My computer got infected with the Trojan horse crypt.AQLW last night. My desktop completely changed and my Firefox disappeared. I had to use Internet Explorer, but I was not able to get direct access to this website; it kept getting redirected.
However, I used my iPad and was able to follow some of the steps. I ran Malwarebytes and GMER, and I tried using DDS, but it froze. I then used TDSSKiller. After that I used ComboFix. After using ComboFix, my original desktop appeared; however, my background was still different. I'm not sure if my computer is fixed or not, but here are the supporting logs:
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org
Database version: v2012.03.28.01
Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 7.0.5730.13
Administrator :: CHAN-59370E1102 [administrator]
3/27/2012 10:07:12 PM
mbam-log-2012-03-27 (22-07-12).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 198653
Time elapsed: 9 minute(s), 43 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 3
C:\WINDOWS\system32\netrcacm.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hpdskflt.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\razerusb.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
(end)
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-28 00:29:12
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T1L0-10 WDC_WD2500JS-22NCB1 rev.10.02E02
Running: n3pul3md[1].exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uwgdyfoc.sys
---- System - GMER 1.0.15 ----
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAF81E620]
---- Kernel code sections - GMER 1.0.15 ----
? emlgk.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB2FD4360, 0x3D46A5, 0xE8000020]
.text mrxsmb.sys!?OnMutantOriginal@@YGHE[W AF760000 248 Bytes JMP AF760C0D \SystemRoot\system32\DRIVERS\mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
.text mrxsmb.sys!?OnMutantOriginal@@YGHE[W + F9 AF7600F9 17 Bytes [55, 8B, EC, 51, 83, 65, FC, ...]
.text mrxsmb.sys!?OnMutantOriginal@@YGHE[W + 10B AF76010B 48 Bytes [56, FF, 15, 58, B6, 77, AF, ...]
.text mrxsmb.sys!?OnMutantOriginal@@YGHE[W + 13C AF76013C 58 Bytes [EB, EA, 80, BF, CE, 00, 00, ...]
.text mrxsmb.sys!?OnMutantOriginal@@YGHE[W + 178 AF760178 210 Bytes CALL AF783283 \SystemRoot\system32\DRIVERS\mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
.text ...
.text mrxsmb.sys!?GenerateEventW@@YGXJ[W AF761210 361 Bytes [00, 00, 68, 0A, 01, 00, 00, ...]
.text mrxsmb.sys!?FormatWidthExA@@YGXKPAGPAJPAH[W + 124 AF76137A 43 Bytes [C9, 0F, 85, 17, 55, 00, 00, ...]
.text mrxsmb.sys!?FormatWidthExA@@YGXKPAGPAJPAH[W + 150 AF7613A6 47 Bytes [8B, 4E, 3C, 57, 8B, 78, 0C, ...]
.text mrxsmb.sys!?FormatWidthExA@@YGXKPAGPAJPAH[W + 180 AF7613D6 126 Bytes [46, 28, 03, 00, 8B, 45, 08, ...]
.text mrxsmb.sys!?FormatWidthExA@@YGXKPAGPAJPAH[W + 1FF AF761455 23 Bytes [0F, 84, 52, ED, 00, 00, 80, ...]
.text mrxsmb.sys!?FormatWidthExA@@YGXKPAGPAJPAH[W + 218 AF76146E 11 Bytes [8B, 75, F4, 80, 7D, FF, 70, ...]
.text ...
? C:\WINDOWS\system32\DRIVERS\mrxsmb.sys suspicious PE modification
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\ping.exe[1452] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BA000A
.text C:\WINDOWS\System32\ping.exe[1452] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00BB000A
.text C:\WINDOWS\System32\ping.exe[1452] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00C1000A
.text C:\WINDOWS\System32\ping.exe[1452] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 00C2000A
.text C:\WINDOWS\System32\ping.exe[1452] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 00C3000A
.text C:\WINDOWS\System32\ping.exe[1452] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 00C4000A
.text C:\WINDOWS\System32\ping.exe[1452] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 00C0000A
.text C:\program files\real\realplayer\Update\realsched.exe[2448] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\Program Files\internet explorer\iexplore.exe[2604] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2604] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3528F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2604] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E352877 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2604] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3528BB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2604] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E352803 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2604] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E35283D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2604] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352931 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2604] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E201762 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2604] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E352AF3 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2604] CRYPT32.dll!CryptMsgCountersignEncoded + 27A 77A92F52 7 Bytes JMP 03F81780
.text C:\Program Files\internet explorer\iexplore.exe[2604] CRYPT32.dll!CertComparePublicKeyInfo + 1E8 77A9B751 7 Bytes JMP 03F81760
.text C:\WINDOWS\System32\ping.exe[2784] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BA000A
.text C:\WINDOWS\System32\ping.exe[2784] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00BB000A
.text C:\WINDOWS\System32\ping.exe[2784] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00C1000A
.text C:\WINDOWS\System32\ping.exe[2784] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 00C2000A
.text C:\WINDOWS\System32\ping.exe[2784] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 00C3000A
.text C:\WINDOWS\System32\ping.exe[2784] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 00C4000A
.text C:\WINDOWS\System32\ping.exe[2784] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 00C0000A
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
---- Modules - GMER 1.0.15 ----
Module (noname) (*** hidden *** ) AF7CF000-AF7E9000 (106496 bytes)
---- Processes - GMER 1.0.15 ----
Process C:\WINDOWS\System32\ping.exe (*** hidden *** ) 1452
Process C:\WINDOWS\System32\ping.exe (*** hidden *** ) 2784
---- Files - GMER 1.0.15 ----
File C:\Documents and Settings\NetworkService\Cookies\092C3XAM.txt 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2UAKRLME\psu_com[1].htm 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\D1WW1J78\mevio_com[1].htm 126559 bytes
File C:\WINDOWS\$NtUninstallKB5667$\3258210990 0 bytes
File C:\WINDOWS\$NtUninstallKB5667$\3399015611 0 bytes
File C:\WINDOWS\$NtUninstallKB5667$\3399015611\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB5667$\3399015611\cfg.ini 170 bytes
File C:\WINDOWS\$NtUninstallKB5667$\3399015611\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB5667$\3399015611\L 0 bytes
File C:\WINDOWS\$NtUninstallKB5667$\3399015611\L\aoynodee 456320 bytes
File C:\WINDOWS\$NtUninstallKB5667$\3399015611\oemid 141 bytes
File C:\WINDOWS\$NtUninstallKB5667$\3399015611\U 0 bytes
File C:\WINDOWS\$NtUninstallKB5667$\3399015611\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB5667$\3399015611\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB5667$\3399015611\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB5667$\3399015611\U\80000000.@ 66560 bytes
File C:\WINDOWS\$NtUninstallKB5667$\3399015611\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB5667$\3399015611\U\80000032.@ 115200 bytes
File C:\WINDOWS\$NtUninstallKB5667$\3399015611\version 861 bytes
---- EOF - GMER 1.0.15 ----