SmitFraudFix v2.120 Scan done at 21:34:50,96, 2006-11-13 Run from J:\PROGRAMY\net\bezpieczeästwo w sieci\SmitfraudFix OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT Fix run in normal mode »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix !Attention, following keys are not inevitably infected! SrchSTS.exe by S!Ri Search SharedTaskScheduler’s .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] “{11853d5f-f894-4cc7-bbc3-fc7a9dcfd896}”=“bonspells” [HKEY_CLASSES_ROOT\CLSID{11853d5f-f894-4cc7-bbc3-fc7a9dcfd896}\InProcServer32] @=“C:\WINDOWS\system32\okkmtv.dll” [HKEY_LOCAL_MACHINE\Software\Classes\CLSID{11853d5f-f894-4cc7-bbc3-fc7a9dcfd896}\InProcServer32] @=“C:\WINDOWS\system32\okkmtv.dll” »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri C:\WINDOWS\system32\okkmtv.dll - Hoax.Win32.Renos.gen.i C:\WINDOWS\system32\okkmtv.dll - Deleted »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files D:\PROGRAMY\QualityCodec\ Deleted »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix !Attention, following keys are not inevitably infected! SrchSTS.exe by S!Ri Search SharedTaskScheduler’s .dll »»»»»»»»»»»»»»»»»»»»»»»» End Logfile of HijackThis v1.99.1 Scan saved at 00:02:25, on 2006-11-14 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe D:\PROGRAMY\Avast4\aswUpdSv.exe D:\PROGRAMY\Zone Labs\ZoneAlarm\zlclient.exe D:\PROGRAMY\Avast4\ashServ.exe C:\WINDOWS\system32\RUNDLL32.EXE D:\PROGRAMY\RivaTuner v2.0 RC 15.8\RivaTuner.exe D:\PROGRAMY\Avast4\ashDisp.exe D:\PROGRAMY\IVT Corporation\BlueSoleil\BTNtService.exe D:\PROGRAMY\Acronis\TrueImage\TrueImageMonitor.exe C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe D:\PROGRAMY\Diskeeper Corporation\Diskeeper\DkService.exe D:\PROGRAMY\DAEMON Tools\daemon.exe D:\PROGRAMY\tlen\tlen.exe D:\PROGRAMY\NetMeter\NetMeter.exe D:\PROGRAMY\LMPC3\lockpc.exe C:\WINDOWS\system32\nvsvc32.exe D:\PROGRAMY\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\wscntfy.exe D:\PROGRAMY\Avast4\ashMaiSv.exe D:\PROGRAMY\Avast4\ashWebSv.exe C:\WINDOWS\system32\wbem\wmiapsrv.exe D:\PROGRAMY\opera web browser\Opera.exe D:\PROGRAMY\The Bat!\thebat.exe J:\PROGRAMY\net\bezpieczeństwo w sieci\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.zonelabs.com/downloadrequ … 1033852230 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAMY\adobe reader\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\PROGRAMY\Java\jre1.5.0_07\bin\ssv.dll O4 - HKLM…\Run: [Zone Labs Client] “D:\PROGRAMY\Zone Labs\ZoneAlarm\zlclient.exe” O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [RivaTunerStartupDaemon] “D:\PROGRAMY\RivaTuner v2.0 RC 15.8\RivaTuner.exe” /S O4 - HKLM…\Run: [RivaTuner] “D:\PROGRAMY\RivaTuner v2.0 RC 15.8\RivaTuner.exe” /T O4 - HKLM…\Run: [avast!] D:\PROGRAMY\Avast4\ashDisp.exe O4 - HKLM…\Run: [DiskeeperSystray] “D:\PROGRAMY\Diskeeper Corporation\Diskeeper\DkIcon.exe” O4 - HKLM…\Run: [Vistadrv] C:\WINDOWS\VIPv3\VIPhd\vsdrv.exe O4 - HKLM…\Run: [TrueImageMonitor.exe] D:\PROGRAMY\Acronis\TrueImage\TrueImageMonitor.exe O4 - HKLM…\Run: [Acronis Scheduler2 Service] “C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe” O4 - HKLM…\Run: [DAEMON Tools] “D:\PROGRAMY\DAEMON Tools\daemon.exe” -lang 1033 O4 - HKCU…\Run: [Komunikator] D:\PROGRAMY\tlen\tlen.exe O4 - HKCU…\Run: [NetMeter.exe] D:\PROGRAMY\NetMeter\NetMeter.exe O4 - HKCU…\Run: [Lock My PC] D:\PROGRAMY\LMPC3\lockpc.exe /s O8 - Extra context menu item: Ściągnij przy pomocy FlashGet’a - D:\PROGRAMY\FlashGet\jc_link.htm O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet’a - D:\PROGRAMY\FlashGet\jc_all.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\PROGRAMY\Java\jre1.5.0_07\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\PROGRAMY\Java\jre1.5.0_07\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\PROGRAMY\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - D:\PROGRAMY\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - D:\PROGRAMY\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - D:\PROGRAMY\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: BlueSoleil Hid Service - Unknown owner - D:\PROGRAMY\IVT Corporation\BlueSoleil\BTNtService.exe O23 - Service: Diskeeper - Diskeeper Corporation - D:\PROGRAMY\Diskeeper Corporation\Diskeeper\DkService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\PROGRAMY\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe “Silent Runners.vbs”, revision 49, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “Komunikator” = “D:\PROGRAMY\tlen\tlen.exe” [“o2.pl Sp. z o.o.”] “NetMeter.exe” = “D:\PROGRAMY\NetMeter\NetMeter.exe” [null data] “Lock My PC” = “D:\PROGRAMY\LMPC3\lockpc.exe /s” [“FSPro Labs”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “Zone Labs Client” = ““D:\PROGRAMY\Zone Labs\ZoneAlarm\zlclient.exe”” [“Zone Labs, LLC”] “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup” [MS] “nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”] “NvMediaCenter” = “RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit” [MS] “RivaTunerStartupDaemon” = ““D:\PROGRAMY\RivaTuner v2.0 RC 15.8\RivaTuner.exe” /S” [empty string] “RivaTuner” = ““D:\PROGRAMY\RivaTuner v2.0 RC 15.8\RivaTuner.exe” /T” [empty string] “avast!” = “D:\PROGRAMY\Avast4\ashDisp.exe” [null data] “DiskeeperSystray” = ““D:\PROGRAMY\Diskeeper Corporation\Diskeeper\DkIcon.exe”” [“Diskeeper Corporation”] “Vistadrv” = “C:\WINDOWS\VIPv3\VIPhd\vsdrv.exe” [null data] “TrueImageMonitor.exe” = “D:\PROGRAMY\Acronis\TrueImage\TrueImageMonitor.exe” [“Acronis”] “Acronis Scheduler2 Service” = ““C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe”” [“Acronis”] “DAEMON Tools” = ““D:\PROGRAMY\DAEMON Tools\daemon.exe” -lang 1033” [“DT Soft Ltd.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) - {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “D:\PROGRAMY\adobe reader\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) - {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “D:\PROGRAMY\Java\jre1.5.0_07\bin\ssv.dll” [“Sun Microsystems, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” - {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{32020A01-506E-484D-A2A8-BE3CF17601C3}” = “AlcoholShellEx” - {HKLM…CLSID} = “AlcoholShellEx” \InProcServer32(Default) = “D:\PROGRAMY\ALCOHO~1\ALCOHO~1\axshlex.dll” [“Alcohol Soft Development Team”] “{59850401-6664-101B-B21C-00AA004BA90B}” = “Microsoft Office Binder Unbind” - {HKLM…CLSID} = “Microsoft Office Binder Unbind” \InProcServer32(Default) = “D:\PROGRAMY\MICROS~2\Office\1045\UNBIND.DLL” [MS] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\PROGRAMY\WinRAR\rarext.dll” [null data] “{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player” - {HKLM…CLSID} = “RealOne Player Context Menu Class” \InProcServer32(Default) = “D:\PROGRAMY\ACE Mega CoDecS Pack\SystemS\RealMedia\rpshell.dll” [“RealNetworks, Inc.”] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” - {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” - {HKLM…CLSID} = “NVIDIA CPL Extension” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” - {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” - {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “D:\PROGRAMY\Avast4\ashShell.dll” [“ALWIL Software”] HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ “WPDShServiceObj” = “{AAA288BA-9A4C-45B0-95D7-94D524869DB5}” - {HKLM…CLSID} = “WPDShServiceObj Class” \InProcServer32(Default) = “C:\WINDOWS\system32\WPDShServiceObj.dll” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” - {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “D:\PROGRAMY\adobe reader\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “D:\PROGRAMY\Avast4\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\PROGRAMY\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\PROGRAMY\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “D:\PROGRAMY\Avast4\ashShell.dll” [“ALWIL Software”] FineReader8(Default) = “{F7091C74-EBB1-49D7-94C7-FE4886CCC18D}” - {HKLM…CLSID} = “FineReader8ExplorerContextMenuHandler” \InProcServer32(Default) = “D:\PROGRAMY\ABBYY FineReader 8.0 Professional Edition\FECMenu.dll” [“ABBYY Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\PROGRAMY\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC}” - {HKCU…CLSID} = “Java Plug-in” \InProcServer32(Default) = “D:\PROGRAMY\Java\jre1.5.0_07\bin\ssv.dll” [“Sun Microsystems, Inc.”] - {HKLM…CLSID} = “Java Plug-in 1.5.0_07” \InProcServer32(Default) = “D:\PROGRAMY\Java\jre1.5.0_07\bin\npjpi150_07.dll” [“Sun Microsystems, Inc.”] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Acronis Scheduler2 Service, AcrSch2Svc, ““C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe”” [“Acronis”] avast! Antivirus, avast! Antivirus, ““D:\PROGRAMY\Avast4\ashServ.exe”” [null data] avast! iAVS4 Control Service, aswUpdSv, ““D:\PROGRAMY\Avast4\aswUpdSv.exe”” [null data] avast! Mail Scanner, avast! Mail Scanner, ““D:\PROGRAMY\Avast4\ashMaiSv.exe” /service” [“ALWIL Software”] avast! Web Scanner, avast! Web Scanner, ““D:\PROGRAMY\Avast4\ashWebSv.exe” /service” [“ALWIL Software”] BlueSoleil Hid Service, BlueSoleil Hid Service, “D:\PROGRAMY\IVT Corporation\BlueSoleil\BTNtService.exe” [null data] Diskeeper, Diskeeper, ““D:\PROGRAMY\Diskeeper Corporation\Diskeeper\DkService.exe”” [“Diskeeper Corporation”] Karta wydajności WMI, WmiApSrv, “C:\WINDOWS\system32\wbem\wmiapsrv.exe” [MS] NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\system32\nvsvc32.exe” [“NVIDIA Corporation”] StarWind iSCSI Service, StarWindService, “D:\PROGRAMY\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe” [“Rocket Division Software”] TrueVector Internet Monitor, vsmon, “C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service” [“Zone Labs, LLC”] Ulead Burning Helper, UleadBurningHelper, “C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe” [“Ulead Systems, Inc.”] Keyboard Driver Filters: ------------------------ HKLM\System\CurrentControlSet\Control\Class{4D36E96B-E325-11CE-BFC1-08002BE10318}\ “UpperFilters” = “lmpc2” [“FSPro Labs”] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ LIDIL Language Monitor\Driver = “hpzll3xu.dll” [“Hewlett-Packard Company”] ---------- : Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 118 seconds. ---------- (total run time: 157 seconds)