
Click.GiftLoad after Possible TDL3 Rootkit Infection



Jayann
2011-03-18, 16:28
Here is a little background. I am running XP Pro and... I have been trying to recover from a potential rootkit. The only leftover I can see is this Click.GiftLoad file in Spybot. I actually posted the following on another forum last night but did not get any responses, so I decided to try a more active forum. Here was my initial issue:

"While trying to search Google today, I suddenly found myself fending off some anti-virus warnings along with a firewall request from a remote .de address. I mainly use my PC for work only and usually consider myself pretty security conscious, so I rarely run into issues, if at all. Then it dawned on me that my daughter had "used the PC to print her paper" the night prior to these issues popping up. I wish I could say this is a rare thing for her too, but being that she's 16, this wouldn't be the first time she has likely infected a PC. So... the first problem is, I have no idea where it possibly originated from. My anti-virus (ESET) was flagging and quarantining files as they came in; however, my initial scan with ESET showed no issues other than the files that were intercepted. I did a system restore because at this point, Autoruns was showing two totally foreign logon entries that, despite being disabled, repeated themselves upon a reboot. System restore took care of the foreign entries; however, the most notable issues after the restore were a setup file that was attempting to run, which I was able to intercept, and the biggest issue, a browser hijack. The hijack seemed to be mostly affected via Google searches. Right clicking any link to open in a new tab or window would hijack the page. Typing addresses in directly did not seem to be affected. Since this time, I have run Spybot S&D which cleaned 4 issues. Malwarebytes did a full scan which cleaned 2 files. It was also suggested that I uninstall ESET and try Microsoft Security Essentials, which I did a quick scan on and 4 files were removed, and then a full scan in which 1 file was removed. I have also run MBR, which is where I am at with things now. My results indicated a possible TDL3 Rootkit Infection and all of this is starting to get a little out of my realm of knowledge.
I must say, I have not turned off system restore to do a fresh clean as of yet, but I will end up doing that as my next step anyhow while I wait for some hopeful help from here. Also, if it helps any, being that I work from home "virtually", I worried that some of my legitimate programs I require for work may mimic some of the "symptoms" of a virus, for instance the Interactive Intelligence Interaction Client."

Since my post last night, I have run ComboFix and must give my sincerest apologies. I completed this step before even finding this website, so I had no idea it was not suggested to run on your own. I must say, however, that ComboFix seems to have actually been extremely beneficial in cleaning up my issue. Since running it, the MBR log is now clean. The only thing I can find that is still an issue is this Spybot entry. The browser hijack has since been fixed and all other scans have been seemingly clean.

I think the most important thing to note is that while I am somewhat computer savvy, I am certainly in no position to try to interpret all these logs to say in fact that the PC is now clean. In fact, I can't even say that I have run all the necessary tools needed to even assure that it is. So... that's why I am here. I am hoping someone could help not only determine why I can't remove the Click.GiftLoad entry but hopefully help me determine if I have indeed cleaned all the issues.

I would be happy to post any before or after logs that I have available if needed. If I can provide any additional information that helps, please don't hesitate to ask!

Thanks in advance for any help; it is greatly appreciated!

DDS (Ver_11-03-05.01) - NTFSx86
Run by Jayann at 11:30:51.57 on Fri 03/18/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1133 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Interactive Intelligence\ICUserApps\inin_qos_service-w32r-1-1.exe
C:\Program Files\Interactive Intelligence\ININ Trace Initialization\i3trace_initializer-w32r-1-1.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Citrix\Secure Access Client\nsverctl.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\Citrix\Secure Access Client\nsload.exe
C:\Program Files\MMTaskbar\MultiMon.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jayann\Desktop\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer =
uRun: [!1_ProcessGuard_Startup] "c:\program files\processguard\procguard.exe" -minimize
mRun: [!1_pgaccount] "c:\program files\processguard\pgaccount.exe"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\citrix~1.lnk - c:\program files\citrix\secure access client\nsload.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\multim~1.lnk - c:\program files\mmtaskbar\MultiMon.exe
IE: E&xport to Microsoft Excel
Trusted Zone: eddiebauer.com
Trusted Zone: epsilon.com
Trusted Zone: exodusvipdesk.com
Trusted Zone: java.com
Trusted Zone: microsoft.com
Trusted Zone: remoteaccess.eddiebauer.com
Trusted Zone: trendmicro.com
Trusted Zone: vipdesk.com
Trusted Zone: vipdeskconnect.com
Trusted Zone: webroom.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\jayann\applic~1\mozilla\firefox\profiles\nxz79m1z.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\jayann\application data\mozilla\plugins\npagee.dll
FF - plugin: c:\documents and settings\jayann\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\jayann\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\jayann\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\citrix\secure access client\npagee.dll
FF - plugin: c:\program files\ksolo\npAVX.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
============= SERVICES / DRIVERS ===============
.
R1 ATMDLC;Attachmate DLC Protocol;c:\windows\system32\drivers\atmdlc.sys [2004-6-14 35270]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsla2db0d4e;MpKsla2db0d4e;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8f18629c-4889-4bb1-8f93-a9523ffcc814}\MpKsla2db0d4e.sys [2011-3-18 28752]
R2 cag;Citrix cag plugin for Access Gateway;c:\program files\common files\deterministic networks\common files\cag.sys [2010-3-8 81024]
R2 DCSPGSRV;DiamondCS Process Guard Service v3.000;c:\program files\processguard\DCSUserProt.exe [2009-8-24 69632]
R2 ININ QoS;ININ QoS Service;c:\program files\interactive intelligence\icuserapps\inin_qos_service-w32r-1-1.exe [2010-4-16 53248]
R2 ININ Tracing;ININ Tracing Initialization;c:\program files\interactive intelligence\inin trace initialization\i3trace_initializer-w32r-1-1.exe [2010-3-19 36352]
R2 nsverctl;Citrix Secure Access Client Service;c:\program files\citrix\secure access client\nsverctl.exe [2010-5-10 153752]
R2 procguard;procguard;c:\windows\system32\drivers\procguard.sys [2009-8-24 24911]
R3 ctxva51;Citrix Virtual Adapter;c:\windows\system32\drivers\ctxva51.sys [2010-5-10 41624]
R3 kbdcap;kbdcap;c:\windows\system32\drivers\KbdCap.sys [2009-11-11 109440]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-3-29 38224]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
S4 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S4 Interactive Update Client;Interactive Update Client;c:\program files\interactive intelligence\interactive update\ININ.UpdateClientService.exe [2010-1-25 298152]
.
=============== Created Last 30 ================
.
2011-03-18 14:34:02 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{8f18629c-4889-4bb1-8f93-a9523ffcc814}\MpKsla2db0d4e.sys
2011-03-18 14:28:12 5943120 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{8f18629c-4889-4bb1-8f93-a9523ffcc814}\mpengine.dll
2011-03-18 06:01:34 89088 ----a-w- C:\mbr.exe
2011-03-17 22:41:58 -------- d-----w- c:\program files\Microsoft Security Client
2011-03-17 19:32:32 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-03-17 19:32:32 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-17 17:41:40 57856 ---ha-w- c:\windows\bootetup.dll
2011-03-17 17:41:33 150016 ----a-w- c:\windows\system32\null0.15919651749114339.exe
2011-03-17 17:16:06 0 ----a-w- c:\windows\Xsahofokeyib.bin
2011-03-13 21:36:53 -------- d-----w- c:\docume~1\jayann\locals~1\applic~1\Move Networks
2011-03-12 21:07:55 -------- d-----w- c:\program files\iPod
2011-03-05 18:39:57 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2011-03-05 18:39:57 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2011-03-05 16:46:17 -------- d-----w- c:\docume~1\jayann\applic~1\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
2011-03-05 16:46:14 -------- d-----w- c:\program files\TweetDeck
2011-02-25 17:40:05 -------- d-----w- c:\docume~1\jayann\locals~1\applic~1\kSolo
2011-02-25 17:39:51 -------- d-----w- c:\program files\kSolo
.
==================== Find3M ====================
.
2011-02-18 21:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:08:45 832512 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:08:45 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 23:08:45 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:08:45 17408 ----a-w- c:\windows\system32\corpol.dll
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:25 389120 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 11:32:36.46 ===============

tashi
2011-03-18, 16:45
Hello Jayann,

I actually posted the following on another forum last night but did not get any responses so I decided to try a more active forum.
Which forum was that, please provide a link to your topic.

Best regards.

Jayann
2011-03-18, 17:13
http://www.bleepingcomputer.com/forums/topic385641.html/page__gopid__2174252#entry2174252

I meant to say a "less" active forum :) The forum seems to have its hands a little too full, IMO. Three pages of new request threads had been made within hours of my thread, and I had started to worry it had gone unnoticed. I see now perhaps I simply wasn't patient enough, as I have since received a response to the thread. I have requested that they close the thread, however, as I do not intend to seek assistance from more than one source.

Please let me know if I can provide any additional information!

Jayann
2011-03-18, 17:16
I forgot to note that I have not followed any of the steps or procedures outlined in the response. Sorry!

tashi
2011-03-18, 17:29
Hello Jayann,

SweetTech was able to respond promptly to your topic at BC. All helpers are volunteers and it takes time to look at logs and prepare a reply.

Posters who start topics at multiple sites for their PC problem waste valuable volunteer resources, as our analysts assist people at several forums. "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance): http://forums.spybot.info/showthread.php?t=288

As our helpers look for topics with zero response, please start a new thread (with the logs) and provide a link back to this one.

Best regards.