TOM-J-LAEL

June 27, 2012

Merged two post

We look for post with 0 replies, so when you replied to your own topic, we assume you were being helped.

Do Not bump your topic.

I have a user who is still suffering from Google redirects.

MWB comes up clean, Trend Micro WFB reports no infections, SAS comes up clean, TDSS Killer comes up clean, MBR Check came up clean, et cetera, et cetera. HitmanPro intially reported some ZeroAccess stuff which it allegedly removed.

Combofix does not delete any files. Yes, I know I'm not supposed to run Combofix without being asked to. Hopefully you all will anoint me for my sins. I just need a resolution. I'm at IT Professional (or at least I play one on TV), and I have a disk image backup prior to trying anything.

After running all of these tools, and straight from reboot, the System Idle Process starts jabbering out to random locations on the Internet. I know this from running Netstat. I thought that was strange. It's a Windows 7 Pro machine as you'll tell, as well is mine. My System Idle Process does not show any connections out to the Internet.

Here's the Combofix Log

ComboFix 12-06-26.02 - jeanne 06/27/2012 11:27:29.4.4 - x64

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2035.974 [GMT -4:00]

Running from: c:\users\jeanne\Desktop\ComboFix.exe

AV: Trend Micro Client/Server Security Agent Antivirus *Disabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92}

FW: Trend Micro Personal Firewall *Disabled* {50C2E989-60CF-0845-AFD3-290B7D301E79}

SP: Trend Micro Client/Server Security Agent Anti-spyware *Disabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

((((((((((((((((((((((((( Files Created from 2012-05-27 to 2012-06-27 )))))))))))))))))))))))))))))))

.

2012-06-27 15:34 . 2012-06-27 15:34 -------- d-----w- c:\users\SMS\AppData\Local\temp

2012-06-27 15:34 . 2012-06-27 15:34 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-06-27 15:34 . 2012-06-27 15:34 -------- d-----w- c:\users\administrator\AppData\Local\temp

2012-06-27 15:34 . 2012-06-27 15:34 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Local\temp

2012-06-27 15:02 . 2012-06-27 15:02 -------- d-----w- c:\users\jeanne\AppData\Roaming\SUPERAntiSpyware.com

2012-06-27 15:01 . 2012-06-27 15:02 -------- d-----w- c:\program files\SUPERAntiSpyware

2012-06-27 15:01 . 2012-06-27 15:01 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2012-06-27 14:43 . 2012-06-27 14:43 12872 ----a-w- c:\windows\system32\bootdelete.exe

2012-06-25 12:17 . 2012-06-25 12:17 -------- d-----w- c:\users\jeanne\AppData\Local\Macromedia

2012-06-22 21:00 . 2012-06-22 21:00 -------- d-----w- c:\program files (x86)\Dell Digital Delivery

2012-06-21 12:24 . 2012-06-21 12:24 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll

2012-06-21 12:24 . 2012-06-21 12:24 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll

2012-06-19 16:35 . 2012-06-19 16:35 -------- d-----w- c:\users\DefaultAppPool

2012-06-18 00:41 . 2012-06-18 00:41 -------- d-----w- c:\windows\system32\log

2012-06-18 00:40 . 2012-06-18 00:41 -------- d-----w- c:\program files (x86)\Trend Micro

2012-06-13 07:04 . 2012-04-26 05:41 77312 ----a-w- c:\windows\system32\rdpwsx.dll

2012-06-13 07:04 . 2012-04-26 05:41 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll

2012-06-13 07:04 . 2012-04-26 05:34 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe

2012-06-13 07:01 . 2012-05-04 11:06 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-06-13 07:01 . 2012-05-04 10:03 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2012-06-13 07:01 . 2012-05-04 10:03 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2012-06-13 07:01 . 2012-05-15 01:32 3146752 ----a-w- c:\windows\system32\win32k.sys

2012-06-13 07:01 . 2012-04-28 03:55 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-06-03 21:27 . 2012-06-03 21:27 -------- d-----w- c:\users\jeanne\AppData\Local\Apple

2012-06-01 19:27 . 2012-06-27 14:44 -------- d-----w- c:\programdata\HitmanPro

2012-06-01 18:15 . 2012-06-01 18:15 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Local\Mozilla

2012-06-01 17:46 . 2012-06-27 15:37 -------- d-----w- c:\users\jeanne\AppData\Local\temp

2012-05-31 16:21 . 2012-05-31 16:21 -------- d-----w- c:\users\jeanne\AppData\Roaming\Malwarebytes

2012-05-31 13:00 . 2012-05-31 13:00 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Roaming\Malwarebytes

2012-05-31 12:59 . 2012-05-31 12:59 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-05-31 12:59 . 2012-05-31 12:59 -------- d-----w- c:\programdata\Malwarebytes

2012-05-31 12:59 . 2012-04-04 19:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-05-31 12:31 . 2012-05-31 12:31 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Roaming\Roxio Burn

2012-05-31 12:08 . 2012-05-31 12:08 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Roaming\ICAClient

2012-05-31 12:08 . 2012-05-31 12:08 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Roaming\Hewlett-Packard Company

2012-05-31 12:08 . 2012-05-31 12:08 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Local\Citrix

2012-05-31 12:08 . 2012-05-31 12:08 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Local\{2D5CE1D8-AA7F-11E1-8270-B8AC6F996F26}

2012-05-31 12:08 . 2012-05-31 12:08 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Local\LogMeIn

2012-05-30 17:45 . 2012-05-30 17:45 -------- d-----w- c:\users\jeanne\AppData\Local\{2D5CE1D8-AA7F-11E1-8270-B8AC6F996F26}

2012-05-30 17:38 . 2012-05-30 17:38 -------- d-sh--w- c:\windows\system32\%APPDATA%

2012-05-30 17:35 . 2012-05-31 16:27 -------- d-----w- c:\program files (x86)\Common Files\Outlook

2012-05-30 17:34 . 2012-05-31 11:52 -------- d-----w- c:\users\jeanne\AppData\Roaming\Ifysi

2012-05-30 17:34 . 2012-05-30 17:44 -------- d-----w- c:\users\jeanne\AppData\Roaming\Elor

2012-05-30 17:34 . 2012-05-30 17:34 -------- d-----w- c:\users\jeanne\AppData\Roaming\Akpuor

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-06-23 15:20 . 2012-04-04 19:19 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-06-23 15:20 . 2012-03-28 15:42 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-06-23 15:20 . 2012-04-13 20:20 9815752 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe

2012-05-22 15:52 . 2012-05-22 15:52 608 --sha-w- c:\windows\system32\winzvprt5.sys

2012-05-22 12:13 . 2012-04-22 18:23 87456 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

2012-05-22 12:13 . 2012-04-22 18:23 34688 ----a-w- c:\windows\system32\LMIport.dll

2012-05-22 12:13 . 2012-04-22 18:23 80768 ----a-w- c:\windows\system32\LMIinit.dll

2012-05-08 17:02 . 2012-05-30 03:04 8955792 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{310DB10C-D086-496B-86CD-

8E51A4A25BE9}\mpengine.dll

2012-04-04 16:39 . 2010-06-24 16:33 19352 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2012-03-30 11:35 . 2012-05-09 07:00 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AutomatedTaskLauncher"="c:\program files (x86)\Comdata\Shared\Applications\CDAtl.exe" [2004-06-01 77824]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-06-26 4787072]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Dell DataSafe Online"="c:\program files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe" [2010-08-26 1117528]

"RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112]

"Desktop Disc Tool"="c:\program files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]

"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]

"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2012-04-05 371864]

"ToolboxFX"="c:\program files (x86)\HP\ToolboxFX\bin\HPTLBXFX.exe" [2010-10-25 58936]

"OfficeScanNT Monitor"="c:\program files (x86)\Trend Micro\Client Server Security Agent\pccntmon.exe" [2012-01-09 1712656]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

"EnableLinkedConnections"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\progra~2\Citrix\ICACLI~1\RSHook.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3699739257-3343509579-3915199227-500\Scripts\Logon\0\0]

"Script"=LaunchNotificationUI.cmd

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36Crusader]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36CrusaderBoot]

@=""

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]

R2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-12-20 1691848]

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-23 250056]

R3 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.exe [2012-02-10 240408]

R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [2011-05-18 47616]

R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]

R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-21 113120]

R3 netvsc;netvsc;c:\windows\system32\DRIVERS\netvsc60.sys [2010-11-21 168448]

R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]

R3 SynthVid;SynthVid;c:\windows\system32\DRIVERS\VMBusVideoM.sys [2010-11-21 22528]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-04-04 1255736]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856]

S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2012-02-14 93272]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]

S2 BBSvc;BingBar Service;c:\program files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.exe [2012-02-10 193816]

S2 DellDigitalDelivery;Dell Digital Delivery Service;c:\program files (x86)\Dell Digital Delivery\DeliveryService.exe [2012-06-19 173056]

S2 HP LaserJet Service;HP LaserJet Service;c:\program files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [2010-10-25 145920]

S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2012-05-22 375176]

S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files (x86)\LogMeIn\x64\RaInfo.sys [2011-09-16 15928]

S2 NOBU;Dell DataSafe Online;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE [x]

S2 svcGenericHost;Trend Micro Client/Server Security Agent;c:\program files (x86)\Trend Micro\Client Server Security Agent\HostedAgent\svcGenericHost.exe [2012-05-14

50704]

S2 TmFilter;Trend Micro Filter;c:\program files (x86)\Trend Micro\Client Server Security Agent\TmXPFlt.sys [2011-07-12 342288]

S2 TmPreFilter;Trend Micro PreFilter;c:\program files (x86)\Trend Micro\Client Server Security Agent\TmPreFlt.sys [2011-07-12 42768]

S3 HPFXBULKLEDM;HPFXBULKLEDM;c:\windows\system32\drivers\hppdbulkio.sys [2010-12-14 22040]

S3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hppdfaxio.sys [2010-12-14 23576]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-15 317440]

S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-10-20 56344]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-06-10 539240]

S3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;c:\program files (x86)\Trend Micro\Client Server Security Agent\TmProxy.exe [2012-04-27 918032]

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

iissvcs REG_MULTI_SZ w3svc was

apphost REG_MULTI_SZ apphostsvc

.

Contents of the 'Scheduled Tasks' folder

.

2012-06-27 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 15:20]

.

2012-05-28 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job

- c:\program files\Dell Support Center\uaclauncher.exe [2011-12-14 04:09]

.

2012-06-26 c:\windows\Tasks\SystemToolsDailyTest.job

- c:\program files\Dell Support Center\pcdrcui.exe [2011-12-14 04:09]

.

--------- X64 Entries -----------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-04 167960]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-04 391704]

"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-04 418328]

"LogMeIn GUI"="c:\program files (x86)\LogMeIn\x64\LogMeInSystray.exe" [2011-09-16 57928]

"HP LaserJet Professional M1530 MFP Series Fax"="c:\program files (x86)\HP\Digital Imaging\Fax\Fax Driver 0.6 Base\hppfaxprintersrv.exe" [2010-08-24 3706424]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.foxnews.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000

Trusted Zone: iconnectdata.com\w6

Trusted Zone: vospro.net\go

TCP: DhcpNameServer = 192.168.0.2

FF - ProfilePath - c:\users\jeanne\AppData\Roaming\Mozilla\Firefox\Profiles\ar10f2xn.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/|http://www.drudgereport.com/|http://www.msn.com/

FF - prefs.js: network.proxy.type - 0

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

c:\program files (x86)\Trend Micro\Client Server Security Agent\HostedAgent\HostedAgent.exe

c:\program files (x86)\Citrix\ICA Client\Receiver\Receiver.exe

c:\program files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe

c:\program files (x86)\Citrix\ICA Client\wfcrun32.exe

c:\program files (x86)\Citrix\SelfServicePlugin\SelfService.exe

.

**************************************************************************

.

Completion time: 2012-06-27 11:42:45 - machine was rebooted

ComboFix-quarantined-files.txt 2012-06-27 15:42

ComboFix2.txt 2012-06-01 17:46

.

Pre-Run: 419,192,397,824 bytes free

Post-Run: 419,038,064,640 bytes free

.

Here's the Netstat Log:

Active Connections

Proto Local Address Foreign Address State PID

TCP 0.0.0.0:7 SMSPC16:0 LISTENING 2516

TCP 0.0.0.0:9 SMSPC16:0 LISTENING 2516

TCP 0.0.0.0:13 SMSPC16:0 LISTENING 2516

TCP 0.0.0.0:17 SMSPC16:0 LISTENING 2516

TCP 0.0.0.0:19 SMSPC16:0 LISTENING 2516

TCP 0.0.0.0:80 SMSPC16:0 LISTENING 4

TCP 0.0.0.0:135 SMSPC16:0 LISTENING 772

TCP 0.0.0.0:445 SMSPC16:0 LISTENING 4

TCP 0.0.0.0:515 SMSPC16:0 LISTENING 1548

TCP 0.0.0.0:2002 SMSPC16:0 LISTENING 2036

TCP 0.0.0.0:3389 SMSPC16:0 LISTENING 1084

TCP 0.0.0.0:5357 SMSPC16:0 LISTENING 4

TCP 0.0.0.0:49152 SMSPC16:0 LISTENING 432

TCP 0.0.0.0:49153 SMSPC16:0 LISTENING 856

TCP 0.0.0.0:49154 SMSPC16:0 LISTENING 948

TCP 0.0.0.0:49187 SMSPC16:0 LISTENING 508

TCP 0.0.0.0:49197 SMSPC16:0 LISTENING 492

TCP 0.0.0.0:61116 SMSPC16:0 LISTENING 1240

TCP 127.0.0.1:2002 SMSPC16:49246 ESTABLISHED 2036

TCP 127.0.0.1:6999 SMSPC16:0 LISTENING 2616

TCP 127.0.0.1:6999 SMSPC16:49346 TIME_WAIT 0

TCP 127.0.0.1:6999 SMSPC16:49349 TIME_WAIT 0

TCP 127.0.0.1:6999 SMSPC16:49350 TIME_WAIT 0

TCP 127.0.0.1:6999 SMSPC16:49351 TIME_WAIT 0

TCP 127.0.0.1:6999 SMSPC16:49353 TIME_WAIT 0

TCP 127.0.0.1:6999 SMSPC16:49354 TIME_WAIT 0

TCP 127.0.0.1:6999 SMSPC16:49355 TIME_WAIT 0

TCP 127.0.0.1:6999 SMSPC16:49364 TIME_WAIT 0

TCP 127.0.0.1:6999 SMSPC16:49367 TIME_WAIT 0

TCP 127.0.0.1:6999 SMSPC16:49372 TIME_WAIT 0

TCP 127.0.0.1:21112 SMSPC16:0 LISTENING 2868

TCP 127.0.0.1:49246 SMSPC16:2002 ESTABLISHED 4392

TCP 127.0.0.1:49361 SMSPC16:6999 TIME_WAIT 0

TCP 127.0.0.1:49369 SMSPC16:6999 TIME_WAIT 0

TCP 192.168.0.127:139 SMSPC16:0 LISTENING 4

TCP 192.168.0.127:49191 smssrvr:ldap ESTABLISHED 316

TCP 192.168.0.127:49210 a23-64-249-83:https ESTABLISHED 2152

TCP 192.168.0.127:49211 a23-64-249-83:https ESTABLISHED 2152

TCP 192.168.0.127:49213 a23-64-249-83:https ESTABLISHED 2152

TCP 192.168.0.127:49214 a23-64-249-83:https ESTABLISHED 2152

TCP 192.168.0.127:49219 smssrvr:microsoft-ds ESTABLISHED 4

TCP 192.168.0.127:49229 a23-64-249-83:https ESTABLISHED 2152

TCP 192.168.0.127:49244 smssrvr:6012 ESTABLISHED 1332

TCP 192.168.0.127:49274 smssrvr:6012 ESTABLISHED 1332

TCP 192.168.0.127:49288 a23-64-249-83:https ESTABLISHED 2152

TCP 192.168.0.127:49292 64.74.103.163:https ESTABLISHED 2036

TCP 192.168.0.127:49317 64.74.103.163:https ESTABLISHED 2036

TCP 192.168.0.127:49320 64.74.103.163:https ESTABLISHED 2036

TCP 192.168.0.127:49327 64.74.103.163:https ESTABLISHED 2036

TCP 192.168.0.127:49334 network-098-027-088-048:http TIME_WAIT 0

TCP 192.168.0.127:49341 65.55.53.190:http TIME_WAIT 0

TCP 192.168.0.127:49342 network-098-027-088-030:http TIME_WAIT 0

TCP 192.168.0.127:49348 network-098-027-088-030:http TIME_WAIT 0

TCP 192.168.0.127:49362 216.35.15.168:http TIME_WAIT 0

TCP 192.168.0.127:49363 network-098-027-088-030:http TIME_WAIT 0

TCP 192.168.0.127:49370 iad23s06-in-f1:http TIME_WAIT 0

TCP 192.168.0.127:49371 network-098-027-088-030:http TIME_WAIT 0

TCP [::]:7 SMSPC16:0 LISTENING 2516

TCP [::]:9 SMSPC16:0 LISTENING 2516

TCP [::]:13 SMSPC16:0 LISTENING 2516

TCP [::]:17 SMSPC16:0 LISTENING 2516

TCP [::]:19 SMSPC16:0 LISTENING 2516

TCP [::]:80 SMSPC16:0 LISTENING 4

TCP [::]:135 SMSPC16:0 LISTENING 772

TCP [::]:445 SMSPC16:0 LISTENING 4

TCP [::]:515 SMSPC16:0 LISTENING 1548

TCP [::]:3389 SMSPC16:0 LISTENING 1084

TCP [::]:5357 SMSPC16:0 LISTENING 4

TCP [::]:49152 SMSPC16:0 LISTENING 432

TCP [::]:49153 SMSPC16:0 LISTENING 856

TCP [::]:49154 SMSPC16:0 LISTENING 948

TCP [::]:49187 SMSPC16:0 LISTENING 508

TCP [::]:49197 SMSPC16:0 LISTENING 492

UDP 0.0.0.0:7 *:* 2516

UDP 0.0.0.0:9 *:* 2516

UDP 0.0.0.0:13 *:* 2516

UDP 0.0.0.0:17 *:* 2516

UDP 0.0.0.0:19 *:* 2516

UDP 0.0.0.0:123 *:* 328

UDP 0.0.0.0:427 *:* 5848

UDP 0.0.0.0:500 *:* 948

UDP 0.0.0.0:3702 *:* 1812

UDP 0.0.0.0:4500 *:* 948

UDP 0.0.0.0:5355 *:* 1084

UDP 0.0.0.0:51335 *:* 1812

UDP 0.0.0.0:56305 *:* 1240

UDP 0.0.0.0:61117 *:* 1240

UDP 127.0.0.1:1900 *:* 1812

UDP 127.0.0.1:51265 *:* 316

UDP 127.0.0.1:51709 *:* 3144

UDP 127.0.0.1:53037 *:* 1084

UDP 127.0.0.1:58742 *:* 508

UDP 127.0.0.1:63173 *:* 1812

UDP 192.168.0.127:137 *:* 4

UDP 192.168.0.127:138 *:* 4

UDP 192.168.0.127:427 *:* 5848

UDP 192.168.0.127:1900 *:* 1812

UDP 192.168.0.127:32527 *:* 2036

UDP 192.168.0.127:32528 *:* 2036

UDP 192.168.0.127:63172 *:* 1812

UDP [::]:7 *:* 2516

UDP [::]:9 *:* 2516

UDP [::]:13 *:* 2516

UDP [::]:17 *:* 2516

UDP [::]:19 *:* 2516

UDP [::]:123 *:* 328

UDP [::]:500 *:* 948

UDP [::]:3702 *:* 1812

UDP [::]:4500 *:* 948

UDP [::]:5355 *:* 1084

UDP [::]:51336 *:* 1812

UDP [::1]:1900 *:* 1812

UDP [::1]:63171 *:* 1812

UDP [fe80::3473:e559:9252:a169%11]:1900 *:* 1812

UDP [fe80::3473:e559:9252:a169%11]:63170 *:* 1812

bump...

May 24, 2010

As this is a corporate customer you should send an email to corporate-support@malwarebytes.org with order number and contact info and they will take care of your issue there.

How long do I wait for a reply?

I emailed suggested email address today at 12:10pm EST.

thanks,

paul

May 24, 2010

Hello,

MWB reseller here.

Have a corporate customer whose computer is suddenly freezing when it boots, and it also blue screened at one point.

I analyzed the dump file and it blue screened due to Malwarebytes driver file.

Booted into safe mode, no malware detected by MWB w/ latest definitions.

Disabled MBAM service and booted into normal mode fine.

Already uninstalled using mbam-clean.exe file and reinstalled, re-registered, et cetera. Same problem.

They use Trend Micro WFB 6.0 as their corporate Anti-Virus, and I've long had all the mbam related files and services that I know of excluded from scanning by Trend.

This also is exclusive to just this computer, and not company wide.

Any ideas?

March 20, 2010

Hello,

I was trying to visit my friend's webpage www.toastskateboards.com and I couldn't. Later I come to realize it's because MWB Ip Protection is blocking 207.45.187.58, the server in which his website is hosted.

Can I ask what prompted that IP Address to be blocked so that I may present that evidence to my friend?

thanks,

Tom

February 19, 2010

Is bettanews.com a legtimate source for downloading MBAM? or is only CNET and majorgeeks ?

thanks,

TOM-J-LAEL

February 2, 2010

Here's the log:

Malwarebytes' Anti-Malware 1.44

Database version: 3677

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

2/2/2010 9:10:42 AM

mbam-log-2010-02-02 (09-10-42).txt

Scan type: Full Scan (C:\|)

Objects scanned: 190096

Time elapsed: 23 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\ComboFix\Combo-Fix.sys (Malware.Trace) -> Quarantined and deleted successfully.

C:\ComboFix\PV.cfxxe (Adware.Swizzor) -> Quarantined and deleted successfully.

C:\ComboFix\pv.com (Adware.Swizzor) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{1F0E2A49-C1EF-40FB-8206-7BBD9911558F}\RP101\A0017473.sys (Malware.Trace) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{1F0E2A49-C1EF-40FB-8206-7BBD9911558F}\RP101\A0017511.com (Adware.Swizzor) -> Quarantined and deleted successfully.

January 25, 2010

it probably pays to know a little bit of Russian in the malware research field too, huh?

January 25, 2010

yah...my friend's in development and makes about $30k more a year than me...I chose the wrong path =)

January 25, 2010

This isn't exactly "off topic" but I wasn't sure where else to put it.

Let me start about my background.

I'm 27, I've been working in IT for about 6 years, I'm an MCSA and do a lot of network admin stuff for small-medium sized businesses/networks. Everything from replacing mice to implementing/managing/maintaing Exchange Servers, Active Directory, backups, etc. etc.

Like most, everything I know is self taught and a lot of times it's been"trial by fire".

I get great joy from battling and removing a tough piece of malware and rootkits, and I posses a great deal of awe and fascination in the sophistication of these types of problems.

However, I want to step up my malware removal game away from the defensive to the offensive.

I want to do something along the same lines that your researches at MWB do, FireEye, ThreatPost, etc. etc.

What I don't posses is any experience what so ever in software development or programming.

What I do posses is a yearning and eagerness to learn, and a great ability to think abstractly, see the "big picture", and solve problems.

Where do I start?

May 24, 2009

I would finish the install. In fact, it may be necessary to do so in order to receive important operating system updates from Microsoft. I would not foresee this being a problem installing WGA unless you know you have a non-legitimate copy of Windows.

good luck

May 24, 2009

i'm sorry...i actually just read the forum rules and I'm not supposed to help...

May 24, 2009

Looks like you might be infected with Koobface...are you able to open the task manager?

Press CTRL , ALT , and DELETE on your keyboard all at the same time and then release them to open the task manager.

or, right click on the taskbar (the bar across the bottom of the screen) and choose "Task manager"

If you're able to open the task manager , click the "Processes" Tab, then click the top of the "Image Name" column to sort all processes by name alphabetically.

Highlight these processes (if applicable) , one at a time and choose "End Process". After you choose end process, task manager is going to give you a warning about ending a process, just click ok.

Here are the processes to look for and end:

ld08.exe

sysguard.exe

winav.exe

Then try to open MWB and update and run it.

If that does not work, let me know.

May 23, 2009

So weird...MWB did it again today...during a normal quick scan (latest updates) it flagged that same file as being a trojan again. However, as soon as I run mbam.exe /developer from the run box, it doesn't flag it. I then reboot, ran the scan again using the /developer switch...nothing.

I have no real reason to believe that her computer is infected, I just like to do scans for ease of mind. We do banking and stuff on our computers and she's a myspace/facebook user as well.

May 23, 2009

well..the logs you posted after AdvancedSetup had you run the last Combofix script look good...he might say otherwise..and he would know more about that then me.

It looks like TCP/IP may have been corrupted on your computer...

Try following these KB articles to reset WINSOCK and TCP/IP

http://support.microsoft.com/kb/811259

http://support.microsoft.com/kb/299357

basically... open Command prompt again

type:

netsh winsock reset

press enter and reboot the computer

try to access the internet... if no go...

open command prompt again

type:

netsh int ip resetlog.txt

press enter

for good measure reboot...

let us know...

May 23, 2009

Open the command prompt again by clicking start....choose run...type CMD and click ok....

Inside the command prompt and type:

IPConfig /all and press enter...

paste the results in here...

Ping on 4.2.2.1 resulted with four lines of
destination host unreachable
The ping statistics for 4.2.2.1: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
Ping for google.com resulted with: Ping request could not find host google.com. Please check the name and try again.

May 23, 2009

Are you able to PING any servers out on the internet. A ping is basically a "hello are you there?" kind of command...

First, try to ping 4.2.2.1 , which is a root dns server that replies to pings. If that works, we know that at least at a basic level the internet is working.

Afterwards, try to ping Google.com , and see if you get a "reply from" or "request timed out".

If you're successful at pinging 4.2.2.1 , but not Google.com , then your issue is DNS resolution, which could be caused by a still present infection, or just left over damage from the infection that was eventually removed.

If you're not familiar on how to ping....do the following

Click Start, then choose run.

If anything is already typed in the run box, delete the text and type CMD in its place. Then click the OK button.

This will bring up the command prompt.

Inside the command prompt

Type:

PING 4.2.2.1 , then press the enter button.

Make note of the results.

After that, type

PING Google.com , and note the results...

May 23, 2009

Hey guys...just adding my two cents. Not trying to break up the support AdvancedSupport is giving here....

I just wanted to add that if you were/are indeed infected with Koobface ...then it's possible, even after the rootkit and malware files are removed, IE and/or FF may be configured to use a blank proxy. Therefore "blocking" you from accessing the internet.

Check to see if your IE is using a proxy server, if so , uncheck the proxy server settings.

http://support.microsoft.com/kb/135982

The instructions for IE 6.0 will work for IE7 and above....

If you use FF you'll need to do the same as well....the graphics give you and idea of where to look, but you want to remove the proxy server settings..not create them

http://uniqueinternetservices.com/configur...or-firefox.html

good luck out there!!

DOWN WITH MALWARE!!

-paul

May 15, 2009

looks like your Userinit.exe file has been compromised...it really shouldn't be running in the middle of a windows session...

May 3, 2009

would you believe that after I used mbam.exe /developer in the run box, it did not detect that file as malware, and I have not added that file to the ignore list at all. very strange. maybe a fluke? I ran it under the normal mode one more time just for giggles, and it did not detect it as malware that time either.

Malwarebytes' Anti-Malware 1.36

Database version: 2067

Windows 5.1.2600 Service Pack 3

5/2/2009 8:13:18 PM

mbam-log-2009-05-02 (20-13-18).txt

Scan type: Quick Scan

Objects scanned: 73817

Time elapsed: 2 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

May 2, 2009

Just for giggles I updated and ran MWB on my girlfriends computer. The only detection that it wound was WindowsXP-KB936929-SP3-x86-ENU.exe located on my C Drive.

That is the SP3 install that I downloaded months and months ago. Other from this false positive, MWB doesn't detect anything, and my ESET NOD32 anti-virus is always up to date and clean.

HEre's the log file

Malwarebytes' Anti-Malware 1.36

Database version: 2067

Windows 5.1.2600 Service Pack 3

5/2/2009 10:45:09 AM

mbam-log-2009-05-02 (10-45-03).txt

Scan type: Quick Scan

Objects scanned: 73892

Time elapsed: 2 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WindowsXP-KB936929-SP3-x86-ENU.exe (Trojan.Agent) -> No action taken.

April 24, 2009

Hey guys... I've been lurking here off and on lately.

I'm Paul...I'm an MCSA by trade..for whatever that's worth....

I'm in the midwest.

I enjoy fighting malware by night, and skateboarding by day!

April 20, 2009

I should say that when I renamed combofix.exe , I renamed it while I downloaded it, and not after the fact. This issue is "resolved" because I dont have access to the customer's computer any longer.

My assumption was since I nuked those two .SYS files using Windows Recovery Console, that the MWB scan was just a false positive. Those were the only two remaining infections being found.

Combofix already has its own way of dealing with that without renaming it - that's why, don't rename tools if they run anyway.
And yes, in some cases, renaming is needed, but then you should already rename it before you download it.
It is unclear for me if you still need help or not though, because your last couple of posts look like you already resolved the issue?

April 20, 2009

I see. I will keep that in mind from here on out. Is it still plausable to rename the .exe if for instance some malware is blocking it? Will it still work as efficient?

Hi,
Not sure why running from the desktop is impossible there. Combofix is designed to enumerate startup entries - in case if it's not run from desktop, it won't enumerate properly, miss a lot and won't be able to fix things properly as well.

April 20, 2009

Actually, re-running combofix on this computer will be more or less impossible for various reasons. I was just hoping to get some sort of idea of how I might battle this if I encounter it again

I had been in the habit of routinely renaming combofix.exe to something different out of the fact that modern malware will block combofix.exe from running.

Does it truly make much of a difference as far as the functionality of combofix if it's renamed or not ran from the desktop?

If so, please explain.

thanks,

Paul

Hi,
This isn't going to work..
First of all, not sure where you read the instructions how to use Combofix, but please run it normally from the desktop without any command switches.
Also, since Combofix has been updated, * Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Post the NEW log from ComboFix in your next reply, ran from your desktop and not anywhere else.
Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Please visit HERE if you don't know how.

April 20, 2009

Here is the first combofix log

ComboFix 09-04-20.02 - Kimberly 04/19/2009 20:05.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.267 [GMT -7:00]

Running from: c:\remote-service\cf.exe

Command switches used :: cf

.

/wow section not completed

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_TDSSserv.sys

-------\Legacy_TDSSserv.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]

2007-10-11 13:45 402872 ----a-w c:\program files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"U"="copy" [X]

"sysguardn"="c:\windows\s" [X]

"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-31 68856]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"Bomgar Support Reconnect [1240194042]"="c:\documents and settings\All Users\Application Data\Bomgar-SCC-49EBDBFA\bomgar-scc.exe" [2009-01-22 16:35 627064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-05-06 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-05-06 118784]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 86016]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]

"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 135168]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-01-23 26112]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]

"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]

"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]

"HostManager"="c:\program files\Common Files\AOL\1169921878\ee\AOLSoftware.exe" [2007-10-08 41824]

"dlbxmon.exe"="c:\program files\Dell Photo AIO Printer 962\dlbxmon.exe" [2005-01-18 425984]

"DLBXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2004-12-07 69632]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]

"LELA"="c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" [2008-05-01 131072]

"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-04-09 648504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-1-23 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"= kozoti??????

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32

"wave"= serwvdrv.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\1169921878\\ee\\aolsoftware.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AOL 9.1\\waol.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\WINDOWS\\explorer.exe"=

"c:\\WINDOWS\\SYSTEM32\\LOGONUI.EXE"=

"c:\\WINDOWS\\SYSTEM32\\WINLOGON.EXE"=

R2 EraserSvc10822;Symantec Eraser Service; [x]

S1 swapk;DRAM Cash Driver;c:\windows\system32\swapk.sys [2009-01-22 8512]

S2 gearsec;gearsec;c:\windows\system32\gearsec.exe [2003-12-01 53248]

S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-04-18 204800]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

.

Contents of the 'Scheduled Tasks' folder

2008-12-26 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)

HKCU-Run-MySpaceIM - c:\program files\MySpace\IM\MySpaceIM.exe

HKCU-Run-94044748075064655077752744509708 - c:\program files\Antivirus 2009\av2009.exe

HKLM-Run-msci - c:\docume~1\Kimberly\LOCALS~1\Temp\2009124172852_mcinfo.exe

HKLM-Run-Cleanup - c:\docume~1\Kimberly\LOCALS~1\Temp\2009124172855_mcappins.exe

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:\program files\PartyGaming\PartyCasino\RunApp.exe

DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - hxxp://imikimi.com/download/imikimi_plugin.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-19 20:06

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

DLBXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

msci = c:\docume~1\Kimberly\LOCALS~1\Temp\2009124172852_mcinfo.exe /insfin???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????A?X?D????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2009-04-20 20:08

ComboFix-quarantined-files.txt 2009-04-20 03:08

Pre-Run: 140,961,583,104 bytes free

Post-Run: 140,986,294,272 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

123 --- E O F --- 2009-04-18 23:19

======================================

Here is the second combofix log

ComboFix 09-04-20.02 - 04/19/2009 20:37.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.151 [GMT -7:00]

Running from: c:\remote-service\cf.exe

Command switches used :: cf

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Kimberly\Application Data\Zango

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1043399.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1055540.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1055568.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1055669.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1055782.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1055804.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1056318.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1056420.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1056834.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1057182.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1057189.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1057324.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1059618.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1059739.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1063425.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1063497.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1064992.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1066422.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1066790.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1070123.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1070563.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1187583.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\118843.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\12077.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1224397.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\124590.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1272086.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1322051.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1336969.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1385286.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1385437.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1386157.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1386476.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1386522.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1386873.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1389807.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1390845.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1393218.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1395121.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1395210.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1401474.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1652519.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1679695.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\175807.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\177685.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1790014.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1840276.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\1908825.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\2177739.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\2208948.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\221540.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\2357589.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\2363825.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\2443538.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\262482.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\287322.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\2883915.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\2884305.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\2884307.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\2884308.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\2884484.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\2885061.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\2894154.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\2901962.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\313273.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\3240891.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\3270243.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\3296585.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\3340762.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\340902.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\341848.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\3425829.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\3428586.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\3434590.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\346907.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\3478095.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\3696057.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\3699090.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\371523.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\3720784.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\3730773.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\3757876.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\3779920.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\3781281.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\3786174.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\3852296.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\3852706.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\3852810.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\3855009.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\3855406.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\3859514.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\3873144.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\3874886.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\3893454.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\44279.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\478227.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\483647.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\498796.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\506745.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\513396.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\558625.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\600583.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\6156.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\617792.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\620184.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\625696.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\639036.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\650435.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\665123.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\671709.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\673128.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\678816.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\680914.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\686602.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\691517.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\698191.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\724427.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\737654.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\760440.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\766692.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\77601.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\779698.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\805478.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\848349.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\890068.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\913528.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\914605.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\921771.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\927431.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\939832.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\945978.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\951146.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\952211.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\953318.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\976123.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\992161.sdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\domains.txt

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\1000067685

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\1000067988

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\104622

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\11213

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\116250

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\12772

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\128568

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\13613

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\13620

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\13634

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\14001

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\14575

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\15024

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\15436

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\155411

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\159370

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\16204

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\16210

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\18676

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\18721

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\18906

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\19052

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\192365

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\193255

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\19616

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\202699

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\20517

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\213263

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\218712

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\21889

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\22254

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\22257

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\22265

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\223385

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\224717

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\23923

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\24341

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\24619

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\251440

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\25509

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\25929

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\263771

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\272773

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\27503

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\282887

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\28713

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\28812

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\29115

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\29338

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\302699

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\305025

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\308719

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\308850

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\321317

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\32276

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\32290

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\32541

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\34123

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\34162

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\34186

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\349801

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\35006

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\35017

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\357281

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\360144

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\36079

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\36834

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\372500

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\389560

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\41215

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\43120

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\43719

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\446994

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\44878

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\449183

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\4501

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\453218

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\456216

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\469131

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\478548

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\482360

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\4899

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\509213

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\51233

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\51239

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\51252

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\512635

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\51666

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\519224

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\51988

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\52778

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\531510

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\53310

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\539163

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\550370

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\577975

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\58197

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\58804

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\58965

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\6098

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\61367

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\61779

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\61837

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\628146

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\6292

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\64441

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\64495

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\64517

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\64646

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\650494

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\65429

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\6552

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\6556

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\6558

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\65770

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\65782

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\65933

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\6635

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\66851

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\67733

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\68016

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\68019

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\68021

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\68040

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\68055

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\68257

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\68386

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\69288

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\69325

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\70449

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\72163

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\72846

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\72889

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\737665

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\738258

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\745434

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\745556

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\745758

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\745992

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\746486

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\747254

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\747687

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\74777

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\748176

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\748893

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\749354

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\751219

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\751227

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753197

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753230

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753300

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753378

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753408

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753417

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753433

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753441

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753447

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753468

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753545

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753561

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\75777

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\79079

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\79246

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\79257

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\79432

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\80657

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\80667

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\80670

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\83706

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\83783

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\83891

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\84369

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\8443

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\85062

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\86632

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\873

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\87555

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\87584

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\90008

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\92573

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\92930

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\93921

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\94125

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\95701

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\95716

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\97734

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\97741

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\97760

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\98615

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\99871

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\ustat\378b.dat

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\dynamic\ustat\378c.dat

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\avatar.res

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\btntrans.idx

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\btntrans1.dat

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\buttondir.txt

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\components.cdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\cursors.res

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_1000.res

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_2000.res

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_3000.res

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_bar.res

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_bbar1.res

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_logos.res

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_other.res

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\d_icons_weather.res

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\default.cdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_511745-514279.mnu

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_bidzC_ZT_IE-ca.mnu

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_bidzC_ZT_IE-us.mnu

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_categorize.mnu

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_comparison.mnu

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_explorer-Mails.mnu

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_explorer-people.mnu

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_favorites.mnu

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_Games.mnu

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_Hide.mnu

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_hotbarcom.mnu

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_Hotmail.mnu

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_hsskin.mnu

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_jemster.mnu

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_jemsterie.mnu

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_jemsteruk.mnu

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_jobsearch.mnu

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_Mails.mnu

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_MobileSidewalk.mnu

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_new.mnu

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_premium.mnu

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_reun.mnu

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_ringtones.mnu

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_SearchBoxTrapper.mnu

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_searchfor.mnu

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_searchgo.mnu

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_weather.mnu

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Default_yellowpages.mnu

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\editblbuttons.res

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\email-def-511724-548964.mnu

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\email-def-511724-9595.mnu

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\email-t1-bg.res

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\icons2.res

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\ie_games_icon.res

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\ie_video.res

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\keywords.idx

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\keywords1.dat

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\layout.cdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\linkpathlegal.txt

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\progress.res

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\s_icons_buttons.res

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\sales_buttons.res

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\sdfmodifier.xml

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\t2_bg.res

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\theweb.mnu

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\top7.cdf

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\Top7_theweb.mnu

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\tsd_bg.res

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\zango_btn.res

c:\documents and settings\Kimberly\Application Data\Zango\v3.0\Zango\static\2\zango_ie_menu.res

c:\documents and settings\Kimbrae\Application Data\WeatherDPA

c:\documents and settings\Kimbrae\Application Data\WeatherDPA\Weather\WeatherStartup.xml

c:\documents and settings\Kimbrae\Application Data\Zango

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\1.sdf

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\1055993.sdf

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\1066422.sdf

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\1551349.sdf

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\221540.sdf

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\3340762.sdf

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\3425829.sdf

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\3700736.sdf

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\3859514.sdf

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\456868.sdf

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\472852.sdf

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\600583.sdf

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\724427.sdf

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\domains.txt

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\159370

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\251440

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\357281

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\577975

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\751219

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\751227

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\dynamic\ustat\377d.dat

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\avatar.res

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\btntrans.idx

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\btntrans1.dat

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\buttondir.txt

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\components.cdf

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\cursors.res

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_1000.res

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_2000.res

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_3000.res

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_bar.res

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_bbar1.res

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_logos.res

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_other.res

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\d_icons_weather.res

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\default.cdf

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_511745-514279.mnu

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_bidzC_ZT_IE-ca.mnu

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_bidzC_ZT_IE-us.mnu

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_categorize.mnu

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_comparison.mnu

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_explorer-Mails.mnu

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_explorer-people.mnu

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_favorites.mnu

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_Games.mnu

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_Hide.mnu

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_hotbarcom.mnu

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_Hotmail.mnu

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_hsskin.mnu

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_jemster.mnu

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_jemsterie.mnu

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_jemsteruk.mnu

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_jobsearch.mnu

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_Mails.mnu

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_MobileSidewalk.mnu

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_new.mnu

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_premium.mnu

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_reun.mnu

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_ringtones.mnu

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_SearchBoxTrapper.mnu

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_searchfor.mnu

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_searchgo.mnu

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_weather.mnu

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Default_yellowpages.mnu

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\editblbuttons.res

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\email-def-511724-548964.mnu

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\email-def-511724-9595.mnu

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\email-t1-bg.res

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\icons2.res

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\ie_games_icon.res

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\ie_video.res

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\keywords.idx

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\keywords1.dat

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\layout.cdf

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\linkpathlegal.txt

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\progress.res

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\s_icons_buttons.res

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\sales_buttons.res

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\sdfmodifier.xml

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\t2_bg.res

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\theweb.mnu

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\top7.cdf

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\Top7_theweb.mnu

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\tsd_bg.res

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\zango_btn.res

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\2\zango_ie_menu.res

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\avatar.xip

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans.xip

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans1.xip

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\buttondir.xip

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\cursors.xip

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_1000.xip

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_2000.xip

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_3000.xip

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bar.xip

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bbar1.xip

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_logos.xip

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_other.xip

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_weather.xip

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\default.xip

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\editblbuttons.xip

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\email-t1-bg.xip

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\icons2.xip

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_games_icon.xip

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_video.xip

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords.xip

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords1.xip

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\layout.xip

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\linkpathlegal.xip

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\progress.xip

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\s_icons_buttons.xip

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\sales_buttons.xip

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\sdfmodifier.xip

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\t2_bg.xip

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\top7.xip

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\tsd_bg.xip

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\zango_btn.xip

c:\documents and settings\Kimbrae\Application Data\Zango\v3.0\Zango\static\DownLoad\zango_ie_menu.xip

c:\documents and settings\LocalService\Application Data\Zango

c:\windows\10931046.exe

c:\windows\13333500.exe

c:\windows\system32\drivers\mrxdavv.sys

c:\windows\system32\kwave.sys

c:\windows\system32\oretarik.ini

c:\windows\system32\test.ttt

c:\windows\system32\uniq.tll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NEW_DRV

((((((((((((((((((((((((((((( SnapShot@2009-04-20_03.06.59 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-04-20 03:42 . 2009-04-20 03:42 60416 c:\windows\temp\Perflib_Perfdata__755.dat

- 2009-04-20 03:03 . 2009-04-20 02:12 42549 c:\windows\temp\~nsu.tmp\Au_.exe

+ 2009-04-20 03:43 . 2009-04-20 03:11 42549 c:\windows\temp\~nsu.tmp\Au_.exe

+ 2005-01-23 13:05 . 2009-04-20 03:23 72212 c:\windows\SYSTEM32\PERFC009.DAT

- 2005-01-23 13:05 . 2009-04-20 02:12 72212 c:\windows\SYSTEM32\PERFC009.DAT

+ 2005-01-23 13:05 . 2009-04-20 03:23 443582 c:\windows\SYSTEM32\PERFH009.DAT

- 2005-01-23 13:05 . 2009-04-20 02:12 443582 c:\windows\SYSTEM32\PERFH009.DAT