TratBHO

Cannot remove this. Below are the DSS notes:

Deckard's System Scanner v20071014.68
Run by YRyan on 2008-01-17 14:06:07
Computer is in Normal Mode.

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 4 Restore Point(s) --
4: 2008-01-17 19:06:45 UTC - RP950 - Deckard's System Scanner Restore Point
3: 2008-01-17 12:06:18 UTC - RP949 - Software Distribution Service 3.0
2: 2008-01-16 08:00:54 UTC - RP948 - Software Distribution Service 3.0
1: 2008-01-15 14:43:54 UTC - RP947 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 82% (more than 75%).
Total Physical Memory: 224 MiB (512 MiB recommended).
System Drive C: has 0.65 GiB (less than 15%) free.

-- HijackThis (run as YRyan.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:10:58 PM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\NVATray.exe
C:\Program Files\iWon\Messenger\bin\i1IMPipe.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iWon\Messenger\bin\i1IMPipe .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\KMaestro\KMaestro.exe
C:\Program Files\KMaestro\KMaestro .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Support.com\bin\tgcmd .exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp .exe
C:\Program Files\twc\medicsp2\bin\sprtcmd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\twc\medicsp2\bin\sprtcmd .exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\YRyan\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\YRyan.exe

Part 2:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.iwon.com/iwon-homepage/home.jhtml
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkjj.exe
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealOne Player\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\gebbcbx.dll
O2 - BHO: {aa889f5f-8726-7148-c094-32779f07b9cd} - {dc9b70f9-7723-490c-8417-6278f5f988aa} - C:\WINDOWS\system32\sytlpbak.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM..\Run: [iWon Messenger Pipe] C:\Program Files\iWon\Messenger\bin\i1IMPipe.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray /deaf
O4 - HKLM..\Run: [BtcMaestro] C:\Program Files\KMaestro\KMaestro.exe
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM..\Run: [mXB.exe] C:\windows\system32\mXB.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM..\Run: [ZangoOE] C:\Program Files\Zango\bin\10.1.181.0\OEAddOn.exe
O4 - HKLM..\Run: [ZangoSA] "C:\Program Files\Zango\bin\10.1.181.0\ZangoSA.exe"
O4 - HKLM..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM..\Run: [6cfe9fdd] rundll32.exe "C:\WINDOWS\system32\vyaenfmd.dll",b
O4 - HKLM..\Run: [medicsp2] C:\Program Files\twc\medicsp2\bin\sprtcmd.exe /P medicsp2
O4 - HKLM..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU..\Run: [WeatherDPA] "C:\Program Files\Zango\bin\10.1.181.0\Weather.exe" -auto
O4 - Startup: iWin Desktop Alerts.lnk = C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Travelogue 360 - Rome\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://aol.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinner.com/games/v50/pool/pool.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games - Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0642e5bee8eb0ff6a106/netzip/RdxIE601.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} (SpinTop Games Launcher) - http://aolsvc.aol.com/onlinegames/free-trial-mystery-pi-the-lottery-ticket/SpinTopGamesLauncher.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/cpbrkpie.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://download.games.yahoo.com/games/web_games/sony/bewitched/main.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/free-trial-text-express-2-deluxe/zylomplayer.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Christmasville\Images\armhelper.ocx
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games - Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/virtools/CacheManager.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (MSN Games - Backgammon) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
O20 - Winlogon Notify: gebbcbx - C:\WINDOWS\SYSTEM32\gebbcbx.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


End of file - 12065 bytes

You got hit pretty good. That’s only part of the DSS log or did you mean HJT?

No matter, go forward.

Open HJT, run a system scan only, check mark these lines if present

F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkjj.exe
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\gebbcbx.dll
O2 - BHO: {aa889f5f-8726-7148-c094-32779f07b9cd} - {dc9b70f9-7723-490c-8417-6278f5f988aa} - C:\WINDOWS\system32\sytlpbak.dll
O4 - HKLM..\Run: [6cfe9fdd] rundll32.exe "C:\WINDOWS\system32\vyaenfmd.dll",b
O20 - Winlogon Notify: gebbcbx - C:\WINDOWS\SYSTEM32\gebbcbx.dll

Close all other browsers/windows, click fix, close HJT.

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Fix the lines first, then run ComboFix and then do an HJT scan.

ComboFix 08-01-18.5 - YRyan 2008-01-18 17:47:03.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.31 [GMT -5:00]
Running from: C:\Documents and Settings\YRyan\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\gebbcbx.dll
C:\WINDOWS\system32\jjkkj.ini
C:\WINDOWS\system32\jjkkj.ini2
C:\WINDOWS\system32\jkkjj.dll
C:\WINDOWS\system32\koos.exe
C:\WINDOWS\system32\kprof
C:\WINDOWS\system32\poof
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete
.
---- Previous Run -------
.
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\PopSwatr\History\allowed
C:\Program Files\FunWebProducts\PopSwatr\History\notallow
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive9.dll
C:\Program Files\QdrModule
C:\Program Files\QdrModule\QdrModule11 .exe
C:\Program Files\QdrModule\QdrModule11.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\QdrPack11 .exe
C:\Program Files\QdrPack\QdrPack11.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files.\hotbar.inf
C:\WINDOWS\system32\_000004_.tmp.dll
C:\WINDOWS\system32\_000005_.tmp.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\_000009_.tmp.dll
C:\WINDOWS\system32\_000010_.tmp.dll
C:\WINDOWS\system32\_000011_.tmp.dll
C:\WINDOWS\system32\_000012_.tmp.dll
C:\WINDOWS\system32\_000013_.tmp.dll
C:\WINDOWS\system32\_000014_.tmp.dll
C:\WINDOWS\system32\_000015_.tmp.dll
C:\WINDOWS\system32\aauagjjb.dll
C:\WINDOWS\system32\acbpkffi.ini
C:\WINDOWS\system32\bjjgauaa.ini
C:\WINDOWS\system32\ceupspbu.dll
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\cuynjopg.dll
C:\WINDOWS\system32\debaohsf.dll
C:\WINDOWS\system32\dmfneayv.ini
C:\WINDOWS\system32\fshoabed.ini
C:\WINDOWS\system32\gebya.dll
C:\WINDOWS\system32\geeda.dll
C:\WINDOWS\system32\iffkpbca.dll
C:\WINDOWS\system32\jjkkj.ini
C:\WINDOWS\system32\jjkkj.ini2
C:\WINDOWS\system32\jkkjj.exe
C:\WINDOWS\system32\jkklk.dll
C:\WINDOWS\system32\lihxgyly.dll
C:\WINDOWS\system32\lqraavsj.dll
C:\WINDOWS\system32\mlljk.dll
C:\WINDOWS\system32\pmkji.dll
C:\WINDOWS\system32\ssqpp.dll
C:\WINDOWS\system32\sstts.dll
C:\WINDOWS\system32\sytlpbak.dll
C:\WINDOWS\system32\tlwgibbi.dll
C:\WINDOWS\system32\vmss
C:\WINDOWS\system32\vyaenfmd.dll
C:\WINDOWS\system32\xilhomwx.dll
C:\windows\xpupdate.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm

-------\nm

((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19 )))))))))))))))))))))))))))))))
.

2008-01-18 17:41 . 2008-01-18 17:41 3,584 --a------ C:\WINDOWS\system32\jkkjj.exe
2008-01-18 15:53 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-18 06:34 . 2008-01-18 06:41 d-------- C:\Program Files\Jigsaw Puzzle Platinum
2008-01-18 03:09 . 2006-08-21 04:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\SET136B.tmp
2008-01-18 03:09 . 2006-08-21 04:14 23,040 --------- C:\WINDOWS\system32\SET1369.tmp
2008-01-18 03:09 . 2006-08-21 04:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\SET136C.tmp
2008-01-18 03:09 . 2006-08-21 07:21 16,896 --------- C:\WINDOWS\system32\SET136A.tmp
2008-01-18 03:09 . 2006-08-21 07:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\SET136D.tmp
2008-01-18 02:06 . 2008-01-18 02:07 d-------- C:\Program Files\RealArcade
2008-01-17 17:40 . 2008-01-18 03:27 d-------- C:\Program Files\Mystery Case Files - Ravenhearst
2008-01-17 14:10 . 2008-01-17 14:10 d-------- C:\Program Files\Trend Micro
2008-01-17 13:56 . 2008-01-17 13:56 d-------- C:\Deckard
2008-01-17 08:06 . 2008-01-17 15:05 d-------- C:\Program Files\DreamDayFirstHome_at
2008-01-17 07:16 . 2006-08-21 04:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\SET1259.tmp
2008-01-17 07:16 . 2006-08-21 04:14 23,040 --a------ C:\WINDOWS\system32\SET1257.tmp
2008-01-17 07:16 . 2006-08-21 04:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\SET125A.tmp
2008-01-17 07:16 . 2006-08-21 07:21 16,896 --a------ C:\WINDOWS\system32\SET1258.tmp
2008-01-17 07:16 . 2006-08-21 07:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\SET125B.tmp
2008-01-16 03:03 . 2006-08-21 04:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\SET124B.tmp
2008-01-16 03:03 . 2006-08-21 04:14 23,040 --a------ C:\WINDOWS\system32\SET1249.tmp
2008-01-16 03:03 . 2006-08-21 04:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\SET124C.tmp
2008-01-16 03:03 . 2006-08-21 07:21 16,896 --a------ C:\WINDOWS\system32\SET124A.tmp
2008-01-16 03:03 . 2006-08-21 07:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\SET124D.tmp
2008-01-15 03:19 . 2006-08-21 04:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\SET1242.tmp
2008-01-15 03:19 . 2006-08-21 04:14 23,040 --a------ C:\WINDOWS\system32\SET123E.tmp
2008-01-15 03:19 . 2006-08-21 04:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\SET1243.tmp
2008-01-15 03:19 . 2006-08-21 07:21 16,896 --a------ C:\WINDOWS\system32\SET1241.tmp
2008-01-15 03:19 . 2006-08-21 07:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\SET1244.tmp
2008-01-15 01:48 . 2008-01-15 01:48 1,409 --a------ C:\WINDOWS\system32\tmpDE6B5.FOT
2008-01-15 01:48 . 2008-01-15 01:48 1,409 --a------ C:\WINDOWS\system32\tmp9F7A5.FOT
2008-01-15 01:48 . 2008-01-15 01:48 1,409 --a------ C:\WINDOWS\system32\tmp99095.FOT
2008-01-15 01:48 . 2008-01-15 01:48 1,409 --a------ C:\WINDOWS\system32\tmp6ADA5.FOT
2008-01-15 01:48 . 2008-01-15 01:48 1,409 --a------ C:\WINDOWS\system32\tmp166B5.FOT
2008-01-15 01:48 . 2008-01-15 01:48 1,409 --a------ C:\WINDOWS\system32\tmp124A5.FOT
2008-01-15 01:42 . 2008-01-15 01:47 d-------- C:\Program Files\Mystery Case Files - Huntsville
2008-01-14 05:56 . 2008-01-14 05:56 1,409 --a------ C:\WINDOWS\system32\tmpD3867.FOT
2008-01-14 05:56 . 2008-01-14 05:56 1,409 --a------ C:\WINDOWS\system32\tmpAC867.FOT
2008-01-14 05:55 . 2008-01-14 05:55 1,409 --a------ C:\WINDOWS\system32\tmpEBE27.FOT
2008-01-14 05:55 . 2008-01-14 05:55 1,409 --a------ C:\WINDOWS\system32\tmpA0C47.FOT
2008-01-14 05:55 . 2008-01-14 05:55 1,409 --a------ C:\WINDOWS\system32\tmp91A37.FOT
2008-01-14 05:55 . 2008-01-14 05:55 1,409 --a------ C:\WINDOWS\system32\tmp15B37.FOT
2008-01-14 05:44 . 2008-01-14 05:44 1,409 --a------ C:\WINDOWS\system32\tmpA8A66.FOT
2008-01-14 05:33 . 2008-01-14 05:33 1,409 --a------ C:\WINDOWS\system32\tmp3F00C.FOT
2008-01-14 05:33 . 2008-01-14 05:33 1,409 --a------ C:\WINDOWS\system32\tmp1510C.FOT
2008-01-14 05:32 . 2008-01-14 05:32 1,409 --a------ C:\WINDOWS\system32\tmpE15EB.FOT
2008-01-14 05:32 . 2008-01-14 05:32 1,409 --a------ C:\WINDOWS\system32\tmp9ADEB.FOT
2008-01-14 05:32 . 2008-01-14 05:32 1,409 --a------ C:\WINDOWS\system32\tmp7D5FB.FOT
2008-01-14 03:20 . 2006-08-21 04:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\SET122C.tmp
2008-01-14 03:20 . 2006-08-21 04:14 23,040 --a------ C:\WINDOWS\system32\SET122A.tmp
2008-01-14 03:20 . 2006-08-21 04:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\SET122D.tmp
2008-01-14 03:20 . 2006-08-21 07:21 16,896 --a------ C:\WINDOWS\system32\SET122B.tmp
2008-01-14 03:20 . 2006-08-21 07:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\SET122E.tmp
2008-01-13 07:09 . 2008-01-14 02:15 d-------- C:\Program Files\MonopolyHereNowEdition_at
2008-01-13 03:20 . 2006-08-21 04:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\SET11F5.tmp
2008-01-13 03:20 . 2006-08-21 04:14 23,040 --a------ C:\WINDOWS\system32\SET11F1.tmp
2008-01-13 03:20 . 2006-08-21 04:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\SET11F6.tmp
2008-01-13 03:20 . 2006-08-21 07:21 16,896 --a------ C:\WINDOWS\system32\SET11F4.tmp
2008-01-13 03:20 . 2006-08-21 07:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\SET11F7.tmp
2008-01-12 14:40 . 2008-01-13 03:18 d-------- C:\Documents and Settings\YRyan\Application Data\BloodTies
2008-01-12 10:04 . 2008-01-12 10:04 d-------- C:\Documents and Settings\All Users\Application Data\CA
2008-01-12 10:03 . 2008-01-12 10:16 d-------- C:\Program Files\CA
2008-01-12 08:53 . 2008-01-12 08:53 d-------- C:\Program Files\Common Files\SupportSoft
2008-01-12 08:52 . 2008-01-12 08:52 d-------- C:\Program Files\twc
2008-01-12 03:08 . 2006-08-21 04:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\SET1C94.tmp
2008-01-12 03:08 . 2006-08-21 04:14 23,040 --a------ C:\WINDOWS\system32\SET1C92.tmp
2008-01-12 03:08 . 2006-08-21 04:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\SET1C95.tmp
2008-01-12 03:08 . 2006-08-21 07:21 16,896 --a------ C:\WINDOWS\system32\SET1C93.tmp
2008-01-12 03:08 . 2006-08-21 07:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\SET1C96.tmp
2008-01-11 03:09 . 2006-08-21 04:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\SET11B6.tmp
2008-01-11 03:09 . 2006-08-21 04:14 23,040 --a------ C:\WINDOWS\system32\SET11AF.tmp
2008-01-11 03:09 . 2006-08-21 04:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\SET11B7.tmp
2008-01-11 03:09 . 2006-08-21 07:21 16,896 --a------ C:\WINDOWS\system32\SET11B5.tmp
2008-01-11 03:09 . 2006-08-21 07:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\SET11B8.tmp
2008-01-10 05:38 . 2008-01-10 07:35 d-------- C:\Program Files\HollyAChristmasStoryAT
2008-01-10 04:00 . 2006-08-21 04:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\SET1173.tmp
2008-01-10 04:00 . 2006-08-21 04:14 23,040 --a------ C:\WINDOWS\system32\SET116C.tmp
2008-01-10 04:00 . 2006-08-21 04:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\SET1174.tmp
2008-01-10 04:00 . 2006-08-21 07:21 16,896 --a------ C:\WINDOWS\system32\SET1172.tmp
2008-01-10 04:00 . 2006-08-21 07:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\SET1175.tmp
2008-01-09 03:07 . 2006-08-21 04:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\SET1152.tmp
2008-01-09 03:07 . 2006-08-21 04:14 23,040 --a------ C:\WINDOWS\system32\SET1150.tmp
2008-01-09 03:07 . 2006-08-21 04:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\SET1153.tmp
2008-01-09 03:07 . 2006-08-21 07:21 16,896 --a------ C:\WINDOWS\system32\SET1151.tmp
2008-01-09 03:07 . 2006-08-21 07:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\SET1154.tmp
2008-01-08 13:30 . 2008-01-08 13:30 193,880 -rah----- C:\WINDOWS\cpnprt2.cid
2008-01-08 08:03 . 2008-01-08 08:03 1,409 --a------ C:\WINDOWS\system32\tmpDA4BC.FOT
2008-01-08 08:03 . 2008-01-08 08:03 1,409 --a------ C:\WINDOWS\system32\tmpD22BC.FOT
2008-01-08 08:03 . 2008-01-08 08:03 1,409 --a------ C:\WINDOWS\system32\tmpAFFAC.FOT
2008-01-08 08:03 . 2008-01-08 08:03 1,409 --a------ C:\WINDOWS\system32\tmp7A5BC.FOT
2008-01-08 08:03 . 2008-01-08 08:03 1,409 --a------ C:\WINDOWS\system32\tmp5F5BC.FOT
2008-01-08 08:03 . 2008-01-08 08:03 1,409 --a------ C:\WINDOWS\system32\tmp4A3BC.FOT
2008-01-08 03:09 . 2006-08-21 04:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\SET1132.tmp
2008-01-08 03:09 . 2006-08-21 04:14 23,040 --a------ C:\WINDOWS\system32\SET112F.tmp
2008-01-08 03:09 . 2006-08-21 04:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\SET1134.tmp
2008-01-08 03:09 . 2006-08-21 07:21 16,896 --a------ C:\WINDOWS\system32\SET1131.tmp
2008-01-08 03:09 . 2006-08-21 07:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\SET1135.tmp
2008-01-08 01:27 . 2008-01-08 01:27 d-------- C:\Documents and Settings\YRyan\Application Data\Eyeblaster
2008-01-07 03:34 . 2006-08-21 04:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\SET1211.tmp
2008-01-07 03:34 . 2006-08-21 04:14 23,040 --a------ C:\WINDOWS\system32\SET120F.tmp
2008-01-07 03:34 . 2006-08-21 04:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\SET1212.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 22:38 --------- d-----w C:\Program Files\QuickTime
2008-01-18 22:38 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-01-18 22:36 --------- d-----w C:\Program Files\KMaestro
2008-01-18 22:36 --------- d-----w C:\Program Files\iTunes
2008-01-18 20:09 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-18 20:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-01-18 08:54 --------- d--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-15 06:38 --------- d-----w C:\Program Files\Yahoo! Games
2008-01-14 17:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\SpinTop Games
2008-01-14 10:24 --------- d-----w C:\Program Files\AOL Games
2008-01-14 07:33 --------- d-----w C:\Program Files\MSN Games
2008-01-14 07:25 --------- d-----w C:\Program Files\Road Runner
2008-01-14 07:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-12 15:16 --------- d-----w C:\Program Files\Common Files\Scanner
2008-01-12 00:00 --------- d-----w C:\Program Files\Support.com
2008-01-11 23:56 --------- d-----w C:\Program Files\BroadJump
2008-01-10 16:02 --------- d-----w C:\Documents and Settings\YRyan\Application Data\PlayFirst
2008-01-10 16:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-01-04 20:43 --------- d-----w C:\Documents and Settings\YRyan\Application Data\iWin
2008-01-04 19:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\iWin Games
2007-12-31 13:14 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-21 13:08 --------- d-----w C:\Program Files\Mortimer Beckett And The Secrets Of Spooky Manor
2007-12-17 08:58 --------- d-----w C:\Program Files\Hidden Expedition - Everest
2007-12-14 19:12 --------- d-----w C:\Program Files\Coupons
2007-12-08 12:06 --------- d-----w C:\Documents and Settings\YRyan\Application Data\Flood Light Games
2007-12-08 12:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Flood Light Games
2007-12-04 13:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\SpinTopV1004
2007-12-04 11:47 --------- d-----w C:\Program Files\Mystery Case Files Ravenhearst
2007-12-04 11:47 --------- d-----w C:\Program Files\Mystery Case Files Huntsville
2007-12-04 11:45 --------- d-----w C:\Program Files\Alawar
2007-12-03 07:37 --------- d-----w C:\Documents and Settings\YRyan\Application Data\SpinTop
2007-12-01 18:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Christmasville
2007-11-29 22:55 --------- d-----w C:\Documents and Settings\YRyan\Application Data\Big Fish Games
2003-11-26 23:07 28,546,503 -c--a-w C:\Program Files\Medic402.exe
.

----a-w            63,712 2008-01-18 22:35:33  C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
----a-w            39,792 2008-01-18 22:35:34  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w            75,392 2008-01-18 22:35:31  C:\Program Files\Alwil Software\Avast4\ashDisp .exe
----a-w           368,706 2008-01-03 07:52:22  C:\Program Files\BroadJump\Client Foundation\CFD .exe
----a-w            14,088 2008-01-18 22:35:36  C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader .exe
----a-w           177,416 2008-01-18 22:35:37  C:\Program Files\CA\CA Internet Security Suite\cctray\cctray .exe
----a-w           185,896 2008-01-18 22:35:32  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w            68,856 2008-01-18 22:35:38  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w           278,528 2008-01-18 22:35:29  C:\Program Files\iTunes\iTunesHelper .exe
----a-w            16,384 2008-01-18 22:35:22  C:\Program Files\iWon\Messenger\bin\i1IMPipe .exe
----a-w           132,496 2008-01-18 22:35:25  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w           159,744 2008-01-18 22:35:26  C:\Program Files\KMaestro\KMaestro .exe
----a-w           473,928 2008-01-18 22:35:32  C:\Program Files\Microsoft AntiSpyware\gcasServ .exe
----a-w           448,000 2008-01-16 23:24:03  C:\Program Files\QuickTime\qttask                       .exe
----a-w           448,000 2008-01-15 21:49:27  C:\Program Files\QuickTime\qttask                      .exe
----a-w           448,000 2008-01-14 16:18:22  C:\Program Files\QuickTime\qttask                     .exe
----a-w           448,000 2008-01-14 07:43:54  C:\Program Files\QuickTime\qttask                    .exe
----a-w           448,000 2008-01-14 06:26:33  C:\Program Files\QuickTime\qttask                   .exe
----a-w           112,128 2008-01-13 22:21:47  C:\Program Files\QuickTime\qttask                  .exe
----a-w           448,000 2008-01-12 20:27:41  C:\Program Files\QuickTime\qttask                 .exe
----a-w           448,000 2008-01-12 16:30:59  C:\Program Files\QuickTime\qttask                .exe
----a-w           448,000 2008-01-12 13:07:57  C:\Program Files\QuickTime\qttask               .exe
----a-w           448,000 2008-01-09 08:31:45  C:\Program Files\QuickTime\qttask              .exe
----a-w           448,000 2008-01-05 21:47:34  C:\Program Files\QuickTime\qttask             .exe
----a-w           448,000 2008-01-05 05:55:55  C:\Program Files\QuickTime\qttask            .exe
----a-w           448,000 2008-01-03 13:04:15  C:\Program Files\QuickTime\qttask           .exe
----a-w           448,000 2008-01-03 11:08:19  C:\Program Files\QuickTime\qttask          .exe
----a-w           448,000 2008-01-03 07:48:46  C:\Program Files\QuickTime\qttask         .exe
----a-w           448,000 2008-01-02 18:22:40  C:\Program Files\QuickTime\qttask        .exe
----a-w           448,000 2008-01-02 11:43:44  C:\Program Files\QuickTime\qttask       .exe
----a-w           448,000 2008-01-01 23:16:51  C:\Program Files\QuickTime\qttask      .exe
----a-w           448,000 2008-01-01 09:21:18  C:\Program Files\QuickTime\qttask     .exe
----a-w           448,000 2007-12-31 07:56:07  C:\Program Files\QuickTime\qttask    .exe
----a-w           448,000 2007-12-30 18:34:31  C:\Program Files\QuickTime\qttask   .exe
----a-w           448,000 2007-12-30 14:41:53  C:\Program Files\QuickTime\qttask  .exe
----a-w           448,000 2007-12-30 13:39:29  C:\Program Files\QuickTime\qttask .exe
----a-w         1,843,200 2008-01-18 22:35:40  C:\Program Files\Support.com\bin\tgcmd .exe
----a-w           198,184 2008-01-18 22:35:37  C:\Program Files\twc\medicsp2\bin\sprtcmd .exe
----a-w            15,360 2008-01-16 23:26:24  C:\WINDOWS\system32\ctfmon .exe

– Snapshot reset to current date –
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-18 17:36 3584]
"Aim6"=""
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
"WeatherDPA"="C:\Program Files\Zango\bin\10.1.181.0\Weather.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk"
"nwiz"="nwiz.exe" [2002-05-23 23:42 372736 C:\WINDOWS\system32\nwiz.exe]
"NVIDIA nForce APU1 Utilities"="NVATray.exe" [2002-06-18 01:25 45056 C:\WINDOWS\system32\NVATray.exe]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe"
"iWon Messenger Pipe"="C:\Program Files\iWon\Messenger\bin\i1IMPipe.exe" [2008-01-18 17:36 3584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-18 17:36 3584]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2008-01-18 17:36 3584]
"BtcMaestro"="C:\Program Files\KMaestro\KMaestro.exe" [2008-01-18 17:36 3584]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe"
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u"
"mXB.exe"="C:\windows\system32\mXB.exe"
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe"
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-18 17:38 3584]
"ZangoOE"="C:\Program Files\Zango\bin\10.1.181.0\OEAddOn.exe"
"ZangoSA"="C:\Program Files\Zango\bin\10.1.181.0\ZangoSA.exe"
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2008-01-18 17:39 3584]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"medicsp2"="C:\Program Files\twc\medicsp2\bin\sprtcmd.exe" [2008-01-18 17:40 3584]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-01-18 17:41 3584]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2008-01-18 17:41 3584]

C:\Documents and Settings\YRyan\Start Menu\Programs\Startup
iWin Desktop Alerts.lnk - C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe [2008-01-04 14:51:33]

S2 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe [2004-08-04 02:56]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-18 20:21:03 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 19:56:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
Completion time: 2008-01-18 20:04:47 - machine was rebooted [YRyan]
ComboFix-quarantined-files.txt 2008-01-19 01:04:08
.
2008-01-18 08:29:57 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:49:07 PM, on 1/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\NVATray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.iwon.com/iwon-homepage/home.jhtml
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealOne Player\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [iWon Messenger Pipe] C:\Program Files\iWon\Messenger\bin\i1IMPipe.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray /deaf
O4 - HKLM\..\Run: [BtcMaestro] C:\Program Files\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [mXB.exe] C:\windows\system32\mXB.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZangoOE] C:\Program Files\Zango\bin\10.1.181.0\OEAddOn.exe
O4 - HKLM\..\Run: [ZangoSA] "C:\Program Files\Zango\bin\10.1.181.0\ZangoSA.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [medicsp2] C:\Program Files\twc\medicsp2\bin\sprtcmd.exe /P medicsp2
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [WeatherDPA] "C:\Program Files\Zango\bin\10.1.181.0\Weather.exe" -auto
O4 - Startup: iWin Desktop Alerts.lnk = C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Jigsaw Puzzle Platinum\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://aol.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinner.com/games/v50/pool/pool.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0642e5bee8eb0ff6a106/netzip/RdxIE601.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} (SpinTop Games Launcher) - http://aolsvc.aol.com/onlinegames/free-trial-mystery-pi-the-lottery-ticket/SpinTopGamesLauncher.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/cpbrkpie.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://download.games.yahoo.com/games/web_games/sony/bewitched/main.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/free-trial-text-express-2-deluxe/zylomplayer.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Christmasville\Images\armhelper.ocx
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/virtools/CacheManager.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (MSN Games – Backgammon) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


End of file - 10166 bytes

Did you just install a service pack? Lots of files in the last couple of weeks.

Okay there is quite a bit to do, so let’s start. This should help until I can get back.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt”. Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File:: C:\WINDOWS\system32\jkkjj.exe

RENV::

----a-w            63,712 2008-01-18 22:35:33  C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
----a-w            39,792 2008-01-18 22:35:34  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w            75,392 2008-01-18 22:35:31  C:\Program Files\Alwil Software\Avast4\ashDisp .exe
----a-w           368,706 2008-01-03 07:52:22  C:\Program Files\BroadJump\Client Foundation\CFD .exe
----a-w            14,088 2008-01-18 22:35:36  C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader .exe
----a-w           177,416 2008-01-18 22:35:37  C:\Program Files\CA\CA Internet Security Suite\cctray\cctray .exe
----a-w           185,896 2008-01-18 22:35:32  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w            68,856 2008-01-18 22:35:38  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w           278,528 2008-01-18 22:35:29  C:\Program Files\iTunes\iTunesHelper .exe
----a-w            16,384 2008-01-18 22:35:22  C:\Program Files\iWon\Messenger\bin\i1IMPipe .exe
----a-w           132,496 2008-01-18 22:35:25  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w           159,744 2008-01-18 22:35:26  C:\Program Files\KMaestro\KMaestro .exe
----a-w           473,928 2008-01-18 22:35:32  C:\Program Files\Microsoft AntiSpyware\gcasServ .exe
----a-w           448,000 2008-01-16 23:24:03  C:\Program Files\QuickTime\qttask                       .exe
----a-w           448,000 2008-01-15 21:49:27  C:\Program Files\QuickTime\qttask                      .exe
----a-w           448,000 2008-01-14 16:18:22  C:\Program Files\QuickTime\qttask                     .exe
----a-w           448,000 2008-01-14 07:43:54  C:\Program Files\QuickTime\qttask                    .exe
----a-w           448,000 2008-01-14 06:26:33  C:\Program Files\QuickTime\qttask                   .exe
----a-w           112,128 2008-01-13 22:21:47  C:\Program Files\QuickTime\qttask                  .exe
----a-w           448,000 2008-01-12 20:27:41  C:\Program Files\QuickTime\qttask                 .exe
----a-w           448,000 2008-01-12 16:30:59  C:\Program Files\QuickTime\qttask                .exe
----a-w           448,000 2008-01-12 13:07:57  C:\Program Files\QuickTime\qttask               .exe
----a-w           448,000 2008-01-09 08:31:45  C:\Program Files\QuickTime\qttask              .exe
----a-w           448,000 2008-01-05 21:47:34  C:\Program Files\QuickTime\qttask             .exe
----a-w           448,000 2008-01-05 05:55:55  C:\Program Files\QuickTime\qttask            .exe
----a-w           448,000 2008-01-03 13:04:15  C:\Program Files\QuickTime\qttask           .exe
----a-w           448,000 2008-01-03 11:08:19  C:\Program Files\QuickTime\qttask          .exe
----a-w           448,000 2008-01-03 07:48:46  C:\Program Files\QuickTime\qttask         .exe
----a-w           448,000 2008-01-02 18:22:40  C:\Program Files\QuickTime\qttask        .exe
----a-w           448,000 2008-01-02 11:43:44  C:\Program Files\QuickTime\qttask       .exe
----a-w           448,000 2008-01-01 23:16:51  C:\Program Files\QuickTime\qttask      .exe
----a-w           448,000 2008-01-01 09:21:18  C:\Program Files\QuickTime\qttask     .exe
----a-w           448,000 2007-12-31 07:56:07  C:\Program Files\QuickTime\qttask    .exe
----a-w           448,000 2007-12-30 18:34:31  C:\Program Files\QuickTime\qttask   .exe
----a-w           448,000 2007-12-30 14:41:53  C:\Program Files\QuickTime\qttask  .exe
----a-w           448,000 2007-12-30 13:39:29  C:\Program Files\QuickTime\qttask .exe
----a-w         1,843,200 2008-01-18 22:35:40  C:\Program Files\Support.com\bin\tgcmd .exe
----a-w           198,184 2008-01-18 22:35:37  C:\Program Files\twc\medicsp2\bin\sprtcmd .exe
----a-w            15,360 2008-01-16 23:26:24  C:\WINDOWS\system32\ctfmon .exe

This will start ComboFix again. Close all browsers/windows first. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply, along with an HJT log.

Attaching logs is fine. Use the additional options button on the reply page.

Please submit these files for analysis

To submit a file to VirusTotal, please click on this link

www.virustotal.com

Copy and paste the following into the upload-a-file box (one at a time if more than one file is listed):

C:\Program Files\Medic402.exe

Scroll down a bit and click “send file”, wait for the results and post them in your next reply.
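As a defender-side check on the kind of entries this thread turns up (the "qttask .exe" variants in the ComboFix listing and the quoted O4 line, where whitespace is hidden before the extension), here is an added Python example; it is not part of the thread, nor ComboFix or HijackThis code. It parses ComboFix listing lines and HJT O4 lines, flags names with whitespace before the extension, and groups each flagged name with its legitimate spelling; the log lines inside it are constructed to mirror the thread's entries.

```python
"""Flag ComboFix file-listing and HijackThis O4 entries whose executable name hides
whitespace before the extension ("qttask .exe" beside the real qttask.exe), the
pattern this thread's listing and quoted O4 line show.

Added example for this thread; it is not ComboFix, HijackThis or forum code.
The sample lines at the bottom are constructed to mirror the thread's entries.
"""
import re
from collections import defaultdict
from typing import Optional

# ComboFix listing line:  ----a-w   448,000 2008-01-14 07:43:54  C:\...\qttask  .exe
COMBOFIX_LINE = re.compile(
    r"^[-a-z]{7}\s+(?P<size>[\d,]+)\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+(?P<path>.+?)\s*$"
)
# HJT O4 line; the backslash before ".." is optional because web extraction often drops it
HJT_O4_LINE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\?\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# Leading executable token of an unquoted command line (arguments may follow)
EXE_TOKEN = re.compile(r"^(?P<path>.+?\.(?:exe|com|scr|dll))(?:\s+.*)?$", re.IGNORECASE)
QUOTES = "\"\u201c\u201d"  # straight and curly double quotes, as pasted logs contain both


def command_path(cmd: str) -> Optional[str]:
    """Return the executable path from an O4 command line, or None if there is none."""
    cmd = cmd.strip()
    if cmd and cmd[0] in QUOTES:  # quoted path: take everything up to the closing quote
        end = next((i for i, ch in enumerate(cmd[1:], 1) if ch in QUOTES), None)
        return cmd[1:end] if end else None
    m = EXE_TOKEN.match(cmd)
    return m.group("path") if m else None


def hidden_space_before_ext(path: str) -> bool:
    """True when the file name has whitespace between its stem and its extension."""
    name = path.rsplit("\\", 1)[-1]
    return re.search(r"\S\s+\.[A-Za-z0-9]{1,4}$", name) is not None


def canonical(path: str) -> str:
    """Collapse 'qttask   .exe' to 'qttask.exe' (lower-cased) so variants group together."""
    return re.sub(r"\s+(?=\.[^.\\\s]+$)", "", path).lower()


def analyze(lines):
    """Parse ComboFix/HJT lines; return flagged entries plus per-name spellings and sizes."""
    flagged, spellings, sizes = [], defaultdict(set), defaultdict(set)
    for line in lines:
        line, size = line.rstrip("\n"), None
        if (m := COMBOFIX_LINE.match(line)):
            source, path = "combofix", m.group("path")
            size = int(m.group("size").replace(",", ""))
        elif (m := HJT_O4_LINE.match(line)):
            path = command_path(m.group("cmd"))
            if path is None:  # e.g. "dumprep 0 -u": no recognisable executable token
                continue
            source = f"hjt:{m.group('hive')}:{m.group('name')}"
        else:
            continue
        key = canonical(path)
        spellings[key].add(path)
        if size is not None:
            sizes[key].add(size)
        if hidden_space_before_ext(path):
            flagged.append({"source": source, "path": path, "canonical": key, "size": size})
    return {"flagged": flagged, "spellings": dict(spellings), "sizes": dict(sizes)}


def impostor_candidates(result):
    """Canonical names seen under more than one spelling or with more than one size."""
    keys = set(result["spellings"]) | set(result["sizes"])
    return sorted(k for k in keys
                  if len(result["spellings"].get(k, ())) > 1 or len(result["sizes"].get(k, ())) > 1)


# Constructed sample mirroring the thread's ComboFix listing and HJT O4 lines.
SAMPLE_LOG = [
    r"----a-w           448,000 2008-01-14 07:43:54  C:\Program Files\QuickTime\qttask    .exe",
    r"----a-w           112,128 2008-01-13 22:21:47  C:\Program Files\QuickTime\qttask  .exe",
    r"----a-w           448,000 2007-12-30 13:39:29  C:\Program Files\QuickTime\qttask .exe",
    r"----a-w         1,843,200 2008-01-18 22:35:40  C:\Program Files\Support.com\bin\tgcmd .exe",
    r"----a-w            15,360 2008-01-16 23:26:24  C:\WINDOWS\system32\ctfmon .exe",
    r"----a-w            15,360 2004-08-04 02:56:00  C:\WINDOWS\system32\ctfmon.exe",
    "O4 - HKLM\\..\\Run: [QuickTime Task] \u201cC:\\Program Files\\QuickTime\\qttask .exe\u201d -atboottime",
    r"O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe",
    r"O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for hit in result["flagged"]:
        print(f"[{hit['source']}] {hit['path']!r} -> {hit['canonical']} size={hit['size']}")
    for key in impostor_candidates(result):
        print(f"variants of {key}: {len(result['spellings'][key])} spellings, "
              f"sizes={sorted(result['sizes'].get(key, []))}")
```

A name that appears under several spellings, or under one canonical name with two different sizes (as qttask does in the thread, 448,000 versus 112,128 bytes), is the one to hand to a scanner before deciding which copy is the real program.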

Thank you so much for all your help!

You’re welcome. :slight_smile:

I’ll ask again: did you just install some updates or similar? Your ComboFix log is full of entries I can’t identify.

Open HJT, run a system scan only, and check-mark these lines if present:

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealOne Player\rpbrowserrecordplugin.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/cpbrkpie.cab

Close all other browsers/windows, click fix, close HJT.

You will have to uninstall and reinstall these programs :frowning:

QuickTime
Real

Please submit these files for analysis

To submit a file to VirusTotal, please click on this link

www.virustotal.com

Copy and paste the following into the upload-a-file box (one at a time if more than one file is listed):

C:\Program Files\Medic402.exe

Scroll down a bit and click “send file”, wait for the results and post them in your next reply.

I will work on this today. I did install CA Security recently through my Road Runner provider.

Can I also get rid of Zango and IWin games in this process? The pop ups are killing me.

I have been home on sick leave and I think the games are my downfall.

Go to Add/Remove Programs and uninstall

Zango
iWin Games

or similar.

Open HJT, click misc tools button, click uninstall manager, click save list. Post/attach the list, I’ll have a look at what else can be uninstalled.

How is everything else?

Virustotal results:

Bigger than max permited size / Mayor del tamaño máximo permitido

HJT List:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:17:35 PM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NVATray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\iWon\Messenger\bin\i1IMPipe.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\KMaestro\KMaestro.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\twc\medicsp2\bin\sprtcmd.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.iwon.com/iwon-homepage/home.jhtml
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [iWon Messenger Pipe] C:\Program Files\iWon\Messenger\bin\i1IMPipe.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray /deaf
O4 - HKLM\..\Run: [BtcMaestro] C:\Program Files\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [mXB.exe] C:\windows\system32\mXB.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZangoOE] C:\Program Files\Zango\bin\10.1.181.0\OEAddOn.exe
O4 - HKLM\..\Run: [ZangoSA] "C:\Program Files\Zango\bin\10.1.181.0\ZangoSA.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [medicsp2] C:\Program Files\twc\medicsp2\bin\sprtcmd.exe /P medicsp2
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [WeatherDPA] "C:\Program Files\Zango\bin\10.1.181.0\Weather.exe" -auto
O4 - Startup: iWin Desktop Alerts.lnk = C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Little Shop - Big City\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://aol.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinner.com/games/v50/pool/pool.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0642e5bee8eb0ff6a106/netzip/RdxIE601.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} (SpinTop Games Launcher) - http://aolsvc.aol.com/onlinegames/free-trial-mystery-pi-the-lottery-ticket/SpinTopGamesLauncher.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://download.games.yahoo.com/games/web_games/sony/bewitched/main.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/free-trial-text-express-2-deluxe/zylomplayer.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Christmasville\Images\armhelper.ocx
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/virtools/CacheManager.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (MSN Games – Backgammon) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


End of file - 10220 bytes

That’s an HJT scan log.

I need this:

Open HJT, click misc tools button, click uninstall manager, click save list. Post/attach the list, I’ll have a look at what else can be uninstalled.

How are you coming with that uninstall list? I’m still willing to look and advise. :slight_smile:

Here you go. I have had no virus warnings lately! That Zango still pops up at start up.

Yvonne

This is a list of games that you could uninstall; your choice. I see nothing wrong with them.

Azkend
Big City Adventure San Francisco
FamilyFeudOnlineParty (remove only)
Gold Miner: Vegas
Hidden Expedition - Everest
Jigsaw Puzzle Platinum

Now these should be uninstalled and the newest version installed. I will include instructions at the end.

Java™ 6 Update 2
Java™ 6 Update 3

Open HJT, run a system scan only, and check-mark these lines if present:

O4 - HKLM\..\Run: [ZangoOE] C:\Program Files\Zango\bin\10.1.181.0\OEAddOn.exe
O4 - HKLM\..\Run: [ZangoSA] "C:\Program Files\Zango\bin\10.1.181.0\ZangoSA.exe"

Close all other browsers/windows, click fix, close HJT.

Go to C:\Program Files and delete the entire Zango folder.

Let me know if Zango still appears.

Now for your java

Open an Internet Explorer (only) window and go to http://java.sun.com/javase/downloads/index.jsp > Scroll down to “Java Runtime Environment (JRE) 6 Update 4…allows end-users to run Java applications”.

Click the download button on the right.

If the Information Bar pops up, right-click on it and say it’s OK to display the blocked content.

You do not have to install the Java Web Start ActiveX Control

Accept the license agreement > Click on Windows (XP, Vista, etc.) Offline Installation, Multi-language and save the file jre-6u4-windows-i586-p.exe to your desktop; do not run it.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

Post back and if everything is fine, we’ll clean up the tools we used.