hi

  1. #1
    ramesh help is offline Elite Member

    hi

    1) hi, i need you to go through my log.. i think i got attacked by a virus or something

    2) Below is what i got from spyware guard



    Logfile of HijackThis v1.99.1
    Scan saved at 9:33:07 PM, on 1/12/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\explorer.exe
    C:\HijackThis\foolyou.exe.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
    F3 - REG:win.ini: load=C:\WINDOWS\system32\ddaba.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {458ACBC0-8508-4374-84DB-EE0EC286F969} - C:\WINDOWS\system32\ddaba.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {D4576C73-52BD-4401-B966-5A128C4433D4} - C:\WINDOWS\system32\gebcabx.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 3.75\AMVConverter\grab.html
    O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 3.75\MediaManager\grab.html
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with BitPump - C:\Program Files\AnalogX\BitPump\ieint.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: QuickSet Internet Zone - {3417D8E1-5942-11d6-A0E0-0002B364F69B} - C:\Program Files\QSIZ\qsiz.EXE (HKCU)
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/...osticsxp2k.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188901880687
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1188902392515
    O16 - DPF: {70EE0AA4-5A3A-4052-8FFA-2EEDA43F7942} (Innotive Cibrowser Control 1.1) - http://www.innotive.com/download/cibrowser11.cab
    O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://unitedpage.spaces.live.com/Ph...d/MsnPUpld.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.1.6.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BBE1F9E2-D9A2-414D-A17A-C6CC7A5A6257}: NameServer = 202.188.0.133 202.188.1.5
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: gebcabx - C:\WINDOWS\SYSTEM32\gebcabx.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winrkq32 - C:\WINDOWS\SYSTEM32\winrkq32.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

  2. #2
    VopThis is offline Senior Member (Canada)
    SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

    F3 - REG:win.ini: load=C:\WINDOWS\system32\ddaba.exe

    Make sure that all browser windows and internet links are closed, even this one!
    CLICK ’FIX CHECKED’ with HijackThis.





    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.





    Download ComboFix from one of the following links below:

    Here or Here to your Desktop.


    If you already have Combofix, please delete the existing copy and download it again as it's being updated regularly:
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply

    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

    ComboFix SHOULD NOT be used unless requested by a forum helper.

  3. #3
    ramesh help is offline Elite Member
    1) you should have told me to delete my old vundofix and download a new one. i thought that it would be the same version, but when i scanned there was no error at all. so i decided to download based on the link you gave me. the combofix instruction was clear but not the vundofix. (it's just my opinion)



    2) this is the vundofix log. these are the errors i got inside the vundofix while i was scanning.

    adabb.ini
    abadd.ini2
    ddaba.dll
    gebcabx.dll
    mvasngxu.dll
    mvasngxu.dllbox
    winrkq32.dll
    yfkqlwnb.dll



    i also got an error while scanning using the vundofix (look at the image attached)



    VundoFix V6.5.4

    Checking Java version...

    Java version is 1.5.0.5
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Scan started at 11:29:57 AM 1/13/2008

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    VundoFix V6.7.7

    Checking Java version...

    Java version is 1.5.0.5
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Scan started at 11:40:27 AM 1/13/2008

    Listing files found while scanning....

    C:\WINDOWS\system32\abadd.ini
    C:\WINDOWS\system32\abadd.ini2
    C:\WINDOWS\system32\ddaba.dll
    C:\WINDOWS\system32\gebcabx.dll
    C:\WINDOWS\system32\mvasngxu.dll
    C:\windows\system32\mvasngxu.dllbox
    C:\WINDOWS\system32\winrkq32.dll
    C:\WINDOWS\system32\yfkqlwnb.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\abadd.ini
    C:\WINDOWS\system32\abadd.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\abadd.ini2
    C:\WINDOWS\system32\abadd.ini2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ddaba.dll
    C:\WINDOWS\system32\ddaba.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\gebcabx.dll
    C:\WINDOWS\system32\gebcabx.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\system32\mvasngxu.dll
    C:\WINDOWS\system32\mvasngxu.dll Could not be deleted.

    Attempting to delete C:\windows\system32\mvasngxu.dllbox
    C:\windows\system32\mvasngxu.dllbox Has been deleted!

    Attempting to delete C:\WINDOWS\system32\winrkq32.dll
    C:\WINDOWS\system32\winrkq32.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\yfkqlwnb.dll
    C:\WINDOWS\system32\yfkqlwnb.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\gebcabx.dll
    C:\WINDOWS\system32\gebcabx.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\system32\mvasngxu.dll
    C:\WINDOWS\system32\mvasngxu.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    Beginning removal...



    3) the first link you gave me to download the combofix has a problem, so i used the 2nd link you gave me to download the combofix. (just for your info). this is the combofix log

    ComboFix 08-01-13.1 - Owner 2008-01-13 14:02:30.1 - NTFSx86
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\pos982.tmp
    C:\pos983.tmp
    C:\pos984.tmp
    C:\pos985.tmp
    C:\pos986.tmp
    C:\pos987.tmp
    C:\pos988.tmp
    C:\pos989.tmp
    C:\pos98A.tmp
    C:\pos98B.tmp
    C:\pos98C.tmp
    C:\pos98D.tmp
    C:\pos98E.tmp
    C:\pos98F.tmp
    C:\pos990.tmp
    C:\pos991.tmp
    C:\pos992.tmp
    C:\pos993.tmp
    C:\pos994.tmp
    C:\pos995.tmp
    C:\pos996.tmp
    C:\pos997.tmp
    C:\pos998.tmp
    C:\pos999.tmp
    C:\pos99A.tmp
    C:\pos99B.tmp
    C:\pos99C.tmp
    C:\pos99D.tmp
    C:\pos99E.tmp
    C:\pos99F.tmp
    C:\pos9A.tmp
    C:\pos9A0.tmp
    C:\pos9A1.tmp
    C:\pos9A2.tmp
    C:\pos9A3.tmp
    C:\pos9A4.tmp
    C:\pos9A5.tmp
    C:\pos9A6.tmp
    C:\pos9A7.tmp
    C:\pos9A8.tmp
    C:\pos9A9.tmp
    C:\pos9AA.tmp
    C:\pos9AB.tmp
    C:\pos9AC.tmp
    C:\pos9AD.tmp
    C:\pos9AE.tmp
    C:\pos9AF.tmp
    C:\pos9B.tmp
    C:\pos9B0.tmp
    C:\pos9B1.tmp
    C:\pos9B2.tmp
    C:\pos9B3.tmp
    C:\pos9B4.tmp
    C:\pos9B5.tmp
    C:\pos9B6.tmp
    C:\pos9B7.tmp
    C:\pos9B8.tmp
    C:\pos9B9.tmp
    C:\pos9BA.tmp
    C:\pos9BB.tmp
    C:\pos9BC.tmp
    C:\pos9BD.tmp
    C:\pos9BE.tmp
    C:\pos9BF.tmp
    C:\pos9C.tmp
    C:\pos9C0.tmp
    C:\pos9C1.tmp
    C:\pos9C2.tmp
    C:\pos9C3.tmp
    C:\pos9C4.tmp
    C:\pos9C5.tmp
    C:\pos9C6.tmp
    C:\pos9C7.tmp
    C:\pos9C8.tmp
    C:\pos9C9.tmp
    C:\pos9CA.tmp
    C:\pos9CB.tmp
    C:\pos9CC.tmp
    C:\pos9CD.tmp
    C:\pos9CE.tmp
    C:\pos9CF.tmp
    C:\pos9D.tmp
    C:\pos9D0.tmp
    C:\pos9D1.tmp
    C:\pos9D2.tmp
    C:\pos9D3.tmp
    C:\pos9D4.tmp
    C:\pos9D5.tmp
    C:\pos9D6.tmp
    C:\pos9D7.tmp
    C:\pos9D8.tmp
    C:\pos9D9.tmp
    C:\pos9DA.tmp
    C:\pos9DB.tmp
    C:\pos9DC.tmp
    C:\pos9DD.tmp
    C:\pos9DE.tmp
    C:\pos9DF.tmp
    C:\pos9E.tmp
    C:\pos9E0.tmp
    C:\pos9E1.tmp
    C:\pos9E2.tmp
    C:\pos9E3.tmp
    C:\pos9E4.tmp
    C:\pos9E5.tmp
    C:\pos9E6.tmp
    C:\pos9E7.tmp
    C:\pos9E8.tmp
    C:\pos9E9.tmp
    C:\pos9EA.tmp
    C:\pos9EB.tmp
    C:\pos9EC.tmp
    C:\pos9ED.tmp
    C:\pos9EE.tmp
    C:\pos9EF.tmp
    C:\pos9F.tmp
    C:\pos9F0.tmp
    C:\pos9F1.tmp
    C:\pos9F2.tmp
    C:\pos9F3.tmp
    C:\pos9F4.tmp
    C:\pos9F5.tmp
    C:\pos9F6.tmp
    C:\pos9F7.tmp
    C:\pos9F8.tmp
    C:\pos9F9.tmp
    C:\pos9FA.tmp
    C:\pos9FB.tmp
    C:\pos9FC.tmp
    C:\pos9FD.tmp
    C:\pos9FE.tmp
    C:\pos9FF.tmp
    C:\posA0.tmp
    C:\posA00.tmp
    C:\posA01.tmp
    C:\posA02.tmp
    C:\posA03.tmp
    C:\posA04.tmp
    C:\posA05.tmp
    C:\posA06.tmp
    C:\posA07.tmp
    C:\posA08.tmp
    C:\posA09.tmp
    C:\posA0A.tmp
    C:\posA0B.tmp
    C:\posA0C.tmp
    C:\posA0D.tmp
    C:\posA0E.tmp
    C:\posA0F.tmp
    C:\posA1.tmp
    C:\posA10.tmp
    C:\posA11.tmp
    C:\posA12.tmp
    C:\posA13.tmp
    C:\posA14.tmp
    C:\posA15.tmp
    C:\posA16.tmp
    C:\posA17.tmp
    C:\posA18.tmp
    C:\posA19.tmp
    C:\posA1A.tmp
    C:\posA1B.tmp
    C:\posA1C.tmp
    C:\posA1D.tmp
    C:\posA1E.tmp
    C:\posA1F.tmp
    C:\posA2.tmp
    C:\posA20.tmp
    C:\posA21.tmp
    C:\posA22.tmp
    C:\posA23.tmp
    C:\posA24.tmp
    C:\posA25.tmp
    C:\posA26.tmp
    C:\posA27.tmp
    C:\posA28.tmp
    C:\posA29.tmp
    C:\posA2A.tmp
    C:\posA2B.tmp
    C:\posA2C.tmp
    C:\posA2D.tmp
    C:\posA2E.tmp
    C:\posA2F.tmp
    C:\posA3.tmp
    C:\posA30.tmp
    C:\posA31.tmp
    C:\posA32.tmp
    C:\posA33.tmp
    C:\posA34.tmp
    C:\posA35.tmp
    C:\posA36.tmp
    C:\posA37.tmp
    C:\posA38.tmp
    C:\posA39.tmp
    C:\posA3A.tmp
    C:\posA3B.tmp
    C:\posA3C.tmp
    C:\posA3D.tmp
    C:\posA3E.tmp
    C:\posA3F.tmp
    C:\posA4.tmp
    C:\posA40.tmp
    C:\posA41.tmp
    C:\posA42.tmp
    C:\posA43.tmp
    C:\posA44.tmp
    C:\posA45.tmp
    C:\posA46.tmp
    C:\posA47.tmp
    C:\posA48.tmp
    C:\posA49.tmp
    C:\posA4A.tmp
    C:\posA4B.tmp
    C:\posA4C.tmp
    C:\posA4D.tmp
    C:\posA4E.tmp
    C:\posA4F.tmp
    C:\posA5.tmp
    C:\posA50.tmp
    C:\posA51.tmp
    C:\posA52.tmp
    C:\posA53.tmp
    C:\posA54.tmp
    C:\posA55.tmp
    C:\posA56.tmp
    C:\posA57.tmp
    C:\posA58.tmp
    C:\posA59.tmp
    C:\posA5A.tmp
    C:\posA5B.tmp
    C:\posA5C.tmp
    C:\posA5D.tmp
    C:\posA5E.tmp
    C:\posA5F.tmp
    C:\posA6.tmp
    C:\posA60.tmp
    C:\posA61.tmp
    C:\posA62.tmp
    C:\posA63.tmp
    C:\posA64.tmp
    C:\posA65.tmp
    C:\posA66.tmp
    C:\posA67.tmp
    C:\posA68.tmp
    C:\posA69.tmp
    C:\posA6A.tmp
    C:\posA7.tmp
    C:\posA8.tmp
    C:\posA9.tmp
    C:\posAA.tmp
    C:\posAB.tmp
    C:\posAC.tmp
    C:\posAD.tmp
    C:\posAE.tmp
    C:\posAF.tmp
    C:\posB0.tmp
    C:\posB1.tmp
    C:\posB2.tmp
    C:\posB3.tmp
    C:\posB4.tmp
    C:\posB5.tmp
    C:\posB6.tmp
    C:\posB7.tmp
    C:\posB8.tmp
    C:\posB9.tmp
    C:\posBA.tmp
    C:\posBB.tmp
    C:\posBC.tmp
    C:\posBD.tmp
    C:\posBE.tmp
    C:\posBF.tmp
    C:\posC0.tmp
    C:\posC2.tmp
    C:\posC3.tmp
    C:\posC4.tmp
    C:\posC5.tmp
    C:\posC6.tmp
    C:\posC7.tmp
    C:\posC8.tmp
    C:\posC9.tmp
    C:\posCA.tmp
    C:\posCB.tmp
    C:\posCC.tmp
    C:\posCD.tmp
    C:\posCE.tmp
    C:\posCF.tmp
    C:\posD0.tmp
    C:\posD1.tmp
    C:\posD2.tmp
    C:\posD3.tmp
    C:\posD4.tmp
    C:\posD5.tmp
    C:\posD6.tmp
    C:\posD7.tmp
    C:\posD8.tmp
    C:\posD9.tmp
    C:\posDA.tmp
    C:\posDB.tmp
    C:\posDC.tmp
    C:\posDD.tmp
    C:\posDE.tmp
    C:\posDF.tmp
    C:\posE0.tmp
    C:\posE1.tmp
    C:\posE2.tmp
    C:\posE3.tmp
    C:\posE4.tmp
    C:\posE5.tmp
    C:\posE6.tmp
    C:\posE7.tmp
    C:\posE8.tmp
    C:\posE9.tmp
    C:\posEA.tmp
    C:\posEB.tmp
    C:\posEC.tmp
    C:\posED.tmp
    C:\posEE.tmp
    C:\posEF.tmp
    C:\posF0.tmp
    C:\posF1.tmp
    C:\posF2.tmp
    C:\posF3.tmp
    C:\posF4.tmp
    C:\posF5.tmp
    C:\posF6.tmp
    C:\posF7.tmp
    C:\posF8.tmp
    C:\posF9.tmp
    C:\posFA.tmp
    C:\posFB.tmp
    C:\posFC.tmp
    C:\posFD.tmp
    C:\posFE.tmp
    C:\posFF.tmp
    C:\WINDOWS\system32\gebcabx.dll
    C:\WINDOWS\system32\mvasngxu.dllbox
    C:\WINDOWS\system32\windows

    .
    ((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
    .

    2008-01-13 13:17 . 2008-01-13 13:17 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
    2008-01-12 19:29 . 2008-01-12 19:29 3,584 --a------ C:\WINDOWS\system32\ddaba.exe
    2008-01-10 20:33 . 2008-01-10 20:34 <DIR> d-------- C:\Program Files\Wireless WEP Key Password Spy
    2008-01-10 20:21 . 2008-01-10 20:21 <DIR> d-------- C:\Program Files\PopCap Games
    2008-01-10 20:21 . 2008-01-10 20:21 0 --a------ C:\WINDOWS\popcreg.dat
    2008-01-10 20:21 . 2008-01-10 20:21 0 --a------ C:\WINDOWS\popcinfot.dat
    2008-01-09 23:01 . 2008-01-09 23:01 <DIR> d-------- C:\Program Files\Torrent Harvester
    2008-01-06 20:00 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
    2008-01-06 20:00 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
    2008-01-06 20:00 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
    2008-01-06 20:00 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
    2008-01-06 20:00 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
    2008-01-06 20:00 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
    2008-01-06 20:00 . 2003-11-04 15:11 159,744 --a------ C:\WINDOWS\system32\lfpng13n.dll
    2008-01-06 20:00 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
    2008-01-06 20:00 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
    2008-01-06 20:00 . 2003-05-22 16:31 55,808 --a------ C:\WINDOWS\system32\lfpsd13n.dll
    2007-12-31 19:03 . 2008-01-12 20:23 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2007-12-31 19:03 . 2007-12-31 19:04 1,409 --a------ C:\WINDOWS\QTFont.for
    2007-12-31 18:43 . 2007-12-31 18:43 32 --a------ C:\WINDOWS\SAGE.INI
    2007-12-27 21:11 . 1994-12-06 07:00 12,800 --a------ C:\WINDOWS\system32\WING32.DLL
    2007-12-27 21:08 . 2007-12-27 21:08 <DIR> d-------- C:\Program Files\DK
    2007-12-24 13:34 . 2007-12-24 13:34 <DIR> d-------- C:\WINDOWS\wt
    2007-12-23 20:00 . 2007-12-23 20:00 <DIR> d-------- C:\WINDOWS\system32\ebay
    2007-12-23 20:00 . 2007-12-23 20:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ashampoo
    2007-12-23 19:59 . 2007-12-23 19:59 <DIR> d-------- C:\Program Files\Ashampoo
    2007-12-20 18:30 . 2008-01-03 15:02 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
    2007-12-19 13:19 . 2007-12-19 13:22 <DIR> d-------- C:\Program Files\Fx Video Converter
    2007-12-19 13:19 . 2001-03-13 12:50 525,352 --a------ C:\WINDOWS\system32\dbgrid32.ocx
    2007-12-19 13:19 . 2001-08-17 12:18 508,928 --a------ C:\WINDOWS\system32\msde.dll
    2007-12-19 13:19 . 1998-04-24 00:00 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
    2007-12-19 13:19 . 1998-07-29 14:08 363,008 --a------ C:\WINDOWS\system32\BUYB12.dll
    2007-12-19 13:19 . 2000-12-06 00:00 209,608 --a------ C:\WINDOWS\system32\TabCtl32.ocx
    2007-12-19 13:19 . 2001-03-13 12:53 77,824 --a------ C:\WINDOWS\system32\msbind.dll
    2007-12-19 13:19 . 1998-07-29 14:08 46,592 --a------ C:\WINDOWS\system32\buyb12ex.dll
    2007-12-19 13:19 . 2003-08-04 00:34 40,960 --a------ C:\WINDOWS\system32\FXDV1to2.dll
    2007-12-19 13:19 . 2003-03-06 10:43 36,864 --a------ C:\WINDOWS\system32\FxPanel.ocx
    2007-12-19 13:19 . 1998-07-29 14:08 28,160 --a------ C:\WINDOWS\system32\BuyB12Ax.ocx
    2007-12-18 14:12 . 2007-12-18 18:39 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\dvdcss
    2007-12-18 10:16 . 2007-12-18 23:40 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Download Manager
    2007-12-15 17:47 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
    2007-12-15 17:46 . 2007-12-15 17:46 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition
    2007-12-15 14:35 . 2007-12-15 14:35 282,624 -ra------ C:\WINDOWS\Setup1.exe
    2007-12-15 14:35 . 2007-12-15 14:35 73,216 --a------ C:\WINDOWS\ST6UNST.EXE

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-13 06:13 --------- d-----w C:\Program Files\Coloreal
    2008-01-12 11:32 --------- d-----w C:\Program Files\SpywareGuard
    2008-01-12 08:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
    2008-01-12 07:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
    2008-01-12 05:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
    2008-01-10 12:33 --------- d-----w C:\Program Files\FlashGet
    2007-12-27 13:04 --------- d-----w C:\Program Files\Common Files\InstallShield
    2007-12-21 12:03 77,840 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
    2007-12-19 06:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-12-19 05:58 --------- d-----w C:\Program Files\YoGen Vocal Remover 3.1.0
    2007-12-19 05:26 --------- d-----w C:\Program Files\Doblon
    2007-12-19 03:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2007-12-18 09:47 --------- d-----w C:\Program Files\Common Files\Adobe
    2007-12-15 09:47 --------- d-----w C:\Program Files\Windows Live
    2007-12-15 08:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
    2007-12-11 10:30 --------- d-----w C:\Documents and Settings\Owner\Application Data\Doblon
    2007-12-08 01:23 --------- d-----w C:\Program Files\MSN Messenger
    2007-12-07 04:49 --------- d-----w C:\Program Files\DivX
    2007-12-07 03:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\YoGen
    2007-12-06 11:36 --------- d-----w C:\Program Files\VBL3
    2007-12-05 01:57 --------- d-----w C:\Program Files\Java
    2007-12-05 00:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
    2007-12-04 02:57 --------- d-----w C:\Program Files\01-mp3search
    2007-12-01 05:16 --------- d-----w C:\Program Files\iconBackup v1.0
    2007-11-30 05:41 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
    2007-11-26 06:34 --------- d-----w C:\Program Files\TicketBench Plus
    2007-11-26 03:05 --------- d-----w C:\Program Files\omniformat
    2007-11-25 10:37 --------- d-----w C:\Documents and Settings\Owner\Application Data\pdf995
    2007-11-25 10:29 --------- d-----w C:\Program Files\pdf995
    2007-11-22 00:07 32,632 ----a-w C:\Program Files\media player.asf
    2007-11-21 23:47 --------- d-----w C:\Program Files\SopCast
    2007-11-21 23:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\SopCast
    2007-11-20 13:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\Nokia
    2007-11-20 13:18 --------- d-----w C:\Documents and Settings\Owner\Application Data\Datalayer
    2007-11-20 13:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
    2007-11-20 13:15 --------- d-----w C:\Program Files\DIFX
    2007-11-20 13:14 --------- d-----w C:\Documents and Settings\Owner\Application Data\PC Suite
    2007-11-20 11:37 --------- d-----w C:\Program Files\NoAdware4
    2007-11-18 09:47 --------- d-----w C:\Program Files\BearFlix
    2007-11-18 08:38 --------- d-----w C:\Program Files\BearFlix Applications
    2007-11-17 11:01 --------- d-----w C:\Program Files\MSECache
    2007-11-13 12:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vista Start Menu
    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-10-25 02:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
    2007-10-23 09:06 585,728 ----a-w C:\WINDOWS\WLXPGSS.SCR
    2006-06-03 01:44 774,144 ----a-w C:\Program Files\RngInterstitial.dll
    2004-03-11 05:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
    2007-03-05 11:21 444,537 --sha-w C:\WINDOWS\system32\gjkkj.bak1
    2007-04-01 07:39 461,800 --sha-w C:\WINDOWS\system32\gjkkj.bak2
    2007-04-01 10:39 461,038 --sha-w C:\WINDOWS\system32\gjkkj.ini2
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D84CDF1-7022-4500-A13C-75ACED1F0855}]
    C:\WINDOWS\system32\ddaba.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [ ]
    "AVG7_EMC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" [2008-01-13 11:38 814080]
    "WCOLOREAL"="C:\Program Files\Coloreal\coloreal.exe" [2008-01-13 11:38 473088]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-26 11:58 219136]

    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
    SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "GreyMSIAds"= 1 (0x1)

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTBar]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    --a------ 2005-01-23 10:31 126976 C:\WINDOWS\System32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hp Silent Service]
    --a------ 2002-06-18 20:24 32768 C:\Windows\system32\HpSrvUI.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpScannerFirstBoot]
    --a------ 2001-12-13 19:24 20480 c:\hp\drivers\scanners\scannerfb.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2006-06-14 16:24 278528 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KYE_Showicon]
    --a------ 2002-10-25 15:33 69632 C:\Program Files\USB Storage RW\shwicon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LCIDCHNG]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mercora]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
    --a------ 2002-07-31 19:28 81920 C:\WINDOWS\system32\ps2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    --a------ 2002-09-13 21:42 212992 C:\WINDOWS\SMINST\RECGUARD.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Repair Registry Pro]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
    --a------ 2002-04-17 17:42 69632 c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
    --a------ 2002-06-18 07:01 155648 C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2006-06-02 17:29 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Quick Access]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Registry Repair Pro]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    --a------ 2007-03-27 15:22 4670968 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ccPwdSvc"=3 (0x3)
    "Automatic LiveUpdate Scheduler"=2 (0x2)
    "WMPNetworkSvc"=3 (0x3)
    "usnjsvc"=3 (0x3)
    "iPodService"=3 (0x3)
    "WLSetupSvc"=3 (0x3)
    "UStorage Server Service"=2 (0x2)
    "Adobe LM Service"=3 (0x3)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
    "AlcxMonitor"=ALCXMNTR.EXE
    "PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    "HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    "MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    "IMEKRMIG6.1"=C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    "PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

    R3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2006-08-11 16:56]
    S3 DCamUSBPremier;USB Video Camera;C:\WINDOWS\system32\Drivers\mpixvid.sys [2004-07-01 02:03]
    S3 MTK;Media Technology Kernel Driver;C:\WINDOWS\system32\Drivers\mtk.sys []
    S3 PCDRDRV;Pcdr Helper Driver;C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys []
    S3 Slnt7554;USB Soft Modem Driver;C:\WINDOWS\system32\DRIVERS\slnt7554.sys [2004-08-04 13:41]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{21086163-69c9-11dc-aa21-000c760025ce}]
    \Shell\Auto\command - sxs.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-12-31 13:55:00 C:\WINDOWS\Tasks\LiveUpdate.job"
    - C:\PROGRA~1\Symantec\LIVEUP~1\LUALL.EXE
    "2007-03-05 12:50:01 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
    - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-13 14:23:11
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-13 14:33:14 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-13 06:33:08


    4) this is the hijackthis log

    Logfile of HijackThis v1.99.1
    Scan saved at 2:53:02 PM, on 1/13/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\HijackThis\foolyou.exe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {5D84CDF1-7022-4500-A13C-75ACED1F0855} - C:\WINDOWS\system32\ddaba.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 3.75\AMVConverter\grab.html
    O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 3.75\MediaManager\grab.html
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with BitPump - C:\Program Files\AnalogX\BitPump\ieint.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: QuickSet Internet Zone - {3417D8E1-5942-11d6-A0E0-0002B364F69B} - C:\Program Files\QSIZ\qsiz.EXE (HKCU)
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/...osticsxp2k.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188901880687
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1188902392515
    O16 - DPF: {70EE0AA4-5A3A-4052-8FFA-2EEDA43F7942} (Innotive Cibrowser Control 1.1) - http://www.innotive.com/download/cibrowser11.cab
    O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://unitedpage.spaces.live.com/Ph...d/MsnPUpld.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.1.6.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BBE1F9E2-D9A2-414D-A17A-C6CC7A5A6257}: NameServer = 202.188.0.133 202.188.1.5
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

  4. #4
    ramesh help is offline Elite Member
    ** this happened before seeing your post and doing the scans.
    1) When I turned on my computer, I got this error (look at the image attached)

    2) After that I got the following error (look at the 2nd picture attached)

    ** In between the scan for the VundoFix, my SpywareGuard popped up with the 3rd and 4th attached errors.

  5. #5
    VopThis is offline Senior Member (Canada)
    Please disable the ‘active protection’ components of the following application(s), as it/they may hinder the removal of some entries. Otherwise, certain cleaning attempts may be wrongly recognized and blocked as hijacking attempts or other potentially inappropriate behavior. You can re-enable such tools after your computer is clean.


    Disable SpywareGuard
    1. Right-click the running icon of SpywareGuard; it will open the program.
    2. Then go to Menu, File, Exit.
    3. Then confirm the program is closed.







    Beginning removal...

    VundoFix V6.7.7

    Checking Java version...

    Java version is 1.5.0.5
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.
    Your system has an outdated version(s) of Sun Java that could create serious security exposure issues for your PC.

    Update your Java.

    Older Java versions have vulnerabilities that malware can use, and is using, to infect systems.

    Please follow these steps to remove older version Java components.
    • Close any programs you may have running, ESPECIALLY your web browser
    • Click Start > Control Panel.
    • Click Add/Remove Programs.
    • Check any item with Java Runtime Environment (JRE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove all versions of Java.
    • Reboot your computer once all Java components are removed.






    Download SUPERAntiSpyware (SAS) free home version:

    http://www.superantispyware.com/supe...freevspro.html


    Install it and double-click the icon on your desktop to run it:
    • It will ask if you want to update the program definitions, click "Yes",
    • Let it through your firewall!
    • Under "Configuration and Preferences", click the Preferences BUTTON.
    • Click the Scanning Control TAB.
    • Under "Scanner Options" make sure the following are checked:
      • Close browsers before scanning
      • Scan for tracking cookies (default)
      • Terminate memory threats before quarantining.
      • Ignore System Restore/Volume Information on ME and XP
      • Please (generally) leave the others unchecked.
        • Scan Alternate Data Streams (OPTIONAL Selection – deeper, trickier infection issues - longer scan).
      • Click the Close button to leave the control center screen.
    • On the main screen, under "Scan for Harmful Software" click Scan your computer.
      • On the left check "C:\Fixed Drive".
      • On the right, under "Complete Scan", choose Perform Complete Scan.
      • Click "Next" to start the scan. Please be patient while it scans your computer.
      • After the scan is complete a summary box will appear. Click "OK".
      • Make sure everything in the white box has a check next to it, then click "Next".
      • It will quarantine what it found and if it asks if you want to reboot, click "Yes".
    • To retrieve the removal information - please do the following:
      • After reboot, double-click the "SUPERAntiSpyware icon" on your desktop.
      • Click "Preferences". Click the Statistics/Logs TAB.
      • Under "Scanner Logs", double-click "SUPERAntiSpyware Scan Log".
      • It will open in your default text editor (such as Notepad/Wordpad).
      • Please highlight everything, then right-click and choose copy.
    • Click close and close again to exit the program.
    • Please paste:
      • The SAS LOG information.
      • A new HijackThis LOG (with any current observations).
    Last edited by VopThis; 13-01-2008 at 04:08 PM.

  6. #6
    ramesh help is offline Elite Member
    1) This is the SUPERAntiSpyware log. I just realised that something happened to my antivirus and it doesn't work anymore, due to the infected files I think, but I can run a system scan check.


    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 01/14/2008 at 05:17 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3379
    Trace Rules Database Version: 1373

    Scan type : Complete Scan
    Total Scan Time : 02:49:36

    Memory items scanned : 351
    Memory threats detected : 0
    Registry items scanned : 6407
    Registry threats detected : 9
    File items scanned : 51148
    File threats detected : 16

    Adware.Vundo Variant
    HKLM\Software\Classes\CLSID\{5D84CDF1-7022-4500-A13C-75ACED1F0855}
    HKCR\CLSID\{5D84CDF1-7022-4500-A13C-75ACED1F0855}
    HKCR\CLSID\{5D84CDF1-7022-4500-A13C-75ACED1F0855}\InprocServer32
    HKCR\CLSID\{5D84CDF1-7022-4500-A13C-75ACED1F0855}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\DDABA.DLL
    HKLM\Software\Classes\CLSID\{68465E7B-7388-4562-BF78-5554425E2152}
    HKCR\CLSID\{68465E7B-7388-4562-BF78-5554425E2152}
    HKCR\CLSID\{68465E7B-7388-4562-BF78-5554425E2152}\InprocServer32
    HKCR\CLSID\{68465E7B-7388-4562-BF78-5554425E2152}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5D84CDF1-7022-4500-A13C-75ACED1F0855}

    Adware.Tracking Cookie
    C:\Documents and Settings\Owner\Cookies\owner@ad.zanox[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@adultfriendfinder[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@clicksor[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@adserver.adreactor[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@weborama[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@tradedoubler[2].txt

    Trojan.TLoad
    C:\HIJACKTHIS\BACKUPS\BACKUP-20060720-210540-209.INF
    C:\PROGRAM FILES\HIJACKTHIS\BACKUPS\BACKUP-20060802-191519-771.INF

    Trojan.Unclassified/NTDUMP
    C:\NEW FOLDER\2ND DESKTOP\FILES\NTFS\BIN\NTDUMP.EXE

    Trojan.Unclassifed/AffiliateBundle
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\GEBCABX.DLL.VIR
    C:\VUNDOFIX BACKUPS\GEBCABX.DLL.BAD

    Trojan.Downloader-UniBBB
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\YAYXYXY.DLL.VIR

    Trojan.Downloader-Gen
    C:\WINDOWS\SYSTEM32\DDABA.EXE

    Adware.Vundo Variant/Rel
    C:\WINDOWS\SYSTEM32\TSTWA.INI


    2) this is the hjthis log


    Logfile of HijackThis v1.99.1
    Scan saved at 5:58:01 PM, on 1/14/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\HijackThis\foolyou.exe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 3.75\AMVConverter\grab.html
    O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 3.75\MediaManager\grab.html
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with BitPump - C:\Program Files\AnalogX\BitPump\ieint.htm
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: QuickSet Internet Zone - {3417D8E1-5942-11d6-A0E0-0002B364F69B} - C:\Program Files\QSIZ\qsiz.EXE (HKCU)
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/...osticsxp2k.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188901880687
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1188902392515
    O16 - DPF: {70EE0AA4-5A3A-4052-8FFA-2EEDA43F7942} (Innotive Cibrowser Control 1.1) - http://www.innotive.com/download/cibrowser11.cab
    O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://unitedpage.spaces.live.com/Ph...d/MsnPUpld.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.1.6.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BBE1F9E2-D9A2-414D-A17A-C6CC7A5A6257}: NameServer = 202.188.0.133 202.188.1.5
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

  7. #7
    VopThis is offline Senior Member (Canada)
    Looks like VUNDO infection is gone (popups).


    Let us know if you continue to have other ongoing issues.
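An added example, not part of the original posts: Python code that parses HijackThis entry lines, diffs the 1/12/2008 and 1/14/2008 logs, and checks whether any remaining entry still references a file that SUPERAntiSpyware flagged. The log excerpts are shortened copies of lines posted in this thread; the function names are hypothetical.

```python
import ntpath
import re

# Excerpts of the 1/12/2008 and 1/14/2008 HijackThis logs posted in this thread
# (shortened to a few lines each; not the complete logs).
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 9:33:07 PM, on 1/12/2008
Running processes:
C:\WINDOWS\system32\winlogon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
F3 - REG:win.ini: load=C:\WINDOWS\system32\ddaba.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {458ACBC0-8508-4374-84DB-EE0EC286F969} - C:\WINDOWS\system32\ddaba.dll
"""
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 5:58:01 PM, on 1/14/2008
Running processes:
C:\WINDOWS\system32\winlogon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
"""
# System32 files reported in the SUPERAntiSpyware scan log posted in this thread.
FLAGGED = [
    r"C:\WINDOWS\SYSTEM32\DDABA.DLL",
    r"C:\WINDOWS\SYSTEM32\DDABA.EXE",
    r"C:\WINDOWS\SYSTEM32\TSTWA.INI",
]

# Entry lines start with a section code (R0, F3, O2, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2}) - (.*\S)\s*$")


def parse_entries(log):
    """Return (section, text) per entry line; header and process lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def _key(entry):
    # Windows paths and registry names are case-insensitive, so compare casefolded.
    return (entry[0], entry[1].casefold())


def diff_logs(before, after):
    """Return (removed, added) entries between two logs, in original order."""
    b, a = parse_entries(before), parse_entries(after)
    b_keys = {_key(e) for e in b}
    a_keys = {_key(e) for e in a}
    removed = [e for e in b if _key(e) not in a_keys]
    added = [e for e in a if _key(e) not in b_keys]
    return removed, added


def referencing(entries, flagged_paths):
    """Return entries whose text mentions the file name of any flagged path."""
    names = {ntpath.basename(p).casefold() for p in flagged_paths}
    return [e for e in entries if any(n in e[1].casefold() for n in names)]


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    for tag, items in (("removed", removed), ("added", added)):
        for section, text in items:
            print(f"{tag:8} {section:4} {text}")
    leftover = referencing(parse_entries(LOG_AFTER), FLAGGED)
    print("entries still pointing at flagged files:", len(leftover))
```

An empty result from `referencing` on the later log only shows that no listed autostart entry points at the flagged files; it does not confirm that the files themselves are gone from disk.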

  8. #8
    ramesh help is offline Elite Member
    I used the option Scan Alternate Data Streams in SUPERAntiSpyware; this is the log.


    the SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 01/15/2008 at 11:56 AM

    Application Version : 3.9.1008

    Core Rules Database Version : 3379
    Trace Rules Database Version: 1373

    Scan type : Complete Scan
    Total Scan Time : 01:32:43

    Memory items scanned : 289
    Memory threats detected : 0
    Registry items scanned : 6406
    Registry threats detected : 0
    File items scanned : 51336
    File threats detected : 0


    this is the hijackthis log

    Logfile of HijackThis v1.99.1
    Scan saved at 1:06:21 PM, on 1/15/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\HijackThis\foolyou.exe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 3.75\AMVConverter\grab.html
    O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 3.75\MediaManager\grab.html
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with BitPump - C:\Program Files\AnalogX\BitPump\ieint.htm
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: QuickSet Internet Zone - {3417D8E1-5942-11d6-A0E0-0002B364F69B} - C:\Program Files\QSIZ\qsiz.EXE (HKCU)
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/...osticsxp2k.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188901880687
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1188902392515
    O16 - DPF: {70EE0AA4-5A3A-4052-8FFA-2EEDA43F7942} (Innotive Cibrowser Control 1.1) - http://www.innotive.com/download/cibrowser11.cab
    O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://unitedpage.spaces.live.com/Ph...d/MsnPUpld.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.1.6.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BBE1F9E2-D9A2-414D-A17A-C6CC7A5A6257}: NameServer = 202.188.0.133 202.188.1.5
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


    Now can I reinstall my antivirus? Do I also install the latest Java??
    Can I also reactivate my SpywareGuard??


    Can you also tell me which antivirus is the TOP and the BEST now?? Is it Kaspersky, Avast or AVG or Norton or Panda TruPrevent Personal or anything else..
    Last edited by ramesh help; 15-01-2008 at 05:18 AM.

  9. #9
    VopThis is offline Senior Member (Canada)
    now can i reinstall my antivirus.
    You are already running AVG antivirus.

    do i also install the latest java??
    can i also reactivate my spywareguard??
    YES and YES.

    can you also tell me which antivirus is the TOP and the BEST now?? is it kaspersky, avast or AVG or Norton or Panda TruPrevent Personal or anything else..
    It is mostly a matter of personal taste, as they all provide adequate protection (there are not really any significant differences in effectiveness between them) - I do not recommend the use of any Security Suite, ever.

    Regardless of the tool selected, most people should periodically run additional FREE online tools for secondary opinions as needed (Eset, Panda, Kaspersky, BitDefender). This will actually tend to show you whether your primary antivirus tool is working out or not. However, no one tool will ever be completely 100% effective. Furthermore, because I rarely ever get a virus, it is quite pointless for me to really worry about which antivirus tool is REALLY BEST.

    I PERSONALLY dislike some of your antivirus tool choices because they have generally been a problem to COMPLETELY uninstall (if you ever need to make such a choice), have tended to get bloated, and generally require longer (full) scanning times (Kaspersky, Norton). The free Avast has ongoing resubscribe requirements that can tend to aggravate. Panda might be a good choice (good behavior based scanning features). AVG (free) is a very common, popular choice and provides adequate protection against most common threats.


    My personal favorite is NOD32 ( www.eset.com ) - you hardly know it is there, it has a small RAM memory requirement, is considered one of the better behavior based detection enhanced scanners (formal less timely virus definitions updates can only do so much), and does a complete scan much faster than most other tools.
    Last edited by VopThis; 15-01-2008 at 03:49 PM.

  10. #10
    ramesh help is offline Elite Member
    1) Do I still use AVG?? What is your recommendation about the antivirus and also the additional FREE online tools for secondary opinions?? Which antivirus do you recommend me to use, as I know that Norton does not give better antivirus protection.

    2) Based on what you said, I should use NOD32, that is the online scan, right?

    3) You said "I do not recommend the use of any Security Suite". What do you mean by Security Suite??
