17:59:10 | Registered: C:\WINDOWS\system32\dfsshlex.dll

17:59:10 | Registered: C:\WINDOWS\system32\dmdlgs.dll

17:59:10 | Registered: C:\WINDOWS\system32\dmdskmgr.dll

17:59:11 | Registered: C:\WINDOWS\system32\dmloader.dll

17:59:11 | Registered: C:\WINDOWS\system32\dmocx.dll

17:59:11 | Registered: C:\WINDOWS\system32\dmview.ocx

17:59:11 | DllInstalled: C:\WINDOWS\system32\dsuiext.dll

17:59:11 | Registered: C:\WINDOWS\system32\dsuiext.dll

17:59:11 | DllInstalled: C:\WINDOWS\system32\dsquery.dll

17:59:11 | Registered: C:\WINDOWS\system32\dsquery.dll

17:59:11 | Registered: C:\WINDOWS\system32\dskquoui.dll

17:59:11 | Registered: C:\WINDOWS\system32\els.dll

17:59:12 | Registered: C:\WINDOWS\system32\es.dll

17:59:12 | Registered: C:\WINDOWS\system32\fontext.dll

17:59:12 | Registered: C:\WINDOWS\system32\hlink.dll

17:59:12 | Registered: C:\WINDOWS\system32\hnetcfg.dll

17:59:12 | Registered: C:\WINDOWS\system32\iedkcs32.dll

17:59:12 | Registered: C:\WINDOWS\system32\iepeers.dll

17:59:12 | DllInstalled: C:\WINDOWS\system32\iesetup.dll

17:59:12 | Registered: C:\WINDOWS\system32\iesetup.dll

17:59:13 | Registered: C:\WINDOWS\system32\ils.dll

17:59:13 | Registered: C:\WINDOWS\system32\imgutil.dll

17:59:13 | Registered: C:\WINDOWS\system32\inetcfg.dll

17:59:13 | Registered: C:\WINDOWS\system32\inetcomm.dll

17:59:13 | DllInstalled: C:\WINDOWS\system32\inseng.dll

17:59:13 | Registered: C:\WINDOWS\system32\inseng.dll

17:59:13 | Registered: C:\WINDOWS\system32\laprxy.dll

17:59:13 | Registered: C:\WINDOWS\system32\lmrt.dll

17:59:14 | Registered: C:\WINDOWS\system32\mlang.dll

17:59:14 | Registered: C:\WINDOWS\system32\mmcndmgr.dll

17:59:14 | Registered: C:\WINDOWS\system32\mmcshext.dll

17:59:14 | Registered: C:\WINDOWS\system32\mscoree.dll

17:59:15 | DllInstalled: C:\WINDOWS\system32\mshtml.dll

17:59:16 | Registered: C:\WINDOWS\system32\mshtml.dll

17:59:16 | Registered: C:\WINDOWS\system32\mshtmled.dll

17:59:16 | Registered: C:\WINDOWS\system32\msieftp.dll

17:59:16 | Registered: C:\WINDOWS\system32\msoeacct.dll

17:59:16 | Registered: C:\WINDOWS\system32\msr2c.dll

17:59:16 | Registered: C:\WINDOWS\system32\msrating.dll

17:59:16 | DllInstalled: C:\WINDOWS\system32\mydocs.dll

17:59:16 | Registered: C:\WINDOWS\system32\mydocs.dll

17:59:17 | Registered: C:\WINDOWS\system32\mstime.dll

17:59:17 | Registered: C:\WINDOWS\system32\netcfgx.dll

17:59:17 | DllInstalled: C:\WINDOWS\system32\netplwiz.dll

17:59:17 | Registered: C:\WINDOWS\system32\netplwiz.dll

17:59:17 | Registered: C:\WINDOWS\system32\netman.dll

17:59:17 | Registered: C:\WINDOWS\system32\netshell.dll

17:59:17 | Registered: C:\WINDOWS\system32\ntmsevt.dll

17:59:18 | Registered: C:\WINDOWS\system32\ntmsmgr.dll

17:59:18 | DllInstalled: C:\WINDOWS\system32\ntmssvc.dll

17:59:18 | Registered: C:\WINDOWS\system32\ntmssvc.dll

17:59:18 | DllInstalled: C:\WINDOWS\system32\occache.dll

17:59:18 | Registered: C:\WINDOWS\system32\occache.dll

17:59:18 | Registered: C:\WINDOWS\system32\ole32.dll

17:59:18 | Registered: C:\WINDOWS\system32\oleaut32.dll

17:59:18 | Registered: C:\WINDOWS\system32\oleacc.dll

17:59:19 | Registered: C:\WINDOWS\system32\olepro32.dll

17:59:19 | DllInstalled: C:\WINDOWS\system32\photowiz.dll

17:59:19 | Registered: C:\WINDOWS\system32\photowiz.dll

17:59:19 | Registered: C:\WINDOWS\system32\pngfilt.dll

17:59:19 | Registered: C:\WINDOWS\system32\remotepg.dll

17:59:19 | Registered: C:\WINDOWS\system32\rpcrt4.dll

17:59:19 | Registered: C:\WINDOWS\system32\rshx32.dll

17:59:19 | Registered: C:\WINDOWS\system32\sendmail.dll

17:59:19 | Registered: C:\WINDOWS\system32\slayerxp.dll

17:59:21 | DllInstalled: C:\WINDOWS\system32\shdocvw.dll

18:00:56 | Error during registration of C:\WINDOWS\system32\shdocvw.dll - version: 6.00.2900.3533. The error returned is: Error accessing the OLE registry.

(-2147319780)

18:00:56 | Registered: C:\WINDOWS\system32\shell32.dll

18:00:59 | DllInstalled: C:\WINDOWS\system32\shell32.dll

18:00:59 | Registered: C:\WINDOWS\system32\shmedia.dll

18:00:59 | DllInstalled: C:\WINDOWS\system32\shimgvw.dll

18:00:59 | Registered: C:\WINDOWS\system32\shimgvw.dll

18:00:59 | DllInstalled: C:\WINDOWS\system32\shsvcs.dll

18:01:00 | Registered: C:\WINDOWS\system32\shsvcs.dll

18:01:00 | Registered: C:\WINDOWS\system32\srclient.dll

18:01:00 | Unregistered: C:\WINDOWS\system32\stobject.dll

18:01:00 | Registered: C:\WINDOWS\system32\stobject.dll

18:01:00 | DllInstalled: C:\WINDOWS\system32\themeui.dll

18:01:00 | Registered: C:\WINDOWS\system32\themeui.dll

18:01:00 | Registered: C:\WINDOWS\system32\twext.dll

18:01:01 | DllInstalled: C:\WINDOWS\system32\urlmon.dll

18:01:01 | Registered: C:\WINDOWS\system32\urlmon.dll

18:01:01 | Registered: C:\WINDOWS\system32\userenv.dll

18:01:01 | DllInstalled: C:\WINDOWS\system32\webcheck.dll

18:01:01 | Registered: C:\WINDOWS\system32\webcheck.dll

18:01:02 | Registered: C:\WINDOWS\system32\webvw.dll

18:01:02 | Registered: C:\WINDOWS\system32\winhttp.dll

18:01:02 | DllInstalled: C:\WINDOWS\system32\wininet.dll

18:01:02 | Registered: C:\WINDOWS\system32\zipfldr.dll

18:01:02 | Registered: C:\Program Files\Common Files\system\Ole DB\msdadc.dll

18:01:02 | Registered: C:\Program Files\Common Files\system\Ole DB\msdaenum.dll

18:01:02 | Registered: C:\Program Files\Common Files\system\Ole DB\msdaer.dll

18:01:04 | Registered: C:\Program Files\Common Files\system\Ole DB\msdaipp.dll

18:01:05 | Registered: C:\Program Files\Common Files\system\Ole DB\msdaora.dll

18:01:05 | Registered: C:\Program Files\Common Files\system\Ole DB\msdaosp.dll

18:01:05 | Registered: C:\Program Files\Common Files\system\Ole DB\msdaps.dll

18:01:05 | Registered: C:\Program Files\Common Files\system\Ole DB\msdasc.dll

18:01:06 | Registered: C:\Program Files\Common Files\system\Ole DB\msdasql.dll

18:01:06 | Registered: C:\Program Files\Common Files\system\Ole DB\msdatt.dll

18:01:06 | Registered: C:\Program Files\Common Files\system\Ole DB\msdaurl.dll

18:01:07 | Registered: C:\Program Files\Common Files\system\Ole DB\msdmeng.dll

18:01:07 | Registered: C:\Program Files\Common Files\system\Ole DB\msdmine.dll

18:01:07 | Registered: C:\Program Files\Common Files\system\Ole DB\msmdcb80.dll

18:01:07 | Registered: C:\Program Files\Common Files\system\Ole DB\msmdgd80.dll

18:01:08 | Registered: C:\Program Files\Common Files\system\Ole DB\msolap80.dll

18:01:08 | Registered: C:\Program Files\Common Files\system\Ole DB\msolui80.dll

18:01:08 | Registered: C:\Program Files\Common Files\system\Ole DB\msxactps.dll

18:01:08 | Registered: C:\Program Files\Common Files\system\Ole DB\oledb32.dll

18:01:08 | Registered: C:\Program Files\Common Files\system\Ole DB\oledb32r.dll

18:01:09 | Registered: C:\Program Files\Common Files\system\Ole DB\sqloledb.dll

18:01:09 | Registered: C:\Program Files\Common Files\system\Ole DB\sqlxmlx.dll
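The two error numbers quoted in this thread (the Dial-a-fix return code -2147319780 and the Windows Update error 0x800703EE) are both HRESULT values, and splitting them into their fields shows which subsystem reported the failure. The following is an added example, not part of any post and not Dial-a-fix's own code; the function names are hypothetical, the sample lines are copied from the log above, and the symbolic names in `KNOWN` are the `winerror.h` names for those two values.

```python
import re

# Constructed sample: a few lines copied from the Dial-a-fix log in the post above.
SAMPLE_LOG = r"""17:59:19 | Registered: C:\WINDOWS\system32\slayerxp.dll
17:59:21 | DllInstalled: C:\WINDOWS\system32\shdocvw.dll
18:00:56 | Error during registration of C:\WINDOWS\system32\shdocvw.dll - version: 6.00.2900.3533. The error returned is: Error accessing the OLE registry.

(-2147319780)
18:00:56 | Registered: C:\WINDOWS\system32\shell32.dll
"""

# Facility numbers from winerror.h (only the ones relevant to this thread).
FACILITIES = {0: "FACILITY_NULL", 2: "FACILITY_DISPATCH",
              4: "FACILITY_ITF", 7: "FACILITY_WIN32"}

# Symbolic names for the two values seen in the thread.
KNOWN = {0x8002801C: "TYPE_E_REGISTRYACCESS",
         0x800703EE: "HRESULT_FROM_WIN32(ERROR_FILE_INVALID)"}

ERROR_RE = re.compile(
    r"^(\d\d:\d\d:\d\d) \| Error during registration of (.+?)"
    r" - version: (\S+)\. The error returned is: (.+)$")
CODE_RE = re.compile(r"^\((-?\d+)\)$")


def decode_hresult(value):
    """Split an HRESULT (signed decimal or unsigned) into its bit fields."""
    u = value & 0xFFFFFFFF            # tools often print the signed 32-bit form
    facility = (u >> 16) & 0x7FF      # bits 16-26: reporting subsystem
    return {
        "hex": f"0x{u:08X}",
        "failure": bool(u >> 31),     # bit 31: severity (1 = failure)
        "facility": facility,
        "facility_name": FACILITIES.get(facility, "unknown"),
        "code": u & 0xFFFF,           # for FACILITY_WIN32 this is a Win32 error code
        "name": KNOWN.get(u, "unknown"),
    }


def find_registration_errors(log_text):
    """Return every failed registration with its decoded return code.

    The log prints the numeric code on its own line after the error message,
    so the next non-blank line is checked for a parenthesised integer.
    """
    lines = [ln.strip() for ln in log_text.splitlines()]
    errors = []
    for i, line in enumerate(lines):
        m = ERROR_RE.match(line)
        if not m:
            continue
        following = next((ln for ln in lines[i + 1:] if ln), "")
        code = CODE_RE.match(following)
        errors.append({
            "time": m.group(1),
            "path": m.group(2),
            "version": m.group(3),
            "message": m.group(4),
            "hresult": decode_hresult(int(code.group(1))) if code else None,
        })
    return errors


if __name__ == "__main__":
    for err in find_registration_errors(SAMPLE_LOG):
        h = err["hresult"]
        print(err["time"], err["path"], h["hex"], h["facility_name"], h["name"])
    wu = decode_hresult(0x800703EE)   # error shown by the Windows Update site
    print(wu["hex"], wu["facility_name"], "Win32 code", wu["code"], wu["name"])
```
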
