WiredWX Christian Hobby Weather Tools

Another WinBlueSoft victim...
I'm posting for my husband who's gotten his computer infected with the WinBlueSoft that seems to be going around. I've looked at several forums, but cannot seem to fix the problem.

The trick is the virus seems to be preventing us from running any programs that would be helpful (Malwarebytes, ComboFix, etc). We can install them just fine, but when you click the icon to open it doesn't work. I've even tried the trick of renaming the install file, not using the mouse, etc ... maybe I'm not doing it in the right order? I've even tried installing and running the Malwarebytes software from a flash drive (and installing it from the flash drive, etc...) with no success. I've also attempted to get into the registry to delete things from there, but I can't get THAT to launch either.

We've also tried going back to a previous restore point and just doing a full system restore from the restore partition, but it's not working. I'd like to avoid having to dig out the OS disc again if at all possible. We JUST re-loaded his PC about a month ago and I don't feel like dealing with that again (if at all possible).

Obviously this is a bit beyond my capabilities and some help would be greatly appreciated.

Also, please note that he's running Windows XP, SP2.

Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:02:04 AM, on 6/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Documents and Settings\Ray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
c:\program files\avira\antivir desktop\avcenter.exe
C:\Program Files\Avira\AntiVir Desktop\avscan.exe
G:\FIX\H.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [WinBlueSoft] C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Ray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKUS\S-1-5-18\..\Run: [tempo-setup2.exe] C:\WINDOWS\system32\tempo-setup2.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [tempo-setup2.exe] C:\WINDOWS\system32\tempo-setup2.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DDE0069-C8F3-4F63-B0CB-6F2CAFFEB57B}: NameServer = 85.255.112.84,85.255.112.80
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2868386-6369-432C-951F-1C0D3A5BBE03}: NameServer = 85.255.112.84,85.255.112.80
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.84,85.255.112.80
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.84,85.255.112.80
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.84,85.255.112.80
O20 - AppInit_DLLs: blocker.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 5749 bytes

Re: Another WinBlueSoft victim...

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O4 - HKLM\..\Run: [WinBlueSoft] C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKUS\S-1-5-18\..\Run: [tempo-setup2.exe] C:\WINDOWS\system32\tempo-setup2.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [tempo-setup2.exe] C:\WINDOWS\system32\tempo-setup2.exe (User 'Default user')
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8DDE0069-C8F3-4F63-B0CB-6F2CAFFEB57B}: NameServer = 85.255.112.84,85.255.112.80
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E2868386-6369-432C-951F-1C0D3A5BBE03}: NameServer = 85.255.112.84,85.255.112.80
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.84,85.255.112.80
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.84,85.255.112.80
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.84,85.255.112.80
    O20 - AppInit_DLLs: blocker.dll


  • Press "Fix Checked"
  • Close Hijack This.

Next,

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    (screenshot: CF_download_FF)

    (screenshot: CF_download_rename)

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV. (Avira)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    (screenshot: Rcauto10)

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    (screenshot: Whatne10)

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
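An added example (my code, not HijackThis's and not from this thread): a Python triage that scans HJT log lines for the entry types flagged in the reply above, so a helper can spot them before hand-picking lines. The sample lines are copied from the first log posted; the trusted-resolver list and the rogue-name list are assumptions.

```python
"""Triage HijackThis (HJT) log entries for the patterns the helper in this
thread singled out: an orphaned O2 BHO, O4 autoruns under the SYSTEM and
.DEFAULT hives, O17 NameServer overrides, and an O20 AppInit_DLLs value.
Added example for this page; not part of HijackThis or of the thread."""
import re
from ipaddress import ip_address

# Constructed sample: lines copied from the first HJT log in the thread, plus
# benign Avira/Adobe entries so the triage has something to pass over.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [WinBlueSoft] C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min
O4 - HKUS\S-1-5-18\..\Run: [tempo-setup2.exe] C:\WINDOWS\system32\tempo-setup2.exe (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.84,85.255.112.80
O20 - AppInit_DLLs: blocker.dll
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

# Assumption: the resolvers this machine is expected to use (empty here, so any
# hard-coded NameServer is reported) and autorun names already identified as
# rogue in this thread.
TRUSTED_DNS = ()
ROGUE_NAMES = ("WinBlueSoft", "tempo-setup2.exe")

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")


def parse_entry(line):
    """Split an HJT line into (section, body); None for process lists, headers etc."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def _is_ip(text):
    try:
        ip_address(text)
        return True
    except ValueError:
        return False


def triage_entry(line, trusted_dns=TRUSTED_DNS, rogue_names=ROGUE_NAMES):
    """Return a short reason if the entry is suspicious, else None."""
    parsed = parse_entry(line)
    if parsed is None:
        return None
    section, body = parsed

    # O20: AppInit_DLLs is loaded into every process that links user32.dll,
    # which is how one DLL can keep every security tool from starting.
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        dll = body.split(":", 1)[1].strip()
        return f"AppInit_DLLs set to {dll!r}" if dll else None

    # O17: a hard-coded NameServer that is not one of ours redirects all name
    # resolution, whichever interface or control set it sits in.
    if section == "O17":
        m = re.search(r"NameServer = ([\d.,]+)", body)
        if m:
            servers = [s for s in m.group(1).split(",") if s]
            unknown = [s for s in servers if _is_ip(s) and s not in trusted_dns]
            if unknown:
                return "NameServer overridden to " + ",".join(unknown)

    # O2: a BHO CLSID whose DLL is gone is a leftover from something removed.
    if section == "O2" and body.endswith("(no file)"):
        return "BHO with no backing file"

    if section == "O4":
        # Autoruns under HKUS\S-1-5-18 / .DEFAULT fire for SYSTEM and the
        # logon screen, which legitimate user software rarely needs.
        if body.startswith("HKUS\\"):
            return "autorun in SYSTEM/.DEFAULT hive"
        name = re.search(r"\[([^\]]+)\]", body)
        if name and name.group(1) in rogue_names:
            return f"known rogue autorun {name.group(1)!r}"
    return None


def triage_log(text, **kwargs):
    """Return [(line, reason)] for every suspicious entry in an HJT log."""
    hits = []
    for line in text.splitlines():
        reason = triage_entry(line, **kwargs)
        if reason:
            hits.append((line.strip(), reason))
    return hits


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG):
        print(f"{why:40s} <- {entry[:70]}")
```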

Re: Another WinBlueSoft victim...
Okay, so first problem is that when I ran HJT, the

"O4 - HKLM\..\Run: [WinBlueSoft] C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min"

item is NOT showing up in the log. Wait, just spoke with my husband and in an attempt to 'fix' it (after telling him not to...) he deleted the actual WinblueSoft folder.

Grr...

I'm going to paste the new HJT file.

I'm guessing then that not being able to delete that one item is what prevented ComboFix from running as instructed (even with the re-name).

So .... what next? Thanks for the help thus far.

HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:39 AM, on 6/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Documents and Settings\Ray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Ray\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Ray\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Ray\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Ray\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
G:\FIX\H.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Ray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2868386-6369-432C-951F-1C0D3A5BBE03}: NameServer = 85.255.112.84,85.255.112.80
O20 - AppInit_DLLs: blocker.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 5299 bytes

Re: Another WinBlueSoft victim...
Hello.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Delete a file on reboot..."
  • Then find this file: C:\Windows\system32\blocker.dll
  • Okay any prompts and select yes to reboot.

After reboot, try doing the Hijack This fix on the O20 item and it should go away this time.
Then try running Combofix.


Re: Another WinBlueSoft victim...
That seemed to do the trick ... here's the ComboFix log:

ComboFix 09-06-01.03 - Ray 06/03/2009 10:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.659 [GMT -4:00]
Running from: c:\documents and settings\Ray\Desktop\Combo-Fix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.


c:\windows\system32\41ezsteal957.exe
c:\windows\system32\41w9rm354z.cpl
c:\windows\system32\42dfb59kdooz2456.ocx
c:\windows\system32\4306bazkdo5r2594.dll
c:\windows\system32\43d195z683.dll
c:\windows\system32\43e5thr9at22685z.cpl
c:\windows\system32\447159rzs747.exe
c:\windows\system32\4530s9ezl15.exe
c:\windows\system32\4537ztea9619.cpl
c:\windows\system32\4550z9ief2795.ocx
c:\windows\system32\45z2a5dwar9603.ocx
c:\windows\system32\45z9h9cktoo549b.cpl
c:\windows\system32\45zcste9l2189.bin
c:\windows\system32\46959pywarz2869.bin
c:\windows\system32\477z5hi9f1320.dll
c:\windows\system32\47919ow5loader16z6.dll
c:\windows\system32\4799d5wnloadzr622.bin
c:\windows\system32\48599zt-a-virus3a9.bin
c:\windows\system32\48d9addw5rz665.exe
c:\windows\system32\48dzs5eal889.cpl
c:\windows\system32\4955zteal5965.exe
c:\windows\system32\49b59pywzre3135.ocx
c:\windows\system32\4a85spzware2999.bin
c:\windows\system32\4b97vir4z5.exe
c:\windows\system32\4bb2a5dwzre1991.dll
c:\windows\system32\4becdo5nloaderz69.bin
c:\windows\system32\4c83zow5loader99.dll
c:\windows\system32\4c98tzief18485.exe
c:\windows\system32\4e5zvi930715.exe
c:\windows\system32\4ed8s5yw9re72z.ocx
c:\windows\system32\4f57dowzloader9482.dll
c:\windows\system32\4z76thr9at28524.dll
c:\windows\system32\4z93spyware19095.cpl
c:\windows\system32\50313hacktool9cz.bin
c:\windows\system32\5053sparse5893z.ocx
c:\windows\system32\505b9hreat31z415.dll
c:\windows\system32\5090t9reat50180z.cpl
c:\windows\system32\50znot-a-virus3bc9.bin
c:\windows\system32\5139sp95zd.ocx
c:\windows\system32\51539troj50z.ocx
c:\windows\system32\5171steal9011z.cpl
c:\windows\system32\525zsparse2693.bin
c:\windows\system32\526bdzwnlo5der3429.bin
c:\windows\system32\52c3downlozd9r5866.cpl
c:\windows\system32\52efstezl9652.cpl
c:\windows\system32\53772troj39z.cpl
c:\windows\system32\538z9hi5f1940.bin
c:\windows\system32\53945not-a-zirus2c0.dll
c:\windows\system32\53b0steal15z9.bin
c:\windows\system32\5402spywarez559.ocx
c:\windows\system32\5445stea92523z.exe
c:\windows\system32\546449py230z.ocx
c:\windows\system32\54z76spy57a9.bin
c:\windows\system32\5528bac9dozr1259.bin
c:\windows\system32\55818szy398.exe
c:\windows\system32\559zvir178.ocx
c:\windows\system32\55c9bazkdoor3154.ocx
c:\windows\system32\55e8viz1239.dll
c:\windows\system32\56ab9ir305z.ocx
c:\windows\system32\56z4downl9ader787.exe
c:\windows\system32\56zas9ea51014.exe
c:\windows\system32\572z5pyware1956.bin
c:\windows\system32\57z8s5ea9699.bin
c:\windows\system32\581729pz413.dll
c:\windows\system32\58acs9yw5rez814.exe
c:\windows\system32\58d79t5al1257z.bin
c:\windows\system32\5902spyz23.bin
c:\windows\system32\593spambotz6d.exe
c:\windows\system32\59486trzj25b.exe
c:\windows\system32\594astea924z15.bin
c:\windows\system32\5953sparse257z.cpl
c:\windows\system32\59600wzrm59e.exe
c:\windows\system32\5978szarse16445.dll
c:\windows\system32\59b6bac5dooz1795.ocx
c:\windows\system32\59f9th9eatz0575.bin
c:\windows\system32\5b49sparsz5154.cpl
c:\windows\system32\5c95s9arse53z.bin
c:\windows\system32\5ca5thief579z.dll
c:\windows\system32\5d6bspywar9109z.cpl
c:\windows\system32\5dz6sp95are2939.cpl
c:\windows\system32\5dz8addware15369.ocx
c:\windows\system32\5e59stz5l2043.cpl
c:\windows\system32\5ez4t9rea513157.bin
c:\windows\system32\5faspzrse7905.dll
c:\windows\system32\5z12s9eal130.exe
c:\windows\system32\5z333not-a-virus909.bin
c:\windows\system32\5z559worm595.bin
c:\windows\system32\5z5ste9l547.exe
c:\windows\system32\5z85steal91.dll
c:\windows\system32\5z99spyw5re1882.bin
c:\windows\system32\5zcf9ackdoor400.dll
c:\windows\system32\6044sparsz9586.cpl
c:\windows\system32\6159steaz3049.ocx
c:\windows\system32\6265spyw9rez53.bin
c:\windows\system32\6294szambot752.cpl
c:\windows\system32\62dspa9sez558.exe
c:\windows\system32\6300bac95ooz2038.bin
c:\windows\system32\6471h9ckto5l30z.dll
c:\windows\system32\649zsparse951.exe
c:\windows\system32\64z09i5941.bin
c:\windows\system32\6526wor92b8z.ocx
c:\windows\system32\652aspywz9e25715.bin
c:\windows\system32\6546zte951411.dll
c:\windows\system32\665fspyzare1799.bin
c:\windows\system32\6695stealz415.exe
c:\windows\system32\66b6sp9r5e2796z.exe
c:\windows\system32\670fspy59re63z.dll
c:\windows\system32\6713s5z549.cpl
c:\windows\system32\680zadd59re336.dll
c:\windows\system32\6863hack5o9l1zc.bin
c:\windows\system32\69b9vir298z5.dll
c:\windows\system32\69d5vi5732z.bin
c:\windows\system32\6c53steal19z6.bin
c:\windows\system32\6czt5ief1956.exe
c:\windows\system32\6d25stezl2399.ocx
c:\windows\system32\6fc45ownloaze92424.exe
c:\windows\system32\6ze9steal1358.ocx
c:\windows\system32\70139py5z5.dll
c:\windows\system32\705fdo9nloadez839.cpl
c:\windows\system32\7136sp5mzo96f2.exe
c:\windows\system32\7151sp9rse356z.bin
c:\windows\system32\7459zpars91562.dll
c:\windows\system32\754asteal294z.bin
c:\windows\system32\75a1backdozr1698.dll
c:\windows\system32\75fzthre5t6909.dll
c:\windows\system32\76389or51z3.dll
c:\windows\system32\7663downlzade59183.ocx
c:\windows\system32\76adzpyware5909.bin
c:\windows\system32\7730z9wn5oader1382.cpl
c:\windows\system32\77845zwnloader15839.exe
c:\windows\system32\7850tro5ze99.cpl
c:\windows\system32\7875nzt-a-virus19e.cpl
c:\windows\system32\7905szambo56eb.dll
c:\windows\system32\7935pa9se2z1.dll
c:\windows\system32\79c95ddwzr9280.dll
c:\windows\system32\7a8f5pzware2930.bin
c:\windows\system32\7a9czownloader5048.dll
c:\windows\system32\7a9spyw5re7z8.ocx
c:\windows\system32\7bzfsteal5194.dll
c:\windows\system32\7d299pzware1529.exe
c:\windows\system32\7d6avir75z9.bin
c:\windows\system32\7e9downloadz5814.ocx
c:\windows\system32\8787spa5bot9z5.dll
c:\windows\system32\8879zpambot28d5.exe
c:\windows\system32\90998z5rm6e3.exe
c:\windows\system32\9196not-a-vizus524.cpl
c:\windows\system32\91fdown5ozder166.cpl
c:\windows\system32\9259tzoj795.exe
c:\windows\system32\9393wo5z7f9.cpl
c:\windows\system32\9479tzoj509.ocx
c:\windows\system32\9498vzrus5d6.exe
c:\windows\system32\9564spy4z.cpl
c:\windows\system32\95853zpambot3d5.cpl
c:\windows\system32\9587ztroj1485.exe
c:\windows\system32\95spambz91a8.ocx
c:\windows\system32\9655szy48.ocx
c:\windows\system32\9659zir603.bin
c:\windows\system32\97514wzrm538.bin
c:\windows\system32\9977viz9s1635.cpl
c:\windows\system32\99897zacktool5d5.cpl
c:\windows\system32\9a53szar5e823.dll
c:\windows\system32\9a88backdoorz2385.exe
c:\windows\system32\9b0addwa5e2z39.ocx
c:\windows\system32\9ca59zeat12601.bin
c:\windows\system32\9e9ezhreat46175.dll
c:\windows\system32\9fb5pywarz2004.dll
c:\windows\system32\9z395acktool38.cpl
c:\windows\system32\9za9sparse5056.exe
c:\windows\system32\9zf35ir87.bin
c:\windows\system32\ae5t9iez2629.bin
c:\windows\system32\b79azdw5r93169.ocx
c:\windows\system32\bdz5eal999.cpl
c:\windows\system32\cd4backdzor16259.bin
c:\windows\system32\cfbsparse5921z.cpl
c:\windows\system32\drivers\gxvxcltkmnboboejboaqjomgurqxdujwndtkw.sys
c:\windows\system32\ez85d9ware3080.ocx
c:\windows\system32\f7fthi9f3057z.bin
c:\windows\system32\fezaddware17519.cpl
c:\windows\system32\gxvxchcsoevcrvpxtiqtvykxukdulhefdypfr.dll
c:\windows\system32\gxvxcngpetodwuyavyxukrqttqptvtqsoaomp.dll
c:\windows\system32\mpg4c32.dll
c:\windows\system32\z060t5reat118559.bin
c:\windows\system32\z06ddo5nloader5559.dll
c:\windows\system32\z0a6backdoor97655.exe
c:\windows\system32\z15159yware456.exe
c:\windows\system32\z29threat7549.exe
c:\windows\system32\z2a2do9nloader5226.ocx
c:\windows\system32\z3570s9y1c.dll
c:\windows\system32\z52cspywar55459.cpl
c:\windows\system32\z52faddw9re929.dll
c:\windows\system32\z56f9d5ware2392.dll
c:\windows\system32\z59785p979e.dll
c:\windows\system32\z597spyware9354.dll
c:\windows\system32\z5a79teal2722.exe
c:\windows\system32\z751vir3589.exe
c:\windows\system32\z7e5spa9s5472.bin
c:\windows\system32\z845vir459.ocx
c:\windows\system32\z8556s9ambot5f.dll
c:\windows\system32\z88edow9loade52072.dll
c:\windows\system32\z99c5ir1292.dll
c:\windows\system32\zf07vir5191.ocx
c:\windows\system32\zf9add9a5e925.dll
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
c:\windows\z0799troj599.exe
c:\windows\z226troj4359.dll
c:\windows\z421v59us415.exe
c:\windows\z425v5r399.bin
c:\windows\z4975troj554.exe
c:\windows\z4a1vir596.exe
c:\windows\z5927s9ambot67b.ocx
c:\windows\z629backd5or2839.bin
c:\windows\z6c1d9wnload5r497.dll
c:\windows\z795thief1438.ocx
c:\windows\z884sp9ware3155.ocx
c:\windows\z89415ir9s12c.dll
c:\windows\z9244tro5685.dll
c:\windows\z938tr5j44d.dll
c:\windows\z9474hacktool9c55.cpl
c:\windows\z9558not-a-virus189.bin
c:\windows\zc505pyware399.cpl
c:\windows\zc5vir28569.exe
c:\windows\zc9bsteal1495.dll
c:\windows\zce2t5reat91090.ocx
c:\windows\zd5vir9155.cpl
c:\windows\ze19s5yware1773.exe

.

Re: Another WinBlueSoft victim...
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))
.

2009-06-03 13:02 . 2009-06-03 13:02 -------- d-----w- c:\program files\Ace Utilities
2009-06-03 04:30 . 2009-06-03 04:30 -------- d-----w- c:\program files\RegCure
2009-06-03 03:03 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-03 03:03 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-03 02:57 . 2009-06-03 02:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-03 02:09 . 2009-06-03 02:09 -------- d-----w- c:\program files\CCleaner
2009-06-03 02:08 . 2009-06-03 02:09 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-06-03 01:38 . 2009-06-03 01:38 -------- d-----w- c:\program files\Your Uninstaller 2008
2009-06-03 01:21 . 2009-06-03 03:00 -------- d-----w- c:\program files\mblah
2009-06-03 01:05 . 2009-06-03 01:05 361472 ----a-w- c:\windows\system32\tempo-setup2.exe
2009-06-03 00:59 . 2009-06-03 01:09 529 ----a-w- c:\windows\eReg.dat
2009-06-02 21:10 . 2009-06-02 21:10 -------- d-----w- c:\program files\CUEcards 2000
2009-06-01 16:43 . 2009-06-01 16:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-06-01 16:42 . 2009-06-01 16:42 -------- d-----w- c:\program files\PluginVideo
2009-06-01 16:42 . 2004-08-10 19:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-06-01 16:11 . 2009-06-01 16:11 -------- d-----w- c:\program files\Windows Media Connect 2
2009-06-01 16:09 . 2009-06-01 16:10 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-06-01 16:09 . 2009-06-01 16:09 -------- d-----w- c:\windows\system32\LogFiles
2009-05-30 15:51 . 2006-03-03 14:02 658432 ----a-w- c:\windows\system32\cc3270mt.dll
2009-05-30 15:51 . 2003-02-21 09:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-05-28 14:54 . 2009-05-28 15:06 -------- d-----w- c:\documents and settings\All Users\AdobeTemp
2009-05-28 03:44 . 2009-05-30 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-05-28 03:44 . 2009-05-28 03:44 -------- d-----w- C:\ProgramData
2009-05-28 03:42 . 2008-09-05 00:22 447752 ----a-r- c:\windows\system32\vp6vfw.dll
2009-05-28 03:42 . 2009-05-28 03:42 10134 ----a-r- c:\documents and settings\Ray\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-05-28 03:42 . 2009-05-28 03:42 -------- d-----w- c:\program files\Microsoft WSE
2009-05-28 03:42 . 2006-09-28 20:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2009-05-28 03:42 . 2009-05-28 03:42 -------- d-----w- c:\windows\Logs
2009-05-28 03:36 . 2009-05-28 03:43 -------- d-----w- c:\program files\Electronic Arts
2009-05-28 02:46 . 2009-05-28 02:46 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-05-28 02:46 . 2009-05-28 02:46 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-05-28 02:40 . 2009-05-28 02:40 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-05-28 02:36 . 2009-05-28 02:43 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-28 02:36 . 2009-05-28 03:32 -------- d-----w- c:\documents and settings\Ray\Application Data\DAEMON Tools Lite
2009-05-25 19:16 . 2009-05-25 19:16 -------- d-----w- c:\documents and settings\Ray\Application Data\PlayFirst
2009-05-25 19:16 . 2009-05-25 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2009-05-21 21:41 . 2009-05-21 21:41 -------- d-----w- c:\documents and settings\Ray\Application Data\UClick
2009-05-21 21:41 . 2009-05-21 21:41 -------- d-----w- c:\documents and settings\All Users\Application Data\UClick
2009-05-21 21:40 . 2009-05-27 21:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-16 00:54 . 2007-12-06 22:12 110592 ----a-w- c:\windows\system32\SynTPCo4.dll
2009-05-16 00:54 . 2007-12-06 21:41 220032 ----a-w- c:\windows\system32\drivers\SynTP.sys
2009-05-16 00:54 . 2007-12-06 21:20 147456 ----a-w- c:\windows\system32\SynTPAPI.dll
2009-05-16 00:54 . 2009-05-16 00:54 -------- d-----w- c:\program files\Synaptics
2009-05-16 00:54 . 2007-12-06 21:09 196608 ----a-w- c:\windows\system32\SynCtrl.dll
2009-05-16 00:54 . 2007-12-06 21:08 163840 ----a-w- c:\windows\system32\SynCOM.dll
2009-05-11 14:50 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-05-11 14:50 . 2008-10-16 18:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-05-11 02:33 . 2009-05-11 02:33 -------- d-----w- c:\windows\Sun
2009-05-11 02:33 . 2009-05-11 02:33 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-11 02:33 . 2009-05-11 02:33 -------- d-----w- c:\program files\Java
2009-05-11 02:32 . 2009-05-11 02:32 152576 ----a-w- c:\documents and settings\Ray\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-10 23:17 . 2009-05-10 23:19 -------- d-----w- c:\documents and settings\Ray\Application Data\Windows Live Writer
2009-05-10 23:17 . 2009-05-10 23:17 -------- d-----w- c:\documents and settings\Ray\Local Settings\Application Data\Windows Live Writer
2009-05-10 21:27 . 2009-05-10 21:27 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-05-10 19:04 . 2009-06-02 08:08 -------- d-----w- c:\documents and settings\Ray\Tracing
2009-05-10 18:57 . 2009-05-10 18:57 -------- d-----w- c:\program files\Microsoft
2009-05-10 18:57 . 2009-05-10 18:57 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-05-10 18:56 . 2009-05-10 18:58 -------- d-----w- c:\program files\Windows Live
2009-05-10 18:49 . 2009-05-10 18:49 -------- d-----w- c:\program files\Common Files\Windows Live
2009-05-10 18:13 . 2009-05-10 18:16 -------- d-----w- c:\documents and settings\Ray\Application Data\Intuit
2009-05-10 18:11 . 2009-05-10 18:11 -------- d-----w- c:\program files\Common Files\Intuit
2009-05-10 18:11 . 2009-05-10 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2009-05-10 18:11 . 2007-10-22 22:58 1721712 ------w- c:\windows\system32\InetClnt.dll
2009-05-10 18:01 . 2009-05-10 18:01 -------- d-----w- c:\program files\TurboTax
2009-05-10 16:13 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-05-10 16:13 . 2009-03-24 20:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-05-10 16:13 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-05-10 16:13 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-05-10 16:13 . 2009-05-10 16:13 -------- d-----w- c:\program files\Avira
2009-05-10 16:13 . 2009-05-10 16:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-05-09 18:35 . 2009-05-09 18:35 -------- d-----w- c:\program files\7-Zip
2009-05-09 10:31 . 2009-05-09 10:31 8328 ----a-w- c:\windows\system32\fdevi95z4.dll
2009-05-05 23:45 . 2009-05-05 23:45 -------- d-----w- c:\documents and settings\Ray\Application Data\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-03 01:10 . 2009-05-01 00:00 -------- d-----w- c:\documents and settings\Ray\Application Data\uTorrent
2009-06-03 01:00 . 2009-04-30 12:23 12400 ----a-w- c:\windows\system32\drivers\secdrv.sys
2009-06-01 16:09 . 2009-05-01 16:57 -------- d-----w- c:\program files\AVS4YOU
2009-06-01 16:09 . 2009-05-01 16:57 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-05-30 18:20 . 2009-04-30 14:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-28 15:06 . 2009-05-01 23:14 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-27 22:03 . 2009-05-01 02:22 -------- d-----w- c:\program files\Trillian
2009-05-17 01:21 . 2009-05-17 01:14 -------- d-----w- c:\documents and settings\Ray\Application Data\LimeWire
2009-05-12 15:17 . 2005-11-23 09:38 20000 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-03 23:03 . 2009-05-03 23:03 -------- d-----w- c:\program files\GPLGS
2009-05-03 23:03 . 2009-05-03 23:03 -------- d-----w- c:\program files\Acro Software
2009-05-02 10:41 . 2005-11-23 08:58 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-01 23:17 . 2009-05-01 15:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-05-01 23:14 . 2009-05-01 23:14 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-05-01 16:57 . 2009-05-01 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-05-01 15:54 . 2009-05-01 15:53 -------- d-----w- c:\program files\Yahoo!
2009-05-01 15:54 . 2009-05-01 15:54 -------- d-----w- c:\documents and settings\Ray\Application Data\Yahoo!
2009-05-01 15:54 . 2009-05-01 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-04-15 20:25 . 2005-11-23 08:54 43528 ------w- c:\windows\system32\drivers\pxhelp20.sys
2009-04-15 20:24 . 2009-04-15 20:24 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-04-15 20:24 . 2009-04-15 20:24 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-04-15 20:24 . 2009-04-15 20:24 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-04-15 20:24 . 2009-04-15 20:24 684032 ----a-w- c:\windows\system32\DivX.dll
2009-03-18 21:55 . 2009-05-01 15:53 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-03-06 14:44 . 2009-04-30 12:22 283648 ----a-w- c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Ray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-30 133104]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-11 148888]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/10/2009 12:13 PM 108289]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [1/25/2005 2:26 PM 200576]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [4/30/2009 8:27 AM 69692]
.
Contents of the 'Scheduled Tasks' folder

2009-06-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1682703293-1251011013-3375665933-1006.job
- c:\documents and settings\Ray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-30 23:39]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-03 10:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-06-03 10:11
ComboFix-quarantined-files.txt 2009-06-03 14:11

Pre-Run: 150,102,544,384 bytes free
Post-Run: 150,695,477,248 bytes free

884 --- E O F --- 2009-06-02 07:00

Re: Another WinBlueSoft victim...
Now open a new notepad file.
Input this into the notepad file:

KILLALL::

File::
c:\windows\system32\tempo-setup2.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=-


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
[screenshot: dragging CFScript.txt onto the combofix icon]

This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Another WinBlueSoft victim...
ComboFix 09-06-01.03 - Ray 06/03/2009 10:22.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.624 [GMT -4:00]
Running from: c:\documents and settings\Ray\Desktop\Combo-Fix.exe
Command switches used :: G:\CFScript.txt
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\system32\tempo-setup2.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\tempo-setup2.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))
.

2009-06-03 13:02 . 2009-06-03 13:02 -------- d-----w- c:\program files\Ace Utilities
2009-06-03 04:30 . 2009-06-03 04:30 -------- d-----w- c:\program files\RegCure
2009-06-03 03:03 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-03 03:03 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-03 02:57 . 2009-06-03 02:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-03 02:09 . 2009-06-03 02:09 -------- d-----w- c:\program files\CCleaner
2009-06-03 02:08 . 2009-06-03 02:09 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-06-03 01:38 . 2009-06-03 01:38 -------- d-----w- c:\program files\Your Uninstaller 2008
2009-06-03 01:21 . 2009-06-03 03:00 -------- d-----w- c:\program files\mblah
2009-06-03 00:59 . 2009-06-03 01:09 529 ----a-w- c:\windows\eReg.dat
2009-06-02 21:10 . 2009-06-02 21:10 -------- d-----w- c:\program files\CUEcards 2000
2009-06-01 16:43 . 2009-06-01 16:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-06-01 16:42 . 2009-06-01 16:42 -------- d-----w- c:\program files\PluginVideo
2009-06-01 16:42 . 2004-08-10 19:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-06-01 16:11 . 2009-06-01 16:11 -------- d-----w- c:\program files\Windows Media Connect 2
2009-06-01 16:09 . 2009-06-01 16:10 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-06-01 16:09 . 2009-06-01 16:09 -------- d-----w- c:\windows\system32\LogFiles
2009-05-30 15:51 . 2006-03-03 14:02 658432 ----a-w- c:\windows\system32\cc3270mt.dll
2009-05-30 15:51 . 2003-02-21 09:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-05-28 14:54 . 2009-05-28 15:06 -------- d-----w- c:\documents and settings\All Users\AdobeTemp
2009-05-28 03:44 . 2009-05-30 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-05-28 03:44 . 2009-05-28 03:44 -------- d-----w- C:\ProgramData
2009-05-28 03:42 . 2008-09-05 00:22 447752 ----a-r- c:\windows\system32\vp6vfw.dll
2009-05-28 03:42 . 2009-05-28 03:42 10134 ----a-r- c:\documents and settings\Ray\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-05-28 03:42 . 2009-05-28 03:42 -------- d-----w- c:\program files\Microsoft WSE
2009-05-28 03:42 . 2006-09-28 20:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2009-05-28 03:42 . 2009-05-28 03:42 -------- d-----w- c:\windows\Logs
2009-05-28 03:36 . 2009-05-28 03:43 -------- d-----w- c:\program files\Electronic Arts
2009-05-28 02:46 . 2009-05-28 02:46 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-05-28 02:46 . 2009-05-28 02:46 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-05-28 02:40 . 2009-05-28 02:40 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-05-28 02:36 . 2009-05-28 02:43 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-28 02:36 . 2009-05-28 03:32 -------- d-----w- c:\documents and settings\Ray\Application Data\DAEMON Tools Lite
2009-05-25 19:16 . 2009-05-25 19:16 -------- d-----w- c:\documents and settings\Ray\Application Data\PlayFirst
2009-05-25 19:16 . 2009-05-25 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2009-05-21 21:41 . 2009-05-21 21:41 -------- d-----w- c:\documents and settings\Ray\Application Data\UClick
2009-05-21 21:41 . 2009-05-21 21:41 -------- d-----w- c:\documents and settings\All Users\Application Data\UClick
2009-05-21 21:40 . 2009-05-27 21:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-16 00:54 . 2007-12-06 22:12 110592 ----a-w- c:\windows\system32\SynTPCo4.dll
2009-05-16 00:54 . 2007-12-06 21:41 220032 ----a-w- c:\windows\system32\drivers\SynTP.sys
2009-05-16 00:54 . 2007-12-06 21:20 147456 ----a-w- c:\windows\system32\SynTPAPI.dll
2009-05-16 00:54 . 2009-05-16 00:54 -------- d-----w- c:\program files\Synaptics
2009-05-16 00:54 . 2007-12-06 21:09 196608 ----a-w- c:\windows\system32\SynCtrl.dll
2009-05-16 00:54 . 2007-12-06 21:08 163840 ----a-w- c:\windows\system32\SynCOM.dll
2009-05-11 14:50 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-05-11 14:50 . 2008-10-16 18:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-05-11 02:33 . 2009-05-11 02:33 -------- d-----w- c:\windows\Sun
2009-05-11 02:33 . 2009-05-11 02:33 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-11 02:33 . 2009-05-11 02:33 -------- d-----w- c:\program files\Java
2009-05-11 02:32 . 2009-05-11 02:32 152576 ----a-w- c:\documents and settings\Ray\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-10 23:17 . 2009-05-10 23:19 -------- d-----w- c:\documents and settings\Ray\Application Data\Windows Live Writer
2009-05-10 23:17 . 2009-05-10 23:17 -------- d-----w- c:\documents and settings\Ray\Local Settings\Application Data\Windows Live Writer
2009-05-10 21:27 . 2009-05-10 21:27 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-05-10 19:04 . 2009-06-03 14:25 -------- d-----w- c:\documents and settings\Ray\Tracing
2009-05-10 18:57 . 2009-05-10 18:57 -------- d-----w- c:\program files\Microsoft
2009-05-10 18:57 . 2009-05-10 18:57 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-05-10 18:56 . 2009-05-10 18:58 -------- d-----w- c:\program files\Windows Live
2009-05-10 18:49 . 2009-05-10 18:49 -------- d-----w- c:\program files\Common Files\Windows Live
2009-05-10 18:13 . 2009-05-10 18:16 -------- d-----w- c:\documents and settings\Ray\Application Data\Intuit
2009-05-10 18:11 . 2009-05-10 18:11 -------- d-----w- c:\program files\Common Files\Intuit
2009-05-10 18:11 . 2009-05-10 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2009-05-10 18:11 . 2007-10-22 22:58 1721712 ------w- c:\windows\system32\InetClnt.dll
2009-05-10 18:01 . 2009-05-10 18:01 -------- d-----w- c:\program files\TurboTax
2009-05-10 16:13 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-05-10 16:13 . 2009-03-24 20:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-05-10 16:13 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-05-10 16:13 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-05-10 16:13 . 2009-05-10 16:13 -------- d-----w- c:\program files\Avira
2009-05-10 16:13 . 2009-05-10 16:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-05-09 18:35 . 2009-05-09 18:35 -------- d-----w- c:\program files\7-Zip
2009-05-09 10:31 . 2009-05-09 10:31 8328 ----a-w- c:\windows\system32\fdevi95z4.dll
2009-05-05 23:45 . 2009-05-05 23:45 -------- d-----w- c:\documents and settings\Ray\Application Data\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-03 01:10 . 2009-05-01 00:00 -------- d-----w- c:\documents and settings\Ray\Application Data\uTorrent
2009-06-03 01:00 . 2009-04-30 12:23 12400 ----a-w- c:\windows\system32\drivers\secdrv.sys
2009-06-01 16:09 . 2009-05-01 16:57 -------- d-----w- c:\program files\AVS4YOU
2009-06-01 16:09 . 2009-05-01 16:57 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-05-30 18:20 . 2009-04-30 14:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-28 15:06 . 2009-05-01 23:14 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-27 22:03 . 2009-05-01 02:22 -------- d-----w- c:\program files\Trillian
2009-05-17 01:21 . 2009-05-17 01:14 -------- d-----w- c:\documents and settings\Ray\Application Data\LimeWire
2009-05-12 15:17 . 2005-11-23 09:38 20000 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-03 23:03 . 2009-05-03 23:03 -------- d-----w- c:\program files\GPLGS
2009-05-03 23:03 . 2009-05-03 23:03 -------- d-----w- c:\program files\Acro Software
2009-05-02 10:41 . 2005-11-23 08:58 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-01 23:17 . 2009-05-01 15:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-05-01 23:14 . 2009-05-01 23:14 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-05-01 16:57 . 2009-05-01 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-05-01 15:54 . 2009-05-01 15:53 -------- d-----w- c:\program files\Yahoo!
2009-05-01 15:54 . 2009-05-01 15:54 -------- d-----w- c:\documents and settings\Ray\Application Data\Yahoo!
2009-05-01 15:54 . 2009-05-01 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-04-15 20:25 . 2005-11-23 08:54 43528 ------w- c:\windows\system32\drivers\pxhelp20.sys
2009-04-15 20:24 . 2009-04-15 20:24 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-04-15 20:24 . 2009-04-15 20:24 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-04-15 20:24 . 2009-04-15 20:24 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-04-15 20:24 . 2009-04-15 20:24 684032 ----a-w- c:\windows\system32\DivX.dll
2009-03-18 21:55 . 2009-05-01 15:53 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-03-06 14:44 . 2009-04-30 12:22 283648 ----a-w- c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-03_14.10.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-03 14:24 . 2009-06-03 14:24 16384 c:\windows\temp\Perflib_Perfdata_110.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Ray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-30 133104]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-11 148888]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/10/2009 12:13 PM 108289]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [1/25/2005 2:26 PM 200576]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [4/30/2009 8:27 AM 69692]
.
Contents of the 'Scheduled Tasks' folder

2009-06-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1682703293-1251011013-3375665933-1006.job
- c:\documents and settings\Ray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-30 23:39]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-03 10:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2752)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRAY.EXE
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-06-03 10:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-03 14:28
ComboFix2.txt 2009-06-03 14:11

Pre-Run: 150,711,406,592 bytes free
Post-Run: 150,691,119,104 bytes free

202 --- E O F --- 2009-06-02 07:00

Re: Another WinBlueSoft victim...
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u


This will also reset your restore points.

How is the machine running now?

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Another WinBlueSoft victim...
I think we may be fixed. The desktop is back to normal, I can run regedit and I'm not getting any more warnings.

Thanks! I'll update if that changes.

Re: Another WinBlueSoft victim...
Hello.
A few more things.

Do you have a USB stick or any other external hardware that uses USB? I believe they may be infected too.

