Hi John,
While I'm waiting for a reply, I already did this:
* Run the VirtumundoBeGone app again -> it will automatically reboot (it's successfully stripping and deactivating the Vundo variant). Here is the log from the app:
[02/17/2007, 0:30:08] - VirtumundoBeGone v1.5 ( "C:\VirtumundoBeGone.exe" )
[02/17/2007, 0:30:13] - Detected System Information:
[02/17/2007, 0:30:13] - Windows Version: 5.1.2600, Service Pack 2
[02/17/2007, 0:30:13] - Current Username: Anton (Admin)
[02/17/2007, 0:30:13] - Windows is in NORMAL mode.
[02/17/2007, 0:30:13] - Searching for Browser Helper Objects:
[02/17/2007, 0:30:13] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:13] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} ()
[02/17/2007, 0:30:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:13] - Checking for HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:30:13] - Found: HKLM\...\Winlogon\Notify\khfefca - This is probably Virtumundo.
[02/17/2007, 0:30:13] - Assigning {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} MSEvents Object
[02/17/2007, 0:30:13] - BHO list has been changed! Starting over...
[02/17/2007, 0:30:13] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:13] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} (MSEvents Object)
[02/17/2007, 0:30:13] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:13] - BHO 3: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:13] - BHO 4: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} ()
[02/17/2007, 0:30:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:13] - Checking for HKLM\...\Winlogon\Notify\ssqpo
[02/17/2007, 0:30:13] - Found: HKLM\...\Winlogon\Notify\ssqpo - This is probably Virtumundo.
[02/17/2007, 0:30:13] - Assigning {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} MSEvents Object
[02/17/2007, 0:30:13] - BHO list has been changed! Starting over...
[02/17/2007, 0:30:13] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:13] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} (MSEvents Object)
[02/17/2007, 0:30:13] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:13] - BHO 3: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:13] - BHO 4: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} (MSEvents Object)
[02/17/2007, 0:30:13] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:13] - BHO 5: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[02/17/2007, 0:30:13] - Finished Searching Browser Helper Objects
[02/17/2007, 0:30:13] - *** Detected MSEvents Object
[02/17/2007, 0:30:13] - Trying to remove MSEvents Object...
[02/17/2007, 0:30:14] - Terminating Process: IEXPLORE.EXE
[02/17/2007, 0:30:14] - Terminating Process: RUNDLL32.EXE
[02/17/2007, 0:30:14] - Disabling Automatic Shell Restart
[02/17/2007, 0:30:14] - Terminating Process: EXPLORER.EXE
[02/17/2007, 0:30:14] - Suspending the NT Session Manager System Service
[02/17/2007, 0:30:14] - Terminating Windows NT Logon/Logoff Manager
[02/17/2007, 0:30:14] - Re-enabling Automatic Shell Restart
[02/17/2007, 0:30:14] - File to disable: C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:30:14] - Renaming C:\WINDOWS\system32\khfefca.dll -> C:\WINDOWS\system32\khfefca.dll.vir
[02/17/2007, 0:30:14] - ! File rename was unsucessful.
[02/17/2007, 0:30:14] - Attempting to Deny Access to C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:30:15] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[02/17/2007, 0:30:15] - processed file: C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:30:15] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[02/17/2007, 0:30:15] - Removing HKLM\...\Browser Helper Objects\{2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:15] - Removing HKCR\CLSID\{2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:15] - Adding Kill Bit for ActiveX for GUID: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:15] - Deleting ATLEvents/MSEvents Registry entries
[02/17/2007, 0:30:15] - Removing HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:30:15] - Searching for Browser Helper Objects:
[02/17/2007, 0:30:15] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:15] - BHO 2: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:15] - BHO 3: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} (MSEvents Object)
[02/17/2007, 0:30:15] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:15] - BHO 4: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[02/17/2007, 0:30:15] - Finished Searching Browser Helper Objects
[02/17/2007, 0:30:15] - *** Detected MSEvents Object
[02/17/2007, 0:30:15] - Trying to remove MSEvents Object...
[02/17/2007, 0:30:16] - Terminating Process: IEXPLORE.EXE
[02/17/2007, 0:30:16] - Terminating Process: RUNDLL32.EXE
[02/17/2007, 0:30:16] - Disabling Automatic Shell Restart
[02/17/2007, 0:30:18] - Terminating Process: EXPLORER.EXE
[02/17/2007, 0:30:18] - Suspending the NT Session Manager System Service
[02/17/2007, 0:30:18] - Terminating Windows NT Logon/Logoff Manager
[02/17/2007, 0:30:18] - Re-enabling Automatic Shell Restart
[02/17/2007, 0:30:18] - File to disable: C:\WINDOWS\system32\ssqpo.dll
[02/17/2007, 0:30:18] - Renaming C:\WINDOWS\system32\ssqpo.dll -> C:\WINDOWS\system32\ssqpo.dll.vir
[02/17/2007, 0:30:18] - ! File rename was unsucessful.
[02/17/2007, 0:30:18] - Attempting to Deny Access to C:\WINDOWS\system32\ssqpo.dll
[02/17/2007, 0:30:19] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[02/17/2007, 0:30:19] - processed file: C:\WINDOWS\system32\ssqpo.dll
[02/17/2007, 0:30:19] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[02/17/2007, 0:30:19] - Removing HKLM\...\Browser Helper Objects\{81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:30:19] - Removing HKCR\CLSID\{81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:30:19] - Adding Kill Bit for ActiveX for GUID: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:30:20] - Deleting ATLEvents/MSEvents Registry entries
[02/17/2007, 0:30:20] - Removing HKLM\...\Winlogon\Notify\ssqpo
[02/17/2007, 0:30:20] - Searching for Browser Helper Objects:
[02/17/2007, 0:30:20] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:20] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} ()
[02/17/2007, 0:30:20] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:20] - Checking for HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:30:20] - Found: HKLM\...\Winlogon\Notify\khfefca - This is probably Virtumundo.
[02/17/2007, 0:30:20] - Assigning {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} MSEvents Object
[02/17/2007, 0:30:21] - BHO list has been changed! Starting over...
[02/17/2007, 0:30:21] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:21] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} (MSEvents Object)
[02/17/2007, 0:30:21] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:21] - BHO 3: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:21] - BHO 4: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} ()
[02/17/2007, 0:30:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:21] - Checking for HKLM\...\Winlogon\Notify\ssqpo
[02/17/2007, 0:30:21] - Key not found: HKLM\...\Winlogon\Notify\ssqpo, continuing.
[02/17/2007, 0:30:21] - BHO 5: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[02/17/2007, 0:30:21] - Finished Searching Browser Helper Objects
[02/17/2007, 0:30:21] - *** Detected MSEvents Object
[02/17/2007, 0:30:21] - Trying to remove MSEvents Object...
[02/17/2007, 0:30:22] - Terminating Process: IEXPLORE.EXE
[02/17/2007, 0:30:22] - Terminating Process: RUNDLL32.EXE
[02/17/2007, 0:30:22] - Disabling Automatic Shell Restart
[02/17/2007, 0:30:22] - Terminating Process: EXPLORER.EXE
[02/17/2007, 0:30:22] - Suspending the NT Session Manager System Service
[02/17/2007, 0:30:22] - Terminating Windows NT Logon/Logoff Manager
[02/17/2007, 0:30:22] - Re-enabling Automatic Shell Restart
[02/17/2007, 0:30:22] - File to disable: C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:30:22] - Renaming C:\WINDOWS\system32\khfefca.dll -> C:\WINDOWS\system32\khfefca.dll.vir
[02/17/2007, 0:30:23] - ! File rename was unsucessful.
[02/17/2007, 0:30:23] - Attempting to Deny Access to C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:30:23] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[02/17/2007, 0:30:23] - processed file: C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:30:23] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[02/17/2007, 0:30:23] - Removing HKLM\...\Browser Helper Objects\{2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:23] - Removing HKCR\CLSID\{2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:23] - Adding Kill Bit for ActiveX for GUID: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:23] - Deleting ATLEvents/MSEvents Registry entries
[02/17/2007, 0:30:23] - Removing HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:30:23] - Searching for Browser Helper Objects:
[02/17/2007, 0:30:23] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:23] - BHO 2: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:23] - BHO 3: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} ()
[02/17/2007, 0:30:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:23] - Checking for HKLM\...\Winlogon\Notify\ssqpo
[02/17/2007, 0:30:23] - Found: HKLM\...\Winlogon\Notify\ssqpo - This is probably Virtumundo.
[02/17/2007, 0:30:23] - Assigning {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} MSEvents Object
[02/17/2007, 0:30:23] - BHO list has been changed! Starting over...
[02/17/2007, 0:30:23] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:23] - BHO 2: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:23] - BHO 3: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} (MSEvents Object)
[02/17/2007, 0:30:24] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:24] - BHO 4: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} (MSEvents Object)
[02/17/2007, 0:30:24] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:24] - BHO 5: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[02/17/2007, 0:30:24] - Finished Searching Browser Helper Objects
[02/17/2007, 0:30:24] - *** Detected MSEvents Object
[02/17/2007, 0:30:24] - Trying to remove MSEvents Object...
[02/17/2007, 0:30:25] - Terminating Process: IEXPLORE.EXE
[02/17/2007, 0:30:25] - Terminating Process: RUNDLL32.EXE
[02/17/2007, 0:30:25] - Disabling Automatic Shell Restart
[02/17/2007, 0:30:26] - Terminating Process: EXPLORER.EXE
[02/17/2007, 0:30:26] - Suspending the NT Session Manager System Service
[02/17/2007, 0:30:26] - Terminating Windows NT Logon/Logoff Manager
[02/17/2007, 0:30:26] - Re-enabling Automatic Shell Restart
[02/17/2007, 0:30:26] - File to disable: C:\WINDOWS\system32\ssqpo.dll
[02/17/2007, 0:30:26] - Renaming C:\WINDOWS\system32\ssqpo.dll -> C:\WINDOWS\system32\ssqpo.dll.vir
[02/17/2007, 0:30:26] - ! File rename was unsucessful.
[02/17/2007, 0:30:26] - Attempting to Deny Access to C:\WINDOWS\system32\ssqpo.dll
[02/17/2007, 0:30:27] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[02/17/2007, 0:30:27] - processed file: C:\WINDOWS\system32\ssqpo.dll
[02/17/2007, 0:30:27] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[02/17/2007, 0:30:27] - Removing HKLM\...\Browser Helper Objects\{81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:30:27] - Removing HKCR\CLSID\{81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:30:27] - Adding Kill Bit for ActiveX for GUID: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:30:27] - Deleting ATLEvents/MSEvents Registry entries
[02/17/2007, 0:30:27] - Removing HKLM\...\Winlogon\Notify\ssqpo
[02/17/2007, 0:30:30] - Searching for Browser Helper Objects:
[02/17/2007, 0:30:30] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:30] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} ()
[02/17/2007, 0:30:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:30] - Checking for HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:30:30] - Found: HKLM\...\Winlogon\Notify\khfefca - This is probably Virtumundo.
[02/17/2007, 0:30:30] - Assigning {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} MSEvents Object
[02/17/2007, 0:30:30] - BHO list has been changed! Starting over...
[02/17/2007, 0:30:30] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:30] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} (MSEvents Object)
[02/17/2007, 0:30:31] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:31] - BHO 3: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:31] - BHO 4: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} ()
[02/17/2007, 0:30:31] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:31] - Checking for HKLM\...\Winlogon\Notify\ssqpo
[02/17/2007, 0:30:31] - Found: HKLM\...\Winlogon\Notify\ssqpo - This is probably Virtumundo.
[02/17/2007, 0:30:31] - Assigning {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} MSEvents Object
[02/17/2007, 0:30:31] - BHO list has been changed! Starting over...
[02/17/2007, 0:30:31] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:31] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} (MSEvents Object)
[02/17/2007, 0:30:31] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:31] - BHO 3: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:31] - BHO 4: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} (MSEvents Object)
[02/17/2007, 0:30:31] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:31] - BHO 5: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[02/17/2007, 0:30:31] - Finished Searching Browser Helper Objects
[02/17/2007, 0:30:31] - *** Detected MSEvents Object
[02/17/2007, 0:30:31] - Trying to remove MSEvents Object...
[02/17/2007, 0:30:32] - Terminating Process: IEXPLORE.EXE
[02/17/2007, 0:30:32] - Terminating Process: RUNDLL32.EXE
[02/17/2007, 0:30:32] - Disabling Automatic Shell Restart
[02/17/2007, 0:30:32] - Terminating Process: EXPLORER.EXE
[02/17/2007, 0:30:32] - Suspending the NT Session Manager System Service
[02/17/2007, 0:30:32] - Terminating Windows NT Logon/Logoff Manager
[02/17/2007, 0:30:32] - Re-enabling Automatic Shell Restart
[02/17/2007, 0:30:32] - File to disable: C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:30:32] - Renaming C:\WINDOWS\system32\khfefca.dll -> C:\WINDOWS\system32\khfefca.dll.vir
[02/17/2007, 0:30:32] - ! File rename was unsucessful.
[02/17/2007, 0:30:32] - Attempting to Deny Access to C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:30:32] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[02/17/2007, 0:30:32] - processed file: C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:30:32] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[02/17/2007, 0:30:32] - Removing HKLM\...\Browser Helper Objects\{2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:32] - Removing HKCR\CLSID\{2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:32] - Adding Kill Bit for ActiveX for GUID: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:32] - Deleting ATLEvents/MSEvents Registry entries
[02/17/2007, 0:30:32] - Removing HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:30:32] - Searching for Browser Helper Objects:
[02/17/2007, 0:30:32] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:32] - BHO 2: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:32] - BHO 3: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} (MSEvents Object)
[02/17/2007, 0:30:32] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:32] - BHO 4: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[02/17/2007, 0:30:32] - Finished Searching Browser Helper Objects
[02/17/2007, 0:30:32] - *** Detected MSEvents Object
[02/17/2007, 0:30:32] - Trying to remove MSEvents Object...
[02/17/2007, 0:30:33] - Terminating Process: IEXPLORE.EXE
[02/17/2007, 0:30:33] - Terminating Process: RUNDLL32.EXE
[02/17/2007, 0:30:33] - Disabling Automatic Shell Restart
[02/17/2007, 0:30:35] - Terminating Process: EXPLORER.EXE
[02/17/2007, 0:30:35] - Suspending the NT Session Manager System Service
[02/17/2007, 0:30:35] - Terminating Windows NT Logon/Logoff Manager
[02/17/2007, 0:30:35] - Re-enabling Automatic Shell Restart
[02/17/2007, 0:30:36] - File to disable: C:\WINDOWS\system32\ssqpo.dll
[02/17/2007, 0:30:36] - Renaming C:\WINDOWS\system32\ssqpo.dll -> C:\WINDOWS\system32\ssqpo.dll.vir
[02/17/2007, 0:30:36] - ! File rename was unsucessful.
[02/17/2007, 0:30:36] - Attempting to Deny Access to C:\WINDOWS\system32\ssqpo.dll
[02/17/2007, 0:30:36] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[02/17/2007, 0:30:36] - processed file: C:\WINDOWS\system32\ssqpo.dll
[02/17/2007, 0:30:36] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[02/17/2007, 0:30:36] - Removing HKLM\...\Browser Helper Objects\{81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:30:36] - Removing HKCR\CLSID\{81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:30:36] - Adding Kill Bit for ActiveX for GUID: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:30:36] - Deleting ATLEvents/MSEvents Registry entries
[02/17/2007, 0:30:36] - Removing HKLM\...\Winlogon\Notify\ssqpo
[02/17/2007, 0:30:36] - Searching for Browser Helper Objects:
[02/17/2007, 0:30:36] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:36] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} ()
[02/17/2007, 0:30:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:36] - Checking for HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:30:36] - Found: HKLM\...\Winlogon\Notify\khfefca - This is probably Virtumundo.
[02/17/2007, 0:30:36] - Assigning {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} MSEvents Object
[02/17/2007, 0:30:38] - BHO list has been changed! Starting over...
[02/17/2007, 0:30:38] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:38] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} (MSEvents Object)
[02/17/2007, 0:30:38] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:38] - BHO 3: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:38] - BHO 4: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[02/17/2007, 0:30:38] - Finished Searching Browser Helper Objects
[02/17/2007, 0:30:38] - *** Detected MSEvents Object
[02/17/2007, 0:30:38] - Trying to remove MSEvents Object...
[02/17/2007, 0:30:39] - Terminating Process: IEXPLORE.EXE
[02/17/2007, 0:30:39] - Terminating Process: RUNDLL32.EXE
[02/17/2007, 0:30:39] - Disabling Automatic Shell Restart
[02/17/2007, 0:30:39] - Terminating Process: EXPLORER.EXE
[02/17/2007, 0:30:39] - Suspending the NT Session Manager System Service
[02/17/2007, 0:30:39] - Terminating Windows NT Logon/Logoff Manager
[02/17/2007, 0:30:39] - Re-enabling Automatic Shell Restart
[02/17/2007, 0:30:39] - File to disable: C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:30:39] - Renaming C:\WINDOWS\system32\khfefca.dll -> C:\WINDOWS\system32\khfefca.dll.vir
[02/17/2007, 0:30:39] - ! File rename was unsucessful.
[02/17/2007, 0:30:39] - Attempting to Deny Access to C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:30:40] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[02/17/2007, 0:30:40] - processed file: C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:30:40] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[02/17/2007, 0:30:40] - Removing HKLM\...\Browser Helper Objects\{2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:40] - Removing HKCR\CLSID\{2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:40] - Adding Kill Bit for ActiveX for GUID: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:40] - Deleting ATLEvents/MSEvents Registry entries
[02/17/2007, 0:30:40] - Removing HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:30:40] - Searching for Browser Helper Objects:
[02/17/2007, 0:30:40] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:40] - BHO 2: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:40] - BHO 3: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} ()
[02/17/2007, 0:30:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:40] - Checking for HKLM\...\Winlogon\Notify\ssqpo
[02/17/2007, 0:30:40] - Found: HKLM\...\Winlogon\Notify\ssqpo - This is probably Virtumundo.
[02/17/2007, 0:30:40] - Assigning {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} MSEvents Object
[02/17/2007, 0:30:40] - BHO list has been changed! Starting over...
[02/17/2007, 0:30:40] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:40] - BHO 2: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:40] - BHO 3: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} (MSEvents Object)
[02/17/2007, 0:30:42] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:42] - BHO 4: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} (MSEvents Object)
[02/17/2007, 0:30:42] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:42] - BHO 5: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[02/17/2007, 0:30:43] - Finished Searching Browser Helper Objects
[02/17/2007, 0:30:43] - *** Detected MSEvents Object
[02/17/2007, 0:30:43] - Trying to remove MSEvents Object...
[02/17/2007, 0:30:44] - Terminating Process: IEXPLORE.EXE
[02/17/2007, 0:30:44] - Terminating Process: RUNDLL32.EXE
[02/17/2007, 0:30:44] - Disabling Automatic Shell Restart
[02/17/2007, 0:30:45] - Terminating Process: EXPLORER.EXE
[02/17/2007, 0:30:45] - Suspending the NT Session Manager System Service
[02/17/2007, 0:30:45] - Terminating Windows NT Logon/Logoff Manager
[02/17/2007, 0:30:45] - Re-enabling Automatic Shell Restart
[02/17/2007, 0:30:45] - File to disable: C:\WINDOWS\system32\ssqpo.dll
[02/17/2007, 0:30:45] - Renaming C:\WINDOWS\system32\ssqpo.dll -> C:\WINDOWS\system32\ssqpo.dll.vir
[02/17/2007, 0:30:45] - ! File rename was unsucessful.
[02/17/2007, 0:30:45] - Attempting to Deny Access to C:\WINDOWS\system32\ssqpo.dll
[02/17/2007, 0:30:45] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[02/17/2007, 0:30:45] - processed file: C:\WINDOWS\system32\ssqpo.dll
[02/17/2007, 0:30:45] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[02/17/2007, 0:30:45] - Removing HKLM\...\Browser Helper Objects\{81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:30:45] - Removing HKCR\CLSID\{81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:30:45] - Adding Kill Bit for ActiveX for GUID: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:30:45] - Deleting ATLEvents/MSEvents Registry entries
[02/17/2007, 0:30:45] - Removing HKLM\...\Winlogon\Notify\ssqpo
[02/17/2007, 0:30:45] - Searching for Browser Helper Objects:
[02/17/2007, 0:30:45] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:45] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} ()
[02/17/2007, 0:30:45] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:45] - Checking for HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:30:45] - Found: HKLM\...\Winlogon\Notify\khfefca - This is probably Virtumundo.
[02/17/2007, 0:30:45] - Assigning {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} MSEvents Object
[02/17/2007, 0:30:45] - BHO list has been changed! Starting over...
[02/17/2007, 0:30:45] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:45] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} (MSEvents Object)
[02/17/2007, 0:30:45] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:45] - BHO 3: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:46] - BHO 4: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} ()
[02/17/2007, 0:30:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:46] - No filename found. Continuing.
[02/17/2007, 0:30:46] - BHO 5: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[02/17/2007, 0:30:46] - Finished Searching Browser Helper Objects
[02/17/2007, 0:30:46] - *** Detected MSEvents Object
[02/17/2007, 0:30:46] - Trying to remove MSEvents Object...
[02/17/2007, 0:30:47] - Terminating Process: IEXPLORE.EXE
[02/17/2007, 0:30:47] - Terminating Process: RUNDLL32.EXE
[02/17/2007, 0:30:47] - Disabling Automatic Shell Restart
[02/17/2007, 0:30:47] - Terminating Process: EXPLORER.EXE
[02/17/2007, 0:30:47] - Suspending the NT Session Manager System Service
[02/17/2007, 0:30:47] - Terminating Windows NT Logon/Logoff Manager
[02/17/2007, 0:30:47] - Re-enabling Automatic Shell Restart
[02/17/2007, 0:30:47] - File to disable: C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:30:47] - Renaming C:\WINDOWS\system32\khfefca.dll -> C:\WINDOWS\system32\khfefca.dll.vir
[02/17/2007, 0:30:48] - ! File rename was unsucessful.
[02/17/2007, 0:30:48] - Attempting to Deny Access to C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:30:49] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[02/17/2007, 0:30:49] - processed file: C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:30:49] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[02/17/2007, 0:30:49] - Removing HKLM\...\Browser Helper Objects\{2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:49] - Removing HKCR\CLSID\{2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:49] - Adding Kill Bit for ActiveX for GUID: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:49] - Deleting ATLEvents/MSEvents Registry entries
[02/17/2007, 0:30:49] - Removing HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:30:49] - Searching for Browser Helper Objects:
[02/17/2007, 0:30:49] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:49] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} ()
[02/17/2007, 0:30:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:49] - No filename found. Continuing.
[02/17/2007, 0:30:49] - BHO 3: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:49] - BHO 4: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} ()
[02/17/2007, 0:30:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:49] - Checking for HKLM\...\Winlogon\Notify\ssqpo
[02/17/2007, 0:30:49] - Found: HKLM\...\Winlogon\Notify\ssqpo - This is probably Virtumundo.
[02/17/2007, 0:30:49] - Assigning {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} MSEvents Object
[02/17/2007, 0:30:49] - BHO list has been changed! Starting over...
[02/17/2007, 0:30:49] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:49] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} ()
[02/17/2007, 0:30:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:49] - Checking for HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:30:49] - Key not found: HKLM\...\Winlogon\Notify\khfefca, continuing.
[02/17/2007, 0:30:49] - BHO 3: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:49] - BHO 4: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} (MSEvents Object)
[02/17/2007, 0:30:49] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:49] - BHO 5: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[02/17/2007, 0:30:49] - Finished Searching Browser Helper Objects
[02/17/2007, 0:30:49] - *** Detected MSEvents Object
[02/17/2007, 0:30:49] - Trying to remove MSEvents Object...
[02/17/2007, 0:30:50] - Terminating Process: IEXPLORE.EXE
[02/17/2007, 0:30:50] - Terminating Process: RUNDLL32.EXE
[02/17/2007, 0:30:52] - Disabling Automatic Shell Restart
[02/17/2007, 0:30:52] - Terminating Process: EXPLORER.EXE
[02/17/2007, 0:30:52] - Suspending the NT Session Manager System Service
[02/17/2007, 0:30:52] - Terminating Windows NT Logon/Logoff Manager
[02/17/2007, 0:30:52] - Re-enabling Automatic Shell Restart
[02/17/2007, 0:30:53] - File to disable: C:\WINDOWS\system32\ssqpo.dll
[02/17/2007, 0:30:53] - Renaming C:\WINDOWS\system32\ssqpo.dll -> C:\WINDOWS\system32\ssqpo.dll.vir
[02/17/2007, 0:30:53] - ! File rename was unsucessful.
[02/17/2007, 0:30:53] - Attempting to Deny Access to C:\WINDOWS\system32\ssqpo.dll
[02/17/2007, 0:30:53] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[02/17/2007, 0:30:53] - processed file: C:\WINDOWS\system32\ssqpo.dll
[02/17/2007, 0:30:53] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[02/17/2007, 0:30:53] - Removing HKLM\...\Browser Helper Objects\{81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:30:54] - Removing HKCR\CLSID\{81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:30:54] - Adding Kill Bit for ActiveX for GUID: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:30:54] - Deleting ATLEvents/MSEvents Registry entries
[02/17/2007, 0:30:54] - Removing HKLM\...\Winlogon\Notify\ssqpo
[02/17/2007, 0:30:54] - Searching for Browser Helper Objects:
[02/17/2007, 0:30:54] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:54] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} ()
[02/17/2007, 0:30:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:54] - Checking for HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:30:54] - Found: HKLM\...\Winlogon\Notify\khfefca - This is probably Virtumundo.
[02/17/2007, 0:30:54] - Assigning {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} MSEvents Object
[02/17/2007, 0:30:54] - BHO list has been changed! Starting over...
[02/17/2007, 0:30:54] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:54] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} (MSEvents Object)
[02/17/2007, 0:30:54] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:54] - BHO 3: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:54] - BHO 4: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[02/17/2007, 0:30:54] - Finished Searching Browser Helper Objects
[02/17/2007, 0:30:54] - *** Detected MSEvents Object
[02/17/2007, 0:30:54] - Trying to remove MSEvents Object...
[02/17/2007, 0:30:55] - Terminating Process: IEXPLORE.EXE
[02/17/2007, 0:30:55] - Terminating Process: RUNDLL32.EXE
[02/17/2007, 0:30:55] - Disabling Automatic Shell Restart
[02/17/2007, 0:30:56] - Terminating Process: EXPLORER.EXE
[02/17/2007, 0:30:56] - Suspending the NT Session Manager System Service
[02/17/2007, 0:30:56] - Terminating Windows NT Logon/Logoff Manager
[02/17/2007, 0:30:57] - Re-enabling Automatic Shell Restart
[02/17/2007, 0:30:57] - File to disable: C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:30:57] - Renaming C:\WINDOWS\system32\khfefca.dll -> C:\WINDOWS\system32\khfefca.dll.vir
[02/17/2007, 0:30:57] - ! File rename was unsucessful.
[02/17/2007, 0:30:57] - Attempting to Deny Access to C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:30:57] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[02/17/2007, 0:30:57] - processed file: C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:30:57] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[02/17/2007, 0:30:57] - Removing HKLM\...\Browser Helper Objects\{2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:57] - Removing HKCR\CLSID\{2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:57] - Adding Kill Bit for ActiveX for GUID: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:57] - Deleting ATLEvents/MSEvents Registry entries
[02/17/2007, 0:30:57] - Removing HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:30:57] - Searching for Browser Helper Objects:
[02/17/2007, 0:30:57] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:57] - BHO 2: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:57] - BHO 3: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} ()
[02/17/2007, 0:30:57] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:57] - Checking for HKLM\...\Winlogon\Notify\ssqpo
[02/17/2007, 0:30:57] - Found: HKLM\...\Winlogon\Notify\ssqpo - This is probably Virtumundo.
[02/17/2007, 0:30:57] - Assigning {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} MSEvents Object
[02/17/2007, 0:30:57] - BHO list has been changed! Starting over...
[02/17/2007, 0:30:57] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:58] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} ()
[02/17/2007, 0:30:58] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:58] - Checking for HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:30:58] - Key not found: HKLM\...\Winlogon\Notify\khfefca, continuing.
[02/17/2007, 0:30:58] - BHO 3: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:58] - BHO 4: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} (MSEvents Object)
[02/17/2007, 0:30:58] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:58] - BHO 5: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[02/17/2007, 0:30:58] - Finished Searching Browser Helper Objects
[02/17/2007, 0:30:58] - *** Detected MSEvents Object
[02/17/2007, 0:30:58] - Trying to remove MSEvents Object...
[02/17/2007, 0:30:59] - Terminating Process: IEXPLORE.EXE
[02/17/2007, 0:30:59] - Terminating Process: RUNDLL32.EXE
[02/17/2007, 0:30:59] - Disabling Automatic Shell Restart
[02/17/2007, 0:30:59] - Terminating Process: EXPLORER.EXE
[02/17/2007, 0:30:59] - Suspending the NT Session Manager System Service
[02/17/2007, 0:30:59] - Terminating Windows NT Logon/Logoff Manager
[02/17/2007, 0:30:59] - Re-enabling Automatic Shell Restart
[02/17/2007, 0:30:59] - File to disable: C:\WINDOWS\system32\ssqpo.dll
[02/17/2007, 0:31:00] - Renaming C:\WINDOWS\system32\ssqpo.dll -> C:\WINDOWS\system32\ssqpo.dll.vir
[02/17/2007, 0:31:00] - ! File rename was unsucessful.
[02/17/2007, 0:31:00] - Attempting to Deny Access to C:\WINDOWS\system32\ssqpo.dll
[02/17/2007, 0:31:00] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[02/17/2007, 0:31:00] - processed file: C:\WINDOWS\system32\ssqpo.dll
[02/17/2007, 0:31:00] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[02/17/2007, 0:31:00] - Removing HKLM\...\Browser Helper Objects\{81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:31:00] - Removing HKCR\CLSID\{81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:31:01] - Adding Kill Bit for ActiveX for GUID: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:31:01] - Deleting ATLEvents/MSEvents Registry entries
[02/17/2007, 0:31:01] - Removing HKLM\...\Winlogon\Notify\ssqpo
[02/17/2007, 0:31:01] - Searching for Browser Helper Objects:
[02/17/2007, 0:31:01] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:31:01] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} ()
[02/17/2007, 0:31:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:31:01] - Checking for HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:31:01] - Found: HKLM\...\Winlogon\Notify\khfefca - This is probably Virtumundo.
[02/17/2007, 0:31:01] - Assigning {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} MSEvents Object
[02/17/2007, 0:31:01] - BHO list has been changed! Starting over...
[02/17/2007, 0:31:01] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:31:01] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} (MSEvents Object)
[02/17/2007, 0:31:01] - ALERT: Found MSEvents Object!
[02/17/2007, 0:31:01] - BHO 3: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:31:01] - BHO 4: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} ()
[02/17/2007, 0:31:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:31:01] - Checking for HKLM\...\Winlogon\Notify\ssqpo
[02/17/2007, 0:31:02] - Key not found: HKLM\...\Winlogon\Notify\ssqpo, continuing.
[02/17/2007, 0:31:02] - BHO 5: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[02/17/2007, 0:31:02] - Finished Searching Browser Helper Objects
[02/17/2007, 0:31:02] - *** Detected MSEvents Object
[02/17/2007, 0:31:02] - Trying to remove MSEvents Object...
[02/17/2007, 0:31:03] - Terminating Process: IEXPLORE.EXE
[02/17/2007, 0:31:03] - Terminating Process: RUNDLL32.EXE
[02/17/2007, 0:31:03] - Disabling Automatic Shell Restart
[02/17/2007, 0:31:03] - Terminating Process: EXPLORER.EXE
[02/17/2007, 0:31:03] - Suspending the NT Session Manager System Service
[02/17/2007, 0:31:03] - Terminating Windows NT Logon/Logoff Manager
[02/17/2007, 0:31:08] - Re-enabling Automatic Shell Restart
[02/17/2007, 0:31:08] - File to disable: C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:31:08] - Renaming C:\WINDOWS\system32\khfefca.dll -> C:\WINDOWS\system32\khfefca.dll.vir
[02/17/2007, 0:31:08] - ! File rename was unsucessful.
[02/17/2007, 0:31:08] - Attempting to Deny Access to C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:31:08] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[02/17/2007, 0:31:08] - processed file: C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:31:08] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[02/17/2007, 0:31:08] - Removing HKLM\...\Browser Helper Objects\{2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:31:08] - Removing HKCR\CLSID\{2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:31:08] - Adding Kill Bit for ActiveX for GUID: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:31:08] - Deleting ATLEvents/MSEvents Registry entries
[02/17/2007, 0:31:08] - Removing HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:31:08] - Searching for Browser Helper Objects:
[02/17/2007, 0:31:08] - Finished Searching Browser Helper Objects
[02/17/2007, 0:31:08] - Finishing up...
[02/17/2007, 0:31:08] - A restart is needed.
[02/17/2007, 0:31:08] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
* After restarting the PC, I went into SAFE MODE and disabled the WSMSPSVC service, which I found was calling C:\WINDOWS\MSNGR.EXE (this was actually the step that I didn't do before; that's why the VUNDO variant files came back again).
* I modified my registry to show super-hidden files in Windows Explorer:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"SuperHidden"=dword:00000001
"ShowSuperHidden"=dword:00000001
"HideFileExt"=dword:00000000
* With Explorer plus Unlocker (a free tool that kills/deletes a file after first analyzing it for a hooking process), I successfully deleted MSNGR.EXE and all the vundo variant traces that were left behind: khfefce.dll, ssqpo.dll.
* After I restarted my PC into normal mode again, I realized that after successfully disabling MSNGR.EXE, the random DLL files did not appear again.
* Then, using the HijackThis tool, I deleted WSMSPSVC using Uninstall Service NT.
Now this is my latest HijackThis log from my PC:
Logfile of HijackThis v1.99.1
Scan saved at 2:57:04 AM, on 17/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Rollback\RollbackTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AdSubtract\adsub.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Rollback\RollbackClnt.exe
C:\WINDOWS\system32\r_server.exe
C:\Program Files\Rollback\shdserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=172.16.16.1:8080;http=127.0.0.1:4444;https=172.16.16.1:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Rollback] "C:\Program Files\Rollback\RollbackTray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB002" /M "Stylus C45"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2196325433
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2196421417
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C57FE198-5134-46C6-A103-AD44A4873F7E}: Domain = 1sbs.com.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{C57FE198-5134-46C6-A103-AD44A4873F7E}: NameServer = 172.16.16.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Beyond Remote Server - Data Apples Corporation - C:\PROGRA~1\DATAAP~1\BEYOND~1\BRServer.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RollbackClientService - Unknown owner - C:\Program Files\Rollback\RollbackClnt.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: SHDSERV - Horizon Datasys, Inc. - C:\Program Files\Rollback\shdserv.exe
* And finally my uninstall list log:
µTorrent
5star Game Copy
Adobe Acrobat 7.0.8 Professional
Adobe Flash Player 9 ActiveX
AdSubtract PRO
Age Of Pirates - Caribbean Tales 1.41
Apollo DVD Copy 4.6.17
A-Ray Scanner 2.0.2.3
At the Doctor's
Australian City Streets Ver 3
Barbie(R) Pet Rescue
BayGenie eBay Auction Sniper Pro Edition 2.8.0.0
Beyond Remote Console and Host
ConvertXtoDVD 2.1.5.173
CureROM Pro 2.0.3
Disney Pixar 2nd and 3rd Grade
Disney's The Jungle Book Year 3
DynAdvance Notifier
EPSON PhotoQuicker3.5
EPSON Printer Software
FinePrint
Fractions & Decimals
GTR 2 1.0.0.0
Harry Potter II
Heroes of Might and Magic V
HijackThis 1.99.1
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB928388)
Hotfix for Windows XP (KB929120)
In Search of the Lost Words
Jungle Games
K-Lite Mega Codec Pack 1.59
Learn to Play Chess with Fritz and Chesster
Learn to Play Chess with Fritz and Chesster 2
Magic ISO Maker v5.2 (build 0190)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Ultimate 2007
Microsoft Office Ultimate 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Virtual PC 2004
Mini Car Racing
Motorola SM56 Speakerphone Modem
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 6.0 Parser (KB927977)
Multi-Mail Notifier Professional Edition
Music MasterWorks v3.82
Neo Max
NEO Power Kit
Nero 7 Premium
NOD32 antivirus system
NOD32 FiX v2.1
NVIDIA Drivers
Opera 9.02
Origami Craft Studio
Paws Explore - Fractions
PicaView
Project64 1.6
Realtek AC'97 Audio
Remote Administrator v2.2
Rollback Rx
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
ShadowFlare
Shrek 2
Sid Meier's Pirates!
Sony Ericsson File Manager
SpongeBob SquarePants - Lights, Camera, Pants!
TerraSip Phoner 1.16
Tom and Jerry in Fists of Furry
Unlocker 1.8.5
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925876)
WildSnake Pinball: Christmas Tree 1.34
Windows Communication Foundation
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows Workflow Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
WWW File Share Pro 5.0
Yahoo!7 Messenger
Sorry if I already tried something to fix my own PC before you asked. Thanks.
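
Added example, not part of the original post: a small Python parser for the VirtumundoBeGone log format quoted above that flags any Winlogon Notify key the tool finds again after it has logged that key's removal, which is the come-back behaviour described in the post. The sample lines are copied from the log in this post with the lines in between dropped; the function, class and field names are this example's own.

```python
import re
from datetime import datetime
from typing import NamedTuple

# Lines copied from the VirtumundoBeGone log in the post; intermediate lines dropped.
SAMPLE_LOG = r"""
[02/17/2007, 0:30:54] - Found: HKLM\...\Winlogon\Notify\khfefca - This is probably Virtumundo.
[02/17/2007, 0:30:57] - Removing HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:30:57] - Found: HKLM\...\Winlogon\Notify\ssqpo - This is probably Virtumundo.
[02/17/2007, 0:30:58] - Key not found: HKLM\...\Winlogon\Notify\khfefca, continuing.
[02/17/2007, 0:31:01] - Removing HKLM\...\Winlogon\Notify\ssqpo
[02/17/2007, 0:31:01] - Found: HKLM\...\Winlogon\Notify\khfefca - This is probably Virtumundo.
[02/17/2007, 0:31:02] - Key not found: HKLM\...\Winlogon\Notify\ssqpo, continuing.
[02/17/2007, 0:31:08] - Removing HKLM\...\Winlogon\Notify\khfefca
"""


class Regeneration(NamedTuple):
    key: str                  # Notify subkey name, lower-cased
    removed_at: datetime      # when the tool logged the removal
    found_again_at: datetime  # when the same key was found again
    seconds: float            # gap between the two events


# The tool abbreviates the registry path as HKLM\...\Winlogon\Notify\<name>.
_PREFIX = re.escape("HKLM\\...\\Winlogon\\Notify\\")
_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<msg>.*)$")
_EVENTS = {
    "found": re.compile(r"^Found: " + _PREFIX + r"(?P<key>\S+) - "),
    "removed": re.compile(r"^Removing " + _PREFIX + r"(?P<key>\S+)$"),
}


def parse_events(log_text):
    """Yield (timestamp, event, key) for each Notify found/removed line."""
    for raw in log_text.splitlines():
        line = _LINE.match(raw.strip())
        if not line:
            continue  # blank line or text that is not a log entry
        for event, pattern in _EVENTS.items():
            hit = pattern.match(line["msg"])
            if hit:
                ts = datetime.strptime(line["ts"], "%m/%d/%Y, %H:%M:%S")
                yield ts, event, hit["key"].lower()


def find_regenerated(log_text):
    """Return one Regeneration per key that is found after a logged removal."""
    last_removed = {}
    results = []
    for ts, event, key in parse_events(log_text):
        if event == "removed":
            last_removed[key] = ts
        elif event == "found" and key in last_removed:
            removed_at = last_removed.pop(key)
            gap = (ts - removed_at).total_seconds()
            results.append(Regeneration(key, removed_at, ts, gap))
    return results


if __name__ == "__main__":
    for r in find_regenerated(SAMPLE_LOG):
        print(f"{r.key}: removed {r.removed_at:%H:%M:%S}, "
              f"found again after {r.seconds:.0f}s")
```

A key that reappears within seconds of removal, while the tool is still running, means something else on the system is writing it back, so the cleanup needs to locate that component as well.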