TOM-J-LAEL
Honorary Members
Posts: 28
Everything posted by TOM-J-LAEL
-
Merged two posts. We look for posts with 0 replies, so when you replied to your own topic, we assume you were being helped. Do not bump your topic.

I have a user who is still suffering from Google redirects. MWB comes up clean, Trend Micro WFB reports no infections, SAS comes up clean, TDSS Killer comes up clean, MBR Check came up clean, et cetera, et cetera. HitmanPro initially reported some ZeroAccess stuff which it allegedly removed. Combofix does not delete any files. Yes, I know I'm not supposed to run Combofix without being asked to. Hopefully you all will anoint me for my sins. I just need a resolution. I'm an IT Professional (or at least I play one on TV), and I have a disk image backup prior to trying anything. After running all of these tools, and straight from reboot, the System Idle Process starts jabbering out to random locations on the Internet. I know this from running Netstat. I thought that was strange. It's a Windows 7 Pro machine as you'll tell, as is mine. My System Idle Process does not show any connections out to the Internet.

Here's the Combofix Log:

ComboFix 12-06-26.02 - jeanne 06/27/2012 11:27:29.4.4 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2035.974 [GMT -4:00]
Running from: c:\users\jeanne\Desktop\ComboFix.exe
AV: Trend Micro Client/Server Security Agent Antivirus *Disabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92}
FW: Trend Micro Personal Firewall *Disabled* {50C2E989-60CF-0845-AFD3-290B7D301E79}
SP: Trend Micro Client/Server Security Agent Anti-spyware *Disabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-05-27 to 2012-06-27 )))))))))))))))))))))))))))))))
.
.
2012-06-27 15:34 . 2012-06-27 15:34 -------- d-----w- c:\users\SMS\AppData\Local\temp
2012-06-27 15:34 . 2012-06-27 15:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-27 15:34 . 2012-06-27 15:34 -------- d-----w- c:\users\administrator\AppData\Local\temp
2012-06-27 15:34 . 2012-06-27 15:34 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Local\temp
2012-06-27 15:02 . 2012-06-27 15:02 -------- d-----w- c:\users\jeanne\AppData\Roaming\SUPERAntiSpyware.com
2012-06-27 15:01 . 2012-06-27 15:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-06-27 15:01 . 2012-06-27 15:01 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-06-27 14:43 . 2012-06-27 14:43 12872 ----a-w- c:\windows\system32\bootdelete.exe
2012-06-25 12:17 . 2012-06-25 12:17 -------- d-----w- c:\users\jeanne\AppData\Local\Macromedia
2012-06-22 21:00 . 2012-06-22 21:00 -------- d-----w- c:\program files (x86)\Dell Digital Delivery
2012-06-21 12:24 . 2012-06-21 12:24 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll
2012-06-21 12:24 . 2012-06-21 12:24 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll
2012-06-19 16:35 . 2012-06-19 16:35 -------- d-----w- c:\users\DefaultAppPool
2012-06-18 00:41 . 2012-06-18 00:41 -------- d-----w- c:\windows\system32\log
2012-06-18 00:40 . 2012-06-18 00:41 -------- d-----w- c:\program files (x86)\Trend Micro
2012-06-13 07:04 . 2012-04-26 05:41 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-06-13 07:04 . 2012-04-26 05:41 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-06-13 07:04 . 2012-04-26 05:34 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-06-13 07:01 . 2012-05-04 11:06 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-06-13 07:01 . 2012-05-04 10:03 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-06-13 07:01 . 2012-05-04 10:03 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-06-13 07:01 . 2012-05-15 01:32 3146752 ----a-w- c:\windows\system32\win32k.sys
2012-06-13 07:01 . 2012-04-28 03:55 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-03 21:27 . 2012-06-03 21:27 -------- d-----w- c:\users\jeanne\AppData\Local\Apple
2012-06-01 19:27 . 2012-06-27 14:44 -------- d-----w- c:\programdata\HitmanPro
2012-06-01 18:15 . 2012-06-01 18:15 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Local\Mozilla
2012-06-01 17:46 . 2012-06-27 15:37 -------- d-----w- c:\users\jeanne\AppData\Local\temp
2012-05-31 16:21 . 2012-05-31 16:21 -------- d-----w- c:\users\jeanne\AppData\Roaming\Malwarebytes
2012-05-31 13:00 . 2012-05-31 13:00 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Roaming\Malwarebytes
2012-05-31 12:59 . 2012-05-31 12:59 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-05-31 12:59 . 2012-05-31 12:59 -------- d-----w- c:\programdata\Malwarebytes
2012-05-31 12:59 . 2012-04-04 19:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-31 12:31 . 2012-05-31 12:31 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Roaming\Roxio Burn
2012-05-31 12:08 . 2012-05-31 12:08 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Roaming\ICAClient
2012-05-31 12:08 . 2012-05-31 12:08 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Roaming\Hewlett-Packard Company
2012-05-31 12:08 . 2012-05-31 12:08 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Local\Citrix
2012-05-31 12:08 . 2012-05-31 12:08 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Local\{2D5CE1D8-AA7F-11E1-8270-B8AC6F996F26}
2012-05-31 12:08 . 2012-05-31 12:08 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Local\LogMeIn
2012-05-30 17:45 . 2012-05-30 17:45 -------- d-----w- c:\users\jeanne\AppData\Local\{2D5CE1D8-AA7F-11E1-8270-B8AC6F996F26}
2012-05-30 17:38 . 2012-05-30 17:38 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-05-30 17:35 . 2012-05-31 16:27 -------- d-----w- c:\program files (x86)\Common Files\Outlook
2012-05-30 17:34 . 2012-05-31 11:52 -------- d-----w- c:\users\jeanne\AppData\Roaming\Ifysi
2012-05-30 17:34 . 2012-05-30 17:44 -------- d-----w- c:\users\jeanne\AppData\Roaming\Elor
2012-05-30 17:34 . 2012-05-30 17:34 -------- d-----w- c:\users\jeanne\AppData\Roaming\Akpuor
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-23 15:20 . 2012-04-04 19:19 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-06-23 15:20 . 2012-03-28 15:42 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-23 15:20 . 2012-04-13 20:20 9815752 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-05-22 15:52 . 2012-05-22 15:52 608 --sha-w- c:\windows\system32\winzvprt5.sys
2012-05-22 12:13 . 2012-04-22 18:23 87456 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2012-05-22 12:13 . 2012-04-22 18:23 34688 ----a-w- c:\windows\system32\LMIport.dll
2012-05-22 12:13 . 2012-04-22 18:23 80768 ----a-w- c:\windows\system32\LMIinit.dll
2012-05-08 17:02 . 2012-05-30 03:04 8955792 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{310DB10C-D086-496B-86CD-8E51A4A25BE9}\mpengine.dll
2012-04-04 16:39 . 2010-06-24 16:33 19352 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-03-30 11:35 . 2012-05-09 07:00 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AutomatedTaskLauncher"="c:\program files (x86)\Comdata\Shared\Applications\CDAtl.exe" [2004-06-01 77824]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-06-26 4787072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell DataSafe Online"="c:\program files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe" [2010-08-26 1117528]
"RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2012-04-05 371864]
"ToolboxFX"="c:\program files (x86)\HP\ToolboxFX\bin\HPTLBXFX.exe" [2010-10-25 58936]
"OfficeScanNT Monitor"="c:\program files (x86)\Trend Micro\Client Server Security Agent\pccntmon.exe" [2012-01-09 1712656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~2\Citrix\ICACLI~1\RSHook.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages    REG_MULTI_SZ    kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3699739257-3343509579-3915199227-500\Scripts\Logon\0\0]
"Script"=LaunchNotificationUI.cmd
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
R2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-12-20 1691848]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-23 250056]
R3 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.exe [2012-02-10 240408]
R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [2011-05-18 47616]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-21 113120]
R3 netvsc;netvsc;c:\windows\system32\DRIVERS\netvsc60.sys [2010-11-21 168448]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
R3 SynthVid;SynthVid;c:\windows\system32\DRIVERS\VMBusVideoM.sys [2010-11-21 22528]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-04-04 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2012-02-14 93272]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 BBSvc;BingBar Service;c:\program files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.exe [2012-02-10 193816]
S2 DellDigitalDelivery;Dell Digital Delivery Service;c:\program files (x86)\Dell Digital Delivery\DeliveryService.exe [2012-06-19 173056]
S2 HP LaserJet Service;HP LaserJet Service;c:\program files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [2010-10-25 145920]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2012-05-22 375176]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files (x86)\LogMeIn\x64\RaInfo.sys [2011-09-16 15928]
S2 NOBU;Dell DataSafe Online;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE [x]
S2 svcGenericHost;Trend Micro Client/Server Security Agent;c:\program files (x86)\Trend Micro\Client Server Security Agent\HostedAgent\svcGenericHost.exe [2012-05-14 50704]
S2 TmFilter;Trend Micro Filter;c:\program files (x86)\Trend Micro\Client Server Security Agent\TmXPFlt.sys [2011-07-12 342288]
S2 TmPreFilter;Trend Micro PreFilter;c:\program files (x86)\Trend Micro\Client Server Security Agent\TmPreFlt.sys [2011-07-12 42768]
S3 HPFXBULKLEDM;HPFXBULKLEDM;c:\windows\system32\drivers\hppdbulkio.sys [2010-12-14 22040]
S3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hppdfaxio.sys [2010-12-14 23576]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-15 317440]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-10-20 56344]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-06-10 539240]
S3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;c:\program files (x86)\Trend Micro\Client Server Security Agent\TmProxy.exe [2012-04-27 918032]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs    REG_MULTI_SZ    w3svc was
apphost    REG_MULTI_SZ    apphostsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 15:20]
.
2012-05-28 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-12-14 04:09]
.
2012-06-26 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\pcdrcui.exe [2011-12-14 04:09]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-04 167960]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-04 391704]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-04 418328]
"LogMeIn GUI"="c:\program files (x86)\LogMeIn\x64\LogMeInSystray.exe" [2011-09-16 57928]
"HP LaserJet Professional M1530 MFP Series Fax"="c:\program files (x86)\HP\Digital Imaging\Fax\Fax Driver 0.6 Base\hppfaxprintersrv.exe" [2010-08-24 3706424]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.foxnews.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
Trusted Zone: iconnectdata.com\w6
Trusted Zone: vospro.net\go
TCP: DhcpNameServer = 192.168.0.2
FF - ProfilePath - c:\users\jeanne\AppData\Roaming\Mozilla\Firefox\Profiles\ar10f2xn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/|http://www.drudgereport.com/|http://www.msn.com/
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files (x86)\Trend Micro\Client Server Security Agent\HostedAgent\HostedAgent.exe
c:\program files (x86)\Citrix\ICA Client\Receiver\Receiver.exe
c:\program files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe
c:\program files (x86)\Citrix\ICA Client\wfcrun32.exe
c:\program files (x86)\Citrix\SelfServicePlugin\SelfService.exe
.
**************************************************************************
.
Completion time: 2012-06-27 11:42:45 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-27 15:42
ComboFix2.txt 2012-06-01 17:46
.
Pre-Run: 419,192,397,824 bytes free
Post-Run: 419,038,064,640 bytes free
.

Here's the Netstat Log:

Active Connections

Proto  Local Address  Foreign Address  State  PID
TCP  0.0.0.0:7  SMSPC16:0  LISTENING  2516
TCP  0.0.0.0:9  SMSPC16:0  LISTENING  2516
TCP  0.0.0.0:13  SMSPC16:0  LISTENING  2516
TCP  0.0.0.0:17  SMSPC16:0  LISTENING  2516
TCP  0.0.0.0:19  SMSPC16:0  LISTENING  2516
TCP  0.0.0.0:80  SMSPC16:0  LISTENING  4
TCP  0.0.0.0:135  SMSPC16:0  LISTENING  772
TCP  0.0.0.0:445  SMSPC16:0  LISTENING  4
TCP  0.0.0.0:515  SMSPC16:0  LISTENING  1548
TCP  0.0.0.0:2002  SMSPC16:0  LISTENING  2036
TCP  0.0.0.0:3389  SMSPC16:0  LISTENING  1084
TCP  0.0.0.0:5357  SMSPC16:0  LISTENING  4
TCP  0.0.0.0:49152  SMSPC16:0  LISTENING  432
TCP  0.0.0.0:49153  SMSPC16:0  LISTENING  856
TCP  0.0.0.0:49154  SMSPC16:0  LISTENING  948
TCP  0.0.0.0:49187  SMSPC16:0  LISTENING  508
TCP  0.0.0.0:49197  SMSPC16:0  LISTENING  492
TCP  0.0.0.0:61116  SMSPC16:0  LISTENING  1240
TCP  127.0.0.1:2002  SMSPC16:49246  ESTABLISHED  2036
TCP  127.0.0.1:6999  SMSPC16:0  LISTENING  2616
TCP  127.0.0.1:6999  SMSPC16:49346  TIME_WAIT  0
TCP  127.0.0.1:6999  SMSPC16:49349  TIME_WAIT  0
TCP  127.0.0.1:6999  SMSPC16:49350  TIME_WAIT  0
TCP  127.0.0.1:6999  SMSPC16:49351  TIME_WAIT  0
TCP  127.0.0.1:6999  SMSPC16:49353  TIME_WAIT  0
TCP  127.0.0.1:6999  SMSPC16:49354  TIME_WAIT  0
TCP  127.0.0.1:6999  SMSPC16:49355  TIME_WAIT  0
TCP  127.0.0.1:6999  SMSPC16:49364  TIME_WAIT  0
TCP  127.0.0.1:6999  SMSPC16:49367  TIME_WAIT  0
TCP  127.0.0.1:6999  SMSPC16:49372  TIME_WAIT  0
TCP  127.0.0.1:21112  SMSPC16:0  LISTENING  2868
TCP  127.0.0.1:49246  SMSPC16:2002  ESTABLISHED  4392
TCP  127.0.0.1:49361  SMSPC16:6999  TIME_WAIT  0
TCP  127.0.0.1:49369  SMSPC16:6999  TIME_WAIT  0
TCP  192.168.0.127:139  SMSPC16:0  LISTENING  4
TCP  192.168.0.127:49191  smssrvr:ldap  ESTABLISHED  316
TCP  192.168.0.127:49210  a23-64-249-83:https  ESTABLISHED  2152
TCP  192.168.0.127:49211  a23-64-249-83:https  ESTABLISHED  2152
TCP  192.168.0.127:49213  a23-64-249-83:https  ESTABLISHED  2152
TCP  192.168.0.127:49214  a23-64-249-83:https  ESTABLISHED  2152
TCP  192.168.0.127:49219  smssrvr:microsoft-ds  ESTABLISHED  4
TCP  192.168.0.127:49229  a23-64-249-83:https  ESTABLISHED  2152
TCP  192.168.0.127:49244  smssrvr:6012  ESTABLISHED  1332
TCP  192.168.0.127:49274  smssrvr:6012  ESTABLISHED  1332
TCP  192.168.0.127:49288  a23-64-249-83:https  ESTABLISHED  2152
TCP  192.168.0.127:49292  64.74.103.163:https  ESTABLISHED  2036
TCP  192.168.0.127:49317  64.74.103.163:https  ESTABLISHED  2036
TCP  192.168.0.127:49320  64.74.103.163:https  ESTABLISHED  2036
TCP  192.168.0.127:49327  64.74.103.163:https  ESTABLISHED  2036
TCP  192.168.0.127:49334  network-098-027-088-048:http  TIME_WAIT  0
TCP  192.168.0.127:49341  65.55.53.190:http  TIME_WAIT  0
TCP  192.168.0.127:49342  network-098-027-088-030:http  TIME_WAIT  0
TCP  192.168.0.127:49348  network-098-027-088-030:http  TIME_WAIT  0
TCP  192.168.0.127:49362  216.35.15.168:http  TIME_WAIT  0
TCP  192.168.0.127:49363  network-098-027-088-030:http  TIME_WAIT  0
TCP  192.168.0.127:49370  iad23s06-in-f1:http  TIME_WAIT  0
TCP  192.168.0.127:49371  network-098-027-088-030:http  TIME_WAIT  0
TCP  [::]:7  SMSPC16:0  LISTENING  2516
TCP  [::]:9  SMSPC16:0  LISTENING  2516
TCP  [::]:13  SMSPC16:0  LISTENING  2516
TCP  [::]:17  SMSPC16:0  LISTENING  2516
TCP  [::]:19  SMSPC16:0  LISTENING  2516
TCP  [::]:80  SMSPC16:0  LISTENING  4
TCP  [::]:135  SMSPC16:0  LISTENING  772
TCP  [::]:445  SMSPC16:0  LISTENING  4
TCP  [::]:515  SMSPC16:0  LISTENING  1548
TCP  [::]:3389  SMSPC16:0  LISTENING  1084
TCP  [::]:5357  SMSPC16:0  LISTENING  4
TCP  [::]:49152  SMSPC16:0  LISTENING  432
TCP  [::]:49153  SMSPC16:0  LISTENING  856
TCP  [::]:49154  SMSPC16:0  LISTENING  948
TCP  [::]:49187  SMSPC16:0  LISTENING  508
TCP  [::]:49197  SMSPC16:0  LISTENING  492
UDP  0.0.0.0:7  *:*  2516
UDP  0.0.0.0:9  *:*  2516
UDP  0.0.0.0:13  *:*  2516
UDP  0.0.0.0:17  *:*  2516
UDP  0.0.0.0:19  *:*  2516
UDP  0.0.0.0:123  *:*  328
UDP  0.0.0.0:427  *:*  5848
UDP  0.0.0.0:500  *:*  948
UDP  0.0.0.0:3702  *:*  1812
UDP  0.0.0.0:3702  *:*  1812
UDP  0.0.0.0:4500  *:*  948
UDP  0.0.0.0:5355  *:*  1084
UDP  0.0.0.0:51335  *:*  1812
UDP  0.0.0.0:56305  *:*  1240
UDP  0.0.0.0:61117  *:*  1240
UDP  127.0.0.1:1900  *:*  1812
UDP  127.0.0.1:51265  *:*  316
UDP  127.0.0.1:51709  *:*  3144
UDP  127.0.0.1:53037  *:*  1084
UDP  127.0.0.1:58742  *:*  508
UDP  127.0.0.1:63173  *:*  1812
UDP  192.168.0.127:137  *:*  4
UDP  192.168.0.127:138  *:*  4
UDP  192.168.0.127:427  *:*  5848
UDP  192.168.0.127:1900  *:*  1812
UDP  192.168.0.127:32527  *:*  2036
UDP  192.168.0.127:32528  *:*  2036
UDP  192.168.0.127:63172  *:*  1812
UDP  [::]:7  *:*  2516
UDP  [::]:9  *:*  2516
UDP  [::]:13  *:*  2516
UDP  [::]:17  *:*  2516
UDP  [::]:19  *:*  2516
UDP  [::]:123  *:*  328
UDP  [::]:500  *:*  948
UDP  [::]:3702  *:*  1812
UDP  [::]:3702  *:*  1812
UDP  [::]:4500  *:*  948
UDP  [::]:5355  *:*  1084
UDP  [::]:51336  *:*  1812
UDP  [::1]:1900  *:*  1812
UDP  [::1]:63171  *:*  1812
UDP  [fe80::3473:e559:9252:a169%11]:1900  *:*  1812
UDP  [fe80::3473:e559:9252:a169%11]:63170  *:*  1812

bump...
2 replies
Tagged with: zeroaccess, rootkit (and 1 more)
-
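The Netstat listing above is the kind of output that raises the "System Idle Process is talking to the Internet" question. As an added example (not code from the thread or from Malwarebytes), the Python below parses `netstat -ano` output, groups the ESTABLISHED Internet peers by the owning PID so each can be looked up with `tasklist /FI "PID eq <pid>"`, and separates out the rows netstat attributes to PID 0: on Windows those are sockets no process owns any more, typically TIME_WAIT leftovers of connections that have already been closed, and they are reported under PID 0 because nothing owns them, not because the idle process is sending traffic. The sample listing is constructed in numeric (`-n`) form, with endpoints modelled on the listing above; the private-range check only works on addresses, so run netstat with `-n` rather than letting it resolve names.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (numeric addresses, owning PID in the last
# column). The addresses are illustrative only, laid out like the listing in the post.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1084
  TCP    192.168.0.127:49210    23.64.249.83:443       ESTABLISHED     2152
  TCP    192.168.0.127:49292    64.74.103.163:443      ESTABLISHED     2036
  TCP    192.168.0.127:49317    64.74.103.163:443      ESTABLISHED     2036
  TCP    192.168.0.127:49334    98.27.88.48:80         TIME_WAIT       0
  TCP    192.168.0.127:49341    65.55.53.190:80        TIME_WAIT       0
  TCP    127.0.0.1:6999         127.0.0.1:49346        TIME_WAIT       0
  UDP    0.0.0.0:123            *:*                                    328
"""

# One socket row: protocol, local, foreign, optional state (UDP rows have none), PID.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return one dict per socket row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "foreign": foreign,
                         "state": state, "pid": int(pid)})
    return rows


def is_private(host):
    """Loopback and RFC 1918 addresses; anything else is treated as an Internet peer."""
    return (host.startswith(("127.", "10.", "192.168."))
            or re.match(r"^172\.(1[6-9]|2\d|3[01])\.", host) is not None)


def internet_peers_by_pid(rows):
    """Map each owning PID to the Internet endpoints it holds in ESTABLISHED state.
    These are the rows worth chasing with `tasklist /FI "PID eq <pid>"`."""
    peers = defaultdict(set)
    for r in rows:
        if r["state"] == "ESTABLISHED":
            host = r["foreign"].rsplit(":", 1)[0]
            if not is_private(host):
                peers[r["pid"]].add(r["foreign"])
    return dict(peers)


def unowned_rows(rows):
    """Rows netstat attributes to PID 0. Windows reports PID 0 for sockets that no process
    owns any more (typically TIME_WAIT leftovers of closed connections); this is not the
    'System Idle Process', which merely shares the number 0 in Task Manager."""
    return [r for r in rows if r["pid"] == 0]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for pid, peers in sorted(internet_peers_by_pid(rows).items()):
        print(f"PID {pid}: {', '.join(sorted(peers))}")
    leftovers = unowned_rows(rows)
    print(f"{len(leftovers)} PID-0 rows, states: {sorted({r['state'] for r in leftovers})}")
```

The useful split for triage is therefore ESTABLISHED rows, which name a live process to inspect, versus PID-0 TIME_WAIT rows, which only tell you that some process connected a moment ago and has already closed the socket; to attribute those you need to catch the connection while it is open (repeat `netstat -ano` in a loop, or use a tool that logs connections as they are made).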
Realtime protection freezes computer
TOM-J-LAEL replied to TOM-J-LAEL's topic in Malwarebytes for Windows Support Forum
How long do I wait for a reply? I emailed the suggested email address today at 12:10pm EST. thanks, paul -
Hello, MWB reseller here. Have a corporate customer whose computer is suddenly freezing when it boots, and it also blue screened at one point. I analyzed the dump file and it blue screened due to Malwarebytes driver file. Booted into safe mode, no malware detected by MWB w/ latest definitions. Disabled MBAM service and booted into normal mode fine. Already uninstalled using mbam-clean.exe file and reinstalled, re-registered, et cetera. Same problem. They use Trend Micro WFB 6.0 as their corporate Anti-Virus, and I've long had all the mbam related files and services that I know of excluded from scanning by Trend. This also is exclusive to just this computer, and not company wide. Any ideas?
-
Hello, I was trying to visit my friend's webpage www.toastskateboards.com and I couldn't. Later I came to realize it's because MWB IP Protection is blocking 207.45.187.58, the server on which his website is hosted. Can I ask what prompted that IP address to be blocked so that I may present that evidence to my friend? thanks, Tom
-
Is bettanews.com a legitimate source for downloading MBAM? Or is it only CNET and majorgeeks? thanks, TOM-J-LAEL
-
Here's the log:

Malwarebytes' Anti-Malware 1.44
Database version: 3677
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

2/2/2010 9:10:42 AM
mbam-log-2010-02-02 (09-10-42).txt

Scan type: Full Scan (C:\|)
Objects scanned: 190096
Time elapsed: 23 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\ComboFix\Combo-Fix.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\ComboFix\PV.cfxxe (Adware.Swizzor) -> Quarantined and deleted successfully.
C:\ComboFix\pv.com (Adware.Swizzor) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1F0E2A49-C1EF-40FB-8206-7BBD9911558F}\RP101\A0017473.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1F0E2A49-C1EF-40FB-8206-7BBD9911558F}\RP101\A0017511.com (Adware.Swizzor) -> Quarantined and deleted successfully.
-
it probably pays to know a little bit of Russian in the malware research field too, huh?
-
yah...my friend's in development and makes about $30k more a year than me...I chose the wrong path =)
-
This isn't exactly "off topic" but I wasn't sure where else to put it. Let me start with my background. I'm 27, I've been working in IT for about 6 years, I'm an MCSA and do a lot of network admin stuff for small-medium sized businesses/networks. Everything from replacing mice to implementing/managing/maintaining Exchange Servers, Active Directory, backups, etc. etc. Like most, everything I know is self taught and a lot of times it's been "trial by fire". I get great joy from battling and removing a tough piece of malware and rootkits, and I possess a great deal of awe and fascination in the sophistication of these types of problems. However, I want to step up my malware removal game away from the defensive to the offensive. I want to do something along the same lines that your researchers at MWB do, FireEye, ThreatPost, etc. etc. What I don't possess is any experience whatsoever in software development or programming. What I do possess is a yearning and eagerness to learn, and a great ability to think abstractly, see the "big picture", and solve problems. Where do I start?
-
Windows Genuine Advantage Notification pop-up
TOM-J-LAEL replied to Zack123's topic in General Windows PC Help
I would finish the install. In fact, it may be necessary to do so in order to receive important operating system updates from Microsoft. I would not foresee this being a problem installing WGA unless you know you have a non-legitimate copy of Windows. good luck -
I'm sorry... I actually just read the forum rules and I'm not supposed to help...
-
Looks like you might be infected with Koobface. Are you able to open the Task Manager? Press CTRL, ALT, and DELETE on your keyboard all at the same time and then release them to open the Task Manager, or right-click on the taskbar (the bar across the bottom of the screen) and choose "Task Manager". If you're able to open the Task Manager, click the "Processes" tab, then click the top of the "Image Name" column to sort all processes by name alphabetically. Highlight these processes (if applicable), one at a time, and choose "End Process". After you choose End Process, Task Manager is going to give you a warning about ending a process; just click OK. Here are the processes to look for and end:
ld08.exe
sysguard.exe
winav.exe
Then try to open MWB and update and run it. If that does not work, let me know.
-
Falsely flagged Windows XP SP3 install file
TOM-J-LAEL replied to TOM-J-LAEL's topic in File Detections
So weird... MWB did it again today. During a normal quick scan (latest updates) it flagged that same file as being a trojan again. However, as soon as I run mbam.exe /developer from the Run box, it doesn't flag it. I then rebooted, ran the scan again using the /developer switch... nothing. I have no real reason to believe that her computer is infected, I just like to do scans for ease of mind. We do banking and stuff on our computers and she's a myspace/facebook user as well. -
Help with lost internet connection
TOM-J-LAEL replied to oldmantime's topic in Resolved Malware Removal Logs
Well... the logs you posted after AdvancedSetup had you run the last Combofix script look good. He might say otherwise, and he would know more about that than me. It looks like TCP/IP may have been corrupted on your computer. Try following these KB articles to reset WINSOCK and TCP/IP:
http://support.microsoft.com/kb/811259
http://support.microsoft.com/kb/299357
Basically...
open Command Prompt again
type: netsh winsock reset
press enter and reboot the computer
try to access the internet...
if no go...
open Command Prompt again
type: netsh int ip reset resetlog.txt
press enter
for good measure reboot...
let us know... -
Help with lost internet connection
TOM-J-LAEL replied to oldmantime's topic in Resolved Malware Removal Logs
Open the command prompt again by clicking Start, choose Run, type CMD and click OK. Inside the command prompt, type:

IPConfig /all

and press Enter. Paste the results in here.
Help with lost internet connection
TOM-J-LAEL replied to oldmantime's topic in Resolved Malware Removal Logs
Are you able to PING any servers out on the internet? A ping is basically a "hello, are you there?" kind of command. First, try to ping 4.2.2.1, which is a root DNS server that replies to pings. If that works, we know that at least at a basic level the internet is working. Afterwards, try to ping Google.com, and see if you get a "reply from" or "request timed out". If you're successful at pinging 4.2.2.1, but not Google.com, then your issue is DNS resolution, which could be caused by a still-present infection, or just left-over damage from the infection that was eventually removed.

If you're not familiar with how to ping, do the following: click Start, then choose Run. If anything is already typed in the Run box, delete the text and type CMD in its place. Then click the OK button. This will bring up the command prompt. Inside the command prompt type:

PING 4.2.2.1

then press the Enter button. Make note of the results. After that, type:

PING Google.com

and note the results.
Help with lost internet connection
TOM-J-LAEL replied to oldmantime's topic in Resolved Malware Removal Logs
Hey guys... just adding my two cents. Not trying to break up the support AdvancedSetup is giving here. I just wanted to add that if you were/are indeed infected with Koobface, then it's possible, even after the rootkit and malware files are removed, that IE and/or FF may be configured to use a blank proxy, therefore "blocking" you from accessing the internet. Check to see if your IE is using a proxy server; if so, uncheck the proxy server settings.

http://support.microsoft.com/kb/135982

The instructions for IE 6.0 will work for IE7 and above. If you use FF you'll need to do the same as well. The graphics give you an idea of where to look, but you want to remove the proxy server settings, not create them:

http://uniqueinternetservices.com/configur...or-firefox.html

Good luck out there!! DOWN WITH MALWARE!!
-paul
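As an added example (not the poster's own code), here is a report-only check for the leftover proxy setting the post describes, covering both the IE/WinINET registry values and Firefox prefs.js. It assumes PowerShell 3 or later on Windows and the standard locations for both; it changes nothing.

```powershell
# Added example: audit IE/WinINET and Firefox proxy settings for the "blank proxy"
# leftover described in the post. Report-only; nothing is modified.

function Get-WinInetProxyState {
    # Per-user IE/WinINET proxy settings live under this key. ProxyEnable is a
    # REG_DWORD; ProxyServer and AutoConfigURL are REG_SZ. Missing values read as $null.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction Stop

    $enabled = if ($null -ne $p.ProxyEnable) { [int]$p.ProxyEnable } else { 0 }
    $server  = [string]$p.ProxyServer
    $pac     = [string]$p.AutoConfigURL

    $finding = 'OK: no proxy configured'
    if ($enabled -eq 1 -and [string]::IsNullOrWhiteSpace($server)) {
        # Proxy use is switched on but no server is set: every request fails.
        # This is the "blank proxy" symptom the thread talks about.
        $finding = 'SUSPECT: ProxyEnable=1 but ProxyServer is blank'
    } elseif ($enabled -eq 1) {
        $finding = "REVIEW: proxy enabled, traffic goes to $server"
    }
    if (-not [string]::IsNullOrWhiteSpace($pac)) {
        # A PAC script is another way to redirect traffic; confirm you set it yourself.
        $finding += "; AutoConfigURL points at $pac"
    }

    [pscustomobject]@{
        Browser     = 'IE/WinINET'
        ProxyType   = $enabled
        ProxyServer = $server
        AutoConfig  = $pac
        Finding     = $finding
    }
}

function Get-FirefoxProxyState {
    # Firefox stores non-default settings per profile in prefs.js as lines like
    #   user_pref("network.proxy.type", 1);
    # network.proxy.type: 0 = direct, 1 = manual, 2 = PAC URL, 4 = system, 5 = auto-detect.
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (-not (Test-Path -LiteralPath $profiles)) { return }

    Get-ChildItem -Path $profiles -Filter 'prefs.js' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $prefs = @{}
            foreach ($line in Get-Content -LiteralPath $_.FullName) {
                # Capture name and (optionally quoted) value of every user_pref entry.
                if ($line -match '^user_pref\("([^"]+)",\s*"?([^"]*)"?\);') {
                    $prefs[$Matches[1]] = $Matches[2]
                }
            }
            $http = $prefs['network.proxy.http']
            $pac  = $prefs['network.proxy.autoconfig_url']

            if (-not $prefs.ContainsKey('network.proxy.type')) {
                $type = 'default'
                $finding = 'OK: proxy type not overridden in prefs.js'
            } else {
                $type = [int]$prefs['network.proxy.type']
                if ($type -eq 0) {
                    $finding = 'OK: direct connection'
                } elseif ($type -eq 1 -and [string]::IsNullOrWhiteSpace($http)) {
                    # Manual proxy selected with no host: same dead-end as the IE case.
                    $finding = 'SUSPECT: manual proxy selected but host is blank'
                } elseif ($type -eq 1) {
                    $finding = "REVIEW: manual proxy $http"
                } elseif ($type -eq 2) {
                    $finding = "REVIEW: PAC URL $pac"
                } else {
                    $finding = "REVIEW: network.proxy.type=$type"
                }
            }

            [pscustomobject]@{
                Browser     = "Firefox ($($_.Directory.Name))"
                ProxyType   = $type
                ProxyServer = $http
                AutoConfig  = $pac
                Finding     = $finding
            }
        }
}

Get-WinInetProxyState
Get-FirefoxProxyState
```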
Whoever made these viruses is pretty good
TOM-J-LAEL replied to CornOnTheCob's topic in Resolved Malware Removal Logs
Looks like your Userinit.exe file has been compromised... it really shouldn't be running in the middle of a Windows session.
Falsely flagged Windows XP SP3 install file
TOM-J-LAEL replied to TOM-J-LAEL's topic in File Detections
Would you believe that after I used mbam.exe /developer in the Run box, it did not detect that file as malware, and I have not added that file to the ignore list at all. Very strange. Maybe a fluke? I ran it under the normal mode one more time just for giggles, and it did not detect it as malware that time either.

Malwarebytes' Anti-Malware 1.36
Database version: 2067
Windows 5.1.2600 Service Pack 3

5/2/2009 8:13:18 PM
mbam-log-2009-05-02 (20-13-18).txt

Scan type: Quick Scan
Objects scanned: 73817
Time elapsed: 2 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Just for giggles I updated and ran MWB on my girlfriend's computer. The only detection that it found was WindowsXP-KB936929-SP3-x86-ENU.exe located on my C drive. That is the SP3 install that I downloaded months and months ago. Other than this false positive, MWB doesn't detect anything, and my ESET NOD32 anti-virus is always up to date and clean. Here's the log file:

Malwarebytes' Anti-Malware 1.36
Database version: 2067
Windows 5.1.2600 Service Pack 3

5/2/2009 10:45:09 AM
mbam-log-2009-05-02 (10-45-03).txt

Scan type: Quick Scan
Objects scanned: 73892
Time elapsed: 2 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WindowsXP-KB936929-SP3-x86-ENU.exe (Trojan.Agent) -> No action taken.
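As an added example (not from the thread), one way to triage a detection like this before trusting or dismissing it is to check the flagged file's Authenticode signature and record its hash for cross-checking. It assumes PowerShell 4 or later (for Get-FileHash); the path is the one named in the post.

```powershell
# Added example: triage a suspected false positive by checking whether the flagged
# file carries a valid Authenticode signature from the expected publisher.
param(
    # Path named in the thread; pass the file your own scanner flagged.
    [string]$Path = 'C:\WindowsXP-KB936929-SP3-x86-ENU.exe'
)

function Test-FlaggedFile {
    param([Parameter(Mandatory)][string]$FilePath)

    if (-not (Test-Path -LiteralPath $FilePath)) {
        throw "File not found: $FilePath"
    }

    # SHA-256 for comparing against the vendor's published hash or a multi-engine lookup.
    $sha256 = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash

    # Authenticode: 'Valid' means the signature chains to a trusted root AND the
    # file bytes still match what was signed; 'HashMismatch' means they do not.
    $sig    = Get-AuthenticodeSignature -LiteralPath $FilePath
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

    $verdict = switch ($sig.Status) {
        'Valid' {
            if ($signer -match 'O=Microsoft Corporation') {
                'LIKELY FALSE POSITIVE: valid Microsoft signature, file unmodified'
            } else {
                "REVIEW: validly signed, but signer is not Microsoft ($signer)"
            }
        }
        'NotSigned'    { 'REVIEW: unsigned; Microsoft update packages are Authenticode-signed' }
        'HashMismatch' { 'SUSPECT: contents no longer match the signature (tampered or corrupted)' }
        default        { "REVIEW: signature status $($sig.Status)" }
    }

    [pscustomobject]@{
        File    = $FilePath
        SHA256  = $sha256
        Status  = $sig.Status
        Signer  = $signer
        Verdict = $verdict
    }
}

Test-FlaggedFile -FilePath $Path | Format-List
```

A valid signature rules out a modified file but not a wrong detection on a legitimate one, so report the hash and file name to the vendor as the thread does.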
-
Hey guys... I've been lurking here off and on lately. I'm Paul... I'm an MCSA by trade, for whatever that's worth. I'm in the Midwest. I enjoy fighting malware by night, and skateboarding by day!
-
yet another mrxdavv.sys and kwave.sys problem
TOM-J-LAEL replied to TOM-J-LAEL's topic in Resolved Malware Removal Logs
I should say that when I renamed combofix.exe, I renamed it while I downloaded it, and not after the fact. This issue is "resolved" because I don't have access to the customer's computer any longer. My assumption was, since I nuked those two .SYS files using the Windows Recovery Console, that the MWB scan was just a false positive. Those were the only two remaining infections being found.
yet another mrxdavv.sys and kwave.sys problem
TOM-J-LAEL replied to TOM-J-LAEL's topic in Resolved Malware Removal Logs
I see. I will keep that in mind from here on out. Is it still plausible to rename the .exe if, for instance, some malware is blocking it? Will it still work as efficiently?
yet another mrxdavv.sys and kwave.sys problem
TOM-J-LAEL replied to TOM-J-LAEL's topic in Resolved Malware Removal Logs
Actually, re-running Combofix on this computer will be more or less impossible for various reasons. I was just hoping to get some sort of idea of how I might battle this if I encounter it again. I had been in the habit of routinely renaming combofix.exe to something different, out of the fact that modern malware will block combofix.exe from running. Does it truly make much of a difference as far as the functionality of Combofix if it's renamed or not run from the desktop? If so, please explain. Thanks, Paul
yet another mrxdavv.sys and kwave.sys problem
TOM-J-LAEL replied to TOM-J-LAEL's topic in Resolved Malware Removal Logs
Here is the first combofix log

Here is the second combofix log
Data\Zango\v3.0\Zango\dynamic\TooltipXML\6556 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\6558 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\65770 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\65782 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\65933 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\6635 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\66851 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\67733 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\68016 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\68019 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\68021 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\68040 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\68055 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\68257 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\68386 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\69288 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\69325 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\70449 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\72163 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\72846 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\72889 c:\documents and settings\Kimberly\Application 
Data\Zango\v3.0\Zango\dynamic\TooltipXML\737665 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\738258 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\745434 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\745556 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\745758 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\745992 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\746486 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\747254 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\747687 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\74777 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\748176 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\748893 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\749354 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\751219 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\751227 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753197 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753230 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753300 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753378 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753408 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753417 c:\documents and settings\Kimberly\Application 
Data\Zango\v3.0\Zango\dynamic\TooltipXML\753433 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753441 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753447 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753468 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753545 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753561 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\75777 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\79079 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\79246 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\79257 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\79432 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\80657 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\80667 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\80670 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\83706 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\83783 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\83891 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\84369 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\8443 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\85062 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\86632 c:\documents and settings\Kimberly\Application 
Data\Zango\v3.0\Zango\dynamic\TooltipXML\873 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\87555 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\87584 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\90008 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\92573 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\92930 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\93921 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\94125 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\95701 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\95716 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\97734 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\97741 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\97760 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\98615 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\99871 c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\ustat\378b.dat c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\ustat\378c.dat c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\avatar.res c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\btntrans.idx c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\btntrans1.dat c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\buttondir.txt c:\documents and settings\Kimberly\Application 
Data\Zango\v3.0\Zango\static\2\components.cdf c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\cursors.res c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_1000.res c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_2000.res c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_3000.res c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_bar.res c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_bbar1.res c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_logos.res c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_other.res c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\d_icons_weather.res c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\default.cdf c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_511745-514279.mnu c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_bidzC_ZT_IE-ca.mnu c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_bidzC_ZT_IE-us.mnu c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_categorize.mnu c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_comparison.mnu c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_explorer-Mails.mnu c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_explorer-people.mnu c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_favorites.mnu c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_Games.mnu c:\documents and 
settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_Hide.mnu c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_hotbarcom.mnu c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_Hotmail.mnu c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_hsskin.mnu c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_jemster.mnu c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_jemsterie.mnu c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_jemsteruk.mnu c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_jobsearch.mnu c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_Mails.mnu c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_MobileSidewalk.mnu c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_new.mnu c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_premium.mnu c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_reun.mnu c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_ringtones.mnu c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_SearchBoxTrapper.mnu c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_searchfor.mnu c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_searchgo.mnu c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_weather.mnu c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_yellowpages.mnu c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\editblbuttons.res c:\documents and 
settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\email-def-511724-548964.mnu c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\email-def-511724-9595.mnu c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\email-t1-bg.res c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\icons2.res c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\ie_games_icon.res c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\ie_video.res c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\keywords.idx c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\keywords1.dat c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\layout.cdf c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\linkpathlegal.txt c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\progress.res c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\s_icons_buttons.res c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\sales_buttons.res c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\sdfmodifier.xml c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\t2_bg.res c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\theweb.mnu c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\top7.cdf c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Top7_theweb.mnu c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\tsd_bg.res c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\zango_btn.res c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\zango_ie_menu.res c:\documents and settings\Kimbrae\Application 
Data\WeatherDPA c:\documents and settings\Kimbrae\Application Data\WeatherDPA\Weather\WeatherStartup.xml c:\documents and settings\Kimbrae\Application Data\Zango c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\1.sdf c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\1055993.sdf c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\1066422.sdf c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\1551349.sdf c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\221540.sdf c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\3340762.sdf c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\3425829.sdf c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\3700736.sdf c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\3859514.sdf c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\456868.sdf c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\472852.sdf c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\600583.sdf c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\724427.sdf c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\domains.txt c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\159370 c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\251440 c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\357281 c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\577975 c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\751219 c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\751227 c:\documents and settings\Kimbrae\Application 
Data\Zango\v3.0\Zango\dynamic\ustat\377d.dat c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\avatar.res c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\btntrans.idx c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\btntrans1.dat c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\buttondir.txt c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\components.cdf c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\cursors.res c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_1000.res c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_2000.res c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_3000.res c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_bar.res c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_bbar1.res c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_logos.res c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_other.res c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\d_icons_weather.res c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\default.cdf c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_511745-514279.mnu c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_bidzC_ZT_IE-ca.mnu c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_bidzC_ZT_IE-us.mnu c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_categorize.mnu c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_comparison.mnu 
c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_explorer-Mails.mnu c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_explorer-people.mnu c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_favorites.mnu c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_Games.mnu c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_Hide.mnu c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_hotbarcom.mnu c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_Hotmail.mnu c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_hsskin.mnu c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_jemster.mnu c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_jemsterie.mnu c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_jemsteruk.mnu c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_jobsearch.mnu c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_Mails.mnu c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_MobileSidewalk.mnu c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_new.mnu c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_premium.mnu c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_reun.mnu c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_ringtones.mnu c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_SearchBoxTrapper.mnu c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_searchfor.mnu c:\documents and 
settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_searchgo.mnu c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_weather.mnu c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_yellowpages.mnu c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\editblbuttons.res c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\email-def-511724-548964.mnu c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\email-def-511724-9595.mnu c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\email-t1-bg.res c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\icons2.res c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\ie_games_icon.res c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\ie_video.res c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\keywords.idx c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\keywords1.dat c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\layout.cdf c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\linkpathlegal.txt c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\progress.res c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\s_icons_buttons.res c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\sales_buttons.res c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\sdfmodifier.xml c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\t2_bg.res c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\theweb.mnu c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\top7.cdf c:\documents and settings\Kimbrae\Application 
Data\Zango\v3.0\Zango\static\2\Top7_theweb.mnu c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\tsd_bg.res c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\zango_btn.res c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\zango_ie_menu.res c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\avatar.xip c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans.xip c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans1.xip c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\buttondir.xip c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\cursors.xip c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_1000.xip c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_2000.xip c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_3000.xip c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bar.xip c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bbar1.xip c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_logos.xip c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_other.xip c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_weather.xip c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\default.xip c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\editblbuttons.xip c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\email-t1-bg.xip c:\documents and 
settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\icons2.xip c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_games_icon.xip c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_video.xip c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords.xip c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords1.xip c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\layout.xip c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\linkpathlegal.xip c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\progress.xip c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\s_icons_buttons.xip c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\sales_buttons.xip c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\sdfmodifier.xip c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\t2_bg.xip c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\top7.xip c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\tsd_bg.xip c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\zango_btn.xip c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\zango_ie_menu.xip c:\documents and settings\LocalService\Application Data\Zango c:\windows\10931046.exe c:\windows\13333500.exe c:\windows\system32\drivers\mrxdavv.sys c:\windows\system32\kwave.sys c:\windows\system32\oretarik.ini c:\windows\system32\test.ttt c:\windows\system32\uniq.tll . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . 
-------\Legacy_NEW_DRV
.
.
((((((((((((((((((((((((((((( SnapShot@2009-04-20_03.06.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-20 03:42 . 2009-04-20 03:42 60416 c:\windows\temp\Perflib_Perfdata__755.dat
- 2009-04-20 03:03 . 2009-04-20 02:12 42549 c:\windows\temp\~nsu.tmp\Au_.exe
+ 2009-04-20 03:43 . 2009-04-20 03:11 42549 c:\windows\temp\~nsu.tmp\Au_.exe
+ 2005-01-23 13:05 . 2009-04-20 03:23 72212 c:\windows\SYSTEM32\PERFC009.DAT
- 2005-01-23 13:05 . 2009-04-20 02:12 72212 c:\windows\SYSTEM32\PERFC009.DAT
+ 2005-01-23 13:05 . 2009-04-20 03:23 443582 c:\windows\SYSTEM32\PERFH009.DAT
- 2005-01-23 13:05 . 2009-04-20 02:12 443582 c:\windows\SYSTEM32\PERFH009.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]
2007-10-11 13:45 402872 ----a-w c:\program files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"U"="copy" [X]
"sysguardn"="c:\windows\s" [X]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-31 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-05-06 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-05-06 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 86016]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 135168]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-01-23 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"HostManager"="c:\program files\Common Files\AOL\1169921878\ee\AOLSoftware.exe" [2007-10-08 41824]
"dlbxmon.exe"="c:\program files\Dell Photo AIO Printer 962\dlbxmon.exe" [2005-01-18 425984]
"DLBXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2004-12-07 69632]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"LELA"="c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" [2008-05-01 131072]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-04-09 648504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-1-23 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= kozoti??????

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\1169921878\\ee\\aolsoftware.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R2 EraserSvc10822;Symantec Eraser Service; [x]
S1 swapk;DRAM Cash Driver;c:\windows\system32\swapk.sys [2009-01-22 8512]
S2 gearsec;gearsec;c:\windows\system32\gearsec.exe [2003-12-01 53248]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-04-18 204800]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
.
Contents of the 'Scheduled Tasks' folder

2008-12-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:\program files\PartyGaming\PartyCasino\RunApp.exe
DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - hxxp://imikimi.com/download/imikimi_plugin.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 20:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\bomgar-scc-1240197064]
"ImagePath"="\"c:\documents and settings\All Users\Application Data\Bomgar-SCC-49EBE7C8\bomgar-scc.exe\" -service:run"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\bomgar-scc-1240197064]
"ImagePath"="\"c:\documents and settings\All Users\Application Data\Bomgar-SCC-49EBE7C8\bomgar-scc.exe\" -service:run"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1896)
c:\program files\Common Files\AOL\ACS\WLHook.dll
c:\windows\system32\mshtml.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\wanmpsvc.exe
c:\windows\SYSTEM32\java.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\SYSTEM32\WSCNTFY.EXE
c:\windows\SYSTEM32\dlbxcoms.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Internet Explorer\iexplore.exe
c:\documents and settings\All Users\Application Data\Bomgar-SCC-49EBF23B\bomgar-scc.exe
.
**************************************************************************
.
Completion time: 2009-04-20 20:56 - machine was rebooted [Kimberly]
ComboFix-quarantined-files.txt 2009-04-20 03:56
ComboFix2.txt 2009-04-20 03:08

Pre-Run: 140,996,845,568 bytes free
Post-Run: 140,921,901,056 bytes free

668 --- E O F --- 2009-04-18 23:19

=================================

Here is my final HJT log before I came to the conclusion that this might just be a "phantom" positive.

Logfile of HijackThis v1.99.1
Scan saved at 10:02:45 PM, on 4/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-49EBF8BD\bomgar-scc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1169921878\ee\AOLSoftware.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-49EBF8BD\bomgar-scc.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\WINDOWS\system32\wuauclt.exe
C:\remote-service\fsbl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\remote-service\h-renamed.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: UrlHelper Class - {74322BF9-DF26-493f-B0DA-6D2FC5E6429E} - C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1169921878\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [DLBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [LELA] "C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [iNTERNATIONAL] International*
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin.cab
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp3.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bomgar Support Customer Client [1240201405] (bomgar-scc-1240201405) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-49EBF8BD\bomgar-scc.exe" -service:run (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: Symantec Eraser Service (EraserSvc10822) - Unknown owner - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe" -s "C:\Program Files\Linksys\Linksys Updater\conf\wrapper.conf (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe