userinit.exe and rundll32.exe problems

Discussion in 'Windows - Virus and spyware problems' started by lawyerjim, Jul 23, 2008.

  1. lawyerjim

    Windows XP on Sony Vaio PC

    This was my personal computer that I used with no problems. I bought a new one and gave this one to my teenager and he downloaded everything he could find until it's so screwed up that I want to throw it out the window. (him too)


    When I turn on the computer, I get a box that says "userinit.exe - Application Error" so I have to click OK to terminate it.

    Next, I have to press Ctrl+Alt+Del and then run explorer.exe.

    Then I get a box that says "rundll32.exe - Application Error" so I have to click on OK to terminate it.

    Even when I make it to the desktop, there are so many things that don't work: I can't change the wallpaper, screen resolution, or clock, or open "Add or Remove Programs". Each time I try to access one of those, I get the Rundll32 box again.

    Where do I start to get things going again without a complete reinstall? I don't want to do that unless I have to, because I have a lot of software on it for which I no longer have the disks.


    Thank you,

    Jim
     
  2. 2oldGeek

    Hello lawyerjim,

    My handle is 2oldGeek and I will help you to remove any infection(s) that you may have.

    I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

    If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

    Please do not start another thread or topic; I will assist you at this thread until we solve your problems.

    Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

    That said, all advice given by anyone volunteering here is taken at your own risk.
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen.



    The best way to attack this seemingly overwhelming problem is to take it One Byte at a time….

    First, I hope you have Safe mode. I believe that would be the best way to start because the malware will not start up in Safe Mode.
    If for some reason you cannot enter the Safe Mode, we may have to come up with an alternate plan.

    This may take you several tries, so it may be a good idea, if you can, to print out these instructions before starting.


    Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode with Networking".

    Now we will download 3 programs to start the cleaning process.

    Please download ATF Cleaner by Atribune & save it to your desktop.

    Next download SDFix and save it to your Desktop.

    Next please download Malwarebytes' Anti-Malware to your desktop.


    Double-click ATF-Cleaner.exe to run the program.
    • Under Main "Select Files to Delete" choose: Select All.
    • Click the Empty Selected button.
    • If you use Firefox browser click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
    • If you use Opera browser click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
    • Click Exit on the Main menu to close the program.


    Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    • Please post contents of that file in your next reply.



    Double click SDFix.exe and it will extract the files to the drive that contains the Windows Directory, typically C:\SDFix
    Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Please post contents of that file in your next reply.

    Reboot to Normal Mode:

    Hopefully, now you will be able to do some work in the normal mode….

    Make a HijackThis Log

    Let's get the latest version of HijackThis and rename it.
    Rename it? Yes, malware recognizes the name HijackThis and hides from it.

    Download and rename TrendMicro HijackThis.exe (HJT)

    • Double-click on HJTInstall.
    • Click on the Install button.
    • It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
    • Upon install, HijackThis should open for you.
    Close HijackThis and rename it.
    • Go to C:\Program Files\Trend Micro\HijackThis.exe
    • Right click on HijackThis.exe and select Rename.
    • Type in scanner.exe and press Enter.
    Right-click on scanner.exe and select Send To > Desktop (create shortcut)
    • From the desktop open Hijackthis. (aka scanner)
    • Click on the Do a system scan and save a log file button
    • Hijackthis will scan and then a log will open in notepad.
    Copy and then paste the entire contents of the log in your post.
    Do not have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

    Although we have renamed Hijackthis to scanner.exe, we will still refer to it as Hijackthis or HJT.


    Please post the HijackThis log, log-date.txt and Report.txt in your next reply.



    2oG

     
    Last edited: Jul 23, 2008
  3. lawyerjim

    Let me start by saying thank you for your help.

    I ran ATF and mbam in safe mode. When I try to run SDFix, I get two error messages:
    cmd.exe - application error
    find.exe - application error

    Here is the log file for mbam:
    **************

    Malwarebytes' Anti-Malware 1.22
    Database version: 984
    Windows 5.1.2600 Service Pack 2

    6:07:22 PM 7/23/2008
    mbam-log-7-23-2008 (18-07-22).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 200496
    Time elapsed: 1 hour(s), 56 minute(s), 29 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 157
    Registry Values Infected: 9
    Registry Data Items Infected: 0
    Folders Infected: 22
    Files Infected: 145

    C:\WINDOWS\system32\ejvakrhv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\vhrkavje.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\fgytrvhp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\phvrtygf.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\fhxkgnnq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\qnngkxhf.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ftcoojeh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\hejooctf.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ilrwmwso.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\oswmwrli.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\jqjpealv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\vlaepjqj.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\mdthxksj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\jskxhtdm.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\neenumpv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\vpmuneen.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\niugbjnb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\bnjbguin.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ntacqgwt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\twgqcatn.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\oolpgnry.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\yrngploo.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\opgwlkij.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\jiklwgpo.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ovrjmrfv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\vfrmjrvo.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\pvxoaxus.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\suxaoxvp.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\qacsalmc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\cmlascaq.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\qrbnvpln.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nlpvnbrq.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\rdpitxtw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\wtxtipdr.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\rmugobnx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\xnbogumr.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\sarbasdp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\pdsabras.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\spwoocwc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\cwcoowps.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ulefidnw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\wndifelu.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\uujbjnlj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\jlnjbjuu.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\vnscqmpr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\rpmqcsnv.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\vxcjeukw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\wkuejcxv.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\wjbwfqlx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\xlqfwbjw.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\yvuybjfg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\gfjbyuvy.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jim\Local Settings\Application Data\uaoaiym_navps.dat (Adware.Navipromo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jim\Local Settings\Application Data\uaoaiym_nav.dat (Adware.Navipromo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jim\Local Settings\Application Data\uaoaiym.dat (Adware.Navipromo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jim\Local Settings\Application Data\uaoaiym.exe (Adware.Navipromo) -> Quarantined and deleted successfully.
    C:\Program Files\Spcron\Spc.dll (Trojan.BHO) -> Quarantined and deleted successfully.
    C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    C:\Program Files\Zango\bin\10.3.65.0\CoreSrv.dll (Adware.Zango) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\3ESQPN6V\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\E8K0ZNY0\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0089109.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0089111.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0089112.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0089113.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0089117.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0089121.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0089122.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0089123.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0089125.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0089129.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0089131.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0089132.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0089135.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0089137.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0089140.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0089142.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0089143.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0089144.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0089145.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0089147.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0089148.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0089150.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0089152.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\alxbft.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\rxqyuyeq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\sdodxiov.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    D:\Program Files\keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Program Files\Zango\bin\10.3.65.0\arrow.ico (Adware.180Solutions) -> Quarantined and deleted successfully.
    C:\Program Files\Zango\bin\10.3.65.0\CntntCntr.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
    C:\Program Files\Zango\bin\10.3.65.0\copyright.txt (Adware.180Solutions) -> Quarantined and deleted successfully.
    C:\Program Files\Zango\bin\10.3.65.0\HostIE.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
    C:\Program Files\Zango\bin\10.3.65.0\HostOE.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
    C:\Program Files\Zango\bin\10.3.65.0\HostOL.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
    C:\Program Files\Zango\bin\10.3.65.0\link.ico (Adware.180Solutions) -> Quarantined and deleted successfully.
    C:\Program Files\Zango\bin\10.3.65.0\OEAddOn.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
    C:\Program Files\Zango\bin\10.3.65.0\Srv.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
    C:\Program Files\Zango\bin\10.3.65.0\Toolbar.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
    C:\Program Files\Zango\bin\10.3.65.0\Wallpaper.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
    C:\Program Files\Zango\bin\10.3.65.0\Weather.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
    C:\Program Files\Zango\bin\10.3.65.0\WeSkin.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
    C:\Program Files\Zango\bin\10.3.65.0\ZangoSA.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
    C:\Program Files\Zango\bin\10.3.65.0\ZangoSAAX.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
    C:\Program Files\Zango\bin\10.3.65.0\ZangoSADF.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
    C:\Program Files\Zango\bin\10.3.65.0\ZangoSAHook.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
    C:\Program Files\Zango\bin\10.3.65.0\ZangoUninstaller.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
    C:\Program Files\Zango\bin\10.3.65.0\firefox\extensions\chrome.manifest (Adware.180Solutions) -> Quarantined and deleted successfully.
    C:\Program Files\Zango\bin\10.3.65.0\firefox\extensions\install.rdf (Adware.180Solutions) -> Quarantined and deleted successfully.
    C:\Program Files\Zango\bin\10.3.65.0\firefox\extensions\components\npclntax.xpt (Adware.180Solutions) -> Quarantined and deleted successfully.
    C:\Program Files\Zango\bin\10.3.65.0\firefox\extensions\plugins\npclntax_ZangoSA.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
    C:\Program Files\ShoppingReport\Uninst.exe (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jim\Application Data\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jim\Application Data\ShoppingReport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jim\Application Data\ShoppingReport\cs\db\Sites.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jim\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jim\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jim\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jim\Application Data\ShoppingReport\cs\res1\WhiteList.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\ZangoSA\ZangoSA.dat (Adware.Zango) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\ZangoSA\ZangoSAAbout.mht (Adware.Zango) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\ZangoSA\ZangoSAau.dat (Adware.Zango) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\ZangoSA\ZangoSAEula.mht (Adware.Zango) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\ZangoSA\ZangoSA_kyf.dat (Adware.Zango) -> Quarantined and deleted successfully.
    C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\tpgxfcld.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\BM1faae334.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\BM1faae334.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
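In the Files Infected list above, the Trojan.Vundo entries in system32 come in pairs: a .dll whose name is eight random letters and an .ini whose name is the same eight letters reversed (amgkdrry.dll / yrrdkgma.ini, auiihlaa.dll / aalhiiua.ini, and so on down the list). That makes a cheap check a helper can run against a plain directory listing when a scanner has not caught every file. The Python below is an added example, not part of this thread and not Malwarebytes code; it parses a constructed sample of lines copied from the log, pairs mirrored names that sit in the same directory, and lists the DLLs that have no twin. The function names and the pairing rule are this example's own.

```python
"""Pair up Vundo-style mirrored .dll/.ini names in a Malwarebytes log.

Added example: not part of the thread above and not Malwarebytes code. The
sample lines are copied from the posted log; the pairing heuristic and the
function names are this example's own.
"""
from __future__ import annotations

import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: a handful of "Files Infected" lines from the log above.
SAMPLE_MBAM = """\
C:\\WINDOWS\\system32\\amgkdrry.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\yrrdkgma.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\auiihlaa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\aalhiiua.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\alxbft.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\\Program Files\\Spcron\\Spc.dll (Trojan.BHO) -> Quarantined and deleted successfully.
"""

# "<path> (<family>) -> <action>" as Malwarebytes writes it
MBAM_LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^)]+)\) -> ")


def parse_mbam_paths(log_text: str) -> list[str]:
    """Extract the file path from each detection line; skip headers and blanks."""
    paths = []
    for raw in log_text.splitlines():
        m = MBAM_LINE_RE.match(raw.strip())
        if m:
            paths.append(m.group("path"))
    return paths


def mirror_pairs(paths: list[str]) -> list[tuple[str, str]]:
    """Return (dll, ini) pairs in the same directory whose stems are reverses of each other.

    Works on any list of Windows paths (for example a directory listing of
    system32), not only on scanner output.
    """
    by_dir: dict[str, dict[str, str]] = defaultdict(dict)
    for p in paths:
        wp = PureWindowsPath(p)
        # Windows names are case-insensitive, so key on the lowercased form
        by_dir[str(wp.parent).lower()][wp.name.lower()] = p
    pairs = []
    for names in by_dir.values():
        for name, original in sorted(names.items()):
            stem, _, ext = name.rpartition(".")
            if ext != "dll":
                continue
            twin = stem[::-1] + ".ini"  # reversed stem, .ini extension
            if twin in names:
                pairs.append((original, names[twin]))
    return pairs


def unpaired_dlls(paths: list[str]) -> list[str]:
    """DLLs with no mirrored .ini: still worth a look, just not this variant's pattern."""
    paired = {dll for dll, _ in mirror_pairs(paths)}
    return [p for p in paths if p.lower().endswith(".dll") and p not in paired]


if __name__ == "__main__":
    found = parse_mbam_paths(SAMPLE_MBAM)
    for dll, ini in mirror_pairs(found):
        print(f"mirrored pair: {dll}  <->  {ini}")
    for p in unpaired_dlls(found):
        print(f"unpaired dll:  {p}")
```

Because `mirror_pairs` only needs path strings, the same function can be fed the output of `dir C:\WINDOWS\system32 /b` (each name joined to the directory) to look for pairs the scanner did not list.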
     
  4. lawyerjim

    lawyerjim Member

    And here is the Hijack log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:27:07 PM, on 7/23/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    D:\Nexon\Mabinogi\npkcmsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\Program Files\Trend Micro\HijackThis\scanner.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O1 - Hosts: 74.208.105.45 l2testauthd.lineage2.com
    O1 - Hosts: 74.208.105.45 l2authd.lineage2.com
    O1 - Hosts: 216.107.250.194 nprotect.lineage2.com
    O2 - BHO: (no name) - {060BB0AB-4B09-4C51-9ECB-9580A6D08D7F} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0C1E7C0C-731A-4D32-81DF-F8E543CC515E} - (no file)
    O2 - BHO: (no name) - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - (no file)
    O2 - BHO: (no name) - {13F537F0-AF09-11d6-9029-0002B31F9E59} - (no file)
    O2 - BHO: (no name) - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - (no file)
    O2 - BHO: (no name) - {1C3DBE98-0102-0DF8-571B-5200B6C28B9B} - (no file)
    O2 - BHO: (no name) - {2d8e5bfb-0cb4-4306-8b6e-f56d857332cf} - (no file)
    O2 - BHO: (no name) - {3101968F-6388-4AE3-B4F7-B032EBE84908} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {5A44119A-2FA0-40EF-9B95-45B751F0D203} - C:\WINDOWS\system32\efcDTNge.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {773275d5-4fc7-4b12-8f7f-62902bbdec32} - (no file)
    O2 - BHO: (no name) - {79513ED2-95DE-4C93-AD50-786C46F33F83} - C:\WINDOWS\system32\vtUmNgDW.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {8069CE89-0BE4-414F-A66A-07707E4EB50D} - (no file)
    O2 - BHO: (no name) - {87862E26-BDA0-4A78-B94C-86BCB9428A6F} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
    O2 - BHO: (no name) - {9afdf9ff-5fd3-4c1d-a131-8d521959562b} - (no file)
    O2 - BHO: (no name) - {A9AF6784-1235-408D-8927-657A64D804C9} - C:\WINDOWS\system32\xxyyyASI.dll (file missing)
    O2 - BHO: (no name) - {B77BD50E-9383-454E-B6AE-8CF6673A6E7A} - C:\WINDOWS\system32\ssqPijjh.dll (file missing)
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O2 - BHO: (no name) - {C5F573EC-F335-483B-99B8-8706BA1F8DA7} - (no file)
    O2 - BHO: (no name) - {c688407d-b4b8-44eb-8149-542854193db8} - (no file)
    O2 - BHO: (no name) - {cf35f031-b21a-4cf2-bb3e-4dcfa4c4625e} - (no file)
    O2 - BHO: (no name) - {F3C77DCA-FA4C-4941-8F9F-31D9228AFCD6} - (no file)
    O2 - BHO: (no name) - {F424072E-082C-4171-82E6-4F76711119D5} - (no file)
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
    O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
    O4 - HKLM\..\Run: [PVR Agent] C:\Program Files\KWorld Multimedia\PVR Plus\TVR\Scheduled.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [1c99d0a8] rundll32.exe "C:\WINDOWS\system32\euadficf.dll",b
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [BM1faae334] Rundll32.exe "C:\WINDOWS\system32\tpgxfcld.dll",s
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
    O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
    O4 - HKCU\..\Run: [Steam] "d:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Jim\Application Data\Microsoft\Windows\rayiou.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Search - ?p=ZCfox000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jim\Start Menu\Programs\IMVU\Run IMVU.lnk
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O15 - Trusted Zone: http://gunfighter.wildwestonline.com
    O15 - Trusted Zone: http://www.wildwestonline.com
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
    O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161833594468
    O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
    O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.com:88/renderer/mabiweb.2007.4.4.cab
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} -
    O20 - AppInit_DLLs: jyaywaxg.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: hGvTlJCR - hGvTlJCR.dll (file missing)
    O20 - Winlogon Notify: jkkKddcd - C:\WINDOWS\
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Maya 7 PLE Documentation Server (mple7docserver) - Unknown owner - D:\Maya\docs\wrapper.exe (file missing)
    O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - D:\Nexon\Mabinogi\npkcmsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    --
    End of file - 11025 bytes
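The HijackThis log above is the kind of artifact a helper reads by eye: BHO and Winlogon Notify entries that point at files which no longer exist, Run keys that launch rundll32 against an eight-letter DLL in system32 through a one-letter export, an AppInit_DLLs value (a DLL listed there is loaded into every process that maps user32.dll, which is why it rates highest below), HOSTS overrides, and sites added to the Trusted Zone. The Python below is an added example, not part of this thread and not HijackThis code; it applies those heuristics to a constructed sample made of lines copied from the posted log. The severity labels, the "eight lowercase letters" pattern and the function names are this example's own choices, and the random-name pattern is deliberately crude (legitimate eight-letter DLL names exist), so it only raises a medium finding on its own.

```python
"""Triage heuristics for a HijackThis (HJT) log.

Added example: not part of the thread above and not HijackThis code. The
sample below is built from lines copied out of the posted log; the
heuristics, severity labels and function names are this example's own.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the HJT log posted in the thread.
SAMPLE_LOG = """\
O1 - Hosts: 74.208.105.45 l2testauthd.lineage2.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {0C1E7C0C-731A-4D32-81DF-F8E543CC515E} - (no file)
O2 - BHO: (no name) - {5A44119A-2FA0-40EF-9B95-45B751F0D203} - C:\\WINDOWS\\system32\\efcDTNge.dll (file missing)
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [1c99d0a8] rundll32.exe "C:\\WINDOWS\\system32\\euadficf.dll",b
O4 - HKLM\\..\\Run: [BM1faae334] Rundll32.exe "C:\\WINDOWS\\system32\\tpgxfcld.dll",s
O4 - HKCU\\..\\Run: [SfKg6w] C:\\Documents and Settings\\Jim\\Application Data\\Microsoft\\Windows\\rayiou.exe
O15 - Trusted Zone: http://www.wildwestonline.com
O20 - AppInit_DLLs: jyaywaxg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
O20 - Winlogon Notify: hGvTlJCR - hGvTlJCR.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "review"
    section: str   # HJT section tag such as "O4"
    line: str
    reason: str


SECTION_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
# rundll32[.exe] ["]<dir>\<stem>.dll["],<export>
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?:[^",]*\\)?([^\\",]+)\.dll"?,(\w+)', re.I)
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")  # crude: eight lowercase letters, no digits
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")


def triage(log_text: str) -> list[Finding]:
    """Return the entries a helper would look at first, one finding per flagged line."""
    findings: list[Finding] = []

    def flag(sev: str, section: str, line: str, reason: str) -> None:
        findings.append(Finding(sev, section, line, reason))

    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        low = body.lower()

        # The registry still references a file that is gone: leftover of a removed
        # component. A dangling Winlogon Notify entry is the kind that breaks logon.
        if "(no file)" in low or "(file missing)" in low:
            flag("medium" if section == "O20" else "review", section, line,
                 "registration points at a missing file")
            continue

        if section == "O1":
            # Anything beyond the stock localhost mapping overrides name resolution.
            if not re.search(r"hosts:\s*127\.0\.0\.1\s+localhost\b", low):
                flag("review", section, line, "HOSTS entry overrides name resolution")
        elif section == "O4":
            rm = RUNDLL_RE.search(body)
            if rm:
                stem, export = rm.groups()
                if len(export) == 1:
                    flag("high", section, line,
                         f"rundll32 loads {stem}.dll through single-letter export '{export}'")
                elif RANDOM_STEM_RE.match(stem):
                    flag("medium", section, line, f"rundll32 loads random-looking {stem}.dll")
            elif any(marker in low for marker in USER_WRITABLE):
                flag("medium", section, line, "autorun target lives in a user-writable profile path")
        elif section == "O15":
            flag("review", section, line, "site added to the IE Trusted Zone")
        elif section == "O20" and low.startswith("appinit_dlls:"):
            value = body.split(":", 1)[1].strip()
            if value:
                flag("high", section, line,
                     f"AppInit_DLLs loads {value} into every process that maps user32.dll")
    return findings


def by_severity(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    order = ("high", "medium", "review")
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.section:3} {f.reason}\n         {f.line}")
```

Run against the sample it reports three high findings (the two rundll32 Run keys with one-letter exports and the AppInit_DLLs value), two medium (the dangling Winlogon Notify entry and the autorun in Application Data), and four items to review (the HOSTS override, two orphaned BHOs and the Trusted Zone site); the NVIDIA rundll32 entry and the avast! service pass untouched.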
     
  5. 2oldGeek

    2oldGeek Active member

    Lawyerjim,

Whooooo doggie… You got a junior Malware Collector on your hands. ;) lol

    That picked up a lot but there is work to be done.

    Were you able to run SUPERAntiSpyware? If SDFix will not work in the Safe mode, please just run it in Normal Mode, if you can.

I’ll be here all night so if you can, I can… :D

    2oG
     
  6. lawyerjim

    lawyerjim Member

I cannot get SDfix to run in normal mode either. I get boxes that pop up that say:

    cmd.exe - Application Error

    find.exe - Application Error

I am running SuperAntiSpyware right now and will let you know what it says.
     
    Last edited: Jul 23, 2008
  7. lawyerjim

    lawyerjim Member

SuperAntiSpyware removed 400 files.

    Now what?
     
    Last edited: Jul 24, 2008
  8. 2oldGeek

    2oldGeek Active member

    Please send me the SAS LOG file so I can see....
     
    Last edited: Jul 24, 2008
  9. lawyerjim

    lawyerjim Member

    Here is the SuperAntiSpyware log:


    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/23/2008 at 11:08 PM

    Application Version : 4.1.1046

    Core Rules Database Version : 3513
    Trace Rules Database Version: 1504

    Scan type : Complete Scan
    Total Scan Time : 04:05:29

    Memory items scanned : 350
    Memory threats detected : 1
    Registry items scanned : 6619
    Registry threats detected : 38
    File items scanned : 163860
    File threats detected : 356

    Trojan.Downloader-NewJuan/VM
    C:\WINDOWS\SYSTEM32\JYAYWAXG.DLL
    C:\WINDOWS\SYSTEM32\JYAYWAXG.DLL

    Adware.Vundo Variant
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{060BB0AB-4B09-4C51-9ECB-9580A6D08D7F}
    C:\WINDOWS\SYSTEM32\IDVNOIHL.DLL
    C:\WINDOWS\SYSTEM32\LIATVF.DLL
    C:\WINDOWS\SYSTEM32\RXMDFWAI.DLL
    C:\WINDOWS\SYSTEM32\UBASFS.DLL
    C:\WINDOWS\SYSTEM32\UMFOVQKO.DLL
    C:\WINDOWS\SYSTEM32\WNWUNRBH.DLL

    Adware.HotBar/ShopperReports (Low Risk)
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{100EB1FD-D03E-47FD-81F3-EE91287F9465}

    Trojan.Unclassified/TestCPV
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}

    Adware.Tracking Cookie

    Adware.Zango Toolbar/Hb
    HKCR\HbCoreSrv.DynamicProp
    HKCR\HbCoreSrv.DynamicProp\CLSID
    HKCR\HbCoreSrv.DynamicProp\CurVer
    HKCR\HbCoreSrv.DynamicProp.1
    HKCR\HbCoreSrv.DynamicProp.1\CLSID

    Adware.Zango/ShoppingReport
    HKCR\CntntCntr.CntntDic
    HKCR\CntntCntr.CntntDic\CLSID
    HKCR\CntntCntr.CntntDic\CurVer
    HKCR\CntntCntr.CntntDic.1
    HKCR\CntntCntr.CntntDic.1\CLSID
    HKCR\CntntCntr.CntntDisp
    HKCR\CntntCntr.CntntDisp\CLSID
    HKCR\CntntCntr.CntntDisp\CurVer
    HKCR\CntntCntr.CntntDisp.1
    HKCR\CntntCntr.CntntDisp.1\CLSID
    HKCR\WeatherDPA.WeatherController
    HKCR\WeatherDPA.WeatherController\CLSID
    HKCR\WeatherDPA.WeatherController\CurVer
    HKCR\WeatherDPA.WeatherController.1
    HKCR\WeatherDPA.WeatherController.1\CLSID
    HKCR\CLSID\{70880CE6-308C-4204-A89E-B266C3F7B7FA}
    HKCR\CLSID\{70880CE6-308C-4204-A89E-B266C3F7B7FA}\LocalServer32
    HKCR\CLSID\{70880CE6-308C-4204-A89E-B266C3F7B7FA}\ProgID
    HKCR\CLSID\{70880CE6-308C-4204-A89E-B266C3F7B7FA}\Programmable
    HKCR\CLSID\{70880CE6-308C-4204-A89E-B266C3F7B7FA}\TypeLib
    HKCR\CLSID\{70880CE6-308C-4204-A89E-B266C3F7B7FA}\VersionIndependentProgID
    HKCR\CLSID\{8C788AA2-7530-43BE-97B7-4D491F13BEA3}
    HKCR\CLSID\{8C788AA2-7530-43BE-97B7-4D491F13BEA3}\Implemented Categories
    HKCR\CLSID\{8C788AA2-7530-43BE-97B7-4D491F13BEA3}\Implemented Categories\{DF9D74B4-61F4-4815-ADC7-F9ABD5F065FD}
    HKCR\CLSID\{9473559B-50FC-4A8A-829B-E152E8D6A307}
    HKCR\CLSID\{9473559B-50FC-4A8A-829B-E152E8D6A307}\LocalServer32
    HKCR\CLSID\{9473559B-50FC-4A8A-829B-E152E8D6A307}\ProgID
    HKCR\CLSID\{9473559B-50FC-4A8A-829B-E152E8D6A307}\Programmable
    HKCR\CLSID\{9473559B-50FC-4A8A-829B-E152E8D6A307}\TypeLib
    HKCR\CLSID\{9473559B-50FC-4A8A-829B-E152E8D6A307}\VersionIndependentProgID
    C:\Documents and Settings\Jim\Application Data\WeatherDPA\Weather\WeatherDPA\Weather_XML
    C:\Documents and Settings\Jim\Application Data\WeatherDPA\Weather\WeatherDPA
    C:\Documents and Settings\Jim\Application Data\WeatherDPA\Weather\WeatherStartup.xml
    C:\Documents and Settings\Jim\Application Data\WeatherDPA\Weather
    C:\Documents and Settings\Jim\Application Data\WeatherDPA

    Adware.180solutions/Seekmo/Zango
    C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS\NPCLNTAX_ZANGOSA.DLL
    D:\SETUP(2).EXE
    D:\SETUP.EXE
    D:\ZANGO\BIN\10.3.65.0\CNTNTCNTR.DLL
    D:\ZANGO\BIN\10.3.65.0\FIREFOX\EXTENSIONS\PLUGINS\NPCLNTAX_ZANGOSA.DLL
    D:\ZANGO\BIN\10.3.65.0\HOSTIE.DLL
    D:\ZANGO\BIN\10.3.65.0\HOSTOE.DLL
    D:\ZANGO\BIN\10.3.65.0\HOSTOL.DLL
    D:\ZANGO\BIN\10.3.65.0\OEADDON.EXE
    D:\ZANGO\BIN\10.3.65.0\SRV.EXE
    D:\ZANGO\BIN\10.3.65.0\TOOLBAR.DLL
    D:\ZANGO\BIN\10.3.65.0\WEATHER.EXE
    D:\ZANGO\BIN\10.3.65.0\WESKIN.DLL
    D:\ZANGO\BIN\10.3.65.0\ZANGOSA.EXE
    D:\ZANGO\BIN\10.3.65.0\ZANGOSAAX.DLL
    D:\ZANGO\BIN\10.3.65.0\ZANGOSADF.EXE
    D:\ZANGO\BIN\10.3.65.0\ZANGOSAHOOK.DLL
    D:\ZANGO\BIN\10.3.65.0\ZANGOUNINSTALLER.EXE

    Trojan.Unknown Origin
    C:\WINDOWS\SYSTEM32\CGCBDKJN.DLL

    Trojan.Vundo-Variant/Small
    C:\WINDOWS\SYSTEM32\DNCXPV.DLL
    C:\WINDOWS\SYSTEM32\GNDGDP.DLL
    C:\WINDOWS\SYSTEM32\GQYLOS.DLL
    C:\WINDOWS\SYSTEM32\QGYADI.DLL
    C:\WINDOWS\SYSTEM32\QPWEVN.DLL
    C:\WINDOWS\SYSTEM32\QYPXUL.DLL
    C:\WINDOWS\SYSTEM32\TAUSAW.DLL
    C:\WINDOWS\SYSTEM32\UIURUV.DLL
    C:\WINDOWS\SYSTEM32\VGIPYT.DLL
    C:\WINDOWS\SYSTEM32\WDUYHE.DLL
    C:\WINDOWS\SYSTEM32\XADNFK.DLL

    Unclassified.Unknown Origin
    C:\WINDOWS\SYSTEM32\FWLWGSKF.DLL
    C:\WINDOWS\SYSTEM32\JZABBE.DLL

    Adware.Vundo Variant/Rel
    C:\WINDOWS\SYSTEM32\MCRH.TMP
     
  10. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Hey lawyerjim,

    I’ve been going over your Logs and there are still a few things that need to be done.
    I got confused about the SuperAntiSpyware thing. I was looking for a SDFix log and just got mixed up, my bad.. ; p

    So far you have deleted a huge amount of Adware and some Trojans.
    If you will help me by removing some of the trash left in the HJT log, it would really help me to analyze the situation a little more easily..

    Please do the following:

    Fix entries using HiJackThis

    Launch HiJackThis
    Click the Do a system scan only button
    Put a check next to the entries listed below (if they still remain)

    O2 - BHO: (no name) - {060BB0AB-4B09-4C51-9ECB-9580A6D08D7F} - (no file)
    O2 - BHO: (no name) - {0C1E7C0C-731A-4D32-81DF-F8E543CC515E} - (no file)
    O2 - BHO: (no name) - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - (no file)
    O2 - BHO: (no name) - {13F537F0-AF09-11d6-9029-0002B31F9E59} - (no file)
    O2 - BHO: (no name) - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - (no file)
    O2 - BHO: (no name) - {1C3DBE98-0102-0DF8-571B-5200B6C28B9B} - (no file)
    O2 - BHO: (no name) - {2d8e5bfb-0cb4-4306-8b6e-f56d857332cf} - (no file)
    O2 - BHO: (no name) - {3101968F-6388-4AE3-B4F7-B032EBE84908} - (no file)
    O2 - BHO: (no name) - {5A44119A-2FA0-40EF-9B95-45B751F0D203} - C:\WINDOWS\system32\efcDTNge.dll (file missing)
    O2 - BHO: (no name) - {773275d5-4fc7-4b12-8f7f-62902bbdec32} - (no file)
    O2 - BHO: (no name) - {79513ED2-95DE-4C93-AD50-786C46F33F83} - C:\WINDOWS\system32\vtUmNgDW.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {8069CE89-0BE4-414F-A66A-07707E4EB50D} - (no file)
    O2 - BHO: (no name) - {87862E26-BDA0-4A78-B94C-86BCB9428A6F} - (no file)
    O2 - BHO: (no name) - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
    O2 - BHO: (no name) - {9afdf9ff-5fd3-4c1d-a131-8d521959562b} - (no file)
    O2 - BHO: (no name) - {A9AF6784-1235-408D-8927-657A64D804C9} - C:\WINDOWS\system32\xxyyyASI.dll (file missing)
    O2 - BHO: (no name) - {B77BD50E-9383-454E-B6AE-8CF6673A6E7A} - C:\WINDOWS\system32\ssqPijjh.dll (file missing)
    O2 - BHO: (no name) - {C5F573EC-F335-483B-99B8-8706BA1F8DA7} - (no file)
    O2 - BHO: (no name) - {c688407d-b4b8-44eb-8149-542854193db8} - (no file)
    O2 - BHO: (no name) - {cf35f031-b21a-4cf2-bb3e-4dcfa4c4625e} - (no file)
    O2 - BHO: (no name) - {F3C77DCA-FA4C-4941-8F9F-31D9228AFCD6} - (no file)
    O2 - BHO: (no name) - {F424072E-082C-4171-82E6-4F76711119D5} - (no file)
    O20 - Winlogon Notify: hGvTlJCR - hGvTlJCR.dll (file missing)


    IMPORTANT: Do NOT click Fix until you exit all browser sessions, including the one you are reading in right now.
    Click the "Fix checked" button and close HijackThis.


    Please Post back with a fresh HijackThis Log and we’ll take it from there.


    Lawyerjim, I will be working Thurs, Fri and Sat. I usually put in 40 to 45 hours in 3 days so, after tonight, I may not be able to do much until Sunday evening.. But, I’ll be back…. ; )

    Thanks,
    2oG
     
    Last edited: Jul 24, 2008
  11. lawyerjim

    lawyerjim Member

    I completely understand your time constraints and appreciate your help.

    Here is the new Hijack This log:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:20:55 AM, on 7/24/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    D:\Nexon\Mabinogi\npkcmsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Trend Micro\HijackThis\scanner.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O1 - Hosts: 74.208.105.45 l2testauthd.lineage2.com
    O1 - Hosts: 74.208.105.45 l2authd.lineage2.com
    O1 - Hosts: 216.107.250.194 nprotect.lineage2.com
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
    O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
    O4 - HKLM\..\Run: [PVR Agent] C:\Program Files\KWorld Multimedia\PVR Plus\TVR\Scheduled.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [1c99d0a8] rundll32.exe "C:\WINDOWS\system32\euadficf.dll",b
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [BM1faae334] Rundll32.exe "C:\WINDOWS\system32\tpgxfcld.dll",s
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
    O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
    O4 - HKCU\..\Run: [Steam] "d:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Jim\Application Data\Microsoft\Windows\rayiou.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Search - ?p=ZCfox000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jim\Start Menu\Programs\IMVU\Run IMVU.lnk
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O15 - Trusted Zone: http://gunfighter.wildwestonline.com
    O15 - Trusted Zone: http://www.wildwestonline.com
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
    O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161833594468
    O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
    O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.com:88/renderer/mabiweb.2007.4.4.cab
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} -
    O20 - AppInit_DLLs: jyaywaxg.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: jkkKddcd - C:\WINDOWS\
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Maya 7 PLE Documentation Server (mple7docserver) - Unknown owner - D:\Maya\docs\wrapper.exe (file missing)
    O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - D:\Nexon\Mabinogi\npkcmsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    --
    End of file - 8961 bytes
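Added example, not code from this thread or from HijackThis itself: a small Python triage of HJT v2 log lines that applies the same kinds of checks 2oldGeek made by eye on the fresh log above and on the "Fix checked" list from post 10. The sample lines are a constructed subset copied from those two posts; the heuristics, names and thresholds are the editor's assumptions, and a hit is a review hint rather than proof of infection.

```python
"""Triage of HijackThis v2 log lines like the ones posted in this thread.

Editor's example, not HijackThis's or the helper's own logic.  The checks
mirror what was flagged by eye in the thread: orphaned O2 BHOs, O4 Run
entries with machine-generated key names or binaries under a user profile,
O20 AppInit_DLLs and Winlogon Notify stubs, Hosts overrides, Trusted Zone
additions and unknown Winsock LSPs."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    section: str  # HJT section tag, e.g. "O4"
    reason: str   # why the line deserves a look
    line: str     # the original log line, trimmed


LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# "O4 - HKLM\..\Run: [KeyName] command line"
RUN_RE = re.compile(r"Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
# Run keys the Vundo family used in this log are letters and digits with no
# spaces ("1c99d0a8", "BM1faae334", "SfKg6w"); the vendor keys carry no digits.
# Assumed heuristic, tuned to this log only.
RANDOM_KEY_RE = re.compile(r"^(?=.*\d)[A-Za-z0-9]+$")
USER_APPDATA_RE = re.compile(r"Documents and Settings\\[^\\]+\\Application Data", re.I)


def triage_line(line):
    """Return a Finding for a suspicious HJT line, or None for lines left alone."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec == "O1":
        return Finding(sec, "Hosts file override redirects a host name", line)
    if sec == "O2" and ("(no file)" in body or "(file missing)" in body):
        return Finding(sec, "orphaned BHO (CLSID with no backing file)", line)
    if sec == "O4":
        r = RUN_RE.search(body)
        if r:
            key, cmd = r.group("key"), r.group("cmd")
            if USER_APPDATA_RE.search(cmd):
                return Finding(sec, "autostart binary lives in a user's Application Data", line)
            if RANDOM_KEY_RE.match(key):
                return Finding(sec, f"Run key {key!r} looks machine-generated", line)
    if sec == "O10" and "Unknown file" in body:
        return Finding(sec, "unrecognised Winsock LSP (verify before removing)", line)
    if sec == "O15":
        return Finding(sec, "site added to the IE Trusted Zone", line)
    if sec == "O20":
        if body.startswith("AppInit_DLLs:"):
            return Finding(sec, "AppInit_DLLs loads this DLL into every user32 process", line)
        if body.startswith("Winlogon Notify:") and not body.lower().endswith(".dll"):
            return Finding(sec, "Winlogon Notify entry with no real DLL behind it", line)
    return None


def triage_log(text):
    """All findings for a whole log, in log order."""
    return [f for f in map(triage_line, text.splitlines()) if f is not None]


def still_present(fix_list, text):
    """Entries from an earlier 'Fix checked' list that a fresh log still contains."""
    present = {l.strip() for l in text.splitlines()}
    return [entry for entry in fix_list if entry.strip() in present]


# Constructed subset of the fresh log in post 11; benign lines included on purpose.
SAMPLE_LOG_LINES = [
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157",
    r"O1 - Hosts: 216.107.250.194 nprotect.lineage2.com",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit",
    r'O4 - HKLM\..\Run: [1c99d0a8] rundll32.exe "C:\WINDOWS\system32\euadficf.dll",b',
    r'O4 - HKLM\..\Run: [BM1faae334] Rundll32.exe "C:\WINDOWS\system32\tpgxfcld.dll",s',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Jim\Application Data\Microsoft\Windows\rayiou.exe",
    r"O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll",
    r"O15 - Trusted Zone: http://www.wildwestonline.com",
    r"O20 - AppInit_DLLs: jyaywaxg.dll",
    r"O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll",
    "O20 - Winlogon Notify: jkkKddcd - C:\\WINDOWS\\",  # trailing backslash, so not a raw string
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
]
SAMPLE_LOG = "\n".join(SAMPLE_LOG_LINES)

# Two of the entries the helper asked to fix in post 10 (constructed subset).
FIX_LIST = [
    r"O2 - BHO: (no name) - {5A44119A-2FA0-40EF-9B95-45B751F0D203} - C:\WINDOWS\system32\efcDTNge.dll (file missing)",
    r"O20 - Winlogon Notify: hGvTlJCR - hGvTlJCR.dll (file missing)",
]

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
    print("fix-list entries still present:", still_present(FIX_LIST, SAMPLE_LOG))
```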
     
  12. 2oldGeek

    2oldGeek Active member

    Hey lawyerjim, good work….

    It’s starting to shape up….. Little by little. ; p

    The 2 files you mentioned that you were getting errors from:

    cmd.exe and find.exe are processes associated with the Microsoft Windows operating system from Microsoft Corporation and are not readily available for download on the internet..

    I still haven’t got an answer but I’m working on it..

    Do you have an XP disk or a recovery disk with XP system files on it????
    If you have an XP disk we can get those files off it to replace the damaged ones.
    That is, damaged or placed there by one of the Trojans……

    The Vundo Trojan is the one that worries me because it can dig in so deep..

    Let’s dig it out……..

    Please turn off your Avast Antivirus while doing the next instructions.. It can interfere..

    I don’t see a Firewall except maybe windows, but we’ll deal with that later..


    Download ComboFix from Here to your Desktop.
    Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist.




    Again, a fresh HijackThis Log and the Combofix log in the next post, please.


    We’ll get there……….
    2oG
     
    Last edited: Jul 24, 2008
  13. lawyerjim

    lawyerjim Member

    Here is the ComboFix Log:

    ComboFix 08-07-23.5 - Jim 2008-07-24 11:00:50.1 - NTFSx86
    Running from: C:\Documents and Settings\Jim\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Jim\Application Data\.#
    C:\Documents and Settings\Jim\My Documents\SSEMBL~1
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\CPV.stt
    C:\WINDOWS\Downloaded Program Files\setup.inf
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\agmpjpkj.ini
    C:\WINDOWS\system32\avrgbopc.dll
    C:\WINDOWS\system32\bgiirgsr.ini
    C:\WINDOWS\system32\bmiuehpo.ini
    C:\WINDOWS\system32\bpusustv.dll
    C:\WINDOWS\system32\byajreyg.dll
    C:\WINDOWS\system32\crgfjybh.ini
    C:\WINDOWS\system32\daurwlau.dll
    C:\WINDOWS\system32\defhvfvo.dll
    C:\WINDOWS\system32\didulgcw.ini
    C:\WINDOWS\system32\egNTDcfe.ini
    C:\WINDOWS\system32\egNTDcfe.ini2
    C:\WINDOWS\system32\esfgoghs.dll
    C:\WINDOWS\system32\etliowil.dll
    C:\WINDOWS\system32\faleiddm.dll
    C:\WINDOWS\system32\fcifdaue.ini
    C:\WINDOWS\system32\gfjuhwhr.ini
    C:\WINDOWS\system32\gixgjkum.dll
    C:\WINDOWS\system32\hhjsoked.ini
    C:\WINDOWS\system32\hjjiPqss.ini
    C:\WINDOWS\system32\hjjiPqss.ini2
    C:\WINDOWS\system32\hpfobtlr.ini
    C:\WINDOWS\system32\hpqyicew.dll
    C:\WINDOWS\system32\hrroewas.dll
    C:\WINDOWS\system32\hyuaykbp.dll
    C:\WINDOWS\system32\ifsgludt.ini
    C:\WINDOWS\system32\ISAyyyxx.ini
    C:\WINDOWS\system32\ISAyyyxx.ini2
    C:\WINDOWS\system32\jwfxjksq.ini
    C:\WINDOWS\system32\jyaywaxg.dll
    C:\WINDOWS\system32\kbdgcbio.ini
    C:\WINDOWS\system32\ktjigspo.ini
    C:\WINDOWS\system32\ktuxxtix.ini
    C:\WINDOWS\system32\laoagnkf.ini
    C:\WINDOWS\system32\ljepammm.dll
    C:\WINDOWS\system32\lnqcicdj.dll
    C:\WINDOWS\system32\louxxref.ini
    C:\WINDOWS\system32\lubjbabw.dll
    C:\WINDOWS\system32\mpkljuhk.dll
    C:\WINDOWS\system32\mypbduje.dll
    C:\WINDOWS\system32\nefivtfp.dll
    C:\WINDOWS\system32\nibckxnj.dll
    C:\WINDOWS\system32\ohbhulso.dll
    C:\WINDOWS\system32\oirwehul.dll
    C:\WINDOWS\system32\pblgueny.ini
    C:\WINDOWS\system32\pdqnddqv.dll
    C:\WINDOWS\system32\pnoaqnrh.dll
    C:\WINDOWS\system32\pqupyrqj.ini
    C:\WINDOWS\system32\psqtasit.dll
    C:\WINDOWS\system32\qalpnxgh.dll
    C:\WINDOWS\system32\qfofyyfp.dll
    C:\WINDOWS\system32\qmilur.dll
    C:\WINDOWS\system32\qslgufac.ini
    C:\WINDOWS\system32\rjxxcmel.dll
    C:\WINDOWS\system32\rsfogosq.ini
    C:\WINDOWS\system32\sgwydc.dll
    C:\WINDOWS\system32\slqvfntt.dll
    C:\WINDOWS\system32\snniwlfp.ini
    C:\WINDOWS\system32\sswsstqd.ini
    C:\WINDOWS\system32\tmqcyggu.ini
    C:\WINDOWS\system32\uijeug.dll
    C:\WINDOWS\system32\ujeadinp.ini
    C:\WINDOWS\system32\uvmktqda.ini
    C:\WINDOWS\system32\vajyntpp.dll
    C:\WINDOWS\system32\vkorxdbj.ini
    C:\WINDOWS\system32\vloqfx.dll
    C:\WINDOWS\system32\vmcvuadw.ini
    C:\WINDOWS\system32\vodtwpun.ini
    C:\WINDOWS\system32\vteixfqx.ini
    C:\WINDOWS\system32\WDgNmUtv.ini
    C:\WINDOWS\system32\WDgNmUtv.ini2
    C:\WINDOWS\system32\wtnapobw.dll
    C:\WINDOWS\system32\wwgkufhf.dll
    C:\WINDOWS\system32\xeurhafe.ini
    C:\WINDOWS\system32\xkmroqif.ini
    C:\WINDOWS\system32\xlhpurng.dll
    C:\WINDOWS\system32\xsgnylwl.dll
    C:\WINDOWS\system32\yinradbq.dll
    C:\WINDOWS\system32\ymfjgjuv.dll
    C:\WINDOWS\system32\ymvllgjn.ini
    C:\WINDOWS\system32\ytigrpax.ini
    C:\WINDOWS\system32\yynrranc.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-06-24 to 2008-07-24 )))))))))))))))))))))))))))))))
    .

    2008-07-23 18:15 . 2008-07-23 18:15 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-23 18:08 . 2008-07-20 14:37 <DIR> d-------- C:\SDFix
    2008-07-23 16:07 . 2008-07-23 16:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-23 16:07 . 2008-07-23 16:07 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\Malwarebytes
    2008-07-23 16:07 . 2008-07-23 16:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-23 16:07 . 2008-07-20 20:21 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-07-23 16:07 . 2008-07-20 20:21 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-07-23 15:48 . 2004-08-04 02:56 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
    2008-07-23 15:48 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
    2008-07-23 15:48 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
    2008-07-23 15:48 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
    2008-07-23 15:48 . 2004-08-04 00:29 19,455 --a--c--- C:\WINDOWS\system32\dllcache\wvchntxx.sys
    2008-07-23 15:48 . 2001-08-17 22:36 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
    2008-07-23 15:48 . 2001-08-17 12:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
    2008-07-23 15:48 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
    2008-07-23 15:47 . 2004-08-04 00:29 12,063 --a--c--- C:\WINDOWS\system32\dllcache\wsiintxx.sys
    2008-07-23 15:47 . 2004-08-04 02:56 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
    2008-07-23 15:46 . 2001-08-17 13:28 771,581 --a--c--- C:\WINDOWS\system32\dllcache\winacisa.sys
    2008-07-23 15:46 . 2002-08-29 00:59 154,624 --a--c--- C:\WINDOWS\system32\dllcache\wlluc48.sys
    2008-07-23 15:46 . 2001-08-17 22:36 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
    2008-07-23 15:46 . 2001-08-17 22:36 53,760 --a--c--- C:\WINDOWS\system32\dllcache\wiamsmud.dll
    2008-07-23 15:46 . 2002-08-29 05:00 41,600 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.dll
    2008-07-23 15:46 . 2001-08-17 12:12 34,890 --a--c--- C:\WINDOWS\system32\dllcache\wlandrv2.sys
    2008-07-23 15:46 . 2002-08-29 05:00 31,232 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.sys
    2008-07-23 15:46 . 2004-08-04 01:07 8,832 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys
    2008-07-23 15:44 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
    2008-07-23 15:43 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
    2008-07-23 15:41 . 2001-08-17 14:56 147,200 --a--c--- C:\WINDOWS\system32\dllcache\smidispb.dll
    2008-07-23 15:40 . 2001-08-17 22:36 386,560 --a--c--- C:\WINDOWS\system32\dllcache\sgiul50.dll
    2008-07-23 15:39 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
    2008-07-23 15:38 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
    2008-07-23 15:37 . 2001-08-17 14:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
    2008-07-23 15:36 . 2001-08-17 12:50 198,144 --a--c--- C:\WINDOWS\system32\dllcache\nv3.sys
    2008-07-23 15:36 . 2001-08-17 22:36 123,776 --a--c--- C:\WINDOWS\system32\dllcache\nv3.dll
    2008-07-23 15:36 . 2001-08-17 12:20 54,528 --a--c--- C:\WINDOWS\system32\dllcache\opl3sax.sys
    2008-07-23 15:36 . 2001-08-17 12:49 51,552 --a--c--- C:\WINDOWS\system32\dllcache\ntgrip.sys
    2008-07-23 15:36 . 2001-08-17 22:36 38,912 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_ntfsdrv.dll
    2008-07-23 15:36 . 2004-08-04 01:00 28,672 --a--c--- C:\WINDOWS\system32\dllcache\nscirda.sys
    2008-07-23 15:36 . 2001-08-17 13:47 9,344 --a--c--- C:\WINDOWS\system32\dllcache\ntapm.sys
    2008-07-23 15:36 . 2001-08-17 13:53 7,552 --a--c--- C:\WINDOWS\system32\dllcache\nsmmc.sys
    2008-07-23 15:33 . 2004-08-04 01:09 49,024 --a--c--- C:\WINDOWS\system32\dllcache\mstape.sys
    2008-07-23 15:33 . 2004-08-04 01:00 22,016 --a--c--- C:\WINDOWS\system32\dllcache\msircomm.sys
    2008-07-23 15:33 . 2001-08-17 13:48 12,416 --a--c--- C:\WINDOWS\system32\dllcache\msriffwv.sys
    2008-07-23 15:33 . 2001-08-17 14:00 2,944 --a--c--- C:\WINDOWS\system32\dllcache\msmpu401.sys
    2008-07-23 15:32 . 2001-08-17 14:02 35,200 --a--c--- C:\WINDOWS\system32\dllcache\msgame.sys
    2008-07-23 15:32 . 2001-08-17 13:52 17,280 --a--c--- C:\WINDOWS\system32\dllcache\mraid35x.sys
    2008-07-23 15:32 . 2001-08-17 13:57 16,128 --a--c--- C:\WINDOWS\system32\dllcache\modemcsa.sys
    2008-07-23 15:32 . 2001-08-17 13:48 6,016 --a--c--- C:\WINDOWS\system32\dllcache\msfsio.sys
    2008-07-23 15:30 . 2001-08-17 22:36 242,176 --a--c--- C:\WINDOWS\system32\dllcache\kdsusd.dll
    2008-07-23 15:29 . 2004-08-04 02:56 152,576 --a--c--- C:\WINDOWS\system32\dllcache\irftp.exe
    2008-07-23 15:29 . 2001-08-17 22:36 90,200 --a--c--- C:\WINDOWS\system32\dllcache\io8ports.dll
    2008-07-23 15:29 . 2004-08-04 01:00 87,424 --a--c--- C:\WINDOWS\system32\dllcache\irda.sys
    2008-07-23 15:29 . 2001-08-17 12:12 45,632 --a--c--- C:\WINDOWS\system32\dllcache\ip5515.sys
    2008-07-23 15:29 . 2001-08-17 13:50 38,784 --a--c--- C:\WINDOWS\system32\dllcache\io8.sys
    2008-07-23 15:29 . 2001-08-17 13:52 16,000 --a--c--- C:\WINDOWS\system32\dllcache\ini910u.sys
    2008-07-23 15:29 . 2001-08-17 13:47 13,056 --a--c--- C:\WINDOWS\system32\dllcache\inport.sys
    2008-07-23 15:29 . 2004-08-04 00:59 5,504 --a--c--- C:\WINDOWS\system32\dllcache\intelide.sys
    2008-07-23 15:27 . 2001-08-17 13:28 542,879 --a--c--- C:\WINDOWS\system32\dllcache\hsf_msft.sys
    2008-07-23 15:26 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
    2008-07-23 15:25 . 2001-08-17 12:15 455,680 --a--c--- C:\WINDOWS\system32\dllcache\fus2base.sys
    2008-07-23 15:24 . 2001-08-17 13:28 634,134 --a--c--- C:\WINDOWS\system32\dllcache\el656ct5.sys
    2008-07-23 15:23 . 2002-08-29 05:00 514,587 --a--c--- C:\WINDOWS\system32\dllcache\edb500.dll
    2008-07-23 15:22 . 2001-08-17 12:12 117,760 --a--c--- C:\WINDOWS\system32\dllcache\e100b325.sys
    2008-07-23 15:22 . 2001-08-17 12:12 50,719 --a--c--- C:\WINDOWS\system32\dllcache\e1000nt5.sys
    2008-07-23 15:22 . 2001-08-17 12:12 19,594 --a--c--- C:\WINDOWS\system32\dllcache\e100isa4.sys
    2008-07-23 15:20 . 2001-08-17 22:36 419,357 --a--c--- C:\WINDOWS\system32\dllcache\dgconfig.dll
    2008-07-23 15:19 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
    2008-07-23 15:18 . 2001-08-17 13:28 714,698 --a--c--- C:\WINDOWS\system32\dllcache\cbmdmkxx.sys
    2008-07-23 15:11 . 2002-08-29 05:00 66,594 --a--c--- C:\WINDOWS\system32\dllcache\c_864.nls
    2008-07-23 15:11 . 2002-08-29 05:00 66,594 --a--c--- C:\WINDOWS\system32\dllcache\c_862.nls
    2008-07-23 15:11 . 2002-08-29 05:00 66,594 --a--c--- C:\WINDOWS\system32\dllcache\c_858.nls
    2008-07-23 15:11 . 2002-08-29 05:00 66,594 --a--c--- C:\WINDOWS\system32\dllcache\c_720.nls
    2008-07-23 15:11 . 2002-08-29 05:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_870.nls
    2008-07-23 15:11 . 2002-08-29 05:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_708.nls
    2008-07-23 15:11 . 2002-08-29 05:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_28596.nls
    2008-07-23 15:11 . 2002-08-29 05:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_21025.nls
    2008-07-23 15:11 . 2002-08-29 05:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_20924.nls
    2008-07-23 15:11 . 2002-08-29 05:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_20880.nls
    2008-07-23 15:11 . 2002-08-29 05:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_20871.nls
    2008-07-23 15:09 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
    2008-07-23 15:08 . 2001-08-17 14:55 382,592 --a--c--- C:\WINDOWS\system32\dllcache\atidrab.dll
    2008-07-23 15:07 . 2001-08-17 14:07 56,960 --a--c--- C:\WINDOWS\system32\dllcache\aic78xx.sys
    2008-07-23 15:07 . 2001-08-17 14:07 55,168 --a--c--- C:\WINDOWS\system32\dllcache\aic78u2.sys
    2008-07-23 15:07 . 2001-08-17 12:11 27,678 --a--c--- C:\WINDOWS\system32\dllcache\ali5261.sys
    2008-07-23 15:07 . 2001-08-17 13:49 26,624 --a--c--- C:\WINDOWS\system32\dllcache\alifir.sys
    2008-07-23 15:07 . 2001-08-17 22:37 24,576 --a--c--- C:\WINDOWS\system32\dllcache\agcgauge.ax
    2008-07-23 15:07 . 2002-08-29 05:00 19,456 --a--c--- C:\WINDOWS\system32\dllcache\agt040d.dll
    2008-07-23 15:07 . 2002-08-29 05:00 19,456 --a--c--- C:\WINDOWS\system32\dllcache\agt0401.dll
    2008-07-23 15:07 . 2001-08-17 13:52 12,800 --a--c--- C:\WINDOWS\system32\dllcache\aha154x.sys
    2008-07-23 15:07 . 2001-08-17 22:36 5,632 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_adsiisex.dll
    2008-07-23 14:50 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
    2008-07-23 11:17 . 2008-07-23 11:17 <DIR> d-------- C:\Program Files\Alwil Software
    2008-07-23 00:09 . 2002-04-24 17:35 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
    2008-07-23 00:09 . 2002-04-25 14:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sony Corporation
    2008-07-23 00:09 . 2002-04-25 15:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
    2008-07-23 00:09 . 2008-07-23 00:09 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-07-20 21:16 . 2008-05-30 14:11 3,850,760 --a------ C:\WINDOWS\system32\D3DX9_38.dll
    2008-07-20 21:16 . 2008-05-30 14:11 1,491,992 --a------ C:\WINDOWS\system32\D3DCompiler_38.dll
    2008-07-20 21:16 . 2008-05-30 14:19 507,400 --a------ C:\WINDOWS\system32\XAudio2_1.dll
    2008-07-20 21:16 . 2008-05-30 14:11 467,984 --a------ C:\WINDOWS\system32\d3dx10_38.dll
    2008-07-20 21:16 . 2008-05-30 14:18 238,088 --a------ C:\WINDOWS\system32\xactengine3_1.dll
    2008-07-20 21:16 . 2008-05-30 14:17 65,032 --a------ C:\WINDOWS\system32\XAPOFX1_0.dll
    2008-07-20 21:16 . 2008-05-30 14:17 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_4.dll
    2008-07-20 21:14 . 2008-07-20 21:14 <DIR> d-------- C:\WINDOWS\Logs
    2008-07-07 09:57 . 2008-07-07 09:57 1,273,375 --a------ C:\WINDOWS\WotLK-FF-enGB-downloader.exe
    2008-07-07 09:57 . 2008-07-07 09:57 271,452 --a------ C:\WINDOWS\lulz.exe
    2008-07-03 10:46 . 2008-07-03 10:46 <DIR> d-------- C:\Documents and Settings\Jim\.jnlp-applet

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-23 18:05 --------- d-----w C:\Program Files\Shareaza
    2008-07-23 18:05 --------- d-----w C:\Documents and Settings\Jim\Application Data\Shareaza
    2008-07-23 17:51 --------- d-----w C:\Program Files\Windows Live
    2008-07-23 04:25 --------- d-----w C:\Documents and Settings\Jim\Application Data\Canon
    2008-06-05 03:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA
    2008-06-03 02:49 --------- d-----w C:\Program Files\Common Files\Adobe AIR
    2008-05-25 18:57 --------- d-----w C:\Program Files\SUPERAntiSpyware
    2008-05-25 06:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-05-25 06:03 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-02-15 03:40 32 -c--a-r C:\Documents and Settings\All Users\hash.dat
    2006-02-09 02:35 119 -c--a-w C:\Documents and Settings\Jim\fixreg.reg
    2005-05-14 00:12 217,073 -csha-r C:\WINDOWS\meta4.exe
    2005-10-24 18:13 66,560 -csha-r C:\WINDOWS\MOTA113.exe
    2005-07-14 19:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
    2005-06-26 22:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
    2005-06-22 05:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
    2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
    2004-01-25 07:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
    2007-02-21 10:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
    2005-02-28 20:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
    2004-01-25 07:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NBJ"="C:\Program Files\Ahead\Nero BackItUp\nbj.exe" [2005-10-11 18:25 1961984]
    "Steam"="d:\program files\steam\steam.exe" [2008-07-18 08:16 1271032]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
    "msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
    "DVDTray"="C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 01:58 65536]
    "OneTouch Monitor"="C:\Program Files\Visioneer OneTouch\OneTouchMon.exe" [2002-10-10 09:19 90112]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 17:22 7618560]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-06-01 17:22 86016]
    "AGRSMMSG"="AGRSMMSG.exe" [2003-02-14 11:59 88107 C:\WINDOWS\AGRSMMSG.exe]
    "nwiz"="nwiz.exe" [2006-06-01 17:22 1519616 C:\WINDOWS\system32\nwiz.exe]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-25 11:57 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=jyaywaxg.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.I420"= i420vfw.dll
    "VIDC.MJPG"= sonymjpg.dll
    "vidc.ffds"= ffdshow.ax
    "vidc.yv12"= yv12vfw.dll
    "VIDC.XFR1"= xfcodec.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\WINDOWS\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "C:\\StubInstaller.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "D:\\Program Files\\BYOND\\bin\\byond.exe"=
    "D:\\Xfire\\xfire.exe"=
    "D:\\Program Files\\BYOND\\bin\\dreamseeker.exe"=
    "D:\\mwodownloader.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009
    "9420:TCP"= 9420:TCP:RSP
    "9756:TCP"= 9756:TCP:BitCometLite 9756 TCP
    "9756:UDP"= 9756:UDP:BitCometLite 9756 UDP

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-07-24 16:15:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-07-24 18:14:43 C:\WINDOWS\Tasks\Symantec NetDetect.job"
    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Mail.com - C:\Program Files\mail.com\mcalert.exe
    HKLM-Run-SiS KHooker - C:\WINDOWS\System32\khooker.exe
    HKLM-Run-CleanupProgram - C:\Sonysys\cleanup.exe
    HKLM-Run-BJCFD - C:\Program Files\BroadJump\Client Foundation\CFD.exe
    HKLM-Run-PVR Agent - C:\Program Files\KWorld Multimedia\PVR Plus\TVR\Scheduled.exe
    HKLM-Run-1c99d0a8 - C:\WINDOWS\system32\euadficf.dll
    HKLM-Run-BM1faae334 - C:\WINDOWS\system32\tpgxfcld.dll
    HKLM-Run-SiS Tray - (no file)
    HKLM-Run-windows auto update - (no file)
    Notify-jkkKddcd - (no file)


    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    R0 -: HKLM-Main,Search Bar =
    O8 -: &Search - ?p=ZCfox000
    O9 -: {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jim\Start Menu\Programs\IMVU\Run IMVU.lnk

    O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
    C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

    O16 -: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - hxxp://avatar.mabinogi.com:88/renderer/mabiweb.2007.4.4.cab
    C:\WINDOWS\Downloaded Program Files\mabiweb.inf
    C:\WINDOWS\Downloaded Program Files\mabiwebframe.dll


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-24 11:14:17
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    "ImagePath"="\??\C:\Documents and Settings\Jim\Desktop\BotsHack-
    [www.jadook.com]\SoRa.sys"


    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SoRa01]
    "ImagePath"="\??\C:\Documents and Settings\Jim\Desktop\BotsHack-
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    D:\Nexon\Mabinogi\npkcmsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    .
    **************************************************************************
    .
    Completion time: 2008-07-24 11:32:06 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-07-24 18:31:49

    Pre-Run: 3,351,552,000 bytes free
    Post-Run: 4,659,814,400 bytes free

    346 --- E O F --- 2008-05-16 05:52:59
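The firewall-policy dump in the ComboFix log above is the part a responder reads first: `EnableFirewall` is 0, 3389/TCP (Remote Desktop) is globally open, inbound ICMP echo is allowed, and several programs sitting in drive roots are authorised through the firewall. The Python below is an added example, not ComboFix output or 2oldGeek's own tooling: it parses that section format (`[key]` headers followed by `"name"= value` lines) and turns the firewallpolicy keys into findings. The sample text is copied from the log above, with the 3389 display name restored to `@xpsp2res.dll,-22009` where the forum software turned `:@` into a smiley; the list of "expected" program directories is an assumption.

```python
import re

# Sample input, copied from the firewallpolicy section of the ComboFix log
# above; the 3389 display name is restored to "@xpsp2res.dll,-22009".
SAMPLE_COMBOFIX = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Program Files\\BYOND\\bin\\byond.exe"=
"D:\\Xfire\\xfire.exe"=
"D:\\Program Files\\BYOND\\bin\\dreamseeker.exe"=
"D:\\mwodownloader.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"9420:TCP"= 9420:TCP:RSP
"9756:TCP"= 9756:TCP:BitCometLite 9756 TCP
"9756:UDP"= 9756:UDP:BitCometLite 9756 UDP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*?)\s*$')
FW_PROFILE = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
# Assumption: a program outside these directories gets a "review" finding.
TRUSTED_DIR_RE = re.compile(r"^(?:[a-z]:\\(?:program files|windows)\\|%windir%\\)",
                            re.IGNORECASE)


def parse_sections(text):
    """Split ComboFix's registry dump into {section key (lowercased): [(name, value), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group("key").lower()
            sections.setdefault(current, [])
            continue
        entry = VALUE_RE.match(line)
        if entry and current is not None:
            sections[current].append((entry.group("name"), entry.group("value")))
    return sections


def audit_firewall(text):
    """Return (severity, detail) findings for the standard-profile firewall policy."""
    sections = parse_sections(text)
    findings = []
    for name, value in sections.get(FW_PROFILE, []):
        if name.lower() == "enablefirewall" and value.startswith("0"):
            findings.append(("critical", "Windows Firewall is disabled for the standard profile"))
    for name, value in sections.get(FW_PROFILE + r"\globallyopenports\list", []):
        port, proto = name.split(":", 1)
        # value is "port:proto:display name"; keep the display name for the report
        label = value.split(":", 2)[2] if value.count(":") >= 2 else value
        if port == "3389" and proto.upper() == "TCP":
            findings.append(("high", f"Remote Desktop (3389/TCP) open to the network: {label}"))
        else:
            findings.append(("medium", f"inbound port {port}/{proto} open: {label}"))
    for name, _ in sections.get(FW_PROFILE + r"\authorizedapplications\list", []):
        path = name.replace("\\\\", "\\")  # undo registry-escaped backslashes
        if not TRUSTED_DIR_RE.match(path):
            findings.append(("review",
                             f"program outside Program Files/Windows allowed through the firewall: {path}"))
    for name, value in sections.get(FW_PROFILE + r"\icmpsettings", []):
        if name.lower() == "allowinboundechorequest" and value.startswith("1"):
            findings.append(("info", "host answers inbound ICMP echo (ping)"))
    return findings


if __name__ == "__main__":
    for severity, detail in audit_firewall(SAMPLE_COMBOFIX):
        print(f"[{severity:8}] {detail}")
```

The "review" verdict is deliberately not "remove": `D:\Xfire\xfire.exe` is a game client installed to a non-standard directory, while `C:\StubInstaller.exe` and `D:\mwodownloader.exe` are downloaders dropped in drive roots, and only a look at the files themselves tells the two apart. The disabled firewall and the open 3389/TCP are the items to fix regardless.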
     
  14. lawyerjim

    Here is the newest hijackthis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:35:19 AM, on 7/24/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    D:\Nexon\Mabinogi\npkcmsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\scanner.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
    O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
    O4 - HKCU\..\Run: [Steam] "d:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Search - ?p=ZCfox000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jim\Start Menu\Programs\IMVU\Run IMVU.lnk
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O15 - Trusted Zone: http://gunfighter.wildwestonline.com
    O15 - Trusted Zone: http://www.wildwestonline.com
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
    O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161833594468
    O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
    O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.com:88/renderer/mabiweb.2007.4.4.cab
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} -
    O20 - AppInit_DLLs: jyaywaxg.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Maya 7 PLE Documentation Server (mple7docserver) - Unknown owner - D:\Maya\docs\wrapper.exe (file missing)
    O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - D:\Nexon\Mabinogi\npkcmsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    --
    End of file - 8108 bytes
     
  15. 2oldGeek

    Hi lawyerjim,

    I am leaving for a few days but I’ll be back..

    Your Logs are looking better but will still need a little touching up..



    Please?


    If you use it in the next few days, be sure the firewall and AV are turned on..

    If you have time in the next few days, you might re-run MalwareBytes’ and ComboFix.
    Do this the same way as instructed before and post the Logs.
    This will give me some cleaner logs to look through and won’t be as hard on an old man.. ; )

    Also, please tell me about any problems that you are now having??

    Regards, see you in a few
    2OG
     
  16. lawyerjim

    I used sfc.exe (scannow) and an XP disc and replaced the missing files that have popped up so far.

    Explorer.exe now loads on startup like it's supposed to, and I can access everything I've tried, such as Control Panel, that I wasn't able to access before.

    I am having no problems right now but I know there are things still lurking in the shadows.

    I will send new logs tomorrow.

    Thanks again
     
  17. 2oldGeek

    Hey, Hey

    SFC is what I wanted you to run, but didn't so.. : (

    You did good and I do want to look for signs that may come back to haunt you...

    Thanks, CUL
    2OG
     
  18. 2oldGeek

    Hi lawyerjim,

    I said, I’ll be back…. And here I are. : ) lol
    You know, Jim, this computer intrigues me as it has been a long time since I have seen a computer with this much malware installed on it, and I would surely like to see it cleaned so that you don’t lose anything… I believe you are on the road to recovery so please hang in there…

    Please delete the following lines (if they still exist) using Hijackthis:

    O8 - Extra context menu item: &Search - ?p=ZCfox000

    O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} -

    O20 - AppInit_DLLs: jyaywaxg.dll


    Then please send me the latest Logs from:
    Malwarebytes’, SUPERAntiSpyware, and ComboFix logs and, if possible now that you may be able to run SDFix, that also, plus the HJT log.

    What a deal, right?

    I have the next 4 days off and will be able to go over these logs. We’ll clear up all loose ends and I will give you some of my recommendations and suggestions to block this malware and maintain a clean computer……

    I’m gonna get a little shut-eye and hope to receive the logs soon….

    Regards,
    2OG

    P.S. Let me know how she's running now and if you're having any problems....
     
    Last edited: Jul 27, 2008
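The three deletions 2oldGeek asks for above (an O8 context-menu item whose target is a bare `?p=...` query string instead of a URL, an O16 ActiveX control with neither a friendly name nor a source URL, and an O20 AppInit_DLLs value) are exactly the pattern a responder looks for when reading a HijackThis log. The Python below is an added example, not HijackThis code or 2oldGeek's own tooling: it parses HJT 2.x lines and applies those three rules, with one caveat built in: an O16 entry that merely lacks a download URL (the Shockwave ActiveX and Java Plug-in lines in the log) is only flagged for verification, because a locally installed plug-in also shows no URL. The sample lines are copied from the HijackThis log in post 14; the empty AppInit_DLLs allow-list is an assumption.

```python
import re

# Sample input, copied from the HijackThis log posted above.
SAMPLE_HJT = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: &Search - ?p=ZCfox000
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} -
O20 - AppInit_DLLs: jyaywaxg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
URL_RE = re.compile(r"^(?:https?|file|res)://", re.IGNORECASE)
O8_RE = re.compile(r"^Extra context menu item: (?P<name>.*?) - (?P<target>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})"
                    r"(?: \((?P<name>[^)]*)\))? -\s*(?P<url>\S*)$")
# Assumption: this machine has no AppInit_DLLs entry that should be kept.
KNOWN_GOOD_APPINIT = frozenset()


def triage(log_text):
    """Return findings (section, verdict, detail, line) for O8/O16/O20 entries."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O8":
            # legitimate context-menu items point at http(s)://, file:// or res:// targets
            o8 = O8_RE.match(body)
            if o8 and not URL_RE.match(o8.group("target")):
                findings.append(dict(section=sec, verdict="remove", line=line,
                                     detail="context-menu target is not a URL"))
        elif sec == "O16":
            o16 = O16_RE.match(body)
            if o16 and not o16.group("url"):
                if o16.group("name") is None:
                    verdict, detail = "remove", "ActiveX control with no name and no source URL"
                else:
                    verdict, detail = "verify", ("ActiveX control with no source URL; often a "
                                                 "locally installed Java or Shockwave plug-in")
                findings.append(dict(section=sec, verdict=verdict, detail=detail, line=line))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            # on XP every DLL listed here is mapped into each process that loads user32.dll
            value = body.split(":", 1)[1]
            for dll in re.split(r"[\s,]+", value.strip()):
                if dll and dll.lower() not in KNOWN_GOOD_APPINIT:
                    findings.append(dict(section=sec, verdict="remove", line=line,
                                         detail="AppInit_DLLs loads this DLL into every process that maps user32.dll"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f['verdict']:7} {f['section']:4} {f['detail']}\n        {f['line']}")
```

AppInit_DLLs deserves the hard "remove" verdict: on Windows XP the value is honoured with no signing or policy check, so a single unknown DLL there ends up inside every GUI process on the machine, and removing the registry value is not enough on its own; the DLL file itself still has to be found and deleted, which is why the ComboFix and Malwarebytes logs are being re-run.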
  19. lawyerjim

    The computer is working great with no problems so far.

    Here is the Malwarebytes log:

    Malwarebytes' Anti-Malware 1.23
    Database version: 999
    Windows 5.1.2600 Service Pack 2

    2:22:39 PM 7/27/2008
    mbam-log-7-27-2008 (14-22-39).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 146984
    Time elapsed: 3 hour(s), 31 minute(s), 21 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 14

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091505.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091475.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091489.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091497.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091501.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091515.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091525.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091531.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091533.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091542.dll (Adware.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091543.dll (Adware.Shopper) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091545.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091546.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091547.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

     
  20. lawyerjim


    Here is the Combofix log:


    ComboFix 08-07-23.5 - Jim 2008-07-27 18:30:53.2 - NTFSx86
    Running from: C:\Documents and Settings\Jim\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-28 )))))))))))))))))))))))))))))))
    .

    2008-07-27 10:10 . 2008-07-27 10:11 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-07-23 18:15 . 2008-07-23 18:15 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-23 18:08 . 2008-07-27 10:36 <DIR> d-------- C:\SDFix
    2008-07-23 16:07 . 2008-07-27 10:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-23 16:07 . 2008-07-23 16:07 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\Malwarebytes
    2008-07-23 16:07 . 2008-07-23 16:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-23 16:07 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-07-23 16:07 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-07-23 15:48 . 2004-08-04 02:56 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
    2008-07-23 15:48 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
    2008-07-23 15:48 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
    2008-07-23 15:48 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
    2008-07-23 15:48 . 2004-08-04 00:29 19,455 --a--c--- C:\WINDOWS\system32\dllcache\wvchntxx.sys
    2008-07-23 15:48 . 2001-08-17 22:36 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
    2008-07-23 15:48 . 2001-08-17 12:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
    2008-07-23 15:48 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
    2008-07-23 15:47 . 2004-08-04 00:29 12,063 --a--c--- C:\WINDOWS\system32\dllcache\wsiintxx.sys
    2008-07-23 15:47 . 2004-08-04 02:56 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
    2008-07-23 15:46 . 2001-08-17 13:28 771,581 --a--c--- C:\WINDOWS\system32\dllcache\winacisa.sys
    2008-07-23 15:46 . 2002-08-29 00:59 154,624 --a--c--- C:\WINDOWS\system32\dllcache\wlluc48.sys
    2008-07-23 15:46 . 2001-08-17 22:36 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
    2008-07-23 15:46 . 2001-08-17 22:36 53,760 --a--c--- C:\WINDOWS\system32\dllcache\wiamsmud.dll
    2008-07-23 15:46 . 2002-08-29 05:00 41,600 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.dll
    2008-07-23 15:46 . 2001-08-17 12:12 34,890 --a--c--- C:\WINDOWS\system32\dllcache\wlandrv2.sys
    2008-07-23 15:46 . 2002-08-29 05:00 31,232 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.sys
    2008-07-23 15:46 . 2004-08-04 01:07 8,832 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys
    2008-07-23 15:44 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
    2008-07-23 15:43 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
    2008-07-23 15:41 . 2001-08-17 14:56 147,200 --a--c--- C:\WINDOWS\system32\dllcache\smidispb.dll
    2008-07-23 15:40 . 2001-08-17 22:36 386,560 --a--c--- C:\WINDOWS\system32\dllcache\sgiul50.dll
    2008-07-23 15:39 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
    2008-07-23 15:38 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
    2008-07-23 15:37 . 2001-08-17 14:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
    2008-07-23 15:36 . 2001-08-17 12:50 198,144 --a--c--- C:\WINDOWS\system32\dllcache\nv3.sys
    2008-07-23 15:36 . 2001-08-17 22:36 123,776 --a--c--- C:\WINDOWS\system32\dllcache\nv3.dll
    2008-07-23 15:36 . 2001-08-17 12:20 54,528 --a--c--- C:\WINDOWS\system32\dllcache\opl3sax.sys
    2008-07-23 15:36 . 2001-08-17 12:49 51,552 --a--c--- C:\WINDOWS\system32\dllcache\ntgrip.sys
    2008-07-23 15:36 . 2001-08-17 22:36 38,912 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_ntfsdrv.dll
    2008-07-23 15:36 . 2004-08-04 01:00 28,672 --a--c--- C:\WINDOWS\system32\dllcache\nscirda.sys
    2008-07-23 15:36 . 2001-08-17 13:47 9,344 --a--c--- C:\WINDOWS\system32\dllcache\ntapm.sys
    2008-07-23 15:36 . 2001-08-17 13:53 7,552 --a--c--- C:\WINDOWS\system32\dllcache\nsmmc.sys
    2008-07-23 15:33 . 2004-08-04 01:09 49,024 --a--c--- C:\WINDOWS\system32\dllcache\mstape.sys
    2008-07-23 15:33 . 2004-08-04 01:00 22,016 --a--c--- C:\WINDOWS\system32\dllcache\msircomm.sys
    2008-07-23 15:33 . 2001-08-17 13:48 12,416 --a--c--- C:\WINDOWS\system32\dllcache\msriffwv.sys
    2008-07-23 15:33 . 2001-08-17 14:00 2,944 --a--c--- C:\WINDOWS\system32\dllcache\msmpu401.sys
    2008-07-23 15:32 . 2001-08-17 14:02 35,200 --a--c--- C:\WINDOWS\system32\dllcache\msgame.sys
    2008-07-23 15:32 . 2001-08-17 13:52 17,280 --a--c--- C:\WINDOWS\system32\dllcache\mraid35x.sys
    2008-07-23 15:32 . 2001-08-17 13:57 16,128 --a--c--- C:\WINDOWS\system32\dllcache\modemcsa.sys
    2008-07-23 15:32 . 2001-08-17 13:48 6,016 --a--c--- C:\WINDOWS\system32\dllcache\msfsio.sys
    2008-07-23 15:30 . 2001-08-17 22:36 242,176 --a--c--- C:\WINDOWS\system32\dllcache\kdsusd.dll
    2008-07-23 15:29 . 2004-08-04 02:56 152,576 --a--c--- C:\WINDOWS\system32\dllcache\irftp.exe
    2008-07-23 15:29 . 2001-08-17 22:36 90,200 --a--c--- C:\WINDOWS\system32\dllcache\io8ports.dll
    2008-07-23 15:29 . 2004-08-04 01:00 87,424 --a--c--- C:\WINDOWS\system32\dllcache\irda.sys
    2008-07-23 15:29 . 2001-08-17 12:12 45,632 --a--c--- C:\WINDOWS\system32\dllcache\ip5515.sys
    2008-07-23 15:29 . 2001-08-17 13:50 38,784 --a--c--- C:\WINDOWS\system32\dllcache\io8.sys
    2008-07-23 15:29 . 2001-08-17 13:52 16,000 --a--c--- C:\WINDOWS\system32\dllcache\ini910u.sys
    2008-07-23 15:29 . 2001-08-17 13:47 13,056 --a--c--- C:\WINDOWS\system32\dllcache\inport.sys
    2008-07-23 15:29 . 2004-08-04 00:59 5,504 --a--c--- C:\WINDOWS\system32\dllcache\intelide.sys
    2008-07-23 15:27 . 2001-08-17 13:28 542,879 --a--c--- C:\WINDOWS\system32\dllcache\hsf_msft.sys
    2008-07-23 15:26 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
    2008-07-23 15:25 . 2001-08-17 12:15 455,680 --a--c--- C:\WINDOWS\system32\dllcache\fus2base.sys
    2008-07-23 15:24 . 2001-08-17 13:28 634,134 --a--c--- C:\WINDOWS\system32\dllcache\el656ct5.sys
    2008-07-23 15:23 . 2002-08-29 05:00 514,587 --a--c--- C:\WINDOWS\system32\dllcache\edb500.dll
    2008-07-23 15:22 . 2001-08-17 12:12 117,760 --a--c--- C:\WINDOWS\system32\dllcache\e100b325.sys
    2008-07-23 15:22 . 2001-08-17 12:12 50,719 --a--c--- C:\WINDOWS\system32\dllcache\e1000nt5.sys
    2008-07-23 15:22 . 2001-08-17 12:12 19,594 --a--c--- C:\WINDOWS\system32\dllcache\e100isa4.sys
    2008-07-23 15:20 . 2001-08-17 22:36 419,357 --a--c--- C:\WINDOWS\system32\dllcache\dgconfig.dll
    2008-07-23 15:19 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
    2008-07-23 15:18 . 2001-08-17 13:28 714,698 --a--c--- C:\WINDOWS\system32\dllcache\cbmdmkxx.sys
    2008-07-23 15:11 . 2002-08-29 05:00 66,594 --a--c--- C:\WINDOWS\system32\dllcache\c_864.nls
    2008-07-23 15:11 . 2002-08-29 05:00 66,594 --a--c--- C:\WINDOWS\system32\dllcache\c_862.nls
    2008-07-23 15:11 . 2002-08-29 05:00 66,594 --a--c--- C:\WINDOWS\system32\dllcache\c_858.nls
    2008-07-23 15:11 . 2002-08-29 05:00 66,594 --a--c--- C:\WINDOWS\system32\dllcache\c_720.nls
    2008-07-23 15:11 . 2002-08-29 05:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_870.nls
    2008-07-23 15:11 . 2002-08-29 05:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_708.nls
    2008-07-23 15:11 . 2002-08-29 05:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_28596.nls
    2008-07-23 15:11 . 2002-08-29 05:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_21025.nls
    2008-07-23 15:11 . 2002-08-29 05:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_20924.nls
    2008-07-23 15:11 . 2002-08-29 05:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_20880.nls
    2008-07-23 15:11 . 2002-08-29 05:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_20871.nls
    2008-07-23 15:09 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
    2008-07-23 15:08 . 2001-08-17 14:55 382,592 --a--c--- C:\WINDOWS\system32\dllcache\atidrab.dll
    2008-07-23 15:07 . 2001-08-17 14:07 56,960 --a--c--- C:\WINDOWS\system32\dllcache\aic78xx.sys
    2008-07-23 15:07 . 2001-08-17 14:07 55,168 --a--c--- C:\WINDOWS\system32\dllcache\aic78u2.sys
    2008-07-23 15:07 . 2001-08-17 12:11 27,678 --a--c--- C:\WINDOWS\system32\dllcache\ali5261.sys
    2008-07-23 15:07 . 2001-08-17 13:49 26,624 --a--c--- C:\WINDOWS\system32\dllcache\alifir.sys
    2008-07-23 15:07 . 2001-08-17 22:37 24,576 --a--c--- C:\WINDOWS\system32\dllcache\agcgauge.ax
    2008-07-23 15:07 . 2002-08-29 05:00 19,456 --a--c--- C:\WINDOWS\system32\dllcache\agt040d.dll
    2008-07-23 15:07 . 2002-08-29 05:00 19,456 --a--c--- C:\WINDOWS\system32\dllcache\agt0401.dll
    2008-07-23 15:07 . 2001-08-17 13:52 12,800 --a--c--- C:\WINDOWS\system32\dllcache\aha154x.sys
    2008-07-23 15:07 . 2001-08-17 22:36 5,632 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_adsiisex.dll
    2008-07-23 14:50 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
    2008-07-23 11:17 . 2008-07-23 11:17 <DIR> d-------- C:\Program Files\Alwil Software
    2008-07-23 00:09 . 2002-04-24 17:35 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
    2008-07-23 00:09 . 2002-04-25 14:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sony Corporation
    2008-07-23 00:09 . 2002-04-25 15:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
    2008-07-23 00:09 . 2008-07-23 00:09 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-07-20 21:16 . 2008-05-30 14:11 3,850,760 --a------ C:\WINDOWS\system32\D3DX9_38.dll
    2008-07-20 21:16 . 2008-05-30 14:11 1,491,992 --a------ C:\WINDOWS\system32\D3DCompiler_38.dll
    2008-07-20 21:16 . 2008-05-30 14:19 507,400 --a------ C:\WINDOWS\system32\XAudio2_1.dll
    2008-07-20 21:16 . 2008-05-30 14:11 467,984 --a------ C:\WINDOWS\system32\d3dx10_38.dll
    2008-07-20 21:16 . 2008-05-30 14:18 238,088 --a------ C:\WINDOWS\system32\xactengine3_1.dll
    2008-07-20 21:16 . 2008-05-30 14:17 65,032 --a------ C:\WINDOWS\system32\XAPOFX1_0.dll
    2008-07-20 21:16 . 2008-05-30 14:17 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_4.dll
    2008-07-20 21:14 . 2008-07-20 21:14 <DIR> d-------- C:\WINDOWS\Logs
    2008-07-07 09:57 . 2008-07-07 09:57 1,273,375 --a------ C:\WINDOWS\WotLK-FF-enGB-downloader.exe
    2008-07-07 09:57 . 2008-07-07 09:57 271,452 --a------ C:\WINDOWS\lulz.exe
    2008-07-03 10:46 . 2008-07-03 10:46 <DIR> d-------- C:\Documents and Settings\Jim\.jnlp-applet

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-24 20:18 --------- d-----w C:\Program Files\UltimateBet
    2008-07-24 20:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-07-24 20:09 --------- d-----w C:\Program Files\Sony
    2008-07-24 01:53 188,338 ----a-w C:\WINDOWS\java\Packages\EK1B1ZLB.ZIP
    2008-07-23 18:05 --------- d-----w C:\Program Files\Shareaza
    2008-07-23 18:05 --------- d-----w C:\Documents and Settings\Jim\Application Data\Shareaza
    2008-07-23 17:51 --------- d-----w C:\Program Files\Windows Live
    2008-07-23 04:25 --------- d-----w C:\Documents and Settings\Jim\Application Data\Canon
    2008-06-20 17:36 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-06-20 10:44 360,960 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 09:32 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-05 17:44 3,072 ----a-w C:\WINDOWS\system32\yutrjqxh.dll
    2008-06-05 03:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA
    2008-06-04 17:36 3,072 ----a-w C:\WINDOWS\system32\brerwmjq.dll
    2008-06-03 02:49 --------- d-----w C:\Program Files\Common Files\Adobe AIR
    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-02-15 03:40 32 -c--a-r C:\Documents and Settings\All Users\hash.dat
    2006-02-09 02:35 119 -c--a-w C:\Documents and Settings\Jim\fixreg.reg
    2002-12-27 17:58 151,552 -c--a-w C:\WINDOWS\inf\i386\STBXPWIA.dll
    2002-10-08 08:29 114,688 -c--a-w C:\WINDOWS\inf\i386\XP100.dll
    2002-10-08 08:27 36,352 -c--a-w C:\WINDOWS\inf\i386\StbXpEXT.dll
    2005-05-14 00:12 217,073 -csha-r C:\WINDOWS\meta4.exe
    2005-10-24 18:13 66,560 -csha-r C:\WINDOWS\MOTA113.exe
    2005-07-14 19:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
    2005-06-26 22:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
    2005-06-22 05:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
    2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
    2004-01-25 07:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
    2007-02-21 10:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
    2005-02-28 20:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
    2004-01-25 07:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-07-24_11.31.00.76 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-06-13 13:10:50 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
    + 2008-07-20 21:35:20 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
    + 2008-07-27 17:11:24 1,032,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
    + 2008-07-27 17:11:24 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
    + 2008-07-20 21:35:20 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
    + 2008-07-27 17:11:10 1,032,192 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
    + 2008-07-27 17:11:10 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
    + 2008-03-01 13:06:20 124,928 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\advpack.dll
    + 2008-03-01 13:06:21 347,136 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtmsft.dll
    + 2008-03-01 13:06:21 214,528 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtrans.dll
    + 2008-03-01 13:06:21 133,120 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\extmgr.dll
    + 2008-03-01 13:06:21 63,488 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\icardie.dll
    + 2008-02-29 08:55:23 70,656 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ie4uinit.exe
    + 2008-03-01 13:06:21 153,088 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakeng.dll
    + 2008-03-01 13:06:21 230,400 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieaksie.dll
    + 2008-02-15 05:44:25 161,792 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakui.dll
    + 2008-03-01 13:06:22 383,488 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieapfltr.dll
    + 2008-03-01 13:06:22 384,512 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iedkcs32.dll
    + 2008-03-01 13:06:24 6,066,176 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieframe.dll
    + 2008-03-01 13:06:24 44,544 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iernonce.dll
    + 2008-03-01 13:06:25 267,776 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iertutil.dll
    + 2008-02-22 10:00:51 13,824 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieudinit.exe
    + 2008-02-29 08:55:46 625,664 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iexplore.exe
    + 2008-03-01 13:06:25 27,648 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\jsproxy.dll
    + 2008-03-01 13:06:26 459,264 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeeds.dll
    + 2008-03-01 13:06:26 52,224 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeedsbs.dll
    + 2008-03-02 01:36:30 3,591,680 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtml.dll
    + 2008-03-01 13:06:28 478,208 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtmled.dll
    + 2008-03-01 13:06:28 193,024 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msrating.dll
    + 2008-03-01 13:06:29 671,232 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mstime.dll
    + 2008-03-01 13:06:29 102,912 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\occache.dll
    + 2008-03-01 13:06:29 44,544 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\pngfilt.dll
    + 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe
    + 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\updspapi.dll
    + 2008-03-01 13:06:29 105,984 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\url.dll
    + 2008-03-01 13:06:30 1,159,680 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\urlmon.dll
    + 2008-03-01 13:06:30 233,472 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\webcheck.dll
    + 2008-03-01 13:06:31 826,368 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\wininet.dll
    - 2008-04-08 03:37:29 10,455 -c--a-w C:\WINDOWS\mozver.dat
    + 2008-07-26 17:08:11 11,091 -c--a-w C:\WINDOWS\mozver.dat
    - 2006-08-16 11:58:05 100,352 ----a-w C:\WINDOWS\system32\6to4svc.dll
    + 2006-08-16 12:08:32 100,352 ----a-w C:\WINDOWS\system32\6to4svc.dll
    - 2008-03-01 13:06:20 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
    + 2008-04-23 04:16:28 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
    - 2008-05-15 23:24:43 1,152,888 ----a-w C:\WINDOWS\system32\aswBoot.exe
    + 2008-07-19 14:43:08 1,163,960 ----a-w C:\WINDOWS\system32\aswBoot.exe
    - 2008-05-15 23:12:36 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
    + 2008-07-19 14:30:53 94,392 ----a-w C:\WINDOWS\system32\AvastSS.scr
    - 2006-08-16 11:58:05 100,352 -c--a-w C:\WINDOWS\system32\dllcache\6to4svc.dll
    + 2006-08-16 12:08:32 100,352 -c--a-w C:\WINDOWS\system32\dllcache\6to4svc.dll
    - 2008-03-01 13:06:20 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
    + 2008-04-23 04:16:28 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
    - 2004-08-04 06:14:14 138,496 -c--a-w C:\WINDOWS\system32\dllcache\afd.sys
    + 2008-06-20 10:44:08 138,368 -c--a-w C:\WINDOWS\system32\dllcache\afd.sys
    - 2004-08-04 06:10:37 274,304 -c--a-w C:\WINDOWS\system32\dllcache\bthport.sys
    + 2008-06-13 13:10:50 272,128 -c--a-w C:\WINDOWS\system32\dllcache\bthport.sys
    - 2008-02-20 05:32:43 148,992 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
    + 2008-06-20 17:36:11 147,968 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
    - 2008-03-01 13:06:21 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
    + 2008-04-23 04:16:28 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
    - 2008-03-01 13:06:21 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
    + 2008-04-23 04:16:28 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
    - 2008-03-01 13:06:21 133,120 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
    + 2008-04-23 04:16:28 133,120 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
    - 2008-03-01 13:06:21 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
    + 2008-04-23 04:16:28 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
    - 2008-02-29 08:55:23 70,656 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    + 2008-04-22 07:39:58 70,656 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    - 2008-03-01 13:06:21 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
    + 2008-04-23 04:16:28 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
    - 2008-03-01 13:06:21 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
    + 2008-04-23 04:16:28 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
    - 2008-02-15 05:44:25 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
    + 2008-04-20 05:07:51 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
    - 2008-03-01 13:06:22 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
    + 2008-04-23 04:16:28 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
    - 2008-03-01 13:06:22 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
    + 2008-04-23 04:16:28 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
    - 2008-03-01 13:06:24 6,066,176 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
    + 2008-04-23 04:16:28 6,066,176 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
    - 2008-03-01 13:06:24 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
    + 2008-04-23 04:16:28 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
    - 2008-03-01 13:06:25 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
    + 2008-04-23 04:16:28 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
    - 2008-02-22 10:00:51 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
    + 2008-04-22 07:39:58 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
    - 2008-02-29 08:55:46 625,664 -cs-a-w C:\WINDOWS\system32\dllcache\iexplore.exe
    + 2008-04-22 07:40:18 625,664 -cs-a-w C:\WINDOWS\system32\dllcache\iexplore.exe
    - 2008-03-01 13:06:25 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
    + 2008-04-23 04:16:28 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
    - 2004-08-04 07:56:42 294,400 -c--a-w C:\WINDOWS\system32\dllcache\msctf.dll
    + 2008-02-26 11:59:50 294,912 -c--a-w C:\WINDOWS\system32\dllcache\msctf.dll
    - 2008-03-01 13:06:26 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
    + 2008-04-23 04:16:28 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
    - 2008-03-01 13:06:26 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    + 2008-04-23 04:16:28 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    - 2008-03-02 01:36:30 3,591,680 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    + 2008-04-24 05:16:30 3,591,680 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    - 2008-03-01 13:06:28 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
    + 2008-04-23 04:16:28 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
    - 2008-03-01 13:06:28 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
    + 2008-04-23 04:16:28 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
    - 2008-03-01 13:06:29 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
    + 2008-04-23 04:16:28 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
    - 2004-08-04 07:56:44 245,248 -c--a-w C:\WINDOWS\system32\dllcache\mswsock.dll
    + 2008-06-20 17:36:11 245,248 -c--a-w C:\WINDOWS\system32\dllcache\mswsock.dll
    - 2008-03-01 13:06:29 102,912 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
    + 2008-04-23 04:16:28 102,912 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
    - 2008-03-01 13:06:29 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
    + 2008-04-23 04:16:28 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
    - 2007-10-29 22:43:03 1,287,680 -c--a-w C:\WINDOWS\system32\dllcache\quartz.dll
    + 2008-05-07 05:18:48 1,287,680 -c--a-w C:\WINDOWS\system32\dllcache\quartz.dll
    - 2006-07-13 08:48:58 202,240 -c--a-w C:\WINDOWS\system32\dllcache\rmcast.sys
    + 2008-05-08 12:28:49 202,752 -c--a-w C:\WINDOWS\system32\dllcache\rmcast.sys
    - 2007-10-30 16:53:32 360,832 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
    + 2008-06-20 10:44:42 360,960 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
    - 2006-08-16 09:37:30 225,664 -c--a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
    + 2008-06-20 09:32:39 225,920 -c--a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
    - 2008-03-01 13:06:29 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
    + 2008-04-23 04:16:28 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
    - 2008-03-01 13:06:30 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
    + 2008-04-23 04:16:29 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
    - 2008-03-01 13:06:30 233,472 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
    + 2008-04-23 04:16:29 233,472 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
    - 2008-03-01 13:06:31 826,368 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
    + 2008-04-23 04:16:29 826,368 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
    - 2008-02-20 05:32:43 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
    + 2008-06-20 17:36:11 147,968 ----a-w C:\WINDOWS\system32\dnsapi.dll
    - 2008-05-15 23:13:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
    + 2008-07-19 14:32:15 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
    - 2008-05-15 23:16:06 20,560 ----a-w C:\WINDOWS\system32\drivers\aswFsBlk.sys
    + 2008-07-19 14:37:42 20,560 ----a-w C:\WINDOWS\system32\drivers\aswFsBlk.sys
    - 2008-05-15 23:18:33 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
    + 2008-07-19 14:37:21 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
    - 2008-05-15 23:15:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
    + 2008-07-19 14:33:42 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
    - 2008-05-15 23:20:32 78,416 ----a-w C:\WINDOWS\system32\drivers\aswSP.sys
    + 2008-07-19 14:35:18 78,416 ----a-w C:\WINDOWS\system32\drivers\aswSP.sys
    - 2008-05-15 23:14:11 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
    + 2008-07-19 14:32:36 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
    - 2006-07-13 08:48:58 202,240 -c--a-w C:\WINDOWS\system32\drivers\rmcast.sys
    + 2008-05-08 12:28:49 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
    - 2008-03-01 13:06:21 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
    + 2008-04-23 04:16:28 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
    - 2008-03-01 13:06:21 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
    + 2008-04-23 04:16:28 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
    - 2008-03-01 13:06:21 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
    + 2008-04-23 04:16:28 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
    - 2008-03-01 13:06:21 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
    + 2008-04-23 04:16:28 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
    - 2008-02-29 08:55:23 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
    + 2008-04-22 07:39:58 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
    - 2008-03-01 13:06:21 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
    + 2008-04-23 04:16:28 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
    - 2008-03-01 13:06:21 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
    + 2008-04-23 04:16:28 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
    - 2008-02-15 05:44:25 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
    + 2008-04-20 05:07:51 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
    - 2008-03-01 13:06:22 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
    + 2008-04-23 04:16:28 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
    - 2008-03-01 13:06:22 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
    + 2008-04-23 04:16:28 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
    - 2008-03-01 13:06:24 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
    + 2008-04-23 04:16:28 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
    - 2008-03-01 13:06:24 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
    + 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
    - 2008-03-01 13:06:25 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
    + 2008-04-23 04:16:28 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
    - 2008-02-22 10:00:51 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
    + 2008-04-22 07:39:58 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
    - 2008-03-01 13:06:25 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
    + 2008-04-23 04:16:28 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
    - 2007-11-21 00:52:38 2,884,992 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
    + 2008-03-25 03:21:00 2,889,088 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
    - 2007-11-21 00:52:40 218,496 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
    + 2008-03-25 03:21:00 218,496 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
    - 2008-05-09 21:35:04 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe
    + 2008-06-25 16:15:48 17,972,344 ----a-w C:\WINDOWS\system32\MRT.exe
    - 2004-08-04 07:56:42 294,400 ----a-w C:\WINDOWS\system32\msctf.dll
    + 2008-02-26 11:59:50 294,912 ----a-w C:\WINDOWS\system32\msctf.dll
    - 2008-03-01 13:06:26 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
    + 2008-04-23 04:16:28 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
    - 2008-03-01 13:06:26 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
    + 2008-04-23 04:16:28 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
    - 2008-03-02 01:36:30 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
    + 2008-04-24 05:16:30 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
    - 2008-03-01 13:06:28 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
    + 2008-04-23 04:16:28 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
    - 2008-03-01 13:06:28 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
    + 2008-04-23 04:16:28 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
    - 2008-03-01 13:06:29 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
    + 2008-04-23 04:16:28 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
    - 2008-03-01 13:06:29 102,912 ----a-w C:\WINDOWS\system32\occache.dll
    + 2008-04-23 04:16:28 102,912 ----a-w C:\WINDOWS\system32\occache.dll
    - 2008-03-01 13:06:29 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
    + 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
    - 2006-10-17 00:10:58 14,640 ----a-w C:\WINDOWS\system32\spmsg.dll
    + 2007-11-30 12:39:22 17,272 ------w C:\WINDOWS\system32\spmsg.dll
    - 2008-03-01 13:06:29 105,984 ----a-w C:\WINDOWS\system32\url.dll
    + 2008-04-23 04:16:28 105,984 ----a-w C:\WINDOWS\system32\url.dll
    - 2008-03-01 13:06:30 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
    + 2008-04-23 04:16:29 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
    - 2008-03-01 13:06:30 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
    + 2008-04-23 04:16:29 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
    - 2008-03-01 13:06:31 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    + 2008-04-23 04:16:29 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    - 2008-07-24 18:11:26 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_53c.dat
    + 2008-07-28 01:20:19 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_53c.dat
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NBJ"="C:\Program Files\Ahead\Nero BackItUp\nbj.exe" [2005-10-11 18:25 1961984]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
    "DVDTray"="C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 01:58 65536]
    "OneTouch Monitor"="C:\Program Files\Visioneer OneTouch\OneTouchMon.exe" [2002-10-10 09:19 90112]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 17:22 7618560]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-06-01 17:22 86016]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 07:38 78008]
    "AGRSMMSG"="AGRSMMSG.exe" [2003-02-14 11:59 88107 C:\WINDOWS\AGRSMMSG.exe]
    "nwiz"="nwiz.exe" [2006-06-01 17:22 1519616 C:\WINDOWS\system32\nwiz.exe]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-25 11:57 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.I420"= i420vfw.dll
    "VIDC.MJPG"= sonymjpg.dll
    "vidc.ffds"= ffdshow.ax
    "vidc.yv12"= yv12vfw.dll
    "VIDC.XFR1"= xfcodec.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    --a------ 2007-10-18 12:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    --a------ 2008-07-18 08:16 1271032 d:\Program Files\Steam\steam.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\WINDOWS\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "C:\\StubInstaller.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "D:\\Program Files\\BYOND\\bin\\byond.exe"=
    "D:\\Xfire\\xfire.exe"=
    "D:\\Program Files\\BYOND\\bin\\dreamseeker.exe"=
    "D:\\mwodownloader.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    "9420:TCP"= 9420:TCP:RSP
    "9756:TCP"= 9756:TCP:BitCometLite 9756 TCP
    "9756:UDP"= 9756:UDP:BitCometLite 9756 UDP

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-07-24 16:15:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-07-27 22:15:02 C:\WINDOWS\Tasks\Symantec NetDetect.job"
    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    .
    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    R0 -: HKLM-Main,Search Bar =
    O9 -: {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jim\Start Menu\Programs\IMVU\Run IMVU.lnk

    O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
    C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

    O16 -: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - hxxp://avatar.mabinogi.com:88/renderer/mabiweb.2007.4.4.cab
    C:\WINDOWS\Downloaded Program Files\mabiweb.inf
    C:\WINDOWS\Downloaded Program Files\mabiwebframe.dll


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-27 18:35:22
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    **************************************************************************
    "ImagePath"="\??\C:\Documents and Settings\Jim\Desktop\BotsHack-[www.jadook.com]\SoRa.sys"


    [HKEY_LOCAL_MACHINE\system\ControlSet003\Services\SoRa01]
    "ImagePath"="\??\C:\Documents and Settings\Jim\Desktop\BotsHack-
    .
    Completion time: 2008-07-27 18:40:19
    ComboFix-quarantined-files.txt 2008-07-28 01:39:12
    ComboFix2.txt 2008-07-24 18:32:07

    Pre-Run: 4,295,901,184 bytes free
    Post-Run: 4,287,873,024 bytes free

    455 --- E O F --- 2008-07-27 16:57:44
     
