WiredWX Christian Hobby Weather Tools

Re: WinBlueSoft

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))
.

2009-06-03 01:47 . 2009-06-03 01:47 3602 ----a-w- c:\windows\87759rz.bin
2009-06-03 01:47 . 2009-06-03 01:47 361472 ----a-w- c:\windows\system32\tempo-setup2.exe
2009-06-03 01:47 . 2009-06-03 01:47 -------- d-----w- c:\program files\WinBlueSoft Software
2009-06-02 07:01 . 2009-06-02 07:01 -------- d-----w- c:\program files\MSXML 6.0
2009-05-29 02:44 . 2009-05-29 02:48 -------- d-----w- c:\windows\system32\NtmsData
2009-05-28 14:59 . 2009-05-28 17:09 -------- d-----w- c:\documents and settings\Owner\Application Data\Ashtons. Family Resort
2009-05-28 14:59 . 2009-05-28 14:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Ashtons. Family Resort
2009-05-28 12:15 . 2009-05-28 12:30 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-05-28 12:15 . 2009-05-28 12:30 -------- d-----w- c:\program files\NOS
2009-05-27 20:36 . 2009-05-27 20:36 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-05-27 20:36 . 2009-06-03 14:25 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2009-05-27 20:34 . 2009-06-03 14:31 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-05-27 20:33 . 2009-06-01 21:19 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-05-27 20:32 . 2009-05-27 20:32 -------- d-----w- c:\program files\Common Files\Skype
2009-05-27 20:32 . 2009-05-27 20:32 -------- d-----r- c:\program files\Skype
2009-05-27 20:32 . 2009-05-27 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-05-27 20:32 . 2009-05-27 20:32 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org
2009-05-27 20:26 . 2009-05-27 20:26 -------- d-----w- c:\program files\JRE
2009-05-27 20:25 . 2009-05-27 20:25 -------- d-----w- c:\program files\OpenOffice.org 3
2009-05-27 12:22 . 2009-06-01 00:15 -------- d-----w- c:\program files\Absolute Poker
2009-05-27 12:21 . 2009-05-27 12:21 -------- d-----w- c:\program files\_uninstallation_info
2009-05-27 11:40 . 2009-05-27 11:40 -------- d-----w- c:\program files\Common Files\HP
2009-05-27 11:40 . 2009-05-27 11:40 -------- d-----w- c:\program files\Hewlett-Packard
2009-05-27 11:40 . 2009-05-27 11:40 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-05-27 11:39 . 2004-08-04 02:58 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-05-27 11:39 . 2004-08-04 02:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-05-27 11:38 . 2008-01-25 12:22 21568 ----a-w- c:\windows\system32\drivers\HPZius12.sys
2009-05-27 11:38 . 2008-01-25 12:22 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
2009-05-27 11:38 . 2008-01-25 12:22 49920 ----a-w- c:\windows\system32\drivers\HPZid412.sys
2009-05-27 11:38 . 2009-05-27 11:38 -------- dc----w- c:\windows\system32\DRVSTORE
2009-05-27 11:38 . 2008-01-25 12:22 729088 ----a-w- c:\windows\system32\hpowiax7.dll
2009-05-27 11:38 . 2008-01-25 12:22 303104 ----a-w- c:\windows\system32\hpovst15.dll
2009-05-27 11:38 . 2008-01-25 12:22 581632 ----a-w- c:\windows\system32\hpotscl6.dll
2009-05-27 11:38 . 2008-01-25 12:22 372736 ----a-w- c:\windows\system32\hppldcoi.dll
2009-05-27 11:38 . 2008-01-25 12:22 309760 ----a-w- c:\windows\system32\difxapi.dll
2009-05-27 11:37 . 2009-05-27 11:37 -------- d-----w- c:\program files\HP
2009-05-27 11:36 . 2009-05-27 11:40 163142 ----a-w- c:\windows\hpoins28.dat
2009-05-27 11:36 . 2008-05-12 19:46 796 ------w- c:\windows\hpomdl28.dat
2009-05-26 23:52 . 2009-05-26 23:52 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Nero
2009-05-26 23:52 . 2009-05-27 00:21 -------- d-----w- c:\documents and settings\Owner\Application Data\Nero
2009-05-26 19:44 . 2009-05-26 19:44 -------- d-----w- c:\program files\Windows Sidebar
2009-05-26 19:22 . 2009-05-26 19:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-05-26 19:20 . 2009-05-26 19:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-05-26 19:19 . 2009-05-26 19:47 -------- d-----w- c:\program files\Nero
2009-05-26 19:18 . 2009-05-26 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-05-26 19:18 . 2009-05-26 20:11 -------- d-----w- c:\program files\Common Files\Nero
2009-05-26 17:31 . 2009-05-26 17:31 -------- d-----w- c:\program files\MSBuild
2009-05-26 17:30 . 2009-05-26 17:30 154152 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-26 17:24 . 2007-07-20 04:57 267112 ----a-w- c:\windows\system32\xactengine2_9.dll
2009-05-26 17:24 . 2007-07-19 22:14 444776 ----a-w- c:\windows\system32\d3dx10_35.dll
2009-05-26 17:24 . 2007-07-19 22:14 1358192 ----a-w- c:\windows\system32\D3DCompiler_35.dll
2009-05-26 17:23 . 2007-07-19 22:14 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll
2009-05-26 17:23 . 2007-07-20 04:54 18280 ----a-w- c:\windows\system32\x3daudio1_2.dll
2009-05-26 17:23 . 2007-06-21 00:46 266088 ----a-w- c:\windows\system32\xactengine2_8.dll
2009-05-26 17:23 . 2009-05-26 17:23 -------- d-----w- c:\windows\system32\XPSViewer
2009-05-26 17:23 . 2007-05-16 20:45 443752 ----a-w- c:\windows\system32\d3dx10_34.dll
2009-05-26 17:23 . 2007-05-16 20:45 1124720 ----a-w- c:\windows\system32\D3DCompiler_34.dll
2009-05-26 17:23 . 2007-05-16 20:45 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
2009-05-26 17:23 . 2007-04-04 22:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2009-05-26 17:23 . 2007-04-04 22:55 261480 ----a-w- c:\windows\system32\xactengine2_7.dll
2009-05-26 17:23 . 2007-03-15 20:57 443752 ----a-w- c:\windows\system32\d3dx10_33.dll
2009-05-26 17:23 . 2007-03-12 20:42 1123696 ----a-w- c:\windows\system32\D3DCompiler_33.dll
2009-05-26 17:21 . 2005-05-26 19:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-05-26 17:21 . 2009-05-26 17:21 -------- d-----w- c:\program files\Reference Assemblies
2009-05-26 17:20 . 2006-06-29 17:07 14048 ------w- c:\windows\system32\spmsg2.dll
2009-05-26 16:57 . 2009-05-26 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-05-26 16:57 . 2009-05-26 16:57 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-05-26 16:57 . 2009-05-26 16:57 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-05-26 14:24 . 2009-05-26 14:30 -------- d-----w- c:\program files\Brain Challenge
2009-05-26 12:53 . 2009-05-26 13:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Reflexive Ashtons Family Resort
2009-05-26 12:53 . 2009-05-26 12:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Reflexive Ashtons Family Resort
2009-05-26 12:52 . 2009-05-26 14:09 -------- d-----w- c:\program files\Ashtons Family Resort
2009-05-26 11:19 . 2009-05-26 11:19 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-26 11:19 . 2009-05-26 16:59 -------- d-----w- c:\documents and settings\Owner\Application Data\DAEMON Tools Lite
2009-05-25 18:56 . 2009-05-27 01:09 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2009-05-24 05:41 . 2009-06-02 19:02 -------- d-----w- c:\program files\UltimateBet
2009-05-23 14:34 . 2009-05-27 12:47 -------- d-----w- c:\documents and settings\Owner\Shared
2009-05-23 14:33 . 2009-05-27 12:47 -------- d-----w- c:\documents and settings\Owner\Incomplete
2009-05-23 14:33 . 2009-05-24 06:53 -------- d-----w- c:\documents and settings\Owner\Application Data\MP3Rocket
2009-05-20 16:13 . 2009-05-20 16:13 -------- d-----w- c:\documents and settings\Owner\Application Data\Jane s Hotel Family Hero
2009-05-17 21:41 . 2009-05-17 21:41 57136 ----a-w- c:\windows\system32\drivers\cdr4_xp.sys
2009-05-17 21:41 . 2009-05-17 21:41 40960 ----a-w- c:\windows\uneng.exe
2009-05-17 21:41 . 2009-05-17 21:41 23721 ----a-w- c:\windows\system32\drivers\cdralw2k.sys
2009-05-17 21:40 . 2009-05-17 21:41 -------- d-----w- c:\program files\Common Files\Adaptec Shared
2009-05-17 21:40 . 2009-05-17 21:40 -------- d-----w- c:\program files\Adaptec
2009-05-15 20:54 . 2009-05-15 20:54 -------- d-----w- c:\program files\farm mania
2009-05-15 20:54 . 2009-05-15 20:54 -------- d-----w- c:\windows\farm mania,
2009-05-14 23:12 . 2009-05-14 23:12 -------- d-----w- c:\documents and settings\Owner\Application Data\Viewpoint
2009-05-13 15:36 . 2009-05-13 15:36 -------- d-sh--w- c:\windows\ftpcache
2009-05-13 15:32 . 2009-05-28 18:40 -------- d-----w- c:\program files\Selectsoft
2009-05-13 01:20 . 2009-05-13 01:20 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Identities
2009-05-12 02:34 . 2009-05-28 14:58 -------- d-----w- C:\games
2009-05-11 19:44 . 2009-05-11 19:44 -------- d-----w- c:\windows\BBSTORE
2009-05-11 19:39 . 2009-05-28 18:45 -------- d-----w- c:\program files\Riven
2009-05-11 19:35 . 1996-08-16 17:49 298496 ----a-w- c:\windows\uninst.exe
2009-05-10 14:54 . 2009-05-10 15:10 -------- d-----w- c:\documents and settings\Owner\Application Data\ICQ
2009-05-10 14:53 . 2009-05-10 15:10 -------- d-----w- c:\program files\ICQ6.5
2009-05-10 14:26 . 2009-06-03 02:12 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\FLVService
2009-05-10 14:26 . 2009-05-10 14:26 -------- d-----w- c:\program files\Ask & Record Toolbar
2009-05-10 14:23 . 2009-05-10 14:23 -------- d-----w- c:\windows\Ask & Record Toolbar
2009-05-06 09:46 . 2009-05-06 10:17 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-05-05 22:27 . 2009-05-05 22:27 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2009-05-05 18:20 . 2009-05-05 18:20 -------- d-----w- c:\windows\Sun
2009-05-05 18:19 . 2009-05-05 18:18 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-05 18:17 . 2009-05-05 18:17 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-05 07:04 . 2009-05-05 07:04 -------- d-----w- c:\program files\MSXML 4.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-31 11:10 . 2009-04-30 03:03 75184 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-31 10:53 . 2009-05-01 02:07 1148 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-05-29 11:44 . 2009-04-29 19:58 -------- d-----w- c:\program files\Pure Networks
2009-05-28 18:44 . 2009-04-29 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-05-28 18:43 . 2009-04-29 19:57 -------- d-----w- c:\program files\Common Files\AOL
2009-05-28 18:43 . 2009-04-29 20:13 -------- d-----w- c:\documents and settings\Owner\Application Data\AOL
2009-05-26 12:44 . 2009-04-30 03:06 -------- d-----w- c:\program files\Virtual Villagers
2009-05-17 21:41 . 2002-01-23 15:43 45056 ----a-w- c:\windows\system32\cdrtc.dll
2009-05-17 21:41 . 2002-01-23 15:20 45056 ----a-w- c:\windows\system32\cdral.dll
2009-05-10 14:55 . 2009-04-29 19:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-08 15:44 . 2009-04-29 20:03 -------- d-----w- c:\program files\McAfee
2009-05-05 18:18 . 2009-04-29 19:51 -------- d-----w- c:\program files\Java
2009-05-04 13:00 . 2009-05-04 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2009-05-04 04:19 . 2009-05-04 04:19 -------- d-----w- c:\program files\MSSOAP
2009-05-03 18:57 . 2009-05-03 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-05-01 21:04 . 2009-04-29 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\FarmFrenzy2
2009-05-01 12:15 . 2009-04-29 18:37 -------- d-----w- c:\program files\Alawar
2009-05-01 03:55 . 2009-05-01 02:54 -------- d-----w- c:\program files\Farm Frenzy Pizza Party
2009-05-01 03:54 . 2009-05-01 02:54 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-01 02:54 . 2009-05-01 02:54 -------- d-----w- c:\documents and settings\All Users\Application Data\FarmFrenzy-PizzaParty
2009-05-01 02:43 . 2009-05-01 02:43 -------- d-----w- c:\program files\ReflexiveArcade
2009-05-01 02:07 . 2009-05-01 02:07 -------- d-----w- c:\documents and settings\Owner\Application Data\Template
2009-05-01 01:51 . 2009-04-29 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com Personal Firewall
2009-04-30 20:42 . 2009-04-30 20:39 -------- d-----w- c:\program files\Efficient Networks
2009-04-30 02:47 . 2009-04-30 02:47 -------- d-----w- c:\program files\Common Files\Nova Development
2009-04-30 02:47 . 2009-04-30 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Creative Home
2009-04-30 02:45 . 2009-04-30 02:45 -------- d-----w- c:\program files\Creative Home
2009-04-30 01:37 . 2009-04-29 20:57 -------- d-----w- c:\program files\Sierra On-Line
2009-04-30 01:32 . 2009-04-30 01:32 -------- d-----w- c:\documents and settings\LocalService\Application Data\Webroot
2009-04-30 01:32 . 2009-04-30 01:32 -------- d-----w- c:\program files\Webroot
2009-04-30 01:32 . 2009-04-30 01:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Webroot
2009-04-30 00:46 . 2009-04-30 00:46 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee.com Personal Firewall
2009-04-30 00:46 . 2009-04-30 00:46 -------- d-----w- c:\documents and settings\Owner\Application Data\McAfee.com Personal Firewall
2009-04-29 20:57 . 2009-04-29 20:57 -------- d-----w- c:\program files\WON
2009-04-29 20:48 . 2009-04-29 19:54 -------- d-----w- c:\program files\Napster
2009-04-29 20:48 . 2009-04-29 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
2009-04-29 20:03 . 2009-04-29 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2009-04-29 20:01 . 2009-04-29 20:00 -------- d-----w- c:\program files\Microsoft Money 2006
2009-04-29 19:59 . 2009-04-29 19:59 -------- d-----w- c:\documents and settings\Owner\Application Data\You've Got Pictures Screensaver
2009-04-29 19:59 . 2009-04-29 19:59 -------- d-----w- c:\program files\Common Files\Nullsoft
2009-04-29 19:59 . 2009-04-29 19:58 -------- d-----w- c:\program files\QuickTime
2009-04-29 19:58 . 2009-04-29 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
2009-04-29 19:58 . 2009-04-29 19:58 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
2009-04-29 19:58 . 2009-04-29 19:58 -------- d-----w- c:\program files\Common Files\Real
2009-04-29 19:58 . 2009-04-29 19:58 -------- d-----w- c:\program files\Real
2009-04-29 19:58 . 2009-04-29 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Pure Networks
2009-04-29 19:58 . 2009-04-29 19:58 -------- d-----w- c:\documents and settings\Owner\Application Data\SampleView
2009-04-29 19:57 . 2009-04-29 19:57 335 ----a-w- c:\windows\nsreg.dat
2009-04-29 19:57 . 2009-04-29 19:57 49152 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-04-29 19:57 . 2009-04-29 19:57 45056 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-04-29 19:57 . 2009-04-29 19:57 45056 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
2009-04-29 19:57 . 2009-04-29 19:57 10134 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe
2009-04-29 19:57 . 2009-04-29 19:57 -------- d-----w- c:\program files\BigFix
2009-04-29 19:57 . 2009-04-29 19:56 -------- d-----w- c:\program files\Microsoft Works
2009-04-29 19:56 . 2009-04-29 19:56 -------- d-----w- c:\program files\MSN Encarta Plus
2009-04-29 19:56 . 2009-04-29 19:56 -------- d-----w- c:\program files\Digital Media Reader
2009-04-29 19:55 . 2009-04-29 19:41 -------- d-----w- c:\program files\Common Files\InstallShield
2009-04-29 19:54 . 2009-04-29 19:54 -------- d-----w- c:\program files\Common Files\Adobe
2009-04-29 19:52 . 2009-04-29 19:52 -------- d-----w- c:\program files\Realtek Sound Manager
2009-04-29 19:52 . 2009-04-29 19:52 -------- d-----w- c:\program files\AvRack
2009-04-29 19:52 . 2009-04-29 19:52 -------- d-----w- c:\program files\Realtek AC97
2009-04-29 19:52 . 2009-04-29 19:51 -------- d-----w- c:\program files\Microsoft Digital Image 2006
2009-04-29 19:52 . 2009-04-29 19:52 4 ----a-w- c:\windows\Pix11.dat
2009-04-29 19:51 . 2009-04-29 19:51 -------- d-----w- c:\program files\Common Files\Java
2009-04-29 19:45 . 2009-04-29 19:45 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-04-29 19:44 . 2009-04-29 19:44 -------- d-----w- c:\program files\Google
2009-04-29 19:44 . 2009-04-29 19:44 -------- d-----w- c:\program files\CyberLink
2009-04-29 19:44 . 2009-04-29 19:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Farm Frenzy
2009-04-29 19:43 . 2009-04-29 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\AlawarWrapper
2009-04-29 19:37 . 2009-04-29 19:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Prism Deploy
2009-04-29 19:37 . 2009-04-29 19:37 -------- d-----w- c:\program files\Common Files\New Boundary
2009-04-29 19:34 . 2009-04-29 19:34 -------- d-----w- c:\program files\CONEXANT
2009-04-29 19:22 . 2004-08-26 18:04 -------- d-----w- c:\program files\microsoft frontpage
2009-04-06 17:32 . 2009-05-04 04:18 1563008 ----a-w- c:\windows\WRSetup.dll
2009-04-02 18:30 . 2009-04-02 18:30 176752 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2009-04-02 18:30 . 2009-04-02 18:30 23152 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2009-04-02 18:30 . 2009-04-02 18:30 29808 ----a-w- c:\windows\system32\drivers\ssfs0bbc.sys
2009-03-06 14:00 . 2009-04-29 19:17 284160 ----a-w- c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money 2006\MNYCoreFiles\System\Money Express.exe" [1999-08-04 122940]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-16 24264488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-05 148888]
"Ask and Record FLV Service"="c:\program files\Ask & Record Toolbar\FLVSrvc.exe" [2009-03-10 156672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-04-29 98304]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-04-06 6345840]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2005-09-26 90112]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-09-18 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2009-4-29 2168360]
Event Planner Reminder.lnk - c:\program files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe [2009-4-29 25896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [4/2/2009 2:30 PM 29808]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [5/4/2009 12:21 AM 1181040]
R3 ENETNT5;Efficient Networks, tango Access PPPoE WAN Miniport;c:\windows\system32\drivers\enetnt.sys [4/30/2009 4:42 PM 40832]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe --> c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [?]
S3 ENDETECT;ENDETECT;c:\progra~1\EFFICI~1\TANGOM~1\app\ENDETECT.SYS [4/30/2009 4:42 PM 7752]
S3 L2XPSR;L2XPSR;c:\progra~1\EFFICI~1\TANGOM~1\app\L2XPSR.SYS [4/30/2009 4:42 PM 18478]
S3 NTSTPL1;NTSTPL1;c:\progra~1\EFFICI~1\TANGOM~1\app\NTSTPL1.SYS [4/30/2009 4:42 PM 16160]
S3 TAPBIND;TAPBIND;c:\progra~1\EFFICI~1\TANGOM~1\app\TAPBIND1.SYS [4/30/2009 4:42 PM 44736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-06-03 c:\windows\Tasks\wrSpySweeper20090430221446.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2009-05-04 17:32]

2009-06-03 c:\windows\Tasks\wrSpySweeper20090430221446.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2009-05-04 17:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\AskBarDis\bar\bin\askBar.dll
SafeBoot-procexp90.Sys
SafeBoot-svcWRSSSDK


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.windstream.net/wind/portal/index.aspx
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3418
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-03 10:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-06-03 10:52
ComboFix-quarantined-files.txt 2009-06-03 14:52

Pre-Run: 116,199,342,080 bytes free
Post-Run: 119,412,076,544 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

1035 --- E O F --- 2009-06-02 07:01

Re: WinBlueSoft
Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
ASKUpgrade

File::
c:\windows\87759rz.bin
c:\windows\system32\tempo-setup2.exe

Folder::
c:\program files\WinBlueSoft Software
c:\program files\Napster

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=-


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into ComboFix as seen below:
[Image: dragging CFScript.txt into ComboFix]

This will open ComboFix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

............................................................................................

Site Admin / Security Administrator

- Please PM me if I fail to respond within 24hrs.

Re: WinBlueSoft
ComboFix 09-06-01.03 - Owner 06/03/2009 11:07.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.382.120 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\tim\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\tim\CFScript.txt
AV: *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\87759rz.bin"
"c:\windows\system32\tempo-setup2.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Napster
c:\program files\Napster\NMSubscriptionStub.dll
c:\program files\Napster\xdetect.ocx
c:\program files\WinBlueSoft Software
c:\program files\WinBlueSoft Software\WinBlueSoft\data.bin
c:\program files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe
c:\windows\87759rz.bin
c:\windows\system32\tempo-setup2.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASKUPGRADE
-------\Service_ASKUpgrade


((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))
.

2009-06-02 07:01 . 2009-06-02 07:01 -------- d-----w- c:\program files\MSXML 6.0
2009-05-29 02:44 . 2009-05-29 02:48 -------- d-----w- c:\windows\system32\NtmsData
2009-05-28 14:59 . 2009-05-28 17:09 -------- d-----w- c:\documents and settings\Owner\Application Data\Ashtons. Family Resort
2009-05-28 14:59 . 2009-05-28 14:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Ashtons. Family Resort
2009-05-28 12:15 . 2009-05-28 12:30 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-05-28 12:15 . 2009-05-28 12:30 -------- d-----w- c:\program files\NOS
2009-05-27 20:36 . 2009-05-27 20:36 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-05-27 20:36 . 2009-06-03 14:25 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2009-05-27 20:34 . 2009-06-03 14:31 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-05-27 20:33 . 2009-06-01 21:19 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-05-27 20:32 . 2009-05-27 20:32 -------- d-----w- c:\program files\Common Files\Skype
2009-05-27 20:32 . 2009-05-27 20:32 -------- d-----r- c:\program files\Skype
2009-05-27 20:32 . 2009-05-27 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-05-27 20:32 . 2009-05-27 20:32 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org
2009-05-27 20:26 . 2009-05-27 20:26 -------- d-----w- c:\program files\JRE
2009-05-27 20:25 . 2009-05-27 20:25 -------- d-----w- c:\program files\OpenOffice.org 3
2009-05-27 12:22 . 2009-06-01 00:15 -------- d-----w- c:\program files\Absolute Poker
2009-05-27 12:21 . 2009-05-27 12:21 -------- d-----w- c:\program files\_uninstallation_info
2009-05-27 11:40 . 2009-05-27 11:40 -------- d-----w- c:\program files\Common Files\HP
2009-05-27 11:40 . 2009-05-27 11:40 -------- d-----w- c:\program files\Hewlett-Packard
2009-05-27 11:40 . 2009-05-27 11:40 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-05-27 11:39 . 2004-08-04 02:58 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-05-27 11:39 . 2004-08-04 02:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-05-27 11:38 . 2008-01-25 12:22 21568 ----a-w- c:\windows\system32\drivers\HPZius12.sys
2009-05-27 11:38 . 2008-01-25 12:22 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
2009-05-27 11:38 . 2008-01-25 12:22 49920 ----a-w- c:\windows\system32\drivers\HPZid412.sys
2009-05-27 11:38 . 2009-05-27 11:38 -------- dc----w- c:\windows\system32\DRVSTORE
2009-05-27 11:38 . 2008-01-25 12:22 729088 ----a-w- c:\windows\system32\hpowiax7.dll
2009-05-27 11:38 . 2008-01-25 12:22 303104 ----a-w- c:\windows\system32\hpovst15.dll
2009-05-27 11:38 . 2008-01-25 12:22 581632 ----a-w- c:\windows\system32\hpotscl6.dll
2009-05-27 11:38 . 2008-01-25 12:22 372736 ----a-w- c:\windows\system32\hppldcoi.dll
2009-05-27 11:38 . 2008-01-25 12:22 309760 ----a-w- c:\windows\system32\difxapi.dll
2009-05-27 11:37 . 2009-05-27 11:37 -------- d-----w- c:\program files\HP
2009-05-27 11:36 . 2009-05-27 11:40 163142 ----a-w- c:\windows\hpoins28.dat
2009-05-27 11:36 . 2008-05-12 19:46 796 ------w- c:\windows\hpomdl28.dat
2009-05-26 23:52 . 2009-05-26 23:52 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Nero
2009-05-26 23:52 . 2009-05-27 00:21 -------- d-----w- c:\documents and settings\Owner\Application Data\Nero
2009-05-26 19:44 . 2009-05-26 19:44 -------- d-----w- c:\program files\Windows Sidebar
2009-05-26 19:22 . 2009-05-26 19:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-05-26 19:20 . 2009-05-26 19:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-05-26 19:19 . 2009-05-26 19:47 -------- d-----w- c:\program files\Nero
2009-05-26 19:18 . 2009-05-26 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-05-26 19:18 . 2009-05-26 20:11 -------- d-----w- c:\program files\Common Files\Nero
2009-05-26 17:31 . 2009-05-26 17:31 -------- d-----w- c:\program files\MSBuild
2009-05-26 17:30 . 2009-05-26 17:30 154152 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-26 17:24 . 2007-07-20 04:57 267112 ----a-w- c:\windows\system32\xactengine2_9.dll
2009-05-26 17:24 . 2007-07-19 22:14 444776 ----a-w- c:\windows\system32\d3dx10_35.dll
2009-05-26 17:24 . 2007-07-19 22:14 1358192 ----a-w- c:\windows\system32\D3DCompiler_35.dll
2009-05-26 17:23 . 2007-07-19 22:14 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll
2009-05-26 17:23 . 2007-07-20 04:54 18280 ----a-w- c:\windows\system32\x3daudio1_2.dll
2009-05-26 17:23 . 2007-06-21 00:46 266088 ----a-w- c:\windows\system32\xactengine2_8.dll
2009-05-26 17:23 . 2009-05-26 17:23 -------- d-----w- c:\windows\system32\XPSViewer
2009-05-26 17:23 . 2007-05-16 20:45 443752 ----a-w- c:\windows\system32\d3dx10_34.dll
2009-05-26 17:23 . 2007-05-16 20:45 1124720 ----a-w- c:\windows\system32\D3DCompiler_34.dll
2009-05-26 17:23 . 2007-05-16 20:45 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
2009-05-26 17:23 . 2007-04-04 22:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2009-05-26 17:23 . 2007-04-04 22:55 261480 ----a-w- c:\windows\system32\xactengine2_7.dll
2009-05-26 17:23 . 2007-03-15 20:57 443752 ----a-w- c:\windows\system32\d3dx10_33.dll
2009-05-26 17:23 . 2007-03-12 20:42 1123696 ----a-w- c:\windows\system32\D3DCompiler_33.dll
2009-05-26 17:21 . 2005-05-26 19:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-05-26 17:21 . 2009-05-26 17:21 -------- d-----w- c:\program files\Reference Assemblies
2009-05-26 17:20 . 2006-06-29 17:07 14048 ------w- c:\windows\system32\spmsg2.dll
2009-05-26 16:57 . 2009-05-26 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-05-26 16:57 . 2009-05-26 16:57 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-05-26 16:57 . 2009-05-26 16:57 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-05-26 14:24 . 2009-05-26 14:30 -------- d-----w- c:\program files\Brain Challenge
2009-05-26 12:53 . 2009-05-26 13:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Reflexive Ashtons Family Resort
2009-05-26 12:53 . 2009-05-26 12:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Reflexive Ashtons Family Resort
2009-05-26 12:52 . 2009-05-26 14:09 -------- d-----w- c:\program files\Ashtons Family Resort
2009-05-26 11:19 . 2009-05-26 11:19 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-26 11:19 . 2009-05-26 16:59 -------- d-----w- c:\documents and settings\Owner\Application Data\DAEMON Tools Lite
2009-05-25 18:56 . 2009-05-27 01:09 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2009-05-24 05:41 . 2009-06-02 19:02 -------- d-----w- c:\program files\UltimateBet
2009-05-23 14:34 . 2009-05-27 12:47 -------- d-----w- c:\documents and settings\Owner\Shared
2009-05-23 14:33 . 2009-05-27 12:47 -------- d-----w- c:\documents and settings\Owner\Incomplete
2009-05-23 14:33 . 2009-05-24 06:53 -------- d-----w- c:\documents and settings\Owner\Application Data\MP3Rocket
2009-05-20 16:13 . 2009-05-20 16:13 -------- d-----w- c:\documents and settings\Owner\Application Data\Jane s Hotel Family Hero
2009-05-17 21:41 . 2009-05-17 21:41 57136 ----a-w- c:\windows\system32\drivers\cdr4_xp.sys
2009-05-17 21:41 . 2009-05-17 21:41 40960 ----a-w- c:\windows\uneng.exe
2009-05-17 21:41 . 2009-05-17 21:41 23721 ----a-w- c:\windows\system32\drivers\cdralw2k.sys
2009-05-17 21:40 . 2009-05-17 21:41 -------- d-----w- c:\program files\Common Files\Adaptec Shared
2009-05-17 21:40 . 2009-05-17 21:40 -------- d-----w- c:\program files\Adaptec
2009-05-15 20:54 . 2009-05-15 20:54 -------- d-----w- c:\program files\farm mania
2009-05-15 20:54 . 2009-05-15 20:54 -------- d-----w- c:\windows\farm mania,
2009-05-14 23:12 . 2009-05-14 23:12 -------- d-----w- c:\documents and settings\Owner\Application Data\Viewpoint
2009-05-13 15:36 . 2009-05-13 15:36 -------- d-sh--w- c:\windows\ftpcache
2009-05-13 15:32 . 2009-05-28 18:40 -------- d-----w- c:\program files\Selectsoft
2009-05-13 01:20 . 2009-05-13 01:20 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Identities
2009-05-12 02:34 . 2009-05-28 14:58 -------- d-----w- C:\games
2009-05-11 19:44 . 2009-05-11 19:44 -------- d-----w- c:\windows\BBSTORE
2009-05-11 19:39 . 2009-05-28 18:45 -------- d-----w- c:\program files\Riven
2009-05-11 19:35 . 1996-08-16 17:49 298496 ----a-w- c:\windows\uninst.exe
2009-05-10 14:54 . 2009-05-10 15:10 -------- d-----w- c:\documents and settings\Owner\Application Data\ICQ
2009-05-10 14:53 . 2009-05-10 15:10 -------- d-----w- c:\program files\ICQ6.5
2009-05-10 14:26 . 2009-06-03 02:12 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\FLVService
2009-05-10 14:26 . 2009-05-10 14:26 -------- d-----w- c:\program files\Ask & Record Toolbar
2009-05-10 14:23 . 2009-05-10 14:23 -------- d-----w- c:\windows\Ask & Record Toolbar
2009-05-06 09:46 . 2009-05-06 10:17 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-05-05 22:27 . 2009-05-05 22:27 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2009-05-05 18:20 . 2009-05-05 18:20 -------- d-----w- c:\windows\Sun
2009-05-05 18:19 . 2009-05-05 18:18 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-05 18:17 . 2009-05-05 18:17 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-05 07:04 . 2009-05-05 07:04 -------- d-----w- c:\program files\MSXML 4.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-31 11:10 . 2009-04-30 03:03 75184 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-31 10:53 . 2009-05-01 02:07 1148 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-05-29 11:44 . 2009-04-29 19:58 -------- d-----w- c:\program files\Pure Networks
2009-05-28 18:44 . 2009-04-29 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-05-28 18:43 . 2009-04-29 19:57 -------- d-----w- c:\program files\Common Files\AOL
2009-05-28 18:43 . 2009-04-29 20:13 -------- d-----w- c:\documents and settings\Owner\Application Data\AOL
2009-05-26 12:44 . 2009-04-30 03:06 -------- d-----w- c:\program files\Virtual Villagers
2009-05-17 21:41 . 2002-01-23 15:43 45056 ----a-w- c:\windows\system32\cdrtc.dll
2009-05-17 21:41 . 2002-01-23 15:20 45056 ----a-w- c:\windows\system32\cdral.dll
2009-05-10 14:55 . 2009-04-29 19:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-08 15:44 . 2009-04-29 20:03 -------- d-----w- c:\program files\McAfee
2009-05-05 18:18 . 2009-04-29 19:51 -------- d-----w- c:\program files\Java
2009-05-04 13:00 . 2009-05-04 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2009-05-04 04:19 . 2009-05-04 04:19 -------- d-----w- c:\program files\MSSOAP
2009-05-03 18:57 . 2009-05-03 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-05-01 21:04 . 2009-04-29 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\FarmFrenzy2
2009-05-01 12:15 . 2009-04-29 18:37 -------- d-----w- c:\program files\Alawar
2009-05-01 03:55 . 2009-05-01 02:54 -------- d-----w- c:\program files\Farm Frenzy Pizza Party
2009-05-01 03:54 . 2009-05-01 02:54 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-01 02:54 . 2009-05-01 02:54 -------- d-----w- c:\documents and settings\All Users\Application Data\FarmFrenzy-PizzaParty
2009-05-01 02:43 . 2009-05-01 02:43 -------- d-----w- c:\program files\ReflexiveArcade
2009-05-01 02:07 . 2009-05-01 02:07 -------- d-----w- c:\documents and settings\Owner\Application Data\Template
2009-05-01 01:51 . 2009-04-29 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com Personal Firewall
2009-04-30 20:42 . 2009-04-30 20:39 -------- d-----w- c:\program files\Efficient Networks
2009-04-30 02:47 . 2009-04-30 02:47 -------- d-----w- c:\program files\Common Files\Nova Development
2009-04-30 02:47 . 2009-04-30 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Creative Home
2009-04-30 02:45 . 2009-04-30 02:45 -------- d-----w- c:\program files\Creative Home
2009-04-30 01:37 . 2009-04-29 20:57 -------- d-----w- c:\program files\Sierra On-Line
2009-04-30 01:32 . 2009-04-30 01:32 -------- d-----w- c:\documents and settings\LocalService\Application Data\Webroot
2009-04-30 01:32 . 2009-04-30 01:32 -------- d-----w- c:\program files\Webroot
2009-04-30 01:32 . 2009-04-30 01:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Webroot
2009-04-30 00:46 . 2009-04-30 00:46 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee.com Personal Firewall
2009-04-30 00:46 . 2009-04-30 00:46 -------- d-----w- c:\documents and settings\Owner\Application Data\McAfee.com Personal Firewall
2009-04-29 20:57 . 2009-04-29 20:57 -------- d-----w- c:\program files\WON
2009-04-29 20:48 . 2009-04-29 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
2009-04-29 20:03 . 2009-04-29 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2009-04-29 20:01 . 2009-04-29 20:00 -------- d-----w- c:\program files\Microsoft Money 2006
2009-04-29 19:59 . 2009-04-29 19:59 -------- d-----w- c:\documents and settings\Owner\Application Data\You've Got Pictures Screensaver
2009-04-29 19:59 . 2009-04-29 19:59 -------- d-----w- c:\program files\Common Files\Nullsoft
2009-04-29 19:59 . 2009-04-29 19:58 -------- d-----w- c:\program files\QuickTime
2009-04-29 19:58 . 2009-04-29 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
2009-04-29 19:58 . 2009-04-29 19:58 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
2009-04-29 19:58 . 2009-04-29 19:58 -------- d-----w- c:\program files\Common Files\Real
2009-04-29 19:58 . 2009-04-29 19:58 -------- d-----w- c:\program files\Real
2009-04-29 19:58 . 2009-04-29 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Pure Networks
2009-04-29 19:58 . 2009-04-29 19:58 -------- d-----w- c:\documents and settings\Owner\Application Data\SampleView
2009-04-29 19:57 . 2009-04-29 19:57 335 ----a-w- c:\windows\nsreg.dat
2009-04-29 19:57 . 2009-04-29 19:57 49152 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-04-29 19:57 . 2009-04-29 19:57 45056 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-04-29 19:57 . 2009-04-29 19:57 45056 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
2009-04-29 19:57 . 2009-04-29 19:57 10134 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe
2009-04-29 19:57 . 2009-04-29 19:57 -------- d-----w- c:\program files\BigFix
2009-04-29 19:57 . 2009-04-29 19:56 -------- d-----w- c:\program files\Microsoft Works
2009-04-29 19:56 . 2009-04-29 19:56 -------- d-----w- c:\program files\MSN Encarta Plus
2009-04-29 19:56 . 2009-04-29 19:56 -------- d-----w- c:\program files\Digital Media Reader
2009-04-29 19:55 . 2009-04-29 19:41 -------- d-----w- c:\program files\Common Files\InstallShield
2009-04-29 19:54 . 2009-04-29 19:54 -------- d-----w- c:\program files\Common Files\Adobe
2009-04-29 19:52 . 2009-04-29 19:52 -------- d-----w- c:\program files\Realtek Sound Manager
2009-04-29 19:52 . 2009-04-29 19:52 -------- d-----w- c:\program files\AvRack
2009-04-29 19:52 . 2009-04-29 19:52 -------- d-----w- c:\program files\Realtek AC97
2009-04-29 19:52 . 2009-04-29 19:51 -------- d-----w- c:\program files\Microsoft Digital Image 2006
2009-04-29 19:52 . 2009-04-29 19:52 4 ----a-w- c:\windows\Pix11.dat
2009-04-29 19:51 . 2009-04-29 19:51 -------- d-----w- c:\program files\Common Files\Java
2009-04-29 19:45 . 2009-04-29 19:45 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-04-29 19:44 . 2009-04-29 19:44 -------- d-----w- c:\program files\Google
2009-04-29 19:44 . 2009-04-29 19:44 -------- d-----w- c:\program files\CyberLink
2009-04-29 19:44 . 2009-04-29 19:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Farm Frenzy
2009-04-29 19:43 . 2009-04-29 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\AlawarWrapper
2009-04-29 19:37 . 2009-04-29 19:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Prism Deploy
2009-04-29 19:37 . 2009-04-29 19:37 -------- d-----w- c:\program files\Common Files\New Boundary
2009-04-29 19:34 . 2009-04-29 19:34 -------- d-----w- c:\program files\CONEXANT
2009-04-29 19:22 . 2004-08-26 18:04 -------- d-----w- c:\program files\microsoft frontpage
2009-04-06 17:32 . 2009-05-04 04:18 1563008 ----a-w- c:\windows\WRSetup.dll
2009-04-02 18:30 . 2009-04-02 18:30 176752 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2009-04-02 18:30 . 2009-04-02 18:30 23152 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2009-04-02 18:30 . 2009-04-02 18:30 29808 ----a-w- c:\windows\system32\drivers\ssfs0bbc.sys
2009-03-06 14:00 . 2009-04-29 19:17 284160 ----a-w- c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-03_14.50.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-03 15:13 . 2009-06-03 15:13 16384 c:\windows\temp\Perflib_Perfdata_298.dat
+ 2009-06-03 15:15 . 2009-06-03 15:15 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-08-26 18:07 . 2009-06-03 15:12 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-08-26 18:07 . 2009-06-03 14:22 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-08-26 18:07 . 2009-06-03 15:12 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-08-26 18:07 . 2009-06-03 14:22 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money 2006\MNYCoreFiles\System\Money Express.exe" [1999-08-04 122940]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-16 24264488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-05 148888]
"Ask and Record FLV Service"="c:\program files\Ask & Record Toolbar\FLVSrvc.exe" [2009-03-10 156672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-04-29 98304]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-04-06 6345840]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2005-09-26 90112]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-09-18 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2009-4-29 2168360]
Event Planner Reminder.lnk - c:\program files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe [2009-4-29 25896]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [4/2/2009 2:30 PM 29808]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [5/4/2009 12:21 AM 1181040]
R3 ENDETECT;ENDETECT;c:\progra~1\EFFICI~1\TANGOM~1\app\ENDETECT.SYS [4/30/2009 4:42 PM 7752]
R3 ENETNT5;Efficient Networks, tango Access PPPoE WAN Miniport;c:\windows\system32\drivers\enetnt.sys [4/30/2009 4:42 PM 40832]
R3 L2XPSR;L2XPSR;c:\progra~1\EFFICI~1\TANGOM~1\app\L2XPSR.SYS [4/30/2009 4:42 PM 18478]
R3 NTSTPL1;NTSTPL1;c:\progra~1\EFFICI~1\TANGOM~1\app\NTSTPL1.SYS [4/30/2009 4:42 PM 16160]
R3 TAPBIND;TAPBIND;c:\progra~1\EFFICI~1\TANGOM~1\app\TAPBIND1.SYS [4/30/2009 4:42 PM 44736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.windstream.net/wind/portal/index.aspx
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3418
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {A2908D85-E3F9-4FC3-AE88-480B3C435ED6} = 166.102.165.11 166.102.165.13
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-03 11:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3752)
c:\documents and settings\Owner\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Efficient Networks\Tango Manager\app\TangoService.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\windows\system32\rundll32.exe
c:\progra~1\EFFICI~1\TANGOM~1\app\TANGOM~1.EXE
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\windows\system32\wscntfy.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Webroot\Spy Sweeper\SSU.exe
.
**************************************************************************
.
Completion time: 2009-06-03 11:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-03 15:21
ComboFix2.txt 2009-06-03 14:52

Pre-Run: 119,426,543,616 bytes free
Post-Run: 119,298,183,168 bytes free

320 --- E O F --- 2009-06-02 07:01

Re: WinBlueSoft
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

How is the machine running now?

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: WinBlueSoft
Everything appears to be running fine. Does this mean I am done? What is the best way to protect the system in future?

Re: WinBlueSoft
Hello.
Do you have any external hardware that you used around the time the infection started? This infection has an autorun worm included in it, so any USB stick/external hard drives can possibly be infected.


Re: WinBlueSoft
I do have a thumb drive. I don't know if it was used, but it should probably be checked.

Re: WinBlueSoft
Please download USBNoRisk to your Desktop and run it by double clicking the program's icon.

  1. Wait a couple of seconds for initial scan to finish.
  2. Connect all of your USB storage devices to the PC, one at a time, and keep each one connected for at least 10 seconds.
  3. If there are more USB storage devices to scan, please make a note of the order in which they were connected.
  4. After all the devices are scanned, right click in the Monitor tab, and choose "Save log". That will open the log in Notepad. Please copy and paste the log into this thread.
Explanation: USB storage devices are all the USB devices that get their own partition letter when connected to the PC, e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras, memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.


Re: WinBlueSoft
USBNoRisk 2.4 (1 June 2009) by bobby

Started at 6/3/2009 11:43:57 AM

Searching for connected USB Mass storage...
----------------------------------------
========================================

Searching for other storage...
----------------------------------------
C: {8014b06e-34fb-11de-a04a-806d6172696f}
D: {8014b06f-34fb-11de-a04a-806d6172696f}
========================================


Scanning fixed storage...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 8014b06e-34fb-11de-a04a-806d6172696f
No Desktop.ini files found on C:
----------------------------------------

No blocked files found on D:
No Autorun.inf files found on D:
No mountpoint found for D:
No mountpoint found for 8014b06f-34fb-11de-a04a-806d6172696f
----------------------------------------
Desktop.ini found at D:\Recycled\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
----------------------------------------
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
----------------------------------------
Desktop.ini found at D:\MiniNT\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------
Desktop.ini found at D:\i386\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------
Desktop.ini found at D:\updgoi\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------
Desktop.ini found at D:\System Restore\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------
Desktop.ini found at D:\System Volume Information\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------
Desktop.ini found at D:\PRELOAD\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------

========================================
Initial scan finished!
========================================


New device connected at 6/3/2009 11:44:36 AM

Scanning for connected USB mass storage...
----------------------------------------
L: {ca5581d4-48db-11de-a059-000b23602733}
Added L:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on L:
----------------------------------------
autorun.inf found on L:
----------------------------------------
File L:\autorun.inf renamed successfully

Content of L:\autorun.inf.blocked
----------------------------------------
[autorun]
;xskxsrrfbemflkfynpsgjodctcxnmtpougqihnkkvccgemnniimuzobntzosecxlmcumffzdupxlxjrvpeqynkwwutfiecneour
shellexecute="RECYCLER\S-1-3-78-100023270-100010130-100029709-1602.com l:\"
;kxecrgjoaisbqodzrfzuvzfbww
shell\Open\command="RECYCLER\S-1-3-78-100023270-100010130-100029709-1602.com l:\"
;tbwzzeiabcpwolhehjowfbwwpefcgsgpgdoeyobyszmqcjydbfldfn
shell=Open
----------------------------------------

Files referenced from L:\autorun.inf.blocked
----------------------------------------
None
----------------------------------------

Possible references from L:\autorun.inf.blocked
(beware, these are possible false detections)
----------------------------------------
L:\RECYCLER\S-1-3-78-100023270-100010130-100029709-1602.com -r-hs 39936
----------------------------------------

Sanitized mountpoint for ca5581d4-48db-11de-a059-000b23602733
----------------------------------------

No Desktop.ini files found on L:
----------------------------------------

No mimics found on drive L:
========================================
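
The autorun.inf captured in the log above shows several traits at once: a command target parked under RECYCLER, a file name dressed up as a SID, a default verb wired to that command, and random comment padding. The following is an added example, not part of the thread and not USBNoRisk's own logic: a small Python triage that checks an autorun.inf for those traits. The flag names, thresholds and the CLEAN sample are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# INFECTED is the autorun.inf content quoted in the USBNoRisk log above.
# CLEAN is a constructed installer-style file, included only for contrast.
INFECTED = r'''[autorun]
;xskxsrrfbemflkfynpsgjodctcxnmtpougqihnkkvccgemnniimuzobntzosecxlmcumffzdupxlxjrvpeqynkwwutfiecneour
shellexecute="RECYCLER\S-1-3-78-100023270-100010130-100029709-1602.com l:\"
;kxecrgjoaisbqodzrfzuvzfbww
shell\Open\command="RECYCLER\S-1-3-78-100023270-100010130-100029709-1602.com l:\"
;tbwzzeiabcpwolhehjowfbwwpefcgsgpgdoeyobyszmqcjydbfldfn
shell=Open
'''
CLEAN = '''[autorun]
; setup launcher
open=setup.exe
icon=setup.exe,0
label=Installer
'''

# Keys that make Windows run something from the drive.
COMMAND_KEY = re.compile(r'^(open|shellexecute|shell\\[^\\]+\\command)$', re.I)
# Program path at the start of a command value (arguments may follow it).
PROGRAM = re.compile(r'^(.*?\.(?:exe|com|scr|pif|bat|cmd|vbs))(?=["\s]|$)', re.I)
# Folders users rarely browse, so a file placed there tends to go unnoticed.
HIDING_DIRS = {'recycler', 'recycled', '$recycle.bin', 'system volume information'}
SID_LIKE = re.compile(r'^S-1-\d+(-\d+)+$', re.I)
# Heuristic: genuine per-user Recycle Bin folders carry an account SID.
USER_SID = re.compile(r'^S-1-5-21(-\d+){4}$', re.I)
# Heuristic: a long, letters-only comment with no spaces is padding, not a note.
JUNK = re.compile(r'^[a-z]{20,}$', re.I)
HIGH_SIGNAL = {'target_in_hiding_dir', 'sid_lookalike_name', 'junk_comment_padding'}


def parse_autorun(text):
    """Return (entries, comments) for the [autorun] section; keys lower-cased."""
    entries, comments, in_section = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(';'):
            comments.append(line[1:].strip())
        elif line.startswith('['):
            in_section = line.lower() == '[autorun]'
        elif in_section and '=' in line:
            key, value = line.split('=', 1)
            entries[key.strip().lower()] = value.strip()
    return entries, comments


def command_target(value):
    """Extract the program path from a command value, dropping its arguments."""
    value = value.strip().strip('"')
    match = PROGRAM.match(value)
    if match:
        return match.group(1)
    tokens = value.split()
    return tokens[0] if tokens else ''


def triage(text):
    """Return the set of flags raised by one autorun.inf."""
    entries, comments = parse_autorun(text)
    flags = set()
    commands = [v for k, v in entries.items() if COMMAND_KEY.match(k)]
    if commands:
        flags.add('autorun_command')  # informational: installers do this too
    for value in commands:
        path = PureWindowsPath(command_target(value))
        parts = path.parts[1:] if path.anchor else path.parts
        if parts and parts[0].lower() in HIDING_DIRS:
            flags.add('target_in_hiding_dir')
        for part in parts:
            # A name that looks like a SID but is not a real account-SID folder.
            if SID_LIKE.match(PureWindowsPath(part).stem) and not USER_SID.match(part):
                flags.add('sid_lookalike_name')
    verb = entries.get('shell')
    if verb and 'shell\\' + verb.lower() + '\\command' in entries:
        flags.add('default_verb_runs_command')  # double-clicking the drive runs it
    if sum(1 for c in comments if JUNK.match(c)) >= 2:
        flags.add('junk_comment_padding')
    return flags


def is_suspicious(text):
    """True when at least one high-signal flag is present."""
    return bool(triage(text) & HIGH_SIGNAL)


if __name__ == '__main__':
    for name, sample in (('INFECTED', INFECTED), ('CLEAN', CLEAN)):
        print(name, sorted(triage(sample)), 'suspicious =', is_suspicious(sample))
```
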

Re: WinBlueSoft
Hello.
Yep, whatever your L drive is, it's infected too.

Please open USBNoRisk again, we need to use a custom script to delete the malicious autorun.inf files.

  1. When USBNoRisk opens, go into the Script tab, and insert the bolded script below.


    {8014b06e-34fb-11de-a04a-806d6172696f}
    protect:
    {8014b06f-34fb-11de-a04a-806d6172696f}
    protect:
    {ca5581d4-48db-11de-a059-000b23602733}
    f_delete: L:\autorun.inf.blocked
    f_delete: L:\RECYCLER\S-1-3-78-100023270-100010130-100029709-1602.com
    protect:



  2. Then press the Run Script button.
  3. Copy and paste the report back here.


Re: WinBlueSoft
USBNoRisk 2.4 (1 June 2009) by bobby

Started at 6/3/2009 11:50:20 AM

Searching for connected USB Mass storage...
----------------------------------------
========================================

Searching for other storage...
----------------------------------------
C: {8014b06e-34fb-11de-a04a-806d6172696f}
D: {8014b06f-34fb-11de-a04a-806d6172696f}
========================================


Scanning fixed storage...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 8014b06e-34fb-11de-a04a-806d6172696f
No Desktop.ini files found on C:
----------------------------------------

No blocked files found on D:
No Autorun.inf files found on D:
No mountpoint found for D:
No mountpoint found for 8014b06f-34fb-11de-a04a-806d6172696f
----------------------------------------
Desktop.ini found at D:\Recycled\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
----------------------------------------
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
----------------------------------------
Desktop.ini found at D:\MiniNT\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------
Desktop.ini found at D:\i386\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------
Desktop.ini found at D:\updgoi\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------
Desktop.ini found at D:\System Restore\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------
Desktop.ini found at D:\System Volume Information\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------
Desktop.ini found at D:\PRELOAD\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------

========================================
Initial scan finished!
========================================


New device connected at 6/3/2009 11:51:06 AM

Scanning for connected USB mass storage...
----------------------------------------
L: {ca5581d4-48db-11de-a059-000b23602733}
Added L:
========================================

Scanning USB mass storage for files...
----------------------------------------
Blocked file found: L:\autorun.inf.blocked
----------------------------------------
Content of L:\autorun.inf.blocked
----------------------------------------
[autorun]
;xskxsrrfbemflkfynpsgjodctcxnmtpougqihnkkvccgemnniimuzobntzosecxlmcumffzdupxlxjrvpeqynkwwutfiecneour
shellexecute="RECYCLER\S-1-3-78-100023270-100010130-100029709-1602.com l:\"
;kxecrgjoaisbqodzrfzuvzfbww
shell\Open\command="RECYCLER\S-1-3-78-100023270-100010130-100029709-1602.com l:\"
;tbwzzeiabcpwolhehjowfbwwpefcgsgpgdoeyobyszmqcjydbfldfn
shell=Open
----------------------------------------

Files referenced from L:\autorun.inf.blocked
----------------------------------------
None
----------------------------------------

Possible references from L:\autorun.inf.blocked
(beware, these are possible false detections)
----------------------------------------
L:\RECYCLER\S-1-3-78-100023270-100010130-100029709-1602.com -r-hs 39936
----------------------------------------

----------------------------------------
No Autorun.inf files found on L:
No mountpoint found for ca5581d4-48db-11de-a059-000b23602733
----------------------------------------

No Desktop.ini files found on L:
----------------------------------------

No mimics found on drive L:
========================================


Processing script
----------------------------------------
ca5581d4-48db-11de-a059-000b23602733
Drive letter for GUID: L:
SectionStart = 4
SectionEnd = 6
f_delete:
driver version mismatch: use command "net stop catchme" to stop old driver
driver version mismatch: use command "net stop catchme" to stop old driver
delete file error: L:\autorun.inf.blocked, The handle is invalid.
f_delete:
driver version mismatch: use command "net stop catchme" to stop old driver
driver version mismatch: use command "net stop catchme" to stop old driver
delete file error: L:\RECYCLER\S-1-3-78-100023270-100010130-100029709-1602.com, The handle is invalid.
----------------------------------------

8014b06e-34fb-11de-a04a-806d6172696f
Drive letter for GUID: C:
SectionStart = 0
SectionEnd = 1
----------------------------------------

8014b06f-34fb-11de-a04a-806d6172696f
Drive letter for GUID: D:
SectionStart = 2
SectionEnd = 3
----------------------------------------

Re: WinBlueSoft
Hmm, not sure why that didn't work.

Please download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :files
    L:\RECYCLER\S-1-3-78-100023270-100010130-100029709-1602.com
    L:\autorun.inf


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


Re: WinBlueSoft
L:\RECYCLER\S-1-3-78-100023270-100010130-100029709-1602.com moved successfully.
File/Folder L:\autorun.inf not found.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 06032009_120339

Re: WinBlueSoft
Hello.
I made a slight mistake on my old script, so use this next script in OTMoveIt.


    :files
    L:\autorun.inf.blocked


Re: WinBlueSoft
========== FILES ==========
L:\autorun.inf.blocked moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 06032009_121052

Re: WinBlueSoft
We can remove OTMoveIt now.

  • Please double-click OTMoveIt3.exe to run it again.
  • Press the green CleanUp! button.
  • Press Yes at the cleanup process prompt, and do the same for the reboot prompt.
That should do it now.


Re: WinBlueSoft
Ok, done it. Any suggestions on preventing future problems of this kind?

You guys are amazing! Thank you very much.

Re: WinBlueSoft
Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck.

