WiredWX Christian Hobby Weather Tools
Nasty WinPC Virus
My son's computer has a nasty WinPC virus that is not allowing me to use any malware removal tools. HijackThis and MBAM are both downloaded but will not start after trying to run them. It also looks like he has Spyware Protect 2009 on his computer. How can I work around these?

Re: Nasty WinPC Virus
Can you rename the Hijack This installer file?

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Nasty WinPC Virus
Yes, but when I double-click, nothing happens.

Re: Nasty WinPC Virus
I renamed MBAM and it froze on the final screen.

Re: Nasty WinPC Virus
Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

Can you run the Hijack This installer now?


Re: Nasty WinPC Virus
I can bring up the menu to put it into safe mode, but the arrow keys are not working on my usb keyboard. Does that make any sense to you? I am trying to get an older keyboard to see if that will work...

Re: Nasty WinPC Virus
Let's try this.

Download FileLister from here:
http://bamajim.com/Tools/FileLister.zip

Unzip the files and run FileLister.vbe.
Allow the scan to run and post the log back here.


Re: Nasty WinPC Virus
OK, got the keyboard and was able to install HijackThis. Here is a copy of the log file...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:22:05 PM, on 5/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.worldofwarcraft.com/index.xml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivirprotection.com
O1 - Hosts: 94.232.248.66 www.antivirprotection.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Zango /fleok=1D8A83A5C4E719779DA4692A1FBB39BFE4976E26CAEDA120180A196D6093 - {07AA283A-43D7-4CBE-A064-32A21112D94D} - C:\Program Files\Zango\bin\10.0.341.0\HostIE.dll (file missing)
O2 - BHO: WinInet Class - {39fc2065-c9c7-49cd-8942-44cc2dedc844} - C:\WINDOWS\ieocx.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: BHO - {BBD4551A-9B23-41cd-9BCD-818AA2DA7B63} - C:\WINDOWS\system32\iehelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GEST] ]
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\HP Wireless Keyboard\KMaestro.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\RocketFish\RF5.1\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [AVScan] C:\Documents and Settings\Adam Lyons\Application Data\winav.exe
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.pcclub.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://www.worldofwarcraft.com/contests/07-10-pumpkin/images/ss23.jpg
O24 - Desktop Component 1: (no name) - http://www.worldofwarcraft.com/contests/07-10-pumpkin/images/ss18-thumb.jpg
O24 - Desktop Component 10: (no name) - http://www.worldofwarcraft.com/contests/07-10-pumpkin/images/ss10-thumb.jpg
O24 - Desktop Component 11: (no name) - http://www.worldofwarcraft.com/contests/07-10-pumpkin/images/ss17-thumb.jpg
O24 - Desktop Component 12: (no name) - http://www.worldofwarcraft.com/contests/07-10-pumpkin/images/ss16-thumb.jpg
O24 - Desktop Component 13: (no name) - http://www.worldofwarcraft.com/contests/07-10-pumpkin/images/ss23-thumb.jpg
O24 - Desktop Component 14: (no name) - http://www.worldofwarcraft.com/contests/07-10-pumpkin/images/ss14-thumb.jpg
O24 - Desktop Component 15: (no name) - http://www.worldofwarcraft.com/contests/07-10-pumpkin/images/ss11-thumb.jpg
O24 - Desktop Component 2: (no name) - http://www.worldofwarcraft.com/contests/07-10-pumpkin/images/ss8-thumb.jpg
O24 - Desktop Component 3: (no name) - http://www.worldofwarcraft.com/contests/07-10-pumpkin/images/ss15-thumb.jpg
O24 - Desktop Component 4: (no name) - http://www.worldofwarcraft.com/contests/07-10-pumpkin/images/ss19-thumb.jpg
O24 - Desktop Component 5: (no name) - http://www.worldofwarcraft.com/contests/07-10-pumpkin/images/ss20-thumb.jpg
O24 - Desktop Component 6: (no name) - http://www.worldofwarcraft.com/contests/07-10-pumpkin/images/ss5-thumb.jpg
O24 - Desktop Component 7: (no name) - http://www.worldofwarcraft.com/contests/07-10-pumpkin/images/ss6-thumb.jpg
O24 - Desktop Component 8: (no name) - http://www.worldofwarcraft.com/contests/07-10-pumpkin/images/ss21-thumb.jpg
O24 - Desktop Component 9: (no name) - http://www.worldofwarcraft.com/contests/07-10-pumpkin/images/ss13-thumb.jpg

--
End of file - 10113 bytes

BTW, I had to switch to another computer, because now I can't seem to get IE to open up... even in Safe Mode with Networking.

Re: Nasty WinPC Virus
Hello. You'll need to use a USB stick from another machine then, but the Hijack This fix below should help somewhat.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll
    O1 - Hosts: ::1 localhost
    O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
    O1 - Hosts: 94.232.248.66 antivirprotection.com
    O1 - Hosts: 94.232.248.66 www.antivirprotection.com
    O2 - BHO: Zango /fleok=1D8A83A5C4E719779DA4692A1FBB39BFE4976E26CAEDA120180A196D6093 - {07AA283A-43D7-4CBE-A064-32A21112D94D} - C:\Program Files\Zango\bin\10.0.341.0\HostIE.dll (file missing)
    O2 - BHO: WinInet Class - {39fc2065-c9c7-49cd-8942-44cc2dedc844} - C:\WINDOWS\ieocx.dll
    O2 - BHO: BHO - {BBD4551A-9B23-41cd-9BCD-818AA2DA7B63} - C:\WINDOWS\system32\iehelper.dll
    O4 - HKCU\..\Run: [AVScan] C:\Documents and Settings\Adam Lyons\Application Data\winav.exe
    O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

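The fix list in the post above is built by reading the HijackThis log for three patterns: hosts-file lines that point a name somewhere other than loopback (several security-vendor names sunk to one address), BHO entries whose DLL lives outside Program Files or is nameless, and Run entries launched from a path a limited user can write to or straight from the Windows root. The script below is an added example of that triage written for this page; it is not code from the thread, from HijackThis or from its authors. The rule names, the directory heuristics and the sample lines (a handful copied from the log posted earlier in this thread) are all my own choices.

```python
"""Triage a HijackThis log: flag hosts-file redirections, BHOs that load from
outside Program Files, and Run entries that launch from user-writable paths."""
import re
from collections import Counter, defaultdict

# Constructed sample: a few representative lines copied from the log posted
# in this thread, not the whole log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.worldofwarcraft.com/index.xml
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivirprotection.com
O1 - Hosts: 94.232.248.66 www.antivirprotection.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Zango /fleok=1D8A83A5C4E719779DA4692A1FBB39BFE4976E26CAEDA120180A196D6093 - {07AA283A-43D7-4CBE-A064-32A21112D94D} - C:\Program Files\Zango\bin\10.0.341.0\HostIE.dll (file missing)
O2 - BHO: WinInet Class - {39fc2065-c9c7-49cd-8942-44cc2dedc844} - C:\WINDOWS\ieocx.dll
O2 - BHO: BHO - {BBD4551A-9B23-41cd-9BCD-818AA2DA7B63} - C:\WINDOWS\system32\iehelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AVScan] C:\Documents and Settings\Adam Lyons\Application Data\winav.exe
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
"""

LOOPBACK = {"127.0.0.1", "::1"}
# First absolute Windows path in a line that ends in an executable-ish extension.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|scr|bat|sys)', re.IGNORECASE)
# Assumed list of locations a limited user can write to: persistence from
# here never needed admin rights to install.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\", "\\desktop\\")


def first_path(text):
    """Return the first absolute path in a log line, or None for bare file names."""
    m = WIN_PATH.search(text)
    return m.group(0) if m else None


def triage(log_text):
    """Return a list of (rule, detail, line) findings for a HijackThis log."""
    findings = []
    hosts_by_ip = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O1 - Hosts:"):
            ip, host = line.split()[3:5]
            hosts_by_ip[ip].append(host)
            if ip not in LOOPBACK:
                findings.append(("hosts-redirect", f"{host} -> {ip}", line))
        elif line.startswith("O2 - BHO:"):
            name = line[len("O2 - BHO:"):].split(" - ")[0].strip()
            path = first_path(line)
            if path is None or "(file missing)" in line:
                findings.append(("bho-missing-file", name, line))
            elif "\\program files\\" not in path.lower() or name.lower() == "bho":
                findings.append(("bho-odd-location", f"{name}: {path}", line))
        elif line.startswith("O4 - "):
            path = first_path(line)
            if path is None:
                continue  # bare name resolved via PATH; nothing to judge here
            parent = path.rsplit("\\", 1)[0].lower()
            if any(d in path.lower() for d in USER_WRITABLE):
                findings.append(("run-from-user-writable", path, line))
            elif parent == "c:\\windows":
                findings.append(("run-from-windows-root", path, line))
    # Several names sunk to one non-loopback address is the rogue-AV pattern
    # seen in this thread: the fake "security" sites and the real ones alike.
    for ip, hosts in hosts_by_ip.items():
        if ip not in LOOPBACK and len(hosts) > 1:
            findings.append(("hosts-shared-sink", f"{ip} <- {', '.join(hosts)}", ""))
    return findings


def summarize(findings):
    """Count findings per rule."""
    return Counter(rule for rule, _, _ in findings)


if __name__ == "__main__":
    for rule, detail, _ in triage(SAMPLE_LOG):
        print(f"{rule:24} {detail}")
```

Run against the sample, the script reproduces the admin's fix list minus the R3 URL hook (which no rule here covers) and leaves the Adobe BHO and the NVIDIA Run entry alone; the Windows-root rule is deliberately narrow so that system32 entries are not all flagged.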

Re: Nasty WinPC Virus
Malwarebytes will not install; it stops and does not finish about halfway through the installation.

Re: Nasty WinPC Virus
Hello.


  1. Open My Computer.
  2. Go to Tools > Folder Options.
  3. Select the View tab.
  4. Scroll down to Hidden files and folders.
  5. Select Show hidden files and folders.
  6. Uncheck (untick) Hide extensions of known file types.
  7. Uncheck (untick) Hide protected operating system files (Recommended).
  8. Click Yes when prompted.
  9. Click OK.
  10. Close My Computer.

Delete the following files:
C:\WINDOWS\system32\iehelper.dll
C:\WINDOWS\sysguard.exe
C:\WINDOWS\ieocx.dll
C:\Documents and Settings\Adam Lyons\Application Data\winav.exe


  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    [screenshot: ComboFix download dialog in Firefox]

    [screenshot: renaming ComboFix to Combo-Fix in the save dialog]

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV. (Symantec Antivirus)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    [screenshot: ComboFix prompt to install the Recovery Console]

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    [screenshot: prompt asking whether to continue the malware scan]

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Re: Nasty WinPC Virus
OK.
C:\WINDOWS\system32\iehelper.dll
C:\WINDOWS\ieocx.dll

Were not in the specified files. The other two were deleted.

I downloaded Combofix but it will not install either, the running icon flashes on then leaves and nothing happens...

BTW, I have lost internet on the other computer, so I am downloading on my daughter's computer and transferring the files with a flash card.

Re: Nasty WinPC Virus
Hold on, I didn't change the name; redownloading again...

Re: Nasty WinPC Virus
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Adam Lyons\Application Data\Zango
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\1.sdf
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\1037777.sdf
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\1066422.sdf
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\221540.sdf
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\2883915.sdf
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\3702929.sdf
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\625696.sdf
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\domains.txt
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\1382
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\15039
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\20898
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\25469
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\281064
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\286256
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\3338
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\34150
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\35015
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\35047
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\371724
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\39245
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\4382
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\475788
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\523861
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\529505
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\57918
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\64434
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\64517
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\66836
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\67226
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\738022
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\748893
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\749354
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\79972
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\79989
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\85307
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\93921
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\99795
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\dynamic\ustat\35cc.dat
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\btntrans.idx
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\btntrans1.dat
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\buttondir.txt
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\components.cdf
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\cursors.res
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_1000.res
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_2000.res
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_3000.res
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_bar.res
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_bbar1.res
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_logos.res
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_other.res
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\d_icons_weather.res
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\default.cdf
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\Default_511745-514279.mnu
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\Default_bidzC_ZT_IE-ca.mnu
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\Default_bidzC_ZT_IE-us.mnu
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\Default_categorize.mnu
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\Default_comparison.mnu
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\Default_explorer-Mails.mnu
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\Default_explorer-people.mnu
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\Default_favorites.mnu
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\Default_Games.mnu
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\Default_Hide.mnu
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\Default_hotbarcom.mnu
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\Default_Hotmail.mnu
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\Default_hsskin.mnu
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\Default_jemster.mnu
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\Default_jemsterie.mnu
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\Default_jemsteruk.mnu
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\Default_jobsearch.mnu
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\Default_Mails.mnu
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\Default_MobileSidewalk.mnu
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\Default_new.mnu
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\Default_premium.mnu
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\Default_reun.mnu
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\Default_ringtones.mnu
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\Default_SearchBoxTrapper.mnu
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\Default_searchfor.mnu
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\Default_searchgo.mnu
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\Default_weather.mnu
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\Default_yellowpages.mnu
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\email-def-511724-548964.mnu
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\email-def-511724-9595.mnu
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\email-t1-bg.res
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\icons2.res
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\ie_games_icon.res
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\ie_video.res
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\keywords.idx
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\keywords1.dat
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\layout.cdf
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\linkpathlegal.txt
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\progress.res
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\s_icons_buttons.res
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\sales_buttons.res
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\t2_bg.res
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\theweb.mnu
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\top7.cdf
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\Top7_theweb.mnu
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\tsd_bg.res
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\zango_btn.res
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\1\zango_ie_menu.res
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans.xip
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans1.xip
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\DownLoad\buttondir.xip
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\DownLoad\cursors.xip
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_1000.xip
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_2000.xip
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_3000.xip
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bar.xip
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bbar1.xip
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_logos.xip
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_other.xip
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_weather.xip
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\DownLoad\default.xip
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\DownLoad\email-t1-bg.xip
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\DownLoad\icons2.xip
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_games_icon.xip
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_video.xip
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords.xip
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords1.xip
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\DownLoad\layout.xip
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\DownLoad\linkpathlegal.xip
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\DownLoad\progress.xip
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\DownLoad\s_icons_buttons.xip
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\DownLoad\sales_buttons.xip
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\DownLoad\samplegroups2.txt
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\DownLoad\samplegroups2.xip
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\DownLoad\t2_bg.xip
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\DownLoad\top7.xip
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\DownLoad\tsd_bg.xip
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\DownLoad\zango_btn.xip
c:\documents and settings\Adam Lyons\Application Data\Zango\v3.0\Zango\static\DownLoad\zango_ie_menu.xip
c:\documents and settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Application Data\ZangoSA
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSA.dat
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSA_kyf.dat
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSAAbout.mht
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSAau.dat
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSAEULA.mht

Re: Nasty WinPC Virus

C:\smp.bat
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\drivers\UACmksjrumxnirftew.sys
c:\windows\system32\UACgjfevqfnyxwtccf.dat
c:\windows\system32\UACguoqrgamndecvox.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjkdltbktquqlmbn.log
c:\windows\system32\UAClnnucumkguwweaf.dll
c:\windows\system32\UACpjxbsgtbjoeslel.log
c:\windows\system32\UACpqldaplwkkytpso.dll
c:\windows\system32\UACqxerhhtxukycyes.dll
c:\windows\system32\UACuapqdtbcojwpcvt.dll
c:\windows\system32\UACuunhaskxotoopkl.log

----- BITS: Possible infected sites -----

hxxp://softwaredownloadcentercom.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-04-19 to 2009-05-19 )))))))))))))))))))))))))))))))
.

2009-05-19 00:59 . 2009-05-19 00:59 -------- d-----w c:\documents and settings\Administrator.ADAMSCOMPUTER\Application Data\U3
2009-05-19 00:21 . 2009-05-19 00:21 -------- d-----w c:\program files\Trend Micro
2009-05-19 00:15 . 2009-05-19 00:15 -------- d-sh--w c:\documents and settings\Administrator\PrivacIE
2009-05-19 00:14 . 2009-05-19 00:14 -------- d-sh--w c:\documents and settings\Administrator\IETldCache
2009-05-18 23:35 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-18 23:35 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-18 23:35 . 2009-05-18 23:35 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-18 23:35 . 2009-05-19 00:48 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-18 22:57 . 2009-05-18 22:57 -------- d-----w c:\documents and settings\Adam Lyons\.housecall6.6
2009-05-18 22:56 . 2009-05-18 22:56 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-17 18:10 . 2009-05-17 18:10 191 ----a-w c:\documents and settings\Adam Lyons\Application Data\asd.bat
2009-05-17 18:10 . 2009-05-17 18:10 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-05-13 04:50 . 2009-05-13 04:50 114688 ----a-w c:\windows\system32\OpenAL32.dll
2009-05-13 04:50 . 2009-05-13 04:50 409600 ----a-w c:\windows\system32\wrap_oal.dll
2009-05-13 04:49 . 2005-06-27 10:37 133632 ----a-r c:\windows\system32\CtDvInst.dll
2009-05-13 04:49 . 2009-05-13 04:49 -------- d-----w c:\windows\system32\Data
2009-05-13 04:49 . 2005-06-15 03:07 11264 ----a-w c:\windows\INRES.DLL
2009-05-13 04:48 . 2009-05-13 04:48 -------- d-----w c:\program files\RocketFish
2009-05-13 04:48 . 2009-05-13 04:48 -------- d-----w c:\program files\Creative
2009-05-05 03:40 . 2009-05-05 03:40 -------- d-----w c:\program files\Common Files\DirectX
2009-05-05 03:38 . 2008-09-27 07:00 118176 ----a-w c:\windows\patchw.dll
2009-05-05 03:38 . 2008-09-27 07:00 230752 ----a-w c:\windows\patchw32.dll
2009-05-05 03:31 . 2009-05-05 03:31 -------- d-----w c:\program files\Outspark
2009-05-05 01:34 . 2009-05-05 01:34 -------- d-sh--w c:\documents and settings\Adam Lyons\PrivacIE
2009-05-05 01:33 . 2009-05-05 01:33 -------- d-sh--w c:\documents and settings\Adam Lyons\IETldCache
2009-05-05 01:30 . 2009-05-05 01:30 -------- d-----w c:\windows\ie8updates
2009-05-05 01:28 . 2009-05-05 01:28 -------- dc-h--w c:\windows\ie8
2009-05-05 00:58 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-05-04 23:23 . 2009-05-04 23:23 -------- d-----w c:\documents and settings\Adam Lyons\Application Data\MSNInstaller
2009-05-04 22:36 . 2005-02-18 23:40 45056 ------w c:\windows\system32\KmRemove.exe
2009-05-04 22:36 . 2009-05-04 22:36 -------- d-----w c:\program files\HP Wireless Keyboard
2009-05-02 06:22 . 2008-03-19 02:54 151552 ------r c:\windows\system32\xRaidAPI.dll
2009-05-02 06:22 . 2007-11-19 03:28 1966080 ------r c:\windows\system32\xRaidSetup.exe
2009-05-02 06:22 . 2009-05-02 06:22 -------- d-----w C:\RaidTool
2009-05-02 06:22 . 2007-11-22 22:55 105088 ----a-w c:\windows\system32\drivers\Rtenicxp.sys
2009-05-02 06:22 . 2008-08-07 03:38 9728 ----a-r c:\windows\system32\RtNicProp32.dll
2009-05-02 06:22 . 2008-07-31 02:21 79960 ----a-r c:\windows\system32\drivers\jraid.sys
2009-05-02 06:18 . 2009-05-02 06:18 319488 ----a-w c:\windows\HideWin.exe
2009-05-02 06:18 . 2008-07-15 05:58 524288 ------r c:\windows\RtlExUpd.dll
2009-05-01 16:53 . 2004-08-04 06:08 20480 ----a-w c:\windows\system32\drivers\usbuhci.sys
2009-05-01 16:52 . 2004-08-04 05:59 5504 ----a-w c:\windows\system32\drivers\intelide.sys
2009-05-01 16:22 . 2008-08-19 02:56 53248 ----a-r c:\windows\system32\CSVer.dll
2009-05-01 16:22 . 2009-05-01 16:22 -------- d-----w c:\program files\Intel
2009-05-01 16:22 . 2009-05-01 16:22 -------- d-----w C:\Intel
2009-05-01 16:21 . 2008-05-02 22:08 146528 ----a-w c:\windows\system32\dvmurl.dll
2009-05-01 16:21 . 2009-05-01 16:21 -------- d-----w c:\program files\Browser Configuration Utility
2009-05-01 16:21 . 2009-05-01 16:21 -------- d-----w c:\program files\GIGABYTE
2009-05-01 16:20 . 2009-05-19 02:02 16608 ----a-w c:\windows\gdrv.sys

Re: Nasty WinPC Virus

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-19 01:40 . 2009-05-19 01:40 0 ----a-w C:\LOG5.tmp
2009-05-19 01:25 . 2009-05-19 01:25 0 ----a-w C:\LOG4.tmp
2009-05-19 01:10 . 2009-05-19 01:10 0 ----a-w C:\LOG3.tmp
2009-05-19 00:59 . 2009-05-19 00:59 0 ----a-w C:\LOG6E.tmp
2009-05-19 00:55 . 2006-03-17 10:45 -------- d-----w c:\program files\Common Files\Adobe
2009-05-19 00:27 . 2009-05-19 00:27 0 ----a-w C:\LOG2.tmp
2009-05-18 23:32 . 2005-12-05 02:53 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-18 22:56 . 2006-06-30 02:37 -------- d-----w c:\program files\Java
2009-05-17 03:03 . 2005-10-06 01:20 -------- d-----w c:\program files\World of Warcraft
2009-05-13 04:50 . 2005-10-04 22:25 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-04 23:47 . 2005-10-06 01:26 -------- d-----w c:\program files\Common Files\Blizzard Entertainment
2009-05-03 00:53 . 2009-05-03 00:53 0 ----a-w C:\LOG2B.tmp
2009-05-02 06:22 . 2009-05-02 06:19 -------- d-----w c:\program files\Realtek
2009-04-12 05:31 . 2009-04-12 05:31 -------- d-----w c:\program files\iTunes
2009-04-12 05:31 . 2009-04-12 05:31 -------- d-----w c:\program files\iPod
2009-04-12 05:31 . 2007-09-05 02:32 -------- d-----w c:\program files\Common Files\Apple
2009-03-19 23:32 . 2008-01-29 19:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-08 11:34 . 2005-10-04 21:56 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2005-10-04 21:56 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2005-10-04 21:56 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2005-10-04 21:56 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2005-10-04 21:56 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2005-10-04 21:56 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:31 . 2005-10-04 21:56 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2005-10-04 21:56 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2005-10-04 21:56 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2005-10-04 21:56 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:44 . 2005-10-04 21:56 283648 ----a-w c:\windows\system32\pdh.dll

Re: Nasty WinPC Virus

------- Sigcheck -------

[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
[-] 2004-08-04 07:56 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\system32\svchost.exe
[-] 2004-08-04 07:56 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\system32\dllcache\svchost.exe

[-] 2005-03-02 18:19 577024 1800F293BCCC8EDE8A70E12B88D80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2007-03-08 15:48 578048 7AA4F6C00405DFC4B70ED4214E7D687B c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2004-08-04 07:56 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\$NtUninstallKB890859$\user32.dll
[-] 2005-03-02 18:09 577024 DE2DB164BBB35DB061AF0997E4499054 c:\windows\$NtUninstallKB925902$\user32.dll
[-] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\user32.dll
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\system32\user32.dll
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\system32\dllcache\user32.dll

[-] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ws2_32.dll
[-] 2004-08-04 07:56 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\system32\ws2_32.dll
[-] 2004-08-04 07:56 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\system32\dllcache\ws2_32.dll

[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[-] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2004-08-04 06:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB884020$\tcpip.sys
[-] 2004-08-13 22:50 359040 4092C56967175F009DC8458DC434358E c:\windows\$NtUninstallKB893066$\tcpip.sys
[-] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$NtUninstallKB913446$\tcpip.sys
[-] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
[-] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\system32\drivers\tcpip.sys

[-] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
[-] 2004-08-04 07:56 502272 01C3346C241652F43AED8E2149881BFE c:\windows\system32\winlogon.exe
[-] 2004-08-04 07:56 502272 01C3346C241652F43AED8E2149881BFE c:\windows\system32\dllcache\winlogon.exe

[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
[-] 2004-08-04 06:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\system32\dllcache\ndis.sys
[-] 2004-08-04 06:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\system32\drivers\ndis.sys

[-] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ip6fw.sys
[-] 2004-08-04 06:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\system32\dllcache\ip6fw.sys
[-] 2004-08-04 06:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\system32\drivers\ip6fw.sys

[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\explorer.exe
[-] 2004-08-04 07:56 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtUninstallKB884883$\explorer.exe
[-] 2005-04-07 09:33 1032192 45757077A47C68A603A79B03A1A836AB c:\windows\$NtUninstallKB938828$\explorer.exe
[-] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\system32\dllcache\explorer.exe

[-] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe
[-] 2004-08-04 07:56 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\system32\lsass.exe
[-] 2004-08-04 07:56 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\system32\dllcache\lsass.exe

[-] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe
[-] 2004-08-04 07:56 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\system32\ctfmon.exe
[-] 2004-08-04 07:56 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\system32\dllcache\ctfmon.exe

[-] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2004-08-04 07:56 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\$NtUninstallKB896423$\spoolsv.exe
[-] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\spoolsv.exe
[-] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\system32\spoolsv.exe
[-] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\system32\dllcache\spoolsv.exe

[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
[-] 2004-08-04 07:56 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\system32\userinit.exe
[-] 2004-08-04 07:56 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\system32\dllcache\userinit.exe

[-] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll
[-] 2004-08-04 07:56 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\system32\termsrv.dll
[-] 2004-08-04 07:56 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\system32\dllcache\termsrv.dll

[-] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\powrprof.dll
[-] 2004-08-04 07:56 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\system32\powrprof.dll
[-] 2004-08-04 07:56 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\system32\dllcache\powrprof.dll

[-] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\imm32.dll
[-] 2004-08-04 07:56 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\system32\imm32.dll
[-] 2004-08-04 07:56 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\system32\dllcache\imm32.dll

[-] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sfcfiles.dll
[-] 2004-08-04 07:56 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\system32\sfcfiles.dll
[-] 2004-08-04 07:56 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\system32\dllcache\sfcfiles.dll

Re: Nasty WinPC Virus

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2002-12-03 49152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="]" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-25 13529088]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-12-10 139264]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2004-04-07 172032]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-07-14 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-07-14 659456]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-18 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-25 86016]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-11-19 1966080]
"BtcMaestro"="c:\program files\HP Wireless Keyboard\KMaestro.exe" [2005-02-21 245760]
"CTSysVol"="c:\program files\RocketFish\RF5.1\Surround Mixer\CTSysVol.exe" [2007-09-05 57344]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-06-25 1630208]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SoundMan.exe [2008-06-18 77824]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2008-07-16 65536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\digital imaging\bin\hpqtra08.exe [2004-5-28 241664]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.7.1.4695-to-1.8.0-enUS-downloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [5/1/2009 9:21 AM 68136]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/11/2007 5:07 AM 24652]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 XDva248;XDva248;\??\c:\windows\system32\XDva248.sys --> c:\windows\system32\XDva248.sys [?]
S3 XDva273;XDva273;\??\c:\windows\system32\XDva273.sys --> c:\windows\system32\XDva273.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{74CC49F7-EB32-4A08-B204-948962A6E3DB} - (no file)
WebBrowser-{07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)
HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.worldofwarcraft.com/index.xml
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-18 19:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-379768361-2182499166-620149785-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3348)
c:\windows\system32\nview.dll
c:\program files\HP Wireless Keyboard\HidKeybd.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-05-19 19:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-19 02:05

Pre-Run: 30,530,764,800 bytes free
Post-Run: 31,740,833,792 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

434 --- E O F --- 2009-05-13 06:06
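A small triage script for the Sigcheck and Security Center parts of the ComboFix log above, added here as an example (it is not ComboFix's own code or anything posted in this thread). The sample lines are copied from the log except the two tcpip.sys lines, which are constructed to show a mismatch between a live driver and its dllcache copy; all function and field names are my own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample taken from the ComboFix log posted above, except the two tcpip.sys
# lines, which are CONSTRUCTED to show a live file whose hash differs from the
# Windows File Protection copy in system32\dllcache.
SAMPLE_LOG = r"""
------- Sigcheck -------

[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
[-] 2004-08-04 07:56 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\system32\svchost.exe
[-] 2004-08-04 07:56 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\system32\dllcache\svchost.exe

[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\explorer.exe
[-] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\system32\dllcache\explorer.exe

[-] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\system32\dllcache\tcpip.sys
[-] 2009-05-18 23:00 360960 DEADBEEFDEADBEEFDEADBEEFDEADBEEF c:\windows\system32\drivers\tcpip.sys

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
"""

# One Sigcheck line: [flag] date time size MD5 path.  The flag column is kept
# verbatim and not interpreted here.
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})"
    r"\s+(?P<size>\d+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>.+?)\s*$"
)
REG_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')
SECURITY_CENTER_KEY = "[hkey_local_machine\\software\\microsoft\\security center]"


@dataclass(frozen=True)
class SigEntry:
    flag: str
    size: int
    md5: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_sigcheck(text: str) -> list[SigEntry]:
    """Pull every Sigcheck line out of a ComboFix log; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            entries.append(SigEntry(m["flag"], int(m["size"]), m["md5"].upper(), m["path"]))
    return entries


def compare_live_vs_cache(entries: list[SigEntry]) -> dict[str, tuple[str | None, str | None, bool]]:
    """Map file name -> (live MD5, dllcache MD5, match).

    Archived copies (SoftwareDistribution downloads, $hf_mig$ and
    $NtUninstall* folders) are skipped: they are older or newer versions kept
    for rollback, so differing from them is expected.  A live file whose hash
    differs from the dllcache copy was changed without Windows File Protection
    updating its cache and deserves a closer look."""
    live: dict[str, str] = {}
    cache: dict[str, str] = {}
    for e in entries:
        p = e.path.lower()
        if "\\dllcache\\" in p:
            cache[e.name] = e.md5
        elif "softwaredistribution" in p or "$" in p:
            continue
        else:
            live[e.name] = e.md5
    result = {}
    for name in sorted(set(live) | set(cache)):
        l, c = live.get(name), cache.get(name)
        result[name] = (l, c, l is not None and l == c)
    return result


def mismatches(result: dict[str, tuple[str | None, str | None, bool]]) -> list[str]:
    """Names whose live and dllcache copies differ or where one copy is missing."""
    return [name for name, (_, _, ok) in result.items() if not ok]


def security_center_flags(text: str) -> list[str]:
    """Names of Security Center notification switches set to 1 in the REGEDIT4 dump.

    Only the Security Center key itself is inspected; values under its
    Monitoring sub-keys belong to the listed products and are left alone."""
    found = []
    in_key = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_key = s.lower() == SECURITY_CENTER_KEY
            continue
        m = REG_DWORD_RE.match(s) if in_key else None
        if m and int(m.group(2), 16) == 1:
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    report = compare_live_vs_cache(parse_sigcheck(SAMPLE_LOG))
    for name, (live_md5, cache_md5, ok) in report.items():
        print(f"{'OK  ' if ok else 'DIFF'} {name:14} live={live_md5} dllcache={cache_md5}")
    for flag in security_center_flags(SAMPLE_LOG):
        print(f"Security Center notification suppressed: {flag}")
```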

Re: Nasty WinPC Virus

Whew, that was a long text file...

Anything else I need to do?

Re: Nasty WinPC Virus

Hello.
That was a pretty nasty infection you got yourself; I'm sure ComboFix has helped some and you already notice a difference.
Next, let's see what's installed.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

............................................................................................

Site Admin / Security Administrator


Re: Nasty WinPC Virus

Like I said on the original topic... very nasty. I am away from my son's computer now. I will re-run HijackThis and post later. The computer is running much, much better. I do have another question. My daughter said that all she did was upload a couple of pictures to her MySpace account. She promised me that she did not click on anything. Is it possible to get an infection like this by only uploading a photo onto MySpace?

One other question I have is what virus protection you would recommend that would do the job and not be so intrusive on the computer. This is a gaming machine...

Thanks...

Re: Nasty WinPC Virus

Hello.
I would recommend Avira, but let's finish up here before installing anything, because as soon as Avira is on the system it will only interfere with our work and cause more problems before it does any good.

It's very possible to get an infection from MySpace: malware writers put malicious scripts on their fake/hacked account pages so you visit and fall for them, and then your machine becomes part of their botnet attacking other machines. If your daughter uploaded a file on a fake website, or a part of MySpace with a malicious script on it, then that's how it happened; you don't actually have to download or run anything to become infected.

Post the log when you're ready, I should be here.

............................................................................................

Site Admin / Security Administrator


Re: Nasty WinPC Virus

It took me a few days to get to my son's computer, but here is the log from HijackThis...

C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.worldofwarcraft.com/index.xml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GEST] ]
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\HP Wireless Keyboard\KMaestro.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\RocketFish\RF5.1\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.pcclub.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 10: (no name) - http://www.worldofwarcraft.com/contests/07-10-pumpkin/images/ss10-thumb.jpg
O24 - Desktop Component 11: (no name) - http://www.worldofwarcraft.com/contests/07-10-pumpkin/images/ss17-thumb.jpg
O24 - Desktop Component 12: (no name) - http://www.worldofwarcraft.com/contests/07-10-pumpkin/images/ss16-thumb.jpg
O24 - Desktop Component 13: (no name) - http://www.worldofwarcraft.com/contests/07-10-pumpkin/images/ss23-thumb.jpg
O24 - Desktop Component 14: (no name) - http://www.worldofwarcraft.com/contests/07-10-pumpkin/images/ss14-thumb.jpg
O24 - Desktop Component 15: (no name) - http://www.worldofwarcraft.com/contests/07-10-pumpkin/images/ss11-thumb.jpg

--
End of file - 8273 bytes

Re: Nasty WinPC Virus

Hello.
Wrong type of log; the instructions I posted would have generated an uninstall list, that's just a normal HijackThis system scan.

Re-read my instructions here:
http://www.geekpolice.net/virus-spyware-malware-removal-f11/nasty-winpc-virus-t9569-15.htm#60066


Re: Nasty WinPC Virus
Sorry about that...Here you go..

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe® Photoshop® Album Starter Edition 3.0
Apple Mobile Device Support
Apple Software Update
Athlon 64 Processor Driver
AviSynth 2.5
Browser Configuration Utility
Critical Update for Windows Media Player 11 (KB959772)
Energy Saver Advance B8.1015.1
Fiesta
GameSpy Arcade
Gigabyte Raid Configurer
Google Updater
High Definition Audio Driver Package - KB888111
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB889527)
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB903234)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
Hoyle Casino 2004
HP Image Zone 4.0
HP Wireless Keyboard Driver V1.7 (2.0.W-127AU MUL)
iTunes
J2SE Runtime Environment 5.0 Update 3
Java(TM) 6 Update 13
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows Journal Viewer
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Multimedia Card Reader
Music Rescue 3.1.6
Nero Suite
NVIDIA Drivers
Photosmart 320,370,7400,8100,8400 Series
Picasa 2
PowerDVD
PowerPacket Ethernet Adapter
QuickTime
Realtek AC'97 Audio
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
RocketFish 5.1
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB900930)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB963027)
Symantec KB-DocID:2003093015493306
Symantec Technical Support Web Controls
Turbo Tanks
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
URGE
Ventrilo Client
Ventrilo Server
Videora iPod classic Converter 3.07
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Virtools 3D Life Player
W Photo Studio
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Hotfix - KB895181
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB884020
Windows XP Hotfix - KB884883
Windows XP Hotfix - KB885222
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885626
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB886677
Windows XP Hotfix - KB886716
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888240
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Hotfix - KB896626
WordPerfect Office 12
World of Warcraft

Re: Nasty WinPC Virus
Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • J2SE Runtime Environment 5.0 Update 3
  • Symantec KB-DocID:2003093015493306
  • Symantec Technical Support Web Controls
  • Viewpoint Manager (Remove Only)
  • Viewpoint Media Player

Please install Avira antivirus otherwise you won't be protected.

1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

How is the machine running now?


Re: Nasty WinPC Virus
• Symantec KB-DocID:2003093015493306 is not listed in the add/remove list in the Control Panel.

The machine is running good. No slow downs or pop ups... thank you so much for all your help. I have cleaned out other systems, but this was a particularly nasty virus that was blocking everything that I knew how to do.

Re: Nasty WinPC Virus
Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio or Outpost.
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck.
