Need Help my laptop has caught somthing nasty!

D

Datsun1

New member
hey guys ive browsed this forum last year trying to fix my laptop but theres alot going wrong with mine can't seem to fix it

i have a few programs that were magically installed by them selves like "command"

where do i find my log? i just downloaded AVG like 20 minutes ago
 
Hi

Download and install TrendMicro HijackThis
* Once installed open HijackThis by clicking Start > Programs > HijackThis and click the button labeled
Do a system scan only

* Click the scan button in the lower left hand corner of the interface and HijackThis will quickly scan your system.
* Once the scan is complete the scan button will now read save log. Click this button to save the log file to your PC. Once you select where you would like to save the file it will open in your systems default text editor. Typically this application is Notepad. Post the log here.
 
here is my log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:30:37 PM, on 6/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\braviax.exe
C:\Program Files\XPSecurityCenter\xpsecuritycenter.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Customer\Wireless PCI_CardBus utility V1.01\Wireless PCI_CardBus utility V1.01.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\system32\afinding.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wserving.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_04\bin\jucheck.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Internet Service - {51D81DD5-55B7-497F-95DB-D356429BB54E} - C:\Program Files\NetProject\wamdl.dll (file missing)
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [e05562e7] rundll32.exe "C:\WINDOWS\system32\vuatwdxb.dll",b
O4 - HKLM\..\Run: [BMe366517b] Rundll32.exe "C:\WINDOWS\system32\cmnduvkf.dll",s
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKLM\..\Run: [XP SecurityCenter] "C:\Program Files\XPSecurityCenter\xpsecuritycenter.exe" /hide
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
O4 - HKUS\S-1-5-18\..\Run: [IESet] IExplorer.dll .dbt (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [IESet] IExplorer.dll .dbt (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Wireless Configuration Utility.lnk = C:\Program Files\802.11 Wireless LAN\802.11b Wireless CardBus & PCI Adapter HW.11 V1.10\OEM\WlanCU.exe
O4 - Global Startup: Wireless PCI_CardBus utility V1.01.exe.lnk = ?
O4 - Global Startup: Wireless USB utility V1.01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.getietool.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.getietool.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - https://riverbelle.microgaming.com/riverbelle/FlashAX2.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - AppInit_DLLs: "C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"
O20 - Winlogon Notify: cbxxvvs - cbxxvvs.dll (file missing)
O22 - SharedTaskScheduler: enswathes - {4d51e91c-e917-4b7f-89ff-abe471e16927} - C:\WINDOWS\system32\uyhjw.dll (file missing)
O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe

--
End of file - 9060 bytes
 
Hi

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here
 
ComboFix 08-06-10.5 - Nelson 2008-06-12 2:55:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.177 [GMT -3:00]
Running from: C:\Documents and Settings\Nelson\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Rabio
C:\Documents and Settings\All Users\Application Data\ZangoSA
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\Nelson\Application Data\ShoppingReport
C:\Documents and Settings\Nelson\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\Nelson\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\Nelson\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\Nelson\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\Nelson\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\Nelson\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\Nelson\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
C:\Documents and Settings\Nelson\Application Data\STEM32~1
C:\Documents and Settings\Nelson\Application Data\TSKS~1
C:\Documents and Settings\Nelson\Application Data\WeatherDPA
C:\Documents and Settings\Nelson\Application Data\WeatherDPA\Weather\SearchWeather.xml
C:\Documents and Settings\Nelson\Application Data\WeatherDPA\Weather\Weather_XML\Default
C:\Documents and Settings\Nelson\Application Data\WeatherDPA\Weather\Weather_XML\Genera1
C:\Documents and Settings\Nelson\Application Data\WeatherDPA\Weather\Weather_XML\General
C:\Documents and Settings\Nelson\Application Data\WeatherDPA\Weather\WeatherDPA\Links
C:\Documents and Settings\Nelson\Application Data\WeatherDPA\Weather\WeatherDPA\Weather_XML\Display
C:\Documents and Settings\Nelson\Application Data\WeatherDPA\Weather\WeatherDPA\Weather_XML\Loading
C:\Documents and Settings\Nelson\Application Data\WeatherDPA\Weather\WeatherDPA\Weather_XML\screen2
C:\Documents and Settings\Nelson\Application Data\WeatherDPA\Weather\WeatherDPA\Weather_XML\screen3
C:\Documents and Settings\Nelson\Application Data\WeatherDPA\Weather\WeatherDPA\Weather_XML\soaperror
C:\Documents and Settings\Nelson\Application Data\WeatherDPA\Weather\WeatherDPA\Weather_XML\Version
C:\Documents and Settings\Nelson\Application Data\WeatherDPA\Weather\WeatherDPA\WeatherPreferences
C:\Documents and Settings\Nelson\Application Data\WeatherDPA\Weather\WeatherStartup.xml
C:\Documents and Settings\Nelson\Application Data\Zango
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\1.sdf
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\1063425.sdf
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\1383582.sdf
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\1400453.sdf
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\3251993.sdf
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\3340762.sdf
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\3404705.sdf
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\3472949.sdf
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\3875091.sdf
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\3893245.sdf
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\3893642.sdf
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\648665.sdf
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\731481.sdf
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\domains.txt
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\1000068240
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\10915
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\114249
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\116250
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\14723
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\1491
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\15032
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\15473
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\16087
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\168810
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\17040
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\188810
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\1959
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\21119
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\21124
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\21669
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\216889
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\21846
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\243256
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\24996
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\25509
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\25735
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\26479
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\27503
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\290893
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\292137
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\31690
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\32137
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\33420
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\34123
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\352
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\37602
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\39947
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\42208
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\427075
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\42861
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\43118
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\43120
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\44228
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\44458
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\44896
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\46777
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\490133
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\521057
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\52335
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\52968
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\52974
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\52977
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\529776
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\54385
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\55266
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\555618
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\56412
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\56613
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\567106
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\57137
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\58965
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\59872
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\59905
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\60425
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\60785
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\62159
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\64446
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\64495
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\64517
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\64989
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\6565
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\65770
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\6635
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\67469
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\68055
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\68257
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\69911
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\70652
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\732186
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\738121
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\738235
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\744260
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\744816
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\745304
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\745440
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\748176
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\752154
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753317
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753335
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\77468
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\79079
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\79132
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\79246
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\79257
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\81566
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\82120
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\83139
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\8443
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\90358
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\93110
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\93811
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\93958
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\94844
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\95610
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\95701
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\998
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\dynamic\ustat\367f.dat
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\btntrans.idx
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\btntrans1.dat
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\buttondir.txt
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\components.cdf
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\cursors.res
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_1000.res
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_2000.res
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_3000.res
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_bar.res
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_bbar1.res
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_logos.res
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_other.res
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\d_icons_weather.res
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\default.cdf
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\Default_511745-514279.mnu
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\Default_bidzC_ZT_IE-ca.mnu
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\Default_bidzC_ZT_IE-us.mnu
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\Default_categorize.mnu
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\Default_comparison.mnu
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\Default_explorer-Mails.mnu
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\Default_explorer-people.mnu
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\Default_favorites.mnu
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\Default_Games.mnu
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\Default_Hide.mnu
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\Default_hotbarcom.mnu
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\Default_Hotmail.mnu
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\Default_hsskin.mnu
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\Default_jemster.mnu
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\Default_jemsterie.mnu
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\Default_jemsteruk.mnu
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\Default_jobsearch.mnu
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\Default_Mails.mnu
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\Default_MobileSidewalk.mnu
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\Default_new.mnu
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\Default_premium.mnu
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\Default_reun.mnu
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\Default_ringtones.mnu
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\Default_SearchBoxTrapper.mnu
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\Default_searchfor.mnu
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\Default_searchgo.mnu
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\Default_weather.mnu
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\Default_yellowpages.mnu
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\editblbuttons.res
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\email-def-511724-548964.mnu
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\email-def-511724-9595.mnu
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\email-t1-bg.res
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\icons2.res
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\ie_games_icon.res
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\ie_video.res
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\keywords.idx
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\keywords1.dat
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\layout.cdf
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\linkpathlegal.txt
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\progress.res
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\s_icons_buttons.res
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\sales_buttons.res
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\sdfmodifier.xml
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\t2_bg.res
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\theweb.mnu
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\top7.cdf
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\Top7_theweb.mnu
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\tsd_bg.res
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\zango_btn.res
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\1\zango_ie_menu.res
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans.xip
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans1.xip
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\buttondir.xip
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\cursors.xip
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_1000.xip
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_2000.xip
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_3000.xip
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bar.xip
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bbar1.xip
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_logos.xip
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_other.xip
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_weather.xip
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\default.xip
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\editblbuttons.xip
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\email-t1-bg.xip
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\icons2.xip
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_games_icon.xip
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_video.xip
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords.xip
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords1.xip
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\layout.xip
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\linkpathlegal.xip
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\progress.xip
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\s_icons_buttons.xip
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\sales_buttons.xip
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\samplegroups2.txt
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\samplegroups2.xip
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\sdfmodifier.xip
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\t2_bg.xip
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\top7.xip
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\tsd_bg.xip
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\zango_btn.xip
C:\Documents and Settings\Nelson\Application Data\Zango\v3.0\Zango\static\DownLoad\zango_ie_menu.xip
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Program Files\Common Files\ymante~1
C:\Program Files\JavaCore
C:\Program Files\JavaCore\UnInstall.exe
C:\Program Files\network monitor
C:\Program Files\outlook
C:\Program Files\outlook\v.tmp
C:\Program Files\VirusHeat 4.4
C:\Program Files\VirusHeat 4.4\vpp.ini
C:\Temp\1cb
C:\Temp\sanR24
C:\WINDOWS\BMe366517b.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\icroso~1
C:\WINDOWS\pskt.ini
C:\WINDOWS\smss.exe
C:\WINDOWS\system32\527631
C:\WINDOWS\system32\afinding.exe
C:\WINDOWS\system32\andt.sys
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\bxdwtauv.ini
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\comsa32.sys
C:\WINDOWS\system32\ddgkaibf.ini
C:\WINDOWS\system32\DelSelf.bat
C:\WINDOWS\system32\demososu.ini
C:\WINDOWS\system32\dhrxjqgm.ini
C:\WINDOWS\system32\drmgs.sys
C:\WINDOWS\system32\gfggh.ini
C:\WINDOWS\system32\gfggh.ini2
C:\WINDOWS\system32\ggjjl.ini
C:\WINDOWS\system32\ggjjl.ini2
C:\WINDOWS\system32\htmjixly.ini
C:\WINDOWS\system32\iDlo01
C:\WINDOWS\system32\iexplorer.dll .dbt
C:\WINDOWS\system32\Indt2.sys
C:\WINDOWS\system32\ipckhcjc.ini
C:\WINDOWS\system32\ivtdnqdm.ini
C:\WINDOWS\system32\jkuyqgcs.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pdxlluui.ini
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\pofkfhwg.ini
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tlterjql.ini
C:\WINDOWS\system32\tlterjql.ini2
C:\WINDOWS\system32\tlterjql.tmp
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\system32\univrs32.dat
C:\WINDOWS\system32\urmprgyt.ini
C:\WINDOWS\system32\uvosgiuj.ini
C:\WINDOWS\system32\winivstr.exe
C:\WINDOWS\system32\WServing.exe
C:\WINDOWS\system32\ynxdvmqs.ini
C:\WINDOWS\system32\ywphjwxo.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFINDING
-------\Legacy_CMDSERVICE
-------\Legacy_NWSAPAGENT
-------\Legacy_PERFMONS
-------\Legacy_ROUTING
-------\Legacy_WSERVING
-------\Service_AFinding
-------\Service_NwSapAgent
-------\Service_perfmons
-------\Service_Routing
-------\Service_WServing


((((((((((((((((((((((((( Files Created from 2008-05-12 to 2008-06-12 )))))))))))))))))))))))))))))))
.

2008-06-12 02:57 . 2008-06-12 02:57 19,451 --a------ C:\Documents and Settings\Nelson\Application Data\nafegoro.exe
2008-06-12 02:57 . 2008-06-12 02:57 19,121 --a------ C:\Program Files\Common Files\qukoser.com
2008-06-12 02:57 . 2008-06-12 02:57 18,298 --a------ C:\WINDOWS\system32\ixugafytaj.db
2008-06-12 02:57 . 2008-06-12 02:57 16,208 --a------ C:\Program Files\Common Files\hebipuf.dat
2008-06-12 02:57 . 2008-06-12 02:57 16,154 --a------ C:\WINDOWS\dyqaqafago.exe
2008-06-12 02:57 . 2008-06-12 02:57 15,367 --a------ C:\Program Files\Common Files\qapeb.bat
2008-06-12 02:57 . 2008-06-12 02:57 14,441 --a------ C:\WINDOWS\yxic.vbs
2008-06-12 02:57 . 2008-06-12 02:57 14,195 --a------ C:\Documents and Settings\All Users\Application Data\uqojo.bat
2008-06-12 02:57 . 2008-06-12 02:57 14,159 --a------ C:\Program Files\Common Files\ehyqi.com
2008-06-12 02:57 . 2008-06-12 02:57 13,563 --a------ C:\WINDOWS\system32\ejirufocyq.reg
2008-06-12 02:57 . 2008-06-12 02:57 13,162 --a------ C:\WINDOWS\puziminicu.lib
2008-06-12 02:57 . 2008-06-12 02:57 12,710 --a------ C:\Program Files\Common Files\dogepirela.dat
2008-06-12 02:57 . 2008-06-12 02:57 12,709 --a------ C:\WINDOWS\system32\ezemax.bin
2008-06-12 02:57 . 2008-06-12 02:57 12,051 --a------ C:\Program Files\Common Files\azagotitox.dat
2008-06-12 02:57 . 2008-06-12 02:57 11,323 --a------ C:\Program Files\Common Files\uceg.bin
2008-06-12 02:57 . 2008-06-12 02:57 11,201 --a------ C:\Documents and Settings\Nelson\Application Data\razyjazep.dat
2008-06-12 02:57 . 2008-06-12 02:57 10,759 --a------ C:\WINDOWS\avijadyda.bin
2008-06-12 02:57 . 2008-06-12 02:57 10,492 --a------ C:\WINDOWS\system32\utiha.dl
2008-06-10 17:29 . 2008-06-10 17:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-09 19:32 . 2008-06-09 19:32 19,982 --a------ C:\WINDOWS\system32\alimoj.bin
2008-06-09 19:32 . 2008-06-09 19:32 19,324 --a------ C:\Documents and Settings\All Users\Application Data\koligogid.sys
2008-06-09 19:32 . 2008-06-09 19:32 13,963 --a------ C:\Documents and Settings\All Users\Application Data\urebyme.bat
2008-06-09 19:32 . 2008-06-09 19:32 11,384 --a------ C:\Program Files\Common Files\hurure.exe
2008-06-08 14:58 . 2008-06-08 14:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-06-08 01:13 . 2008-06-08 01:13 11,472 --a------ C:\WINDOWS\depafupaxy.bat
2008-06-07 16:51 . 2008-06-07 16:51 19,629 --a------ C:\WINDOWS\ocoq.pif
2008-06-07 16:51 . 2008-06-07 16:51 19,301 --a------ C:\Documents and Settings\Nelson\Application Data\yxubetedo.dll
2008-06-07 16:51 . 2008-06-07 16:51 18,853 --a------ C:\Documents and Settings\Nelson\Application Data\acemyrufu.vbs
2008-06-07 16:51 . 2008-06-07 16:51 18,842 --a------ C:\Documents and Settings\All Users\Application Data\ibiwukuj.dll
2008-06-07 16:51 . 2008-06-07 16:51 15,309 --a------ C:\WINDOWS\kowibajy.bat
2008-06-07 16:51 . 2008-06-07 16:51 13,571 --a------ C:\WINDOWS\ududo.com
2008-06-07 16:51 . 2008-06-07 16:51 13,526 --a------ C:\WINDOWS\system32\atuwitegoc.lib
2008-06-07 16:51 . 2008-06-07 16:51 12,755 --a------ C:\WINDOWS\system32\nawok.inf
2008-06-07 16:51 . 2008-06-07 16:51 12,039 --a------ C:\WINDOWS\ivah.reg
2008-06-07 16:51 . 2008-06-07 16:51 11,560 --a------ C:\WINDOWS\otexyn.db
2008-06-07 16:51 . 2008-06-07 16:51 10,864 --a------ C:\WINDOWS\qybelohajo.pif
2008-06-07 16:51 . 2008-06-07 16:51 10,166 --a------ C:\WINDOWS\ocyjeh.inf
2008-06-07 16:51 . 2008-06-07 16:51 10,036 --a------ C:\Documents and Settings\Nelson\Application Data\onisikugab.bat
2008-06-05 12:26 . 2008-06-05 12:26 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Apple Computer
2008-06-04 01:31 . 2008-06-04 01:31 17,872 --a------ C:\WINDOWS\juzihelebu.dl
2008-06-04 01:31 . 2008-06-04 01:31 17,092 --a------ C:\Program Files\Common Files\akuvax.exe
2008-06-04 01:31 . 2008-06-04 01:31 16,172 --a------ C:\Documents and Settings\Nelson\Application Data\aqod.exe
2008-06-04 01:31 . 2008-06-04 01:31 14,926 --a------ C:\WINDOWS\viwalat._sy
2008-06-04 01:31 . 2008-06-04 01:31 14,849 --a------ C:\WINDOWS\igelasax.scr
2008-06-04 01:31 . 2008-06-04 01:31 14,836 --a------ C:\WINDOWS\aguc.vbs
2008-06-04 01:31 . 2008-06-04 01:31 14,025 --a------ C:\Program Files\Common Files\ketarisytu.bin
2008-06-04 01:31 . 2008-06-04 01:31 13,784 --a------ C:\WINDOWS\yzypaf.lib
2008-06-04 01:31 . 2008-06-04 01:31 12,926 --a------ C:\WINDOWS\emymu.inf
2008-06-04 01:31 . 2008-06-04 01:31 12,907 --a------ C:\Program Files\Common Files\begalof.vbs
2008-06-04 01:31 . 2008-06-04 01:31 12,723 --a------ C:\Documents and Settings\Nelson\Application Data\uvarivyje.exe
2008-06-04 01:31 . 2008-06-04 01:31 12,035 --a------ C:\Documents and Settings\All Users\Application Data\yhijizuxo.bin
2008-06-04 01:31 . 2008-06-04 01:31 11,651 --a------ C:\Documents and Settings\Nelson\Application Data\irekope.dat
2008-06-04 01:31 . 2008-06-04 01:31 11,387 --a------ C:\Documents and Settings\All Users\Application Data\zyhyqonow.com
2008-06-04 01:31 . 2008-06-04 01:31 11,034 --a------ C:\Documents and Settings\Nelson\Application Data\ligeq.scr
2008-06-04 01:29 . 2008-06-04 01:33 <DIR> d-------- C:\Program Files\XPSecurityCenter
2008-05-23 23:05 . 2008-05-23 23:05 17,182 --a------ C:\WINDOWS\system32\tmp1_629381227526.bk
2008-05-23 23:05 . 2008-05-23 23:05 17,182 --a------ C:\WINDOWS\system32\tmp0_422795235185.bk
2008-05-23 23:05 . 2008-05-23 23:05 14,278 --a------ C:\WINDOWS\system32\tmp3_627854819371.bk
2008-05-23 23:05 . 2008-05-23 23:05 14,254 --a------ C:\WINDOWS\system32\tmp4_390692515739.bk
2008-05-23 23:04 . 2008-05-23 23:04 158,000 --a------ C:\WINDOWS\system32\tmp4_715322757392.bk
2008-05-23 23:04 . 2008-05-23 23:04 149,313 --a------ C:\WINDOWS\system32\tmp3_337259498750.bk
2008-05-23 23:03 . 2008-05-23 23:03 153,644 --a------ C:\WINDOWS\system32\tmp4_860614713190.bk
2008-05-23 23:03 . 2008-05-23 23:03 118,819 --a------ C:\WINDOWS\system32\tmp1_182421618388.bk
2008-05-23 23:03 . 2008-05-23 23:03 118,819 --a------ C:\WINDOWS\system32\tmp0_39741992288.bk
2008-05-23 23:02 . 2008-05-23 23:03 149,313 --a------ C:\WINDOWS\system32\tmp3_448527431844.bk
2008-05-23 23:02 . 2008-05-23 23:02 25,891 --a------ C:\WINDOWS\system32\tmp1_85762513686.bk
2008-05-23 23:02 . 2008-05-23 23:02 25,891 --a------ C:\WINDOWS\system32\tmp0_620542584225.bk
2008-05-23 11:34 . 2008-05-23 11:34 155,096 --a------ C:\WINDOWS\system32\tmp4_4398837541.bk
2008-05-23 11:33 . 2008-05-23 11:33 153,644 --a------ C:\WINDOWS\system32\tmp4_585636587632.bk
2008-05-23 11:33 . 2008-05-23 11:33 152,569 --a------ C:\WINDOWS\system32\tmp1_118278307770.bk
2008-05-23 11:33 . 2008-05-23 11:33 152,569 --a------ C:\WINDOWS\system32\tmp0_464603867575.bk
2008-05-23 11:33 . 2008-05-23 11:33 149,313 --a------ C:\WINDOWS\system32\tmp3_836619575341.bk
2008-05-23 11:33 . 2008-05-23 11:33 130,435 --a------ C:\WINDOWS\system32\tmp1_675723577304.bk
2008-05-23 11:33 . 2008-05-23 11:33 130,435 --a------ C:\WINDOWS\system32\tmp0_222390337781.bk
2008-05-23 11:33 . 2008-05-23 11:33 121,725 --a------ C:\WINDOWS\system32\tmp3_178375439274.bk
2008-05-23 00:04 . 2008-05-23 00:05 155,096 --a------ C:\WINDOWS\system32\tmp4_402418862164.bk
2008-05-23 00:04 . 2008-05-23 00:04 130,435 --a------ C:\WINDOWS\system32\tmp1_299601353370.bk
2008-05-23 00:04 . 2008-05-23 00:04 130,435 --a------ C:\WINDOWS\system32\tmp0_40727148678.bk
2008-05-23 00:04 . 2008-05-23 00:04 121,725 --a------ C:\WINDOWS\system32\tmp3_559036645400.bk
2008-05-23 00:03 . 2008-05-23 00:04 153,644 --a------ C:\WINDOWS\system32\tmp4_277536395813.bk
2008-05-23 00:03 . 2008-05-23 00:03 152,569 --a------ C:\WINDOWS\system32\tmp1_794916868319.bk
2008-05-23 00:03 . 2008-05-23 00:03 149,313 --a------ C:\WINDOWS\system32\tmp3_557492786068.bk
2008-05-23 00:02 . 2008-05-23 00:03 152,569 --a------ C:\WINDOWS\system32\tmp0_364634267813.bk
2008-05-22 11:33 . 2008-05-22 11:33 153,644 --a------ C:\WINDOWS\system32\tmp4_701057237097.bk
2008-05-22 11:33 . 2008-05-22 11:33 152,217 --a------ C:\WINDOWS\system32\tmp3_455059372167.bk
2008-05-22 11:32 . 2008-05-22 11:32 158,025 --a------ C:\WINDOWS\system32\tmp3_198705868666.bk
2008-05-22 11:32 . 2008-05-22 11:32 155,096 --a------ C:\WINDOWS\system32\tmp4_330528547415.bk
2008-05-22 11:32 . 2008-05-22 11:32 150,763 --a------ C:\WINDOWS\system32\tmp1_136840430215.bk
2008-05-22 11:32 . 2008-05-22 11:32 126,038 --a------ C:\WINDOWS\system32\tmp0_64473280213.bk
2008-05-22 11:32 . 2008-05-22 11:32 115,915 --a------ C:\WINDOWS\system32\tmp1_151363247351.bk
2008-05-22 11:32 . 2008-05-22 11:32 4,070 --a------ C:\WINDOWS\system32\tmp0_103372654603.bk
2008-05-22 00:05 . 2008-05-22 00:05 153,644 --a------ C:\WINDOWS\system32\tmp4_450552248349.bk
2008-05-22 00:04 . 2008-05-22 00:04 155,096 --a------ C:\WINDOWS\system32\tmp4_37534799659.bk
2008-05-22 00:04 . 2008-05-22 00:05 152,217 --a------ C:\WINDOWS\system32\tmp3_26865129235.bk
2008-05-22 00:04 . 2008-05-22 00:04 115,915 --a------ C:\WINDOWS\system32\tmp1_78987570844.bk
2008-05-22 00:04 . 2008-05-22 00:04 115,915 --a------ C:\WINDOWS\system32\tmp0_335726649258.bk
2008-05-22 00:03 . 2008-05-22 00:04 158,025 --a------ C:\WINDOWS\system32\tmp3_66373332646.bk
2008-05-22 00:03 . 2008-05-22 00:03 150,763 --a------ C:\WINDOWS\system32\tmp1_758098823952.bk
2008-05-22 00:03 . 2008-05-22 00:03 150,763 --a------ C:\WINDOWS\system32\tmp0_650799623984.bk
2008-05-21 11:33 . 2008-05-21 11:34 155,096 --a------ C:\WINDOWS\system32\tmp4_774094482253.bk
2008-05-21 11:33 . 2008-05-21 11:33 153,669 --a------ C:\WINDOWS\system32\tmp3_878556537333.bk
2008-05-21 11:32 . 2008-05-21 11:32 156,548 --a------ C:\WINDOWS\system32\tmp4_782856742233.bk
2008-05-21 11:32 . 2008-05-21 11:32 127,490 --a------ C:\WINDOWS\system32\tmp0_607562203951.bk
2008-05-21 11:32 . 2008-05-21 11:33 117,367 --a------ C:\WINDOWS\system32\tmp1_568977684927.bk
2008-05-21 11:31 . 2008-05-21 11:31 153,669 --a------ C:\WINDOWS\system32\tmp3_422934586249.bk
2008-05-21 11:31 . 2008-05-21 11:31 137,695 --a------ C:\WINDOWS\system32\tmp1_418856228568.bk
2008-05-21 11:31 . 2008-05-21 11:31 8,426 --a------ C:\WINDOWS\system32\tmp0_497670854858.bk
2008-05-21 00:02 . 2008-05-21 00:02 157,412 --a------ C:\WINDOWS\system32\tmp4_510079731537.bk
2008-05-21 00:02 . 2008-05-21 00:02 153,057 --a------ C:\WINDOWS\system32\tmp3_10739511477.bk
2008-05-21 00:02 . 2008-05-21 00:03 150,112 --a------ C:\WINDOWS\system32\tmp4_647424494318.bk
2008-05-21 00:02 . 2008-05-21 00:02 147,217 --a------ C:\WINDOWS\system32\tmp3_806921361815.bk
2008-05-21 00:02 . 2008-05-21 00:02 118,015 --a------ C:\WINDOWS\system32\tmp1_584267121383.bk
2008-05-21 00:02 . 2008-05-21 00:02 118,015 --a------ C:\WINDOWS\system32\tmp0_166800661919.bk
2008-05-21 00:01 . 2008-05-21 00:01 4,135 --a------ C:\WINDOWS\system32\tmp1_399093781974.bk
2008-05-21 00:01 . 2008-05-21 00:01 4,135 --a------ C:\WINDOWS\system32\tmp0_34462790455.bk
2008-05-20 15:43 . 2008-05-20 15:43 147,836 --a------ C:\WINDOWS\system32\tmp4_447067576852.bk
2008-05-20 15:43 . 2008-05-20 15:43 113,013 --a------ C:\WINDOWS\system32\tmp3_157281729542.bk
2008-05-20 15:43 . 2008-05-20 15:43 111,559 --a------ C:\WINDOWS\system32\tmp1_157437139152.bk
2008-05-20 15:43 . 2008-05-20 15:43 111,559 --a------ C:\WINDOWS\system32\tmp0_890047128728.bk
2008-05-20 15:42 . 2008-05-20 15:43 150,740 --a------ C:\WINDOWS\system32\tmp4_111595743688.bk
2008-05-20 15:42 . 2008-05-20 15:42 146,409 --a------ C:\WINDOWS\system32\tmp3_172578787717.bk
2008-05-20 15:42 . 2008-05-20 15:42 25,891 --a------ C:\WINDOWS\system32\tmp1_49237547327.bk
2008-05-20 15:42 . 2008-05-20 15:42 25,891 --a------ C:\WINDOWS\system32\tmp0_118477752991.bk
2008-05-20 04:13 . 2008-05-20 04:13 142,053 --a------ C:\WINDOWS\system32\tmp3_666623542542.bk
2008-05-20 04:13 . 2008-05-20 04:13 115,915 --a------ C:\WINDOWS\system32\tmp1_803452895611.bk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-12 06:23 19,204,896 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-12 06:23 --------- d-----w C:\Program Files\Incomplete
2008-06-12 06:22 --------- d-----w C:\Documents and Settings\Nelson\Application Data\LimeWire
2008-06-12 06:20 --------- d-----w C:\Program Files\LimeWire
2008-06-12 06:18 526,112 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-12 06:18 33,620 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-12 06:18 258,140 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-12 05:57 12,514 ----a-w C:\Program Files\Common Files\vylopyxyka._sy
2008-06-09 22:32 19,166 ----a-w C:\WINDOWS\afut.vbs
2008-06-09 22:32 17,632 ----a-w C:\WINDOWS\belixo.dll
2008-06-09 22:32 16,579 ----a-w C:\WINDOWS\system32\ijikuxir.exe
2008-06-09 22:32 13,536 ----a-w C:\WINDOWS\ojis.scr
2008-06-09 22:32 13,196 ----a-w C:\WINDOWS\mydi.dll
2008-06-09 22:32 12,974 ----a-w C:\WINDOWS\system32\quvegery.bat
2008-06-09 22:32 12,718 ----a-w C:\WINDOWS\peqaq.dll
2008-06-09 22:32 11,981 ----a-w C:\WINDOWS\ytyje.reg
2008-06-09 22:32 10,446 ----a-w C:\WINDOWS\system32\imyxopeku.bin
2008-06-09 22:32 10,271 ----a-w C:\WINDOWS\system32\xozisuquv.exe
2008-06-08 17:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-08 17:59 --------- d-----w C:\Program Files\USBToolbox
2008-06-07 19:51 15,341 ----a-w C:\Program Files\Common Files\yfaci.inf
2008-06-07 19:51 13,773 ----a-w C:\Program Files\Common Files\yfeluk.db
2008-06-07 17:15 --------- d-----w C:\Program Files\Google
2008-06-04 04:31 19,111 ----a-w C:\Program Files\Common Files\adinijo._dl
2008-06-04 04:31 17,593 ----a-w C:\Program Files\Common Files\litan.inf
2008-05-09 21:29 --------- d-----w C:\Documents and Settings\Nelson\Application Data\Apple Computer
2008-05-09 15:11 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVGTOOLBAR
2008-05-05 09:30 2,560 ----a-w C:\WINDOWS\_MSRSTRT.EXE
2008-05-05 08:23 --------- d-----w C:\Program Files\DivX
2008-05-05 04:59 --------- d-----w C:\Documents and Settings\Nelson\Application Data\AVGTOOLBAR
2008-05-05 02:04 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-05 02:00 --------- d-----w C:\Program Files\AVG
2008-04-29 01:12 22 ----a-w C:\Documents and Settings\Nelson\xrt_collect.zip
2008-04-28 15:52 1,189 ----a-w C:\Documents and Settings\Nelson\xrt_log.dat
2008-04-15 21:08 --------- d-----w C:\Program Files\Kaspersky Lab
2008-04-15 21:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-27 01:18 49,152 ----a-r C:\WINDOWS\system32\inetwh32.dll
2008-03-27 01:18 1,044,480 ----a-r C:\WINDOWS\system32\roboex32.dll
2008-03-21 20:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-03-15 22:38 687,592 ----a-w C:\WINDOWS\system32\atmtd.dll
2005-07-30 00:24 472 --sha-r C:\WINDOWS\TmVsc29uIEtoYW4\nApPwZ6RKHQCsqb.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{51D81DD5-55B7-497F-95DB-D356429BB54E}"= "C:\Program Files\NetProject\wamdl.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{51d81dd5-55b7-497f-95db-d356429bb54e}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{51D81DD5-55B7-497F-95DB-D356429BB54E}"= C:\Program Files\NetProject\wamdl.dll [ ]

[HKEY_CLASSES_ROOT\clsid\{51d81dd5-55b7-497f-95db-d356429bb54e}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 18:39 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-02 15:30 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDeck"="C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe" [2007-08-09 20:48 528384]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 20:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 20:30 81920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 04:13 385024]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 08:42 144784]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 18:10 267048]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 22:34 49152]
"e05562e7"="C:\WINDOWS\system32\vuatwdxb.dll" [ ]
"BMe366517b"="C:\WINDOWS\system32\cmnduvkf.dll" [ ]
"XP SecurityCenter"="C:\Program Files\XPSecurityCenter\xpsecuritycenter.exe" [2008-05-26 22:37 524548]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

C:\Documents and Settings\Nelson\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-08 18:32:57 147456]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-27 01:24:54 98632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-03-08 00:02:56 113664]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 22:26:24 210520]
Wireless Configuration Utility.lnk - C:\Program Files\802.11 Wireless LAN\802.11b Wireless CardBus & PCI Adapter HW.11 V1.10\OEM\WlanCU.exe [2003-08-08 16:24:02 425984]
Wireless PCI_CardBus utility V1.01.exe.lnk - C:\Program Files\Customer\Wireless PCI_CardBus utility V1.01\Wireless PCI_CardBus utility V1.01.exe [2008-03-12 18:40:06 913408]
Wireless USB utility V1.01.exe.lnk - C:\Program Files\Customer\Wireless USB utility V1.01\Wireless USB utility V1.01.exe [2008-03-12 18:44:17 913408]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{4d51e91c-e917-4b7f-89ff-abe471e16927}"= C:\WINDOWS\system32\uyhjw.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxxvvs]
cbxxvvs.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

S3 qcmdmxp;HTC Proprietary USB Driver (PID 0B03);C:\WINDOWS\system32\DRIVERS\qcmdmxp.sys [2006-12-27 08:38]
S3 qcserxp;HTC Diagnostic Port (PID 0B03);C:\WINDOWS\system32\DRIVERS\qcserxp.sys [2006-12-27 08:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2008-06-12 06:17:51 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-12 03:20:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_04\bin\jucheck.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-06-12 3:25:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-12 06:25:26

Pre-Run: 17,340,928,000 bytes free
Post-Run: 20,327,645,184 bytes free

598
 
Hi


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says
    The J2SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the
    Download
    button to the right.
  • Select Windows on platform combobox and check the box that says:
    Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.



Open notepad and copy/paste the text in the quotebox below into it:

Code: 
File::
C:\Documents and Settings\Nelson\Application Data\nafegoro.exe
C:\Program Files\Common Files\qukoser.com
C:\WINDOWS\system32\ixugafytaj.db
C:\Program Files\Common Files\hebipuf.dat
C:\WINDOWS\dyqaqafago.exe
C:\Program Files\Common Files\qapeb.bat
C:\WINDOWS\yxic.vbs
C:\Documents and Settings\All Users\Application Data\uqojo.bat
C:\Program Files\Common Files\ehyqi.com
C:\WINDOWS\system32\ejirufocyq.reg
C:\WINDOWS\puziminicu.lib
C:\Program Files\Common Files\dogepirela.dat
C:\WINDOWS\system32\ezemax.bin
C:\Program Files\Common Files\azagotitox.dat
C:\Program Files\Common Files\uceg.bin
C:\Documents and Settings\Nelson\Application Data\razyjazep.dat
C:\WINDOWS\avijadyda.bin
C:\WINDOWS\system32\utiha.dl
C:\WINDOWS\system32\alimoj.bin
C:\Documents and Settings\All Users\Application Data\koligogid.sys
C:\Documents and Settings\All Users\Application Data\urebyme.bat
C:\Program Files\Common Files\hurure.exe
C:\WINDOWS\depafupaxy.bat
C:\WINDOWS\ocoq.pif
C:\Documents and Settings\Nelson\Application Data\yxubetedo.dll
C:\Documents and Settings\Nelson\Application Data\acemyrufu.vbs
C:\Documents and Settings\All Users\Application Data\ibiwukuj.dll
C:\WINDOWS\kowibajy.bat
C:\WINDOWS\ududo.com
C:\WINDOWS\system32\atuwitegoc.lib
C:\WINDOWS\system32\nawok.inf
C:\WINDOWS\ivah.reg
C:\WINDOWS\otexyn.db
C:\WINDOWS\qybelohajo.pif
C:\WINDOWS\ocyjeh.inf
C:\Documents and Settings\Nelson\Application Data\onisikugab.bat
C:\WINDOWS\juzihelebu.dl
C:\Program Files\Common Files\akuvax.exe
C:\Documents and Settings\Nelson\Application Data\aqod.exe
C:\WINDOWS\viwalat._sy
C:\WINDOWS\igelasax.scr
C:\WINDOWS\aguc.vbs
C:\Program Files\Common Files\ketarisytu.bin
C:\WINDOWS\yzypaf.lib
C:\WINDOWS\emymu.inf
C:\Program Files\Common Files\begalof.vbs
C:\Documents and Settings\Nelson\Application Data\uvarivyje.exe
C:\Documents and Settings\All Users\Application Data\yhijizuxo.bin
C:\Documents and Settings\Nelson\Application Data\irekope.dat
C:\Documents and Settings\All Users\Application Data\zyhyqonow.com
C:\Documents and Settings\Nelson\Application Data\ligeq.scr
C:\WINDOWS\system32\tmp1_629381227526.bk
C:\WINDOWS\system32\tmp0_422795235185.bk
C:\WINDOWS\system32\tmp3_627854819371.bk
C:\WINDOWS\system32\tmp4_390692515739.bk
C:\WINDOWS\system32\tmp4_715322757392.bk
C:\WINDOWS\system32\tmp3_337259498750.bk
C:\WINDOWS\system32\tmp4_860614713190.bk
C:\WINDOWS\system32\tmp1_182421618388.bk
C:\WINDOWS\system32\tmp0_39741992288.bk
C:\WINDOWS\system32\tmp3_448527431844.bk
C:\WINDOWS\system32\tmp1_85762513686.bk
C:\WINDOWS\system32\tmp0_620542584225.bk
C:\WINDOWS\system32\tmp4_4398837541.bk
C:\WINDOWS\system32\tmp4_585636587632.bk
C:\WINDOWS\system32\tmp1_118278307770.bk
C:\WINDOWS\system32\tmp0_464603867575.bk
C:\WINDOWS\system32\tmp3_836619575341.bk
C:\WINDOWS\system32\tmp1_675723577304.bk
C:\WINDOWS\system32\tmp0_222390337781.bk
C:\WINDOWS\system32\tmp3_178375439274.bk
C:\WINDOWS\system32\tmp4_402418862164.bk
C:\WINDOWS\system32\tmp1_299601353370.bk
C:\WINDOWS\system32\tmp0_40727148678.bk
C:\WINDOWS\system32\tmp3_559036645400.bk
C:\WINDOWS\system32\tmp4_277536395813.bk
C:\WINDOWS\system32\tmp1_794916868319.bk
C:\WINDOWS\system32\tmp3_557492786068.bk
C:\WINDOWS\system32\tmp0_364634267813.bk
C:\WINDOWS\system32\tmp4_701057237097.bk
C:\WINDOWS\system32\tmp3_455059372167.bk
C:\WINDOWS\system32\tmp3_198705868666.bk
C:\WINDOWS\system32\tmp4_330528547415.bk
C:\WINDOWS\system32\tmp1_136840430215.bk
C:\WINDOWS\system32\tmp0_64473280213.bk
C:\WINDOWS\system32\tmp1_151363247351.bk
C:\WINDOWS\system32\tmp0_103372654603.bk
C:\WINDOWS\system32\tmp4_450552248349.bk
C:\WINDOWS\system32\tmp4_37534799659.bk
C:\WINDOWS\system32\tmp3_26865129235.bk
C:\WINDOWS\system32\tmp1_78987570844.bk
C:\WINDOWS\system32\tmp0_335726649258.bk
C:\WINDOWS\system32\tmp3_66373332646.bk
C:\WINDOWS\system32\tmp1_758098823952.bk
C:\WINDOWS\system32\tmp0_650799623984.bk
C:\WINDOWS\system32\tmp4_774094482253.bk
C:\WINDOWS\system32\tmp3_878556537333.bk
C:\WINDOWS\system32\tmp4_782856742233.bk
C:\WINDOWS\system32\tmp0_607562203951.bk
C:\WINDOWS\system32\tmp1_568977684927.bk
C:\WINDOWS\system32\tmp3_422934586249.bk
C:\WINDOWS\system32\tmp1_418856228568.bk
C:\WINDOWS\system32\tmp0_497670854858.bk
C:\WINDOWS\system32\tmp4_510079731537.bk
C:\WINDOWS\system32\tmp3_10739511477.bk
C:\WINDOWS\system32\tmp4_647424494318.bk
C:\WINDOWS\system32\tmp3_806921361815.bk
C:\WINDOWS\system32\tmp1_584267121383.bk
C:\WINDOWS\system32\tmp0_166800661919.bk
C:\WINDOWS\system32\tmp1_399093781974.bk
C:\WINDOWS\system32\tmp0_34462790455.bk
C:\WINDOWS\system32\tmp4_447067576852.bk
C:\WINDOWS\system32\tmp3_157281729542.bk
C:\WINDOWS\system32\tmp1_157437139152.bk
C:\WINDOWS\system32\tmp0_890047128728.bk
C:\WINDOWS\system32\tmp4_111595743688.bk
C:\WINDOWS\system32\tmp3_172578787717.bk
C:\WINDOWS\system32\tmp1_49237547327.bk
C:\WINDOWS\system32\tmp0_118477752991.bk
C:\WINDOWS\system32\tmp3_666623542542.bk
C:\WINDOWS\system32\tmp1_803452895611.bk
C:\Program Files\Common Files\vylopyxyka._sy
C:\WINDOWS\afut.vbs
C:\WINDOWS\belixo.dll
C:\WINDOWS\system32\ijikuxir.exe
C:\WINDOWS\ojis.scr
C:\WINDOWS\mydi.dll
C:\WINDOWS\system32\quvegery.bat
C:\WINDOWS\peqaq.dll
C:\WINDOWS\ytyje.reg
C:\WINDOWS\system32\imyxopeku.bin
C:\WINDOWS\system32\xozisuquv.exe
C:\Program Files\Common Files\yfaci.inf
C:\Program Files\Common Files\yfeluk.db
C:\Program Files\Common Files\adinijo._dl
C:\Program Files\Common Files\litan.inf

Folder::
C:\Program Files\XPSecurityCenter
C:\WINDOWS\TmVsc29uIEtoYW4
C:\Program Files\NetProject

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{51D81DD5-55B7-497F-95DB-D356429BB54E}"=-

[-HKEY_CLASSES_ROOT\clsid\{51d81dd5-55b7-497f-95db-d356429bb54e}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{51D81DD5-55B7-497F-95DB-D356429BB54E}"=-

[-HKEY_CLASSES_ROOT\clsid\{51d81dd5-55b7-497f-95db-d356429bb54e}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"e05562e7"=-
"BMe366517b"=-
"XP SecurityCenter"=-

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{4d51e91c-e917-4b7f-89ff-abe471e16927}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxxvvs]


Save this as
CFScript


CFScript.gif


Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Please post contents of that file & a fresh hjt log (without forgetting above meantioned ComboFix resultant log).
 
Due to inactivity, this thread will now be closed.

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
 
You must log in or register to reply here.
Back
Top