Click.GiftLoad after Possible TDL3 Rootkit Infection



Jayann
2011-03-18, 21:02
Per Tashi's instructions, here is my original thread

http://forums.spybot.info/showthread.php?t=61889
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Jayann at 11:30:51.57 on Fri 03/18/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1133 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Interactive Intelligence\ICUserApps\inin_qos_service-w32r-1-1.exe
C:\Program Files\Interactive Intelligence\ININ Trace Initialization\i3trace_initializer-w32r-1-1.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Citrix\Secure Access Client\nsverctl.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\Citrix\Secure Access Client\nsload.exe
C:\Program Files\MMTaskbar\MultiMon.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jayann\Desktop\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer =
uRun: [!1_ProcessGuard_Startup] "c:\program files\processguard\procguard.exe" -minimize
mRun: [!1_pgaccount] "c:\program files\processguard\pgaccount.exe"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\citrix~1.lnk - c:\program files\citrix\secure access client\nsload.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\multim~1.lnk - c:\program files\mmtaskbar\MultiMon.exe
IE: E&xport to Microsoft Excel
Trusted Zone: eddiebauer.com
Trusted Zone: epsilon.com
Trusted Zone: exodusvipdesk.com
Trusted Zone: java.com
Trusted Zone: microsoft.com
Trusted Zone: remoteaccess.eddiebauer.com
Trusted Zone: trendmicro.com
Trusted Zone: vipdesk.com
Trusted Zone: vipdeskconnect.com
Trusted Zone: webroom.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\jayann\applic~1\mozilla\firefox\profiles\nxz79m1z.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\jayann\application data\mozilla\plugins\npagee.dll
FF - plugin: c:\documents and settings\jayann\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\jayann\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\jayann\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\citrix\secure access client\npagee.dll
FF - plugin: c:\program files\ksolo\npAVX.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
============= SERVICES / DRIVERS ===============
.
R1 ATMDLC;Attachmate DLC Protocol;c:\windows\system32\drivers\atmdlc.sys [2004-6-14 35270]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsla2db0d4e;MpKsla2db0d4e;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8f18629c-4889-4bb1-8f93-a9523ffcc814}\MpKsla2db0d4e.sys [2011-3-18 28752]
R2 cag;Citrix cag plugin for Access Gateway;c:\program files\common files\deterministic networks\common files\cag.sys [2010-3-8 81024]
R2 DCSPGSRV;DiamondCS Process Guard Service v3.000;c:\program files\processguard\DCSUserProt.exe [2009-8-24 69632]
R2 ININ QoS;ININ QoS Service;c:\program files\interactive intelligence\icuserapps\inin_qos_service-w32r-1-1.exe [2010-4-16 53248]
R2 ININ Tracing;ININ Tracing Initialization;c:\program files\interactive intelligence\inin trace initialization\i3trace_initializer-w32r-1-1.exe [2010-3-19 36352]
R2 nsverctl;Citrix Secure Access Client Service;c:\program files\citrix\secure access client\nsverctl.exe [2010-5-10 153752]
R2 procguard;procguard;c:\windows\system32\drivers\procguard.sys [2009-8-24 24911]
R3 ctxva51;Citrix Virtual Adapter;c:\windows\system32\drivers\ctxva51.sys [2010-5-10 41624]
R3 kbdcap;kbdcap;c:\windows\system32\drivers\KbdCap.sys [2009-11-11 109440]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-3-29 38224]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
S4 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S4 Interactive Update Client;Interactive Update Client;c:\program files\interactive intelligence\interactive update\ININ.UpdateClientService.exe [2010-1-25 298152]
.
=============== Created Last 30 ================
.
2011-03-18 14:34:02 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{8f18629c-4889-4bb1-8f93-a9523ffcc814}\MpKsla2db0d4e.sys
2011-03-18 14:28:12 5943120 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{8f18629c-4889-4bb1-8f93-a9523ffcc814}\mpengine.dll
2011-03-18 06:01:34 89088 ----a-w- C:\mbr.exe
2011-03-17 22:41:58 -------- d-----w- c:\program files\Microsoft Security Client
2011-03-17 19:32:32 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-03-17 19:32:32 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-17 17:41:40 57856 ---ha-w- c:\windows\bootetup.dll
2011-03-17 17:41:33 150016 ----a-w- c:\windows\system32\null0.15919651749114339.exe
2011-03-17 17:16:06 0 ----a-w- c:\windows\Xsahofokeyib.bin
2011-03-13 21:36:53 -------- d-----w- c:\docume~1\jayann\locals~1\applic~1\Move Networks
2011-03-12 21:07:55 -------- d-----w- c:\program files\iPod
2011-03-05 18:39:57 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2011-03-05 18:39:57 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2011-03-05 16:46:17 -------- d-----w- c:\docume~1\jayann\applic~1\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
2011-03-05 16:46:14 -------- d-----w- c:\program files\TweetDeck
2011-02-25 17:40:05 -------- d-----w- c:\docume~1\jayann\locals~1\applic~1\kSolo
2011-02-25 17:39:51 -------- d-----w- c:\program files\kSolo
.
==================== Find3M ====================
.
2011-02-18 21:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:08:45 832512 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:08:45 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 23:08:45 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:08:45 17408 ----a-w- c:\windows\system32\corpol.dll
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:25 389120 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 11:32:36.46 ===============
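The "Created Last 30" section above is the part of a DDS log a helper reads first: three files landed in c:\windows on 2011-03-17 within half an hour of each other, one of them hidden (the ---ha-w- attribute field), one with a long generated number in its name, one zero bytes long. The script below is an added example, not part of this thread and not code from DDS or from the helper; it parses DDS-style file lines and applies those same heuristics so the oddities stand out without reading every line. The sample input is copied from the log above plus two benign Microsoft entries for contrast. The checks only raise items for review, they are not verdicts: C:\mbr.exe is flagged as an executable in the drive root even though it is a scanning tool the user placed there.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "date time size attrs path")

# Lines copied from the DDS "Created Last 30" / "Find3M" sections posted above.
# The last two are known-good Microsoft/Mozilla files included for contrast.
SAMPLE_DDS_LINES = r"""
2011-03-18 06:01:34 89088 ----a-w- C:\mbr.exe
2011-03-17 22:41:58 -------- d-----w- c:\program files\Microsoft Security Client
2011-03-17 17:41:40 57856 ---ha-w- c:\windows\bootetup.dll
2011-03-17 17:41:33 150016 ----a-w- c:\windows\system32\null0.15919651749114339.exe
2011-03-17 17:16:06 0 ----a-w- c:\windows\Xsahofokeyib.bin
2011-03-05 18:39:57 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
"""

# One DDS file/directory line: date, time, size (or eight dashes for a
# directory), an 8-character attribute field, then the path.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+|-{8}) ([a-z-]{8}) (.+)$"
)
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$")   # file directly in %windir%
DRIVE_ROOT_RE = re.compile(r"^[a-z]:\\[^\\]+$")              # file directly in C:\
LONG_DIGIT_RUN_RE = re.compile(r"\d{8,}")                    # null0.15919651749114339.exe
BINARY_EXTS = (".exe", ".dll", ".sys", ".bin", ".scr", ".com")


def parse_dds_file_lines(text):
    """Yield an Entry for every DDS file/directory line; skip headers and separators."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        yield Entry(date, time, None if size.startswith("-") else int(size), attrs, path)


def triage(entries):
    """Return [(path, [reasons])] for entries that deserve a second look."""
    findings = []
    for e in entries:
        if "d" in e.attrs:          # directory entries carry no payload themselves
            continue
        p = e.path.lower()
        name = p.rsplit("\\", 1)[-1]
        reasons = []
        if "h" in e.attrs and "\\windows\\" in p:
            reasons.append("hidden attribute on a file under %windir%")
        if LONG_DIGIT_RUN_RE.search(name):
            reasons.append("long numeric run in file name (generated name)")
        if WINDOWS_ROOT_RE.match(p) and name.endswith(BINARY_EXTS):
            reasons.append("loose binary dropped directly in %windir% root")
        if e.size == 0 and name.endswith(BINARY_EXTS):
            reasons.append("zero-byte binary (dropper placeholder or failed write)")
        if DRIVE_ROOT_RE.match(p) and name.endswith((".exe", ".com", ".scr")):
            reasons.append("executable in drive root (confirm you put it there)")
        if reasons:
            findings.append((e.path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(parse_dds_file_lines(SAMPLE_DDS_LINES)):
        print(path)
        for r in reasons:
            print("    -", r)
```

Run against the full DDS log, the script prints the same four files a helper would ask about (mbr.exe, bootetup.dll, null0.15919651749114339.exe, Xsahofokeyib.bin) and stays silent on win32k.sys, plugin-container.exe and the Microsoft Security Client folder. The heuristics are deliberately simple; the point is that the attribute field and the location of a file tell you as much as its name.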

oldman960
2011-03-19, 04:29
Hi Jayann, welcome to the forum.

To make cleaning this machine easier
Please do not uninstall/install any programs unless asked to
It is more difficult when files/programs are appearing in/disappearing from the logs.
Please do not run any scans other than those requested
Please follow all instructions in the order posted
All logs/reports, etc.. must be posted in Notepad. Please ensure that word wrap is unchecked. In notepad click format, uncheck word wrap if it is checked.
Do not attach any logs/reports, etc.. unless specifically requested to do so.
If you have problems with or do not understand the instructions, Please ask before continuing.
Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.


Please post the combofix log. It can be found at C:\Combofix.txt

Next

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.

Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output
Check the boxes beside LOP Check and Purity Check.
In the window under Custom Scans/Fixes copy and paste the following


netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lîk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Mikzosoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Deskuop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
iexplore.*
explorer.*
winlogon.*
dll
zx.dll
hlp.dat
/md5stop


Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

Please post back with
combofix log
both OTL logs
Thanks
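The /md5start ... /md5stop part of the custom scan above makes OTL list every copy of iexplore.*, explorer.* and winlogon.* on the disk with its MD5, so the helper can spot an extra copy in the wrong folder or a copy whose hash differs from the one in dllcache. The script below is an added example, not part of this thread and not OTL's code; it does the same sweep over a directory tree and applies two checks: copies of the same file name that do not all hash the same, and a copy sitting outside the locations where XP normally keeps that file. The EXPECTED_DIRS table is an assumption for the demo, not a complete baseline; a real one should be taken from a known-clean install. The demo tree is constructed in a temporary directory with a rogue explorer.exe planted in system32.

```python
import fnmatch
import hashlib
import os
import shutil
import tempfile

# Same base names OTL was asked to hash above.
NAME_PATTERNS = ("iexplore.*", "explorer.*", "winlogon.*")

# Assumed known-good locations on an XP SP3 install, relative to the scan root.
# This is an illustrative baseline; build yours from a clean machine.
EXPECTED_DIRS = {
    "explorer.exe": {"windows", "windows\\system32\\dllcache",
                     "windows\\servicepackfiles\\i386"},
    "winlogon.exe": {"windows\\system32", "windows\\system32\\dllcache",
                     "windows\\servicepackfiles\\i386"},
    "iexplore.exe": {"program files\\internet explorer"},
}


def md5_of(path):
    """MD5 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, patterns=NAME_PATTERNS):
    """Return {basename: [(relative_dir, size, md5), ...]} for every matching file under root."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            low = fn.lower()
            if any(fnmatch.fnmatch(low, p) for p in patterns):
                full = os.path.join(dirpath, fn)
                # Normalise to backslashes so the keys in EXPECTED_DIRS match on any OS.
                rel_dir = os.path.relpath(dirpath, root).lower().replace(os.sep, "\\")
                hits.setdefault(low, []).append((rel_dir, os.path.getsize(full), md5_of(full)))
    return hits


def report(hits, expected=EXPECTED_DIRS):
    """Return [(basename, message)] for hash mismatches and out-of-place copies."""
    findings = []
    for name, copies in sorted(hits.items()):
        digests = {md5 for _, _, md5 in copies}
        if len(digests) > 1:
            findings.append((name, "copies differ: %d distinct MD5s across %d files"
                             % (len(digests), len(copies))))
        for rel_dir, _size, md5 in copies:
            if name in expected and rel_dir not in expected[name]:
                findings.append((name, "unexpected location %s (md5 %s)" % (rel_dir, md5)))
    return findings


def build_demo_tree():
    """Constructed layout: clean explorer/winlogon pairs plus a rogue explorer.exe in system32."""
    root = tempfile.mkdtemp(prefix="md5sweep_")
    layout = {
        "windows\\explorer.exe": b"clean explorer",
        "windows\\system32\\dllcache\\explorer.exe": b"clean explorer",
        "windows\\system32\\explorer.exe": b"patched explorer",   # the planted copy
        "windows\\system32\\winlogon.exe": b"clean winlogon",
        "windows\\system32\\dllcache\\winlogon.exe": b"clean winlogon",
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("\\"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    try:
        hits = sweep(root)
        for name, copies in sorted(hits.items()):
            for rel_dir, size, md5 in copies:
                print("%-13s %-30s %6d %s" % (name, rel_dir, size, md5))
        for name, msg in report(hits):
            print("FLAG %s: %s" % (name, msg))
    finally:
        shutil.rmtree(root)
```

On the demo tree it reports explorer.exe twice (two distinct hashes across three copies, and the copy in windows\system32 being out of place) and nothing for winlogon.exe. On a real machine point sweep() at the drive root and compare the hashes against the dllcache or ServicePackFiles copy; a hash that matches nothing known is what justifies the next step the helper asks for.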

Jayann
2011-03-19, 07:24
Hi Oldman!

Thanks for the warm welcome and for taking the time to help me :)

I am having an issue with part of the instructions so I wanted to address that before continuing on with my logs. I have attempted to run OTL three times now because the scan is not producing an Extras.Txt log for me. I have changed the output to minimal and have checked the boxes beside LOP Check and Purity Check. I also copy/pasted the text into the custom scan area as requested. None of the scans has produced the Extras.Txt file.

I thought perhaps I had missed it since the result was to be minimized however a search of the entire C drive brings up nothing. I understand the file is supposed to save to the same location as OTL is saved so I redownloaded the file to a folder on the desktop hoping the file would show up there when completed and my only result still seems to be just the OTL.Txt.

Is it possible a setting was inadvertently changed, or is there any other reason that you can think of that would prevent the log from being created?

Thanks again for all of your time, effort and assistance!

oldman960
2011-03-20, 02:11
Hi Jayann,

An Extras.txt will only be produced the first time OTL is run. Don't worry about it for now; we'll get one later.

Please post the OTL.txt log and the combofix log.

Thanks

Jayann
2011-03-20, 06:44
I seem to be running into yet another issue with the combofix log. I was not sure if you wanted me to copy and paste it into posts in the same manner as you requested for the OTL log file. The reason for my confusion and concern is that you stated it may take a couple of posts to include the logs. The max character limit seems to be 64000 and my combofix log is 338833 characters. This means it will take me 6 posts just to include the combofix log alone and then another post for the OTL log (I am able to fit that one into just one post). I started to think maybe I was supposed to attach the combofix log but I wouldn't be able to do that either, since the max file size for attachments is 48.8kb and my file is 330kb.

I apologize for the delay in getting the logs to you and for all my questions. However, because you had asked that I address any problems or questions I had with the instructions before continuing, I wanted to check with you first on which is the appropriate way to get the combofix log to you. I certainly do not want to make things any more difficult for you by getting ahead of myself or replying with only half of the instructions completed.

Thanks for your response to my previous issue and your continued patience with me.

oldman960
2011-03-20, 10:26
Hi Jayann,

No problem. Please copy and paste the OTL log if possible into your next reply.

Can you zip the combofix log and attach it?

Thanks

Jayann
2011-03-20, 12:04
I was able to zip the combofix log and attach it. TYVM for the suggestion.

OTL logfile created on: 3/19/2011 12:56:56 AM - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Jayann\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 68.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.82 Gb Total Space | 63.89 Gb Free Space | 27.44% Space Free | Partition Type: NTFS
Drive D: | 534.43 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: JULIE | User Name: Jayann | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Jayann\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Citrix\Secure Access Client\nsload.exe (Citrix Systems, Inc)
PRC - C:\Program Files\Citrix\Secure Access Client\nsverctl.exe (Citrix Systems, Inc)
PRC - C:\Program Files\Interactive Intelligence\ICUserApps\inin_qos_service-w32r-1-1.exe (Interactive Intelligence, Inc.)
PRC - C:\Program Files\Interactive Intelligence\ININ Trace Initialization\i3trace_initializer-w32r-1-1.exe (Interactive Intelligence, Inc.)
PRC - C:\Program Files\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
PRC - C:\Program Files\Citrix\ICA Client\wfcrun32.exe (Citrix Systems, Inc.)
PRC - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\MMTaskbar\MultiMon.exe ()
PRC - C:\Program Files\ProcessGuard\DCSUserProt.exe (DiamondCS)
PRC - C:\Program Files\ProcessGuard\procguard.exe (DiamondCS)
PRC - C:\Program Files\ProcessGuard\pgaccount.exe (DiamondCS)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Jayann\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
MOD - C:\Program Files\MMTaskbar\shellhook.dll ()


========== Win32 Services (SafeList) ==========

SRV - (Interactive Update Client) -- File not found
SRV - (gupdate) Google Update Service (gupdate) -- File not found
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
SRV - (nsverctl) -- C:\Program Files\Citrix\Secure Access Client\nsverctl.exe (Citrix Systems, Inc)
SRV - (ININ QoS) -- C:\Program Files\Interactive Intelligence\ICUserApps\inin_qos_service-w32r-1-1.exe (Interactive Intelligence, Inc.)
SRV - (ININ Tracing) -- C:\Program Files\Interactive Intelligence\ININ Trace Initialization\i3trace_initializer-w32r-1-1.exe (Interactive Intelligence, Inc.)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Acresso Software Inc.)
SRV - (ZuneWlanCfgSvc) -- C:\WINDOWS\system32\ZuneWlanCfgSvc.exe (Microsoft Corporation)
SRV - (ZuneNetworkSvc) -- c:\Program Files\Zune\ZuneNss.exe (Microsoft Corporation)
SRV - (ZuneBusEnum) -- C:\WINDOWS\system32\ZuneBusEnum.exe (Microsoft Corporation)
SRV - (CVPND) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
SRV - (DCSPGSRV) -- C:\Program Files\ProcessGuard\dcsuserprot.exe (DiamondCS)


========== Driver Services (SafeList) ==========

DRV - (MpKsla2db0d4e) -- File not found
DRV - (MpKsl7141f109) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{18A4AC9D-4AD7-4030-ADBB-D5AB9BE4C4E8}\MpKsl7141f109.sys (Microsoft Corporation)
DRV - (ctxva51) -- C:\WINDOWS\system32\drivers\ctxva51.sys (Citrix Systems, Inc.)
DRV - (cag) -- C:\Program Files\Common Files\Deterministic Networks\Common files\cag.sys (Citrix Systems, Inc.)
DRV - (kbdcap) -- C:\WINDOWS\System32\drivers\KbdCap.sys ()
DRV - (ctxusbm) -- C:\WINDOWS\system32\drivers\ctxusbm.sys (Citrix Systems, Inc.)
DRV - (hamachi) -- C:\WINDOWS\system32\drivers\hamachi.sys (LogMeIn, Inc.)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (DNE) -- C:\WINDOWS\system32\drivers\dne2000.sys (Deterministic Networks, Inc.)
DRV - (CVPNDRVA) -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys (Cisco Systems, Inc.)
DRV - (vsdatant) -- C:\WINDOWS\system32\vsdatant.sys (Zone Labs, LLC)
DRV - (UsbDiag) -- C:\WINDOWS\system32\drivers\lgusbdiag.sys (LG Electronics Inc.)
DRV - (USBModem) -- C:\WINDOWS\system32\drivers\lgusbmodem.sys (LG Electronics Inc.)
DRV - (usbbus) -- C:\WINDOWS\system32\drivers\lgusbbus.sys (LG Electronics Inc.)
DRV - (CVirtA) -- C:\WINDOWS\system32\drivers\CVirtA.sys (Cisco Systems, Inc.)
DRV - (WinUSB) -- C:\WINDOWS\system32\drivers\winusb.sys (Microsoft Corporation)
DRV - (P17) -- C:\WINDOWS\system32\drivers\P17.sys (Creative Technology Ltd.)
DRV - (procguard) -- C:\WINDOWS\system32\drivers\procguard.sys (DiamondCS)
DRV - (ossrv) -- C:\WINDOWS\system32\drivers\ctoss2k.sys (Creative Technology Ltd.)
DRV - (ctsfm2k) -- C:\WINDOWS\system32\drivers\ctsfm2k.sys (Creative Technology Ltd)
DRV - (senfilt) -- C:\WINDOWS\system32\drivers\senfilt.sys (Creative Technology Ltd.)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (ATMDLC) -- C:\WINDOWS\system32\drivers\atmdlc.sys (Attachmate Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" =

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/17 18:53:16 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/05 14:39:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird

[2009/08/24 01:38:30 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Jayann\Application Data\Mozilla\Extensions
[2011/03/13 19:21:00 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Jayann\Application Data\Mozilla\Firefox\Profiles\nxz79m1z.default\extensions
[2009/08/24 06:33:17 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Jayann\Application Data\Mozilla\Firefox\Profiles\nxz79m1z.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/11/11 23:08:33 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\Jayann\Application Data\Mozilla\Firefox\Profiles\nxz79m1z.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2011/03/13 19:21:00 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/02/05 19:09:55 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}
[2009/11/05 00:49:34 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2009/09/12 23:05:42 | 000,124,240 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\CCMSDK.dll
[2009/09/12 23:06:22 | 000,070,488 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\CgpCore.dll
[2009/09/12 23:06:32 | 000,091,480 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\confmgr.dll
[2009/09/12 23:06:28 | 000,022,360 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\ctxlogging.dll
[2009/09/12 23:08:36 | 000,406,864 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npicaN.dll
[2009/09/12 23:06:24 | 000,023,896 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\TcpPServ.dll

O1 HOSTS File: ([2011/03/18 10:39:02 | 000,430,415 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 14841 more lines...
O4 - HKLM..\Run: [!1_pgaccount] C:\Program Files\ProcessGuard\pgaccount.exe (DiamondCS)
O4 - HKLM..\Run: [ConnectionCenter] C:\Program Files\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKCU..\Run: [!1_ProcessGuard_Startup] C:\Program Files\ProcessGuard\procguard.exe (DiamondCS)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Citrix Access Gateway.lnk = C:\Program Files\Citrix\Secure Access Client\nsload.exe (Citrix Systems, Inc)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MultiMon Taskbar.lnk = C:\Program Files\MMTaskbar\MultiMon.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKCU\..Trusted Domains: eddiebauer.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: epsilon.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: exodusvipdesk.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: java.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: remoteaccess.eddiebauer.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: trendmicro.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: vipdesk.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: vipdeskconnect.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: webroom.com ([]* in Trusted sites)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.77.134 68.87.72.134
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Jayann\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Jayann\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/08/23 22:42:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2005/05/18 19:59:05 | 000,000,228 | R--- | M] () - D:\Autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2005/07/05 19:05:52 | 001,019,904 | R--- | M] (Microsoft Corporation) - D:\autorun.exe -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2011/03/18 16:43:52 | 001,377,112 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Jayann\Desktop\TDSSKiller.exe
[2011/03/18 16:43:39 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jayann\Desktop\OTL.exe
[2011/03/18 10:54:18 | 000,566,272 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Jayann\Desktop\aswMBR.exe
[2011/03/18 10:27:35 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/03/18 01:54:02 | 000,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Jayann\Desktop\RootRepeal.exe
[2011/03/17 18:41:58 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2011/03/17 18:18:05 | 007,866,472 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Jayann\Desktop\mseinstall.exe
[2011/03/17 13:44:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Apple Computer
[2011/03/17 13:41:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2011/03/17 13:41:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2011/03/17 13:39:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/03/17 13:39:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/03/17 13:25:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/03/17 13:25:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/03/17 13:25:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/03/17 13:25:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/03/14 16:39:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jayann\Desktop\March
[2011/03/13 17:36:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jayann\Local Settings\Application Data\Move Networks
[2011/03/13 17:36:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jayann\Application Data\Move Networks
[2011/03/12 17:09:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2011/03/12 17:07:55 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2011/03/05 12:46:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jayann\Application Data\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
[2011/03/05 12:46:14 | 000,000,000 | ---D | C] -- C:\Program Files\TweetDeck
[2011/03/05 02:54:54 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2011/02/25 13:40:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jayann\Local Settings\Application Data\kSolo
[2011/02/25 13:39:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\kSolo Recorder
[2011/02/25 13:39:51 | 000,000,000 | ---D | C] -- C:\Program Files\kSolo
[2002/04/11 01:41:06 | 000,065,536 | R--- | C] ( ) -- C:\WINDOWS\System32\A3d.dll
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/03/19 00:54:46 | 000,000,308 | ---- | M] () -- C:\WINDOWS\System32\pguard.dat
[2011/03/19 00:54:39 | 000,035,908 | ---- | M] () -- C:\WINDOWS\System32\pghash.dat
[2011/03/19 00:53:22 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jayann\Desktop\OTL.exe
[2011/03/18 23:37:52 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/03/18 21:51:57 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/18 21:49:56 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/18 16:43:01 | 001,263,721 | ---- | M] () -- C:\Documents and Settings\Jayann\Desktop\tdsskiller.zip
[2011/03/18 11:33:50 | 000,004,971 | ---- | M] () -- C:\Documents and Settings\Jayann\Desktop\Attach.zip
[2011/03/18 11:30:27 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Jayann\Desktop\dds.com
[2011/03/18 10:55:30 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Jayann\Desktop\MBR.dat
[2011/03/18 10:54:33 | 000,566,272 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Jayann\Desktop\aswMBR.exe
[2011/03/18 10:39:02 | 000,430,415 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/03/18 10:22:25 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110318-103902.backup
[2011/03/18 09:59:45 | 004,289,870 | R--- | M] () -- C:\Documents and Settings\Jayann\Desktop\ComboFix.exe
[2011/03/18 02:12:01 | 000,288,107 | ---- | M] () -- C:\Documents and Settings\Jayann\Desktop\gmer.zip
[2011/03/18 02:01:35 | 000,089,088 | ---- | M] () -- C:\mbr.exe
[2011/03/18 01:56:44 | 000,000,015 | ---- | M] () -- C:\Documents and Settings\Jayann\Desktop\settings.dat
[2011/03/18 01:54:09 | 000,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Jayann\Desktop\RootRepeal.exe
[2011/03/18 00:39:56 | 000,001,984 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/03/17 18:42:32 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2011/03/17 18:18:10 | 007,866,472 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Jayann\Desktop\mseinstall.exe
[2011/03/17 15:50:29 | 000,435,260 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/03/17 15:50:29 | 000,068,156 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/03/17 15:15:16 | 000,431,622 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110317-185850.backup
[2011/03/17 13:41:40 | 000,057,856 | -H-- | M] () -- C:\WINDOWS\bootetup.dll
[2011/03/17 13:41:35 | 000,150,016 | ---- | M] () -- C:\WINDOWS\System32\null0.15919651749114339.exe
[2011/03/17 13:16:06 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Uyuwevipejid.dat
[2011/03/17 13:16:06 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Xsahofokeyib.bin
[2011/03/12 17:09:01 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/03/10 12:27:50 | 001,377,112 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Jayann\Desktop\TDSSKiller.exe
[2011/03/09 04:04:28 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/03/05 14:40:02 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\Jayann\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/03/05 14:40:02 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/03/05 12:59:03 | 000,431,116 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110317-151515.backup
[2011/03/05 12:46:15 | 000,000,640 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\TweetDeck.lnk
[2011/03/05 02:55:48 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/03/02 17:23:57 | 000,033,253 | ---- | M] () -- C:\Documents and Settings\Jayann\Desktop\dream-quotes.jpg
[2011/02/18 17:36:58 | 004,184,352 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\System32\usbaaplrc.dll
[2011/02/18 17:34:25 | 000,331,272 | ---- | M] () -- C:\Documents and Settings\Jayann\Desktop\52446.jpg
[2011/02/17 17:36:00 | 000,000,930 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1078145449-1801674531-1003Core.job
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/18 16:42:54 | 001,263,721 | ---- | C] () -- C:\Documents and Settings\Jayann\Desktop\tdsskiller.zip
[2011/03/18 11:33:50 | 000,004,971 | ---- | C] () -- C:\Documents and Settings\Jayann\Desktop\Attach.zip
[2011/03/18 11:30:19 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Jayann\Desktop\dds.com
[2011/03/18 10:55:30 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Jayann\Desktop\MBR.dat
[2011/03/18 02:22:44 | 000,296,448 | ---- | C] () -- C:\Documents and Settings\Jayann\Desktop\gmer.exe
[2011/03/18 02:16:32 | 004,289,870 | R--- | C] () -- C:\Documents and Settings\Jayann\Desktop\ComboFix.exe
[2011/03/18 02:11:58 | 000,288,107 | ---- | C] () -- C:\Documents and Settings\Jayann\Desktop\gmer.zip
[2011/03/18 02:01:34 | 000,089,088 | ---- | C] () -- C:\mbr.exe
[2011/03/18 01:54:30 | 000,000,015 | ---- | C] () -- C:\Documents and Settings\Jayann\Desktop\settings.dat
[2011/03/17 18:47:18 | 000,000,424 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/03/17 18:42:32 | 000,001,945 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2011/03/17 18:42:06 | 000,001,680 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
[2011/03/17 13:41:40 | 000,057,856 | -H-- | C] () -- C:\WINDOWS\bootetup.dll
[2011/03/17 13:41:33 | 000,150,016 | ---- | C] () -- C:\WINDOWS\System32\null0.15919651749114339.exe
[2011/03/17 13:16:06 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Uyuwevipejid.dat
[2011/03/17 13:16:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Xsahofokeyib.bin
[2011/03/12 17:09:01 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/03/05 14:40:02 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/03/05 12:46:15 | 000,000,646 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\TweetDeck.lnk
[2011/03/05 12:46:15 | 000,000,640 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\TweetDeck.lnk
[2011/03/05 02:55:48 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/03/02 17:23:55 | 000,033,253 | ---- | C] () -- C:\Documents and Settings\Jayann\Desktop\dream-quotes.jpg
[2011/02/18 17:41:30 | 000,331,272 | ---- | C] () -- C:\Documents and Settings\Jayann\Desktop\52446.jpg
[2010/11/28 03:02:07 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2010/10/18 18:10:49 | 000,000,035 | ---- | C] () -- C:\WINDOWS\wwwbatch.ini
[2010/08/09 04:46:05 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\virport.dll
[2010/08/06 22:11:34 | 000,238,222 | ---- | C] () -- C:\WINDOWS\hpoins21.dat.temp
[2010/08/06 22:11:34 | 000,008,138 | ---- | C] () -- C:\WINDOWS\hpomdl21.dat.temp
[2010/08/06 22:05:48 | 000,130,893 | ---- | C] () -- C:\WINDOWS\hpoins21.dat
[2010/08/06 22:05:48 | 000,008,252 | ---- | C] () -- C:\WINDOWS\hpomdl21.dat
[2010/03/29 04:12:25 | 000,001,984 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/12/15 02:36:39 | 000,000,060 | ---- | C] () -- C:\WINDOWS\mbros.dat
[2009/11/12 05:38:17 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/11/12 05:38:17 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/11/12 05:38:17 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2009/11/12 05:38:17 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/11/12 05:38:17 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/11/11 01:57:10 | 000,109,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\KbdCap.sys
[2009/10/14 23:27:23 | 000,043,692 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/10/06 13:28:05 | 000,000,000 | ---- | C] () -- C:\WINDOWS\WB.ini
[2009/09/21 14:01:21 | 000,012,996 | ---- | C] () -- C:\Documents and Settings\Jayann\Application Data\Tab Separated Values (Windows).CAL
[2009/09/21 14:00:07 | 000,012,989 | ---- | C] () -- C:\Documents and Settings\Jayann\Application Data\Microsoft Excel 97-2003.CAL
[2009/09/21 13:59:51 | 000,012,990 | ---- | C] () -- C:\Documents and Settings\Jayann\Application Data\Microsoft Access 97-2003.CAL
[2009/09/21 13:59:48 | 000,000,028 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/09/21 13:59:12 | 000,012,993 | ---- | C] () -- C:\Documents and Settings\Jayann\Application Data\Comma Separated Values (Windows).CAL
[2009/09/15 01:49:13 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\Jayann\Application Data\F4A948
[2009/09/15 01:49:12 | 000,870,128 | ---- | C] () -- C:\Documents and Settings\Jayann\Application Data\mcs.rma
[2009/09/13 18:37:54 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/09/09 23:19:29 | 000,667,914 | ---- | C] () -- C:\WINDOWS\unins000.exe
[2009/08/31 23:30:38 | 000,006,307 | ---- | C] () -- C:\WINDOWS\System32\Ludap17.ini
[2009/08/31 23:30:38 | 000,000,039 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2009/08/25 11:01:40 | 000,135,680 | ---- | C] () -- C:\Documents and Settings\Jayann\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/24 03:53:21 | 000,299,492 | ---- | C] () -- C:\WINDOWS\War3Unin.dat
[2009/08/24 02:50:30 | 000,035,908 | ---- | C] () -- C:\WINDOWS\System32\pghash.dat
[2009/08/24 02:50:30 | 000,000,308 | ---- | C] () -- C:\WINDOWS\System32\pguard.dat
[2009/08/24 02:49:53 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2009/08/24 01:54:40 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\procguard.dll
[2009/08/24 01:38:24 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/08/24 01:37:04 | 000,593,920 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2009/08/23 22:44:50 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/08/23 22:40:05 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/08/23 18:34:49 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/08/23 18:33:52 | 000,228,800 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/02/25 16:58:44 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
[2009/02/25 16:58:44 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
[2009/01/26 13:55:37 | 000,182,995 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2008/08/29 13:58:26 | 000,197,408 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2008/08/29 13:58:16 | 000,193,312 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2008/04/14 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008/04/14 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/14 08:00:00 | 000,435,260 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/14 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/14 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/14 08:00:00 | 000,068,156 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/14 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/14 08:00:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\NSREG.DLL
[2008/04/14 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/14 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/14 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008/04/14 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/14 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2005/05/03 19:38:42 | 000,064,512 | ---- | C] () -- C:\WINDOWS\System32\P17.dll
[2003/10/02 18:48:18 | 000,053,248 | R--- | C] () -- C:\WINDOWS\System32\P17CPI.dll

========== LOP Check ==========

[2010/01/19 20:58:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AIM
[2009/08/24 02:29:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Attachmate
[2010/09/08 08:46:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2009/11/17 01:03:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2009/11/11 18:08:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grasssoft
[2009/09/26 00:48:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Juniper Networks
[2009/11/02 05:34:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RFA_Backups
[2009/10/06 13:47:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/10/25 15:15:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2010/06/05 03:10:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/09/14 22:26:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/01/19 20:58:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jayann\Application Data\acccore
[2011/02/09 04:13:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jayann\Application Data\Auslogics
[2011/02/12 01:12:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jayann\Application Data\BitTorrent
[2010/05/02 15:55:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jayann\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2009/12/24 19:15:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jayann\Application Data\Crayon Physics Deluxe
[2009/11/17 01:04:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jayann\Application Data\ESET
[2009/09/16 09:39:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jayann\Application Data\ICAClient
[2010/04/19 05:48:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jayann\Application Data\Imersatz GmbH
[2009/11/12 06:11:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jayann\Application Data\Interactive Intelligence
[2009/08/31 21:59:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jayann\Application Data\IObit
[2009/09/27 05:34:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jayann\Application Data\LolClient.F24C99354F615F3BAB18AE7B93E3F9B9E8784FA6.1
[2010/10/21 15:55:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jayann\Application Data\RightNow_Technologies
[2010/06/30 16:47:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jayann\Application Data\runic games
[2010/04/08 07:25:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jayann\Application Data\SIP Soft Station
[2010/07/14 07:23:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jayann\Application Data\SmartDraw
[2011/03/05 11:25:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jayann\Application Data\TweetDeckFast.F9107117265DB7542C1A806C8DB837742CE14C21.1
[2011/03/05 12:46:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jayann\Application Data\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
[2010/09/08 09:02:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jayann\Application Data\VIPdesk
[2010/04/14 19:26:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jayann\Application Data\webex
[2009/09/28 04:43:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jayann\Application Data\Windows Search
[2010/03/29 01:16:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jayann\Application Data\Xilisoft Corporation
[2011/03/18 23:37:52 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2009/12/07 22:13:37 | 000,005,820 | ---- | M] () -- C:\aaw7boot.log
[2009/08/23 22:42:39 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2009/08/27 14:25:04 | 000,000,212 | ---- | M] () -- C:\Boot.bak
[2009/11/12 05:39:13 | 000,000,282 | RHS- | M] () -- C:\boot.ini
[2010/11/03 05:44:00 | 000,048,312 | ---- | M] () -- C:\cc.reg
[2004/08/04 00:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
[2011/03/18 10:25:35 | 000,338,835 | ---- | M] () -- C:\ComboFix.txt
[2009/08/23 22:42:39 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/04/13 19:10:08 | 000,000,081 | ---- | M] () -- C:\CTX.DAT
[2010/03/15 02:52:46 | 000,094,737 | ---- | M] () -- C:\Cucu_Video_log.txt
[2008/04/11 10:07:18 | 000,003,820 | ---- | M] () -- C:\eula.1028.txt
[2008/04/11 10:07:18 | 000,015,428 | ---- | M] () -- C:\eula.1031.txt
[2008/04/11 10:07:18 | 000,010,058 | ---- | M] () -- C:\eula.1033.txt
[2008/04/11 10:07:18 | 000,012,246 | ---- | M] () -- C:\eula.1036.txt
[2008/04/11 10:07:18 | 000,013,912 | ---- | M] () -- C:\eula.1040.txt
[2008/04/11 10:07:18 | 000,005,868 | ---- | M] () -- C:\eula.1041.txt
[2008/04/11 10:07:18 | 000,005,970 | ---- | M] () -- C:\eula.1042.txt
[2008/04/11 10:07:18 | 000,010,134 | ---- | M] () -- C:\eula.1049.txt
[2008/04/11 10:07:18 | 000,003,814 | ---- | M] () -- C:\eula.2052.txt
[2008/04/11 10:07:18 | 000,012,936 | ---- | M] () -- C:\eula.3082.txt
[2008/04/11 10:07:18 | 000,001,110 | ---- | M] () -- C:\globdata.ini
[2008/04/11 10:07:18 | 000,000,843 | ---- | M] () -- C:\install.ini
[2008/04/11 08:03:48 | 000,076,304 | ---- | M] (Microsoft Corporation) -- C:\install.res.1028.dll
[2008/04/11 08:03:48 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.1031.dll
[2008/04/11 08:03:48 | 000,091,152 | ---- | M] (Microsoft Corporation) -- C:\install.res.1033.dll
[2008/04/11 08:03:48 | 000,097,296 | ---- | M] (Microsoft Corporation) -- C:\install.res.1036.dll
[2008/04/11 08:03:48 | 000,095,248 | ---- | M] (Microsoft Corporation) -- C:\install.res.1040.dll
[2008/04/11 08:03:48 | 000,081,424 | ---- | M] (Microsoft Corporation) -- C:\install.res.1041.dll
[2008/04/11 08:03:48 | 000,079,888 | ---- | M] (Microsoft Corporation) -- C:\install.res.1042.dll
[2008/04/11 10:09:24 | 000,093,200 | ---- | M] (Microsoft Corporation) -- C:\install.res.1049.dll
[2008/04/11 08:03:48 | 000,075,792 | ---- | M] (Microsoft Corporation) -- C:\install.res.2052.dll
[2008/04/11 08:03:48 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.3082.dll
[2009/08/23 22:42:39 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/01/19 20:58:14 | 000,000,458 | -H-- | M] () -- C:\IPH.PH
[2011/03/18 02:01:35 | 000,089,088 | ---- | M] () -- C:\mbr.exe
[2011/03/18 10:48:31 | 000,000,575 | ---- | M] () -- C:\mbr.log
[2011/03/18 02:05:10 | 000,000,919 | ---- | M] () -- C:\mbr1.log
[2009/08/23 22:42:39 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008/04/14 08:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/04/14 08:00:00 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2011/03/18 21:49:45 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
[2011/03/18 09:55:42 | 000,000,016 | ---- | M] () -- C:\RootRepeal report 03-18-11 (09-55-42).txt
[2011/03/18 09:55:55 | 000,000,030 | ---- | M] () -- C:\RootRepeal report 03-18-11 (09-55-55).txt
[2011/03/18 09:56:02 | 000,000,044 | ---- | M] () -- C:\RootRepeal report 03-18-11 (09-56-02).txt
[2009/11/12 06:56:28 | 000,009,366 | ---- | M] () -- C:\RootRepeal report 11-12-09 (05-56-27).txt
[2009/09/01 09:36:10 | 000,000,001 | ---- | M] () -- C:\Runtime.hta
[2011/03/18 16:44:41 | 000,042,856 | ---- | M] () -- C:\TDSSKiller.2.4.21.0_18.03.2011_16.44.04_log.txt
[2011/03/18 10:41:25 | 000,003,072 | -HS- | M] () -- C:\Thumbs.db
[2008/04/11 10:07:18 | 000,005,686 | ---- | M] () -- C:\vcredist.bmp
[2008/04/11 10:09:38 | 003,797,292 | ---- | M] () -- C:\VC_RED.cab
[2008/04/11 10:11:40 | 000,233,472 | ---- | M] () -- C:\VC_RED.MSI

< %systemroot%\Fonts\*.com >
[2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2009/08/23 22:42:13 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2008/07/06 08:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2007/03/15 15:32:10 | 000,274,944 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpzpp5ha.dll
[2008/07/06 06:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2009/08/23 18:33:19 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/08/23 18:33:19 | 001,089,536 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/08/23 18:33:19 | 000,909,312 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lîk /x >
[2009/08/23 22:42:45 | 000,000,294 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini
[2009/08/23 22:42:45 | 000,001,607 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Set Program Access and Defaults.lnk
[2009/08/23 22:42:45 | 000,000,398 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Windows Catalog.lnk
[2009/08/24 01:50:34 | 000,001,507 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Windows Update.lnk

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %APPDATA%\Mikzosoft\Internet Explorer\Quick Launch\*.lnk /x >

< %USERPROFILE%\Deskuop\*.exe >

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-03-18 08:14:20


< MD5 for: EXPLORER.EXE >
[2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\system32\dllcache\explorer.exe

< MD5 for: EXPLORER.EXE-082F38A9.PF >
[2009/08/24 07:43:26 | 000,073,476 | ---- | M] () MD5=225AFA564C439F7409E325C0470F79D8 -- C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf

< MD5 for: EXPLORER.SCF >
[2008/04/14 08:00:00 | 000,000,080 | ---- | M] () MD5=A3975A7D2C98B30A2AE010754FFB9392 -- C:\WINDOWS\explorer.scf

< MD5 for: IEXPLORE.CHM >
[2008/04/14 08:00:00 | 000,204,810 | ---- | M] () MD5=60858526AAD1CC55F5F0055B8E3B66FE -- C:\WINDOWS\ie7\iexplore.chm
[2006/09/01 08:43:50 | 000,503,758 | ---- | M] () MD5=652E46500C149D1DC948BF9CEA8C4933 -- C:\WINDOWS\Help\iexplore.chm

< MD5 for: IEXPLORE.EXE >
[2009/06/29 03:25:31 | 000,634,632 | ---- | M] (Microsoft Corporation) MD5=02E2754D3E566C11A4934825920C47DD -- C:\WINDOWS\$hf_mig$\KB972260-IE7\SP3QFE\iexplore.exe
[2010/12/20 07:25:27 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=091D358EFC9D22901BD879EF37F0DAC4 -- C:\Program Files\Internet Explorer\iexplore.exe
[2010/12/20 07:25:27 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=091D358EFC9D22901BD879EF37F0DAC4 -- C:\WINDOWS\ERDNT\cache\iexplore.exe
[2010/12/20 07:25:27 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=091D358EFC9D22901BD879EF37F0DAC4 -- C:\WINDOWS\system32\dllcache\iexplore.exe
[2010/06/17 11:12:57 | 000,634,656 | ---- | M] (Microsoft Corporation) MD5=203E897F843D56496E2CC101DFF6CE34 -- C:\WINDOWS\ie7updates\KB2360131-IE7\iexplore.exe
[2009/08/27 01:18:42 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=332EC7562F3AA7364F2D4231C56DA986 -- C:\WINDOWS\$hf_mig$\KB974455-IE7\SP3QFE\iexplore.exe
[2009/06/29 04:35:10 | 000,634,632 | ---- | M] (Microsoft Corporation) MD5=3CFC56F73D494FC1AA2B6E981DF15ACD -- C:\WINDOWS\ie7updates\KB974455-IE7\iexplore.exe
[2009/10/28 02:54:16 | 000,634,632 | ---- | M] (Microsoft Corporation) MD5=4F9B04D546C23A295F3F0AE015BE51DB -- C:\WINDOWS\ie7updates\KB978207-IE7\iexplore.exe
[2009/12/18 09:05:43 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=53C291F3B01EECECBD7FD358EA3ACC94 -- C:\WINDOWS\ie7updates\KB980182-IE7\iexplore.exe
[2008/04/14 08:00:00 | 000,093,184 | ---- | M] (Microsoft Corporation) MD5=55794B97A7FAABD2910873C85274F409 -- C:\WINDOWS\ie7\iexplore.exe
[2010/10/18 07:07:43 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=72D1F43C4146D312B0DB6AB98C21340E -- C:\WINDOWS\ie7updates\KB2482017-IE7\iexplore.exe
[2009/10/28 02:54:21 | 000,634,632 | ---- | M] (Microsoft Corporation) MD5=80675329E0FD54F016C4F8A83C616349 -- C:\WINDOWS\$hf_mig$\KB976325-IE7\SP3QFE\iexplore.exe
[2010/06/17 10:45:15 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=B0BC6DC9C9277250C5C8F7B7A48A02CC -- C:\WINDOWS\$hf_mig$\KB2183461-IE7\SP3QFE\iexplore.exe
[2010/04/16 07:08:29 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=B24A4E23A2FEDB6976EB04D334AD82B2 -- C:\WINDOWS\$hf_mig$\KB982381-IE7\SP3QFE\iexplore.exe
[2010/02/23 01:20:02 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=B5116340B84824DDD0A641E36B126194 -- C:\WINDOWS\ie7updates\KB982381-IE7\iexplore.exe
[2010/12/20 06:49:55 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=B74CBEBA34E3CAA2CCACC87FEE8A16C0 -- C:\WINDOWS\$hf_mig$\KB2482017-IE7\SP3QFE\iexplore.exe
[2010/04/16 07:43:25 | 000,634,656 | ---- | M] (Microsoft Corporation) MD5=C4BA5E36FB57F547117305BF1E0FE454 -- C:\WINDOWS\ie7updates\KB2183461-IE7\iexplore.exe
[2010/02/23 01:19:59 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=C8DDA4028065D5CE39CBE7A156B72AB9 -- C:\WINDOWS\$hf_mig$\KB980182-IE7\SP3QFE\iexplore.exe
[2009/12/18 03:00:27 | 000,634,632 | ---- | M] (Microsoft Corporation) MD5=D19E56D5930C37CF211867DF450C372A -- C:\WINDOWS\$hf_mig$\KB978207-IE7\SP3QFE\iexplore.exe
[2010/10/18 06:36:30 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=DA6E1F0F1932B62DD2F6ED05541C555C -- C:\WINDOWS\$hf_mig$\KB2416400-IE7\SP3QFE\iexplore.exe
[2007/08/13 18:43:56 | 000,622,080 | ---- | M] (Microsoft Corporation) MD5=DE49B348A18369B4626FBA1D49B07FB4 -- C:\WINDOWS\ie7updates\KB972260-IE7\iexplore.exe
[2010/08/25 07:30:33 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=E5412ED9E07C42C20C48D3FF71E6B1E8 -- C:\WINDOWS\ie7updates\KB2416400-IE7\iexplore.exe
[2010/08/25 07:07:58 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=F047BEB9771E45A05F425499A30F9BBA -- C:\WINDOWS\$hf_mig$\KB2360131-IE7\SP3QFE\iexplore.exe
[2009/08/27 01:18:44 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=F232BA9F39BC0F722672C7E79E68EBEA -- C:\WINDOWS\ie7updates\KB976325-IE7\iexplore.exe

< MD5 for: IEXPLORE.EXE.MUI >
[2007/08/13 18:43:36 | 000,573,440 | ---- | M] (Microsoft Corporation) MD5=B58D8A1C7EE0E922EC7D2616DA136FC3 -- C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui

< MD5 for: IEXPLORE.EXE-27122324.PF >
[2009/08/24 06:21:56 | 000,093,172 | ---- | M] () MD5=13D6EC2A1FDC4169F0AA8D0924FEE53E -- C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf

< MD5 for: IEXPLORE.HLP >
[2008/04/14 08:00:00 | 000,180,335 | ---- | M] () MD5=3F19AF1B745140DAFAC6F78F561A3C62 -- C:\WINDOWS\Help\iexplore.hlp

< MD5 for: WINLOGON.EXE >
[2008/04/14 08:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2008/04/14 08:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\dllcache\winlogon.exe
[2008/04/14 08:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< >

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CF778051

< End of report >

oldman960
2011-03-20, 21:39
Hi Jayann,

BitTorrent
You have BitTorrent, a P2P/file sharing program installed on your computer. P2P applications like it are the largest source of malware we see. You'll be doing yourself a favor by removing it. It's not the program itself that is the problem but what can be downloaded with it usually from an unknown source.

References for the risk of these programs can be found in these links:
http://www.microsoft.com/windows/ie/community/columns/protection.mspx

http://www.internetworldstats.com/articles/art053.htm

I would recommend that you uninstall BitTorrent, however that choice is up to you. If you choose to remove this program, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


I see you have used a few tools prior to getting help. I'm now in the position of playing catch-up, so I'll need to see the logs from
TDSSKiller - this can be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt"
aswMBR - I'm not sure where you saved the log to
first run of ComboFix - this will be located in C:\Qoobox and named combofix2.txt



Your java is out of date. Click your start button, open Control panel.
Locate the Java icon (it looks like a coffee cup)
double click it to open it
click the Update tab
Click update now



Next, Double click on OTL.exe
Under the Custom Scans/Fixes box at the bottom, paste in the following
Do Not copy the word CODE
please note the fix starts with the :


:Services

:OTL
[2011/03/17 13:41:35 | 000,150,016 | ---- | M] () -- C:\WINDOWS\System32\null0.15919651749114339.exe
[2011/03/17 13:16:06 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Uyuwevipejid.dat
[2011/03/17 13:16:06 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Xsahofokeyib.bin
[2011/03/17 13:41:40 | 000,057,856 | -H-- | C] () -- C:\WINDOWS\bootetup.dll

:Files
ipconfig /flushdns /c

:Commands
[emptytemp]
[createrestorepoint]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered
Please save the resulting log to be posted in your next reply.
Please post the OTL fix log.


Please post back with
TDSSKiller log
aswMBR log if found
combofix2.txt, attached if necessary
OTL fix log
Please let me know how the computer is.

Thanks

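The Gmer MBR-tool and TDSSKiller output posted further down this thread carries the indicators a responder actually reads: a module in the disk I/O call chain that Gmer cannot attribute to any loaded driver, a hook on atapi's DriverStartIo pointing into that same region (the TDL3 picture, where the rootkit patches atapi.sys and filters disk reads to hide its own sectors), and a "Locked file" entry from TDSSKiller that turns out to be procguard.sys, a legitimate self-protecting HIPS driver. The script below is an added example, not code from Gmer, Kaspersky or either poster. It parses constructed excerpts modelled on the thread's own log lines and pulls those points out; the 64 KB proximity heuristic in hooks_into_unknown is this example's own assumption, not something either tool reports.

```python
"""Pull rootkit indicators out of Gmer MBR-tool and TDSSKiller output.
Added example for this thread, not code from Gmer, Kaspersky or either poster.
SAMPLE_GMER / SAMPLE_TDSS are constructed excerpts modelled on the thread's logs.
"""
import re
from dataclasses import dataclass, field

SAMPLE_GMER = """\
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A5A5439]<<
1 nt!IofCallDriver[0x804E37D5] -> \\Device\\Harddisk0\\DR0[0x8A5BFAB8]
\\Driver\\atapi[0x8A5C4950] -> IRP_MJ_CREATE -> 0x8A5A5439
detected hooks:
\\Driver\\atapi DriverStartIo -> 0x8A5A527F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

SAMPLE_TDSS = """\
2011/03/18 16:44:21.0781 3832 procguard (d05aeb165d0a7b909820debf5102578a) C:\\WINDOWS\\system32\\drivers\\procguard.sys
2011/03/18 16:44:21.0781 3832 Suspicious file (NoAccess): C:\\WINDOWS\\system32\\drivers\\procguard.sys. md5: d05aeb165d0a7b909820debf5102578a
2011/03/18 16:44:21.0781 3832 procguard - detected Locked file (1)
2011/03/18 16:44:26.0296 2968 Detected object count: 1
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
HOOK_RE = re.compile(r"^(\\Driver\\\S+)\s+(\S+)\s+->\s+(0x[0-9A-Fa-f]+)$")
WARN_RE = re.compile(r"^Warning:\s*(.+?)\s*!?\s*$")
SUSP_RE = re.compile(r"Suspicious file \((\w+)\): (.+?)\. md5: ([0-9a-f]{32})")
LOCKED_RE = re.compile(r"\s(\S+) - detected Locked file")
COUNT_RE = re.compile(r"Detected object count: (\d+)")

@dataclass
class GmerFindings:
    unknown: list = field(default_factory=list)  # call-chain addresses with no owning module
    hooks: list = field(default_factory=list)    # (driver, pointer name, target address)
    warning: str = ""                            # Gmer's own verdict line, if any

def parse_gmer(text):
    """Collect unresolved call-chain entries, hooks and the tool's verdict line."""
    f = GmerFindings()
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "detected hooks:":
            in_hooks = True
            continue
        if in_hooks:
            if m := HOOK_RE.match(line):
                f.hooks.append(m.groups())
                continue
            in_hooks = False  # first non-hook line closes the section
        f.unknown.extend(UNKNOWN_RE.findall(line))
        if m := WARN_RE.match(line):
            f.warning = m.group(1)
    return f

def hooks_into_unknown(f, window=0x10000):
    """Heuristic (this example's, not Gmer's): a hook whose target lies within
    `window` bytes of an address Gmer could not attribute to any module is a hook
    into injected code rather than into a legitimate filter driver."""
    unknown = [int(a, 16) for a in f.unknown]
    return [h for h in f.hooks
            if any(abs(int(h[2], 16) - u) < window for u in unknown)]

def parse_tdsskiller(text):
    """Return suspicious/locked entries and TDSSKiller's detected-object count."""
    out = {"suspicious": [], "locked": [], "count": None}
    for line in text.splitlines():
        if m := SUSP_RE.search(line):
            out["suspicious"].append(m.groups())  # (reason, path, md5)
        if m := LOCKED_RE.search(line):
            out["locked"].append(m.group(1))
        if m := COUNT_RE.search(line):
            out["count"] = int(m.group(1))
    return out

def triage(gmer_text, tdss_text):
    """Reduce both logs to the points a responder should act on."""
    notes = []
    g = parse_gmer(gmer_text)
    suspect_hooks = hooks_into_unknown(g)
    for addr in g.unknown:
        notes.append(f"gmer: disk I/O path passes through unresolved code at {addr}")
    for hook in g.hooks:
        tag = " (into unresolved code)" if hook in suspect_hooks else ""
        notes.append(f"gmer: {hook[0]} {hook[1]} hooked -> {hook[2]}{tag}")
    if g.warning:
        notes.append(f"gmer: {g.warning}")
    for reason, path, md5 in parse_tdsskiller(tdss_text)["suspicious"]:
        notes.append(f"tdsskiller: {reason} on {path}; compare md5 {md5} with a clean copy")
    return notes

if __name__ == "__main__":
    for note in triage(SAMPLE_GMER, SAMPLE_TDSS):
        print(note)
```

Run as a script it prints four lines for the sample excerpts. In the Gmer sample the unresolved address and the DriverStartIo hook target are a few hundred bytes apart, which is why the heuristic tags the hook; a hook into a named filter driver would not trip it. The TDSSKiller note deliberately says "compare", not "delete": a NoAccess/Locked result on a known self-protecting driver is expected behaviour, and only a hash mismatch against the vendor's copy would make it a finding.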
Jayann
2011-03-21, 06:49
Hi Oldman!

Not sure if this is helpful, but... I used one program called MBR prior to the clean, which I am posting as well since it was the initial scan that showed the possible rootkit. My understanding is it has the same scan function as aswMBR, which I was able to locate the log for and was run after the combofix cleanup. I was also able to locate the log generated during my initial run of OTL and am posting that as well in case it's helpful. I'm guessing my search must have been case sensitive because I found it while looking for the aswMBR log.

As far as how the PC is running, I have not had any browser redirect activity nor any other "symptoms" since the combofix clean up. Which is why I was VERY surprised that Microsoft Security Essentials cleaned out a virus during its daily scan yesterday. It was not something that appeared in any of the initial full or quick scans, so that leaves me to wonder if there isn't still some suspicious activity going on. It could possibly be a leftover, but I find it hard to believe it was missed 3 times on prior scans. I should also note, click.giftload is still detected by Spybot. The detected item was TrojanSpy:Win32/Ursnif and was located in the null0.15919651749114339.exe file that was in the OTL fix code.


TDSSKiller
2011/03/18 16:44:04.0250 1704 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/03/18 16:44:04.0500 1704 ================================================================================
2011/03/18 16:44:04.0500 1704 SystemInfo:
2011/03/18 16:44:04.0500 1704
2011/03/18 16:44:04.0500 1704 OS Version: 5.1.2600 ServicePack: 3.0
2011/03/18 16:44:04.0500 1704 Product type: Workstation
2011/03/18 16:44:04.0500 1704 ComputerName: JULIE
2011/03/18 16:44:04.0500 1704 UserName: Jayann
2011/03/18 16:44:04.0500 1704 Windows directory: C:\WINDOWS
2011/03/18 16:44:04.0500 1704 System windows directory: C:\WINDOWS
2011/03/18 16:44:04.0500 1704 Processor architecture: Intel x86
2011/03/18 16:44:04.0500 1704 Number of processors: 1
2011/03/18 16:44:04.0500 1704 Page size: 0x1000
2011/03/18 16:44:04.0500 1704 Boot type: Normal boot
2011/03/18 16:44:04.0500 1704 ================================================================================
2011/03/18 16:44:05.0359 1704 Initialize success
2011/03/18 16:44:11.0812 3832 ================================================================================
2011/03/18 16:44:11.0812 3832 Scan started
2011/03/18 16:44:11.0812 3832 Mode: Manual;
2011/03/18 16:44:11.0812 3832 ================================================================================
2011/03/18 16:44:13.0171 3832 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/03/18 16:44:13.0234 3832 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/03/18 16:44:13.0328 3832 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/03/18 16:44:13.0406 3832 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/03/18 16:44:13.0640 3832 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/03/18 16:44:13.0687 3832 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/03/18 16:44:14.0390 3832 ati2mtag (8763ede3e0cd40f5c3450571ac57f205) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/03/18 16:44:14.0578 3832 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/03/18 16:44:14.0640 3832 ATMDLC (7db8f75c18d5bf31ddfba350d70d154d) C:\WINDOWS\system32\DRIVERS\atmdlc.sys
2011/03/18 16:44:14.0734 3832 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/03/18 16:44:14.0781 3832 b57w2k (2acf06176b9d011567d7f25b83ddd066) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2011/03/18 16:44:14.0859 3832 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/03/18 16:44:14.0984 3832 cag (a7bb5db78cbc2c1d6942ce82bbc7137c) C:\Program Files\Common Files\Deterministic Networks\Common Files\cag.sys
2011/03/18 16:44:15.0218 3832 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/03/18 16:44:15.0281 3832 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/03/18 16:44:15.0343 3832 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/03/18 16:44:15.0390 3832 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/03/18 16:44:15.0484 3832 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/03/18 16:44:15.0656 3832 ctsfm2k (8db84de3aab34a8b4c2f644eff41cd76) C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys
2011/03/18 16:44:15.0734 3832 ctxusbm (cb6ff7012bb5d59d7c12350db795ce1f) C:\WINDOWS\system32\DRIVERS\ctxusbm.sys
2011/03/18 16:44:15.0796 3832 ctxva51 (1fb5bb480d5cbcc29b62a64da1f41de8) C:\WINDOWS\system32\DRIVERS\ctxva51.sys
2011/03/18 16:44:15.0859 3832 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
2011/03/18 16:44:16.0000 3832 CVPNDRVA (720482888c3778f26eeb83d286a6cdc3) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
2011/03/18 16:44:16.0093 3832 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/03/18 16:44:16.0171 3832 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/03/18 16:44:16.0296 3832 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/03/18 16:44:16.0328 3832 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/03/18 16:44:16.0390 3832 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/03/18 16:44:16.0468 3832 DNE (b5aa5aa5ac327bd7c1aec0c58f0c1144) C:\WINDOWS\system32\DRIVERS\dne2000.sys
2011/03/18 16:44:16.0531 3832 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/03/18 16:44:16.0593 3832 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/03/18 16:44:16.0640 3832 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/03/18 16:44:16.0687 3832 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/03/18 16:44:16.0734 3832 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/03/18 16:44:16.0828 3832 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/03/18 16:44:16.0875 3832 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/03/18 16:44:16.0968 3832 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/03/18 16:44:17.0031 3832 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/03/18 16:44:17.0093 3832 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/03/18 16:44:17.0187 3832 hamachi (7929a161f9951d173ca9900fe7067391) C:\WINDOWS\system32\DRIVERS\hamachi.sys
2011/03/18 16:44:17.0281 3832 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/03/18 16:44:17.0375 3832 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/03/18 16:44:17.0421 3832 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/03/18 16:44:17.0484 3832 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/03/18 16:44:17.0546 3832 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/03/18 16:44:17.0718 3832 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/03/18 16:44:17.0781 3832 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/03/18 16:44:17.0906 3832 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/03/18 16:44:18.0000 3832 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/03/18 16:44:18.0046 3832 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/03/18 16:44:18.0125 3832 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/03/18 16:44:18.0140 3832 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/03/18 16:44:18.0203 3832 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/03/18 16:44:18.0296 3832 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/03/18 16:44:18.0343 3832 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/03/18 16:44:18.0421 3832 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/03/18 16:44:18.0468 3832 kbdcap (d96ad2e7e91b994f81779144f56bed73) C:\WINDOWS\system32\drivers\kbdcap.sys
2011/03/18 16:44:18.0531 3832 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/03/18 16:44:18.0562 3832 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/03/18 16:44:18.0625 3832 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/03/18 16:44:18.0750 3832 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/03/18 16:44:18.0828 3832 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/03/18 16:44:18.0890 3832 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/03/18 16:44:18.0921 3832 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/03/18 16:44:18.0968 3832 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/03/18 16:44:19.0015 3832 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/03/18 16:44:19.0062 3832 MpFilter (7e34bfa1a7b60bba1da03d677f16cd63) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
2011/03/18 16:44:19.0265 3832 MpKsla2db0d4e (5f53edfead46fa7adb78eee9ecce8fdf) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8F18629C-4889-4BB1-8F93-A9523FFCC814}\MpKsla2db0d4e.sys
2011/03/18 16:44:19.0375 3832 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/03/18 16:44:19.0515 3832 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/03/18 16:44:19.0625 3832 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/03/18 16:44:19.0703 3832 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/03/18 16:44:19.0718 3832 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/03/18 16:44:19.0734 3832 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/03/18 16:44:19.0843 3832 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/03/18 16:44:19.0921 3832 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/03/18 16:44:19.0968 3832 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/03/18 16:44:20.0031 3832 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/03/18 16:44:20.0109 3832 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/03/18 16:44:20.0156 3832 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/03/18 16:44:20.0218 3832 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/03/18 16:44:20.0250 3832 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/03/18 16:44:20.0265 3832 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/03/18 16:44:20.0328 3832 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/03/18 16:44:20.0390 3832 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/03/18 16:44:20.0468 3832 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/03/18 16:44:20.0578 3832 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/03/18 16:44:20.0687 3832 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/03/18 16:44:20.0765 3832 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/03/18 16:44:20.0812 3832 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/03/18 16:44:20.0859 3832 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/03/18 16:44:20.0937 3832 ossrv (103a9b117a7d9903111955cdafe65ac6) C:\WINDOWS\system32\DRIVERS\ctoss2k.sys
2011/03/18 16:44:21.0031 3832 P17 (1db419cb76493f6292ccfbdc3466f5ff) C:\WINDOWS\system32\drivers\P17.sys
2011/03/18 16:44:21.0187 3832 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/03/18 16:44:21.0203 3832 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/03/18 16:44:21.0265 3832 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/03/18 16:44:21.0359 3832 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/03/18 16:44:21.0437 3832 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/03/18 16:44:21.0484 3832 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/03/18 16:44:21.0671 3832 Point32 (60a044879c4fa76314494f5fddc43b93) C:\WINDOWS\system32\DRIVERS\point32.sys
2011/03/18 16:44:21.0734 3832 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/03/18 16:44:21.0781 3832 procguard (d05aeb165d0a7b909820debf5102578a) C:\WINDOWS\system32\drivers\procguard.sys
2011/03/18 16:44:21.0781 3832 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\procguard.sys. md5: d05aeb165d0a7b909820debf5102578a
2011/03/18 16:44:21.0781 3832 procguard - detected Locked file (1)
2011/03/18 16:44:21.0812 3832 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/03/18 16:44:21.0843 3832 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/03/18 16:44:21.0859 3832 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/03/18 16:44:22.0000 3832 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/03/18 16:44:22.0046 3832 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/03/18 16:44:22.0078 3832 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/03/18 16:44:22.0125 3832 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/03/18 16:44:22.0187 3832 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/03/18 16:44:22.0234 3832 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/03/18 16:44:22.0281 3832 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/03/18 16:44:22.0359 3832 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/03/18 16:44:22.0437 3832 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/03/18 16:44:22.0546 3832 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/03/18 16:44:22.0703 3832 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
2011/03/18 16:44:22.0859 3832 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/03/18 16:44:22.0921 3832 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/03/18 16:44:23.0000 3832 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/03/18 16:44:23.0109 3832 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/03/18 16:44:23.0187 3832 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys
2011/03/18 16:44:23.0296 3832 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/03/18 16:44:23.0390 3832 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/03/18 16:44:23.0453 3832 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/03/18 16:44:23.0531 3832 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/03/18 16:44:23.0609 3832 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/03/18 16:44:23.0640 3832 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/03/18 16:44:23.0859 3832 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/03/18 16:44:23.0968 3832 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/03/18 16:44:24.0015 3832 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/03/18 16:44:24.0046 3832 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/03/18 16:44:24.0093 3832 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/03/18 16:44:24.0187 3832 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/03/18 16:44:24.0281 3832 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/03/18 16:44:24.0390 3832 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/03/18 16:44:24.0468 3832 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/03/18 16:44:24.0531 3832 usbbus (d9f3bb7c292f194f3b053ce295754eb8) C:\WINDOWS\system32\DRIVERS\lgusbbus.sys
2011/03/18 16:44:24.0625 3832 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/03/18 16:44:24.0687 3832 UsbDiag (c4f77da649f99fad116ea585376fc164) C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys
2011/03/18 16:44:24.0765 3832 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/03/18 16:44:24.0796 3832 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/03/18 16:44:24.0843 3832 USBModem (c0613ce45e617bc671de8ebb1b30d175) C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
2011/03/18 16:44:24.0890 3832 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/03/18 16:44:24.0937 3832 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/03/18 16:44:25.0000 3832 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/03/18 16:44:25.0062 3832 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/03/18 16:44:25.0140 3832 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
2011/03/18 16:44:25.0203 3832 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/03/18 16:44:25.0281 3832 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/03/18 16:44:25.0343 3832 vsdatant (0354ba3a5ba5e28cc247eb5f5dd8793c) C:\WINDOWS\system32\vsdatant.sys
2011/03/18 16:44:25.0437 3832 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/03/18 16:44:25.0531 3832 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
2011/03/18 16:44:25.0640 3832 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/03/18 16:44:25.0703 3832 WinUSB (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.sys
2011/03/18 16:44:25.0796 3832 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/03/18 16:44:25.0859 3832 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/03/18 16:44:25.0937 3832 WudfPf (eaa6324f51214d2f6718977ec9ce0def) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/03/18 16:44:26.0000 3832 WudfRd (f91ff1e51fca30b3c3981db7d5924252) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/03/18 16:44:26.0078 3832 zumbus (9b2c9d322e3fbb1814d7c17a980c1286) C:\WINDOWS\system32\DRIVERS\zumbus.sys
2011/03/18 16:44:26.0265 3832 ================================================================================
2011/03/18 16:44:26.0265 3832 Scan finished
2011/03/18 16:44:26.0265 3832 ================================================================================
2011/03/18 16:44:26.0296 2968 Detected object count: 1
2011/03/18 16:44:36.0500 2968 Locked file(procguard) - User select action: Skip
2011/03/18 16:44:41.0046 0780 Deinitialize success


aswMBR
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-18 10:54:53
-----------------------------
10:54:53.234 OS Version: Windows 5.1.2600 Service Pack 3
10:54:53.234 Number of processors: 1 586 0x304
10:54:53.234 ComputerName: JULIE UserName:
10:55:03.515 Initialize success
10:55:05.484 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
10:55:05.484 Disk 0 Vendor: WDC_WD2500JD-75HBB0 08.02D08 Size: 238418MB BusType: 3
10:55:07.531 Disk 0 MBR read successfully
10:55:07.531 Disk 0 MBR scan
10:55:09.578 Disk 0 scanning sectors +488263545
10:55:09.656 Disk 0 scanning C:\WINDOWS\system32\drivers
10:55:21.187 Service scanning
10:55:23.203 Disk 0 trace - called modules:
10:55:23.250 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
10:55:23.250 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a5e3ab8]
10:55:23.250 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a641d98]
10:55:23.250 Scan finished successfully


OTL Fix
All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
File C:\WINDOWS\System32\null0.15919651749114339.exe not found.
C:\WINDOWS\Uyuwevipejid.dat moved successfully.
C:\WINDOWS\Xsahofokeyib.bin moved successfully.
C:\WINDOWS\bootetup.dll moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Jayann\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Jayann\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 41044 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56502 bytes

User: Jayann
->Temp folder emptied: 62485708 bytes
->Temporary Internet Files folder emptied: 50536628 bytes
->Java cache emptied: 86788798 bytes
->FireFox cache emptied: 205656114 bytes
->Flash cache emptied: 8776 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 9435 bytes
->Flash cache emptied: 1673 bytes

User: My Documents

User: NetworkService
->Temp folder emptied: 16462 bytes
->Temporary Internet Files folder emptied: 33237 bytes
->Java cache emptied: 9435 bytes
->Flash cache emptied: 14558 bytes

User: NO Install&Download
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes
->Java cache emptied: 931118 bytes
->FireFox cache emptied: 105925020 bytes
->Flash cache emptied: 15866929 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 4290361 bytes
%systemroot%\System32 .tmp files removed: 102417 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 118733 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 3852574722 bytes

Total Files Cleaned = 4,182.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.22.3 log created on 03212011_000850

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Jayann\Local Settings\Temp\fla37B.tmp not found!
File\Folder C:\Documents and Settings\Jayann\Local Settings\Temp\fla37C.tmp not found!
File\Folder C:\Documents and Settings\Jayann\Local Settings\Temp\fla38A.tmp not found!
File\Folder C:\Documents and Settings\Jayann\Local Settings\Temp\~DF1852.tmp not found!
File\Folder C:\Documents and Settings\Jayann\Local Settings\Temp\~DF185F.tmp not found!
C:\Documents and Settings\Jayann\Local Settings\Temporary Internet Files\Content.IE5\W2RH3O16\mail[1].htm moved successfully.
C:\Documents and Settings\Jayann\Local Settings\Temporary Internet Files\Content.IE5\W2RH3O16\mail[2].htm moved successfully.
C:\Documents and Settings\Jayann\Local Settings\Temporary Internet Files\Content.IE5\W2RH3O16\mail[3].htm moved successfully.
C:\Documents and Settings\Jayann\Local Settings\Temporary Internet Files\Content.IE5\W2RH3O16\mail[5].htm moved successfully.
File\Folder C:\Documents and Settings\Jayann\Local Settings\Temporary Internet Files\Content.IE5\W2RH3O16\sandbox[1].htm not found!
File\Folder C:\Documents and Settings\Jayann\Local Settings\Temporary Internet Files\Content.IE5\W2RH3O16\xd_proxy[1].htm not found!
File\Folder C:\Documents and Settings\Jayann\Local Settings\Temporary Internet Files\Content.IE5\OHULCD29\getAds[1].htm not found!
File\Folder C:\Documents and Settings\Jayann\Local Settings\Temporary Internet Files\Content.IE5\OHULCD29\likeCAMGWB70.htm not found!
File\Folder C:\Documents and Settings\Jayann\Local Settings\Temporary Internet Files\Content.IE5\OHULCD29\likeCAYSNAG4.htm not found!
File\Folder C:\Documents and Settings\Jayann\Local Settings\Temporary Internet Files\Content.IE5\OHULCD29\like[10].htm not found!
File\Folder C:\Documents and Settings\Jayann\Local Settings\Temporary Internet Files\Content.IE5\OHULCD29\like[11].htm not found!
File\Folder C:\Documents and Settings\Jayann\Local Settings\Temporary Internet Files\Content.IE5\OHULCD29\like[1].htm not found!
File\Folder C:\Documents and Settings\Jayann\Local Settings\Temporary Internet Files\Content.IE5\OHULCD29\like[2].htm not found!
File\Folder C:\Documents and Settings\Jayann\Local Settings\Temporary Internet Files\Content.IE5\OHULCD29\like[3].htm not found!
File\Folder C:\Documents and Settings\Jayann\Local Settings\Temporary Internet Files\Content.IE5\OHULCD29\like[4].htm not found!
File\Folder C:\Documents and Settings\Jayann\Local Settings\Temporary Internet Files\Content.IE5\OHULCD29\like[5].htm not found!
File\Folder C:\Documents and Settings\Jayann\Local Settings\Temporary Internet Files\Content.IE5\OHULCD29\like[6].htm not found!
File\Folder C:\Documents and Settings\Jayann\Local Settings\Temporary Internet Files\Content.IE5\OHULCD29\like[7].htm not found!
File\Folder C:\Documents and Settings\Jayann\Local Settings\Temporary Internet Files\Content.IE5\OHULCD29\like[8].htm not found!
File\Folder C:\Documents and Settings\Jayann\Local Settings\Temporary Internet Files\Content.IE5\OHULCD29\like[9].htm not found!
File\Folder C:\Documents and Settings\Jayann\Local Settings\Temporary Internet Files\Content.IE5\OHULCD29\mBu1j7LUUac[1].htm not found!
File\Folder C:\Documents and Settings\Jayann\Local Settings\Temporary Internet Files\Content.IE5\OHULCD29\showthread[2].htm not found!
File\Folder C:\Documents and Settings\Jayann\Local Settings\Temporary Internet Files\Content.IE5\FRWUIVNO\getAds[1].htm not found!
File\Folder C:\Documents and Settings\Jayann\Local Settings\Temporary Internet Files\Content.IE5\FRWUIVNO\iframe_v89_cim_10_3_13[1].htm not found!
File\Folder C:\Documents and Settings\Jayann\Local Settings\Temporary Internet Files\Content.IE5\FRWUIVNO\watch[1].htm not found!
File\Folder C:\Documents and Settings\Jayann\Local Settings\Temporary Internet Files\Content.IE5\FRWUIVNO\watch[2].htm not found!
File\Folder C:\Documents and Settings\Jayann\Local Settings\Temporary Internet Files\Content.IE5\FRWUIVNO\xd_proxy[1].htm not found!
File\Folder C:\Documents and Settings\Jayann\Local Settings\Temporary Internet Files\Content.IE5\9ZOBWJVP\deliver2[1].htm not found!
File\Folder C:\Documents and Settings\Jayann\Local Settings\Temporary Internet Files\Content.IE5\9ZOBWJVP\queue[1].htm not found!
File\Folder C:\Documents and Settings\Jayann\Local Settings\Temporary Internet Files\Content.IE5\9ZOBWJVP\results[1].htm not found!
C:\Documents and Settings\Jayann\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.

Registry entries deleted on Reboot...


MBR by Gmer
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500JD-75HBB0 rev.08.02D08 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A5A5439]<<
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8A5BFAB8]
3 CLASSPNP[0xF7647FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x8A5D2A68]
\Driver\atapi[0x8A5C4950] -> IRP_MJ_CREATE -> 0x8A5A5439
kernel: MBR read successfully
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD2500JD-75HBB0_____________________08.02D08#4457572d414d374c383139323436_038_0_0_0_0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A5A527F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !


OTL Extras
OTL Extras logfile created on: 3/18/2011 4:45:59 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Jayann\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 45.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 74.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.82 Gb Total Space | 64.00 Gb Free Space | 27.49% Space Free | Partition Type: NTFS
Drive D: | 534.43 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 5.90 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: JULIE | User Name: Jayann | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-1960408961-1078145449-1801674531-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Citrix\Secure Access Client\nsepa.exe" = C:\Program Files\Citrix\Secure Access Client\nsepa.exe:*:Enabled:Citrix Access Gateway Endpoint Analysis -- (Citrix Systems, Inc)
"C:\Program Files\Citrix\Secure Access Client\nsload.exe" = C:\Program Files\Citrix\Secure Access Client\nsload.exe:*:Enabled:Citrix Access Gateway Plug-in -- (Citrix Systems, Inc)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0076E1AC-9E7B-4B9F-A62A-4CC9511AD8E3}" = Zune Language Pack (FR)
"{00F93853-D9D3-4795-A89E-84CCBA0205C9}" = Microsoft IntelliPoint 8.0
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{0BCA9EFD-F2D6-4638-B053-8693BA0404BE}" = Citrix online plug-in (Web)
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{19BFDA5D-1FE2-4F25-97F9-1A79DD04EE20}" = Microsoft XNA Framework Redistributable 3.1
"{1B343C8C-F170-4829-8481-E163317C5830}" = iTunes
"{1EA23C78-FC08-475A-B42F-FEB21E88943B}" = Citrix Access Gateway Plug-in
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java(TM) 6 Update 17
"{2DC94AFD-A6E2-4AB4-9132-4A3F8E07B386}" = Apple Application Support
"{2E086814-7392-4E0F-ADB8-54A81E47406C}" = Broadcom Advanced Control Suite 2
"{2F28B3C9-2C89-4206-8B33-8ADC9577C49B}" = Scan
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3E8DD348-4174-4fe8-8FDC-238AAFBD2488}" = HP Photosmart All-In-One Driver Software 9.0.A Corporate Edition
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}" = Cisco Systems VPN Client 5.0.04.0300
"{55392E52-1AAD-44C4-BE49-258FFE72434F}" = Citrix online plug-in (USB)
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5DA8F6CD-C70E-39D8-8430-3D9808D6BD17}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
"{68872E18-36DC-4BAC-8A17-8755E1CC8896}" = Learn.com WebRoomViewer
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{774088D4-0777-4D78-904D-E435B318F5D2}" = Microsoft Antimalware
"{77A776C4-D10F-416D-88F0-53F2D9DCD9B3}" = Microsoft Security Client
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{812424AC-A8B5-44E6-8D48-07E939D1AD9A}" = Citrix online plug-in (HDX)
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{888FFC82-688D-46AB-A776-B417885432B6}" = Zune
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8AB8D458-939E-403F-0097-9BA1C1F013D5}" = The Sims 2
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8C268131-98C2-4D12-8F10-5A8C33517372}" = Attachmate EXTRA! X-treme 8
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A03848C5-77D2-457a-8404-A1D5A769C87F}" = ps_aio_02_corporate
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.2
"{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom Gigabit Integrated Controller
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C3ABE126-2BB2-4246-BFE1-6797679B3579}" = LG USB Modem driver
"{C3C9EB3D-24FA-4462-B784-0EC6AAFCD2DD}" = Fable - The Lost Chapters
"{C3F24528-7D7A-4515-B757-205C87B3DB6D}_is1" = VIPdesk IM 3.5
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{CACAEB5F-174D-4C7C-AC56-A33289A807CA}" = Apple Mobile Device Support
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF53CF7C-D996-43EB-9904-DBED57C25625}" = Citrix online plug-in (DV)
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = Auslogics Disk Defrag
"{E9C18EBD-85BE-47D0-AA73-3FEDCC976B04}" = Toolbox
"{EAEFE1C0-EB56-8963-9EC5-A0EB5FBA358D}" = TweetDeck
"{EB731227-8AC5-4889-ACE9-7D87864A9F19}" = Logitech GamePanel Software 3.02.173
"{EE4ACABF-531E-419A-9225-B8E0FA4955AF}" = Zune Language Pack (ES)
"{EF0D2E55-6FE2-4e35-BE22-A742E85D84E3}" = PS_AIO_02_Software_min
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F5236011-C8FB-4F06-BFF7-E1A30D33BCAF}" = Interaction Center User Applications
"{F843C6A3-224D-4615-94F8-3C461BD9AEA0}" = Jasc Paint Shop Pro 9
"ActiveTouchMeetingClient" = WebEx
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AIM_7" = AIM 7
"ATI Display Driver" = ATI Display Driver
"CCleaner" = CCleaner (remove only)
"CitrixOnlinePluginPackWeb" = Citrix online plug-in - web
"CrossLoop_is1" = CrossLoop 2.44
"Device Control" = Device Control
"DiamondCS ProcessGuard_is1" = DiamondCS ProcessGuard v3.150
"Digital Editions" = Adobe Digital Editions
"EAX" = Creative EAX Console
"ENTERPRISE" = Microsoft Office Enterprise 2007
"HijackThis" = HijackThis 2.0.2
"hon" = Heroes of Newerth
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{2E086814-7392-4E0F-ADB8-54A81E47406C}" = Broadcom Advanced Control Suite 2
"InstallShield_{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom Gigabit Integrated Controller
"InstallShield_{C3C9EB3D-24FA-4462-B784-0EC6AAFCD2DD}" = Fable - The Lost Chapters
"kSolo" = kSolo Recorder
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Client" = Microsoft Security Essentials
"Mozilla Firefox (3.6.15)" = Mozilla Firefox (3.6.15)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MultiMon TaskBar_is1" = MultiMon TaskBar 2.1
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OJOsoft Total Video Converter2.5.1.1121" = OJOsoft Total Video Converter
"Revo Uninstaller" = Revo Uninstaller 1.89
"SPEAKER" = Creative Speaker Settings
"Steam App 10" = Counter-Strike
"Steam App 10180" = Call of Duty: Modern Warfare 2
"Steam App 10190" = Call of Duty: Modern Warfare 2 - Multiplayer
"Steam App 12900" = Audiosurf
"Steam App 240" = Counter-Strike: Source
"Steam App 26900" = Crayon Physics Deluxe
"Steam App 400" = Portal
"Steam App 440" = Team Fortress 2
"Steam App 73050" = Magicka - Demo
"TagScanner_is1" = TagScanner 5.1 build 551
"TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1" = TweetDeck
"VLC media player" = VLC media player 1.1.0
"Warkeys" = Warkeys 1.14.1.0b
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver
"winusb0100" = Microsoft WinUsb 1.0
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"World of Warcraft" = World of Warcraft
"Wudf01009" = Microsoft User-Mode Driver Framework Feature Pack 1.9
"Zune" = Zune

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1960408961-1078145449-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent" = BitTorrent
"d06fdace4f64c131" = RightNow
"Warcraft III" = Warcraft III: All Products
"WinDirStat" = WinDirStat 1.1.2

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/18/2011 12:24:01 PM | Computer Name = JULIE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/18/2011 12:24:01 PM | Computer Name = JULIE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/18/2011 1:55:25 PM | Computer Name = JULIE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/18/2011 1:55:25 PM | Computer Name = JULIE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/18/2011 2:20:01 PM | Computer Name = JULIE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/18/2011 2:20:01 PM | Computer Name = JULIE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/18/2011 3:27:25 PM | Computer Name = JULIE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/18/2011 3:27:25 PM | Computer Name = JULIE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/18/2011 4:03:01 PM | Computer Name = JULIE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/18/2011 4:03:01 PM | Computer Name = JULIE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

[ OSession Events ]
Error - 3/29/2010 11:29:19 AM | Computer Name = JULIE | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 346
seconds with 180 seconds of active time. This session ended with a crash.

Error - 10/29/2010 12:45:07 PM | Computer Name = JULIE | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2637
seconds with 60 seconds of active time. This session ended with a crash.

Error - 11/10/2010 12:49:10 AM | Computer Name = JULIE | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 42323
seconds with 420 seconds of active time. This session ended with a crash.

Error - 11/16/2010 12:32:01 PM | Computer Name = JULIE | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 85642
seconds with 60 seconds of active time. This session ended with a crash.

Error - 12/2/2010 11:20:27 AM | Computer Name = JULIE | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 83350
seconds with 60 seconds of active time. This session ended with a crash.

Error - 1/11/2011 11:33:57 AM | Computer Name = JULIE | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 5951
seconds with 60 seconds of active time. This session ended with a crash.

Error - 3/7/2011 4:07:08 PM | Computer Name = JULIE | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 18648
seconds with 1020 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 3/18/2011 9:48:59 AM | Computer Name = JULIE | Source = DCOM | ID = 10005
Description = DCOM got error "%6" attempting to start the service iPod Service with
arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}

Error - 3/18/2011 9:48:59 AM | Computer Name = JULIE | Source = Service Control Manager | ID = 7000
Description = The iPod Service service failed to start due to the following error:
%%6

Error - 3/18/2011 9:50:40 AM | Computer Name = JULIE | Source = Service Control Manager | ID = 7034
Description = The Citrix Secure Access Client Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 3/18/2011 9:50:43 AM | Computer Name = JULIE | Source = Service Control Manager | ID = 7034
Description = The ININ Tracing Initialization service terminated unexpectedly.
It has done this 1 time(s).

Error - 3/18/2011 9:50:46 AM | Computer Name = JULIE | Source = Service Control Manager | ID = 7034
Description = The ININ QoS Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 3/18/2011 9:50:50 AM | Computer Name = JULIE | Source = Service Control Manager | ID = 7034
Description = The Cisco Systems, Inc. VPN Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 3/18/2011 10:08:33 AM | Computer Name = JULIE | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1058

Error - 3/18/2011 10:08:33 AM | Computer Name = JULIE | Source = Service Control Manager | ID = 7000
Description = The MCSTRM service failed to start due to the following error: %%2

Error - 3/18/2011 10:34:16 AM | Computer Name = JULIE | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1058

Error - 3/18/2011 10:34:16 AM | Computer Name = JULIE | Source = Service Control Manager | ID = 7000
Description = The MCSTRM service failed to start due to the following error: %%2


< End of report >

Jayann
2011-03-21, 06:51
Original ComboFix
ComboFix 09-11-11.02 - Jayann 11/12/2009 4:40.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1597 [GMT -5:00]
Running from: c:\documents and settings\Jayann\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Data
c:\windows\system32\drivers\etc\lmhosts

.
((((((((((((((((((((((((( Files Created from 2009-10-12 to 2009-11-12 )))))))))))))))))))))))))))))))
.

2009-11-11 06:00 . 2009-11-11 06:00 -------- d-----w- c:\program files\Recorder2
2009-11-11 05:58 . 2009-11-11 06:00 249856 ------w- c:\windows\Setup1.exe
2009-11-11 05:58 . 2009-11-11 06:00 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-11-11 05:58 . 2009-11-11 05:58 -------- d-----w- c:\documents and settings\Jayann\Application Data\Grasssoft
2009-11-11 05:57 . 2009-11-11 22:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Grasssoft
2009-11-11 05:57 . 2009-11-11 22:08 -------- d-----w- c:\program files\GrassSoft
2009-11-11 05:57 . 2009-11-11 05:57 109440 ----a-w- c:\windows\system32\drivers\KbdCap.sys
2009-11-11 05:37 . 2009-11-11 05:37 -------- d-----w- c:\program files\Workspace Macro 4.6
2009-11-05 04:49 . 2009-11-05 04:49 152576 ----a-w- c:\documents and settings\Jayann\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-03 08:13 . 2009-11-03 08:13 -------- d-----w- C:\ad02e3245d93f28dcc1e2195082e
2009-11-02 11:41 . 2009-11-02 11:42 -------- d-----w- C:\6061ee9b1b81b616f7
2009-11-02 09:32 . 2009-11-11 22:20 89996 ----a-w- C:\cc.reg
2009-11-02 07:40 . 2009-11-02 09:34 -------- d-----w- c:\documents and settings\All Users\Application Data\RFA_Backups
2009-11-02 07:40 . 2009-11-02 07:40 -------- d-----w- c:\program files\RFA
2009-11-01 12:52 . 2009-11-01 13:37 -------- d-----w- c:\program files\TidySongs
2009-11-01 11:59 . 2009-11-01 12:00 -------- d-----w- C:\3db177b542c0867498b141321c39
2009-10-31 11:07 . 2009-10-31 11:08 -------- d-----w- C:\51742aa631b76987d696
2009-10-29 14:11 . 2009-10-29 14:11 -------- d-----w- C:\711f0e38e914229928aa
2009-10-28 05:06 . 2009-10-28 05:07 -------- d-----w- C:\123414428ee70671c2bb96
2009-10-21 13:54 . 2009-10-21 13:54 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2009-10-16 00:41 . 2008-04-14 04:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2009-10-16 00:41 . 2008-04-14 04:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2009-10-16 00:38 . 2009-11-01 10:46 -------- d-----w- c:\documents and settings\Jayann\Application Data\Skype
2009-10-16 00:38 . 2009-10-16 00:38 -------- d-----w- c:\program files\Common Files\Skype
2009-10-16 00:38 . 2009-10-16 00:38 -------- d-----r- c:\program files\Skype
2009-10-15 03:27 . 2009-10-15 03:27 41184 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-14 02:43 . 2009-10-14 02:43 -------- d-----w- c:\program files\TagScanner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-12 06:11 . 2009-08-24 06:50 308 ----a-w- c:\windows\system32\pguard.dat
2009-11-12 06:10 . 2009-08-24 06:50 65704 ----a-w- c:\windows\system32\pghash.dat
2009-11-11 00:39 . 2009-08-24 06:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-07 22:21 . 2009-09-26 04:55 -------- d-----w- c:\program files\Heroes of Newerth
2009-11-06 00:33 . 2009-08-27 20:06 -------- d-----w- c:\documents and settings\Jayann\Application Data\BitTorrent
2009-11-04 00:24 . 2009-08-24 04:57 -------- d-----w- c:\documents and settings\Jayann\Application Data\U3
2009-11-03 01:42 . 2009-10-03 18:30 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-02 09:07 . 2009-09-01 00:04 152576 ----a-w- c:\documents and settings\Jayann\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-11-02 08:39 . 2009-09-01 00:04 -------- d-----w- c:\program files\Java
2009-11-02 08:08 . 2009-08-24 17:48 49384 ----a-w- c:\documents and settings\NO Install&Download\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-02 07:41 . 2009-08-24 07:13 -------- d-----w- c:\program files\VS Revo Group
2009-11-01 12:51 . 2009-08-25 16:40 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-01 12:50 . 2009-08-25 16:40 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-01 11:43 . 2009-08-24 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-01 04:05 . 2009-09-13 22:37 -------- d-----w- c:\documents and settings\Jayann\Application Data\skypePM
2009-10-31 06:48 . 2009-08-24 07:48 -------- d-----w- c:\program files\Warcraft III
2009-10-29 22:02 . 2009-08-24 06:28 -------- d-----w- c:\program files\CrossLoop
2009-10-25 19:15 . 2009-08-24 09:18 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-10-21 02:27 . 2009-08-25 18:26 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-20 13:56 . 2009-08-24 05:47 49384 ----a-w- c:\documents and settings\Jayann\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-19 20:46 . 2009-08-24 05:46 -------- d-----w- c:\program files\AVG
2009-10-19 20:09 . 2009-08-24 06:18 -------- d-----w- c:\program files\Microsoft Works
2009-10-16 00:38 . 2009-09-13 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-09 05:06 . 2009-08-24 05:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-07 19:32 . 2009-08-24 07:53 299492 ----a-w- c:\windows\War3Unin.dat
2009-10-07 06:24 . 2009-10-07 06:24 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-10-07 05:46 . 2009-09-21 22:24 -------- d-----w- c:\program files\Windows Desktop Search
2009-10-07 05:45 . 2009-08-24 05:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-07 04:58 . 2009-09-01 02:00 -------- d-----w- c:\program files\Auslogics
2009-10-07 03:29 . 2009-09-21 22:33 -------- d-----w- c:\documents and settings\Jayann\Application Data\Download Manager
2009-10-07 00:10 . 2009-09-15 05:31 -------- d-----w- c:\program files\V CAST Music with Rhapsody
2009-10-06 17:47 . 2009-09-01 02:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-06 17:46 . 2009-09-01 00:05 -------- d-----w- c:\documents and settings\Jayann\Application Data\Juniper Networks
2009-10-06 17:40 . 2009-09-21 15:40 -------- d-----w- c:\program files\Google
2009-10-03 18:28 . 2009-10-03 18:27 -------- d-----w- c:\program files\Microsoft Security Essentials
2009-10-01 02:04 . 2009-10-01 02:04 -------- d-----w- c:\program files\TweetDeck
2009-09-28 08:43 . 2009-09-28 08:43 -------- d-----w- c:\documents and settings\Jayann\Application Data\Windows Search
2009-09-27 19:53 . 2009-09-27 19:53 -------- d-----w- c:\program files\CCleaner
2009-09-27 09:34 . 2009-09-27 09:34 -------- d-----w- c:\documents and settings\Jayann\Application Data\LolClient.F24C99354F615F3BAB18AE7B93E3F9B9E8784FA6.1
2009-09-26 04:48 . 2009-09-01 15:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Juniper Networks
2009-09-25 22:04 . 2009-09-01 22:48 81920 ----a-w- c:\documents and settings\Jayann\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\connectaddin\connecthook.dll
2009-09-25 22:04 . 2009-09-01 22:48 190976 ----a-w- c:\documents and settings\Jayann\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\connectaddin\connectsprd.dll
2009-09-25 10:00 . 2009-08-24 05:00 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-21 15:46 . 2009-09-21 15:46 -------- d-----w- c:\program files\Microsoft.NET
2009-09-21 15:37 . 2009-09-21 15:37 -------- d-----w- c:\program files\BitPim
2009-09-21 15:34 . 2009-09-21 15:34 -------- d-----w- c:\documents and settings\Jayann\Application Data\tidysongs15.27F6A35B76E5883BF9E6FEE514586561E60595CA.1
2009-09-16 13:39 . 2009-09-16 12:08 -------- d-----w- c:\documents and settings\Jayann\Application Data\ICAClient
2009-09-16 12:23 . 2009-09-16 12:23 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-09-15 12:12 . 2009-09-15 12:12 -------- d-----w- c:\program files\Windows Media Connect 2
2009-09-15 06:14 . 2009-09-15 06:14 -------- d-----w- c:\program files\LG Electronics
2009-09-15 05:35 . 2009-09-15 05:34 -------- d-----w- c:\program files\Common Files\Real
2009-09-15 02:28 . 2009-09-15 02:27 -------- d-----w- c:\documents and settings\Jayann\Application Data\Apple Computer
2009-09-15 02:26 . 2009-09-15 02:26 -------- d-----w- c:\program files\iTunes
2009-09-15 02:26 . 2009-09-15 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-15 02:26 . 2009-09-15 02:26 -------- d-----w- c:\program files\iPod
2009-09-15 02:26 . 2009-09-15 02:22 -------- d-----w- c:\program files\Common Files\Apple
2009-09-15 02:26 . 2009-09-15 02:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-09-15 02:24 . 2009-09-15 02:24 -------- d-----w- c:\program files\QuickTime
2009-09-15 02:23 . 2009-09-15 02:23 -------- d-----w- c:\program files\Apple Software Update
2009-09-15 02:22 . 2009-09-15 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-09-13 23:43 . 2009-09-13 23:42 -------- d-----w- c:\program files\Common Files\Jasc Software Inc
2009-09-13 23:42 . 2009-08-24 04:59 -------- d-----w- c:\program files\Common Files\InstallShield
2009-09-13 23:42 . 2009-09-13 23:42 -------- d-----w- c:\program files\Jasc Software Inc
2009-09-13 23:42 . 2009-09-13 23:42 -------- d-----w- c:\documents and settings\Jayann\Application Data\Jasc Software Inc
2009-09-13 22:37 . 2009-09-13 22:37 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-09-11 14:18 . 2008-04-14 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 03:19 . 2009-09-10 03:19 667914 ----a-w- c:\windows\unins000.exe
2009-09-09 01:43 . 2009-09-09 01:43 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe
2009-09-04 21:03 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 15:11 . 2009-09-01 15:11 33220 ----a-w- c:\documents and settings\Jayann\Application Data\Juniper Networks\Setup\uninstall.exe
2009-08-29 07:36 . 2008-04-14 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2009-08-24 07:54 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-28 23:42 . 2009-09-15 02:23 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 23:42 . 2009-09-15 02:23 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-27 22:08 . 2009-08-27 22:08 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys
2009-08-27 17:46 . 2009-08-27 17:46 3676128 ----a-w- c:\documents and settings\Jayann\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\connectaddin\connectaddin.exe
2009-08-26 08:00 . 2008-04-14 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 18:24 . 2009-08-25 18:24 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-08-25 02:27 . 2009-08-25 02:27 15839536 ----a-w- c:\documents and settings\NO Install&Download\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airinstaller1x0\airinstaller1x0.exe
2009-08-24 22:19 . 2009-08-24 22:19 152576 ----a-w- c:\documents and settings\NO Install&Download\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-24 10:20 . 2009-08-24 02:41 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-08-24 08:13 . 2009-08-24 07:53 2829 ----a-w- c:\windows\War3Unin.pif
2009-08-24 08:13 . 2009-08-24 07:53 139264 ----a-w- c:\windows\War3Unin.exe
2009-08-24 06:49 . 2009-08-24 06:49 0 ----a-w- c:\windows\ativpsrm.bin
2009-08-24 05:38 . 2009-08-24 05:38 0 ----a-w- c:\windows\nsreg.dat
2009-08-24 02:40 . 2009-08-24 02:40 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 13:21 . 2008-04-14 12:00 1850624 ----a-w- c:\windows\system32\win32k.sys
2008-08-16 21:42 . 2008-08-16 21:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 21:42 . 2008-08-16 21:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 21:42 . 2008-08-16 21:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 21:42 . 2008-08-16 21:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 21:43 . 2008-08-16 21:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 21:42 . 2008-08-16 21:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 21:42 . 2008-08-16 21:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 12:41 . 2008-05-21 12:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 12:41 . 2008-05-21 12:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 12:41 . 2008-05-21 12:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 17:58 . 2008-06-05 17:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 21:42 . 2008-08-16 21:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!1_ProcessGuard_Startup"="c:\program files\ProcessGuard\procguard.exe" [2005-01-20 280064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
"!1_pgaccount"="c:\program files\ProcessGuard\pgaccount.exe" [2005-01-20 184320]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-05 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MultiMon Taskbar.lnk - c:\program files\MMTaskbar\MultiMon.exe [2009-8-24 294912]
VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2009-8-24 6144]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\VIPdesk IM\\VIPdesk IM.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Interactive Intelligence\\ICUserApps\\InteractionClient.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Jayann\\taw\\winvnc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Heroes of Newerth\\hon.exe"=
"c:\\Riot Games\\League of Legends\\air\\LolClient.exe"=
"c:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=
"c:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\BitPim\\bitpimw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8370:TCP"= 8370:TCP:League of Legends Launcher
"8370:UDP"= 8370:UDP:League of Legends Launcher
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 ATMDLC;Attachmate DLC Protocol;c:\windows\system32\drivers\atmdlc.sys [6/14/2004 7:00 AM 35270]
R2 DCSPGSRV;DiamondCS Process Guard Service v3.000;c:\program files\ProcessGuard\DCSUserProt.exe [8/24/2009 12:54 AM 69632]
R2 procguard;procguard;c:\windows\system32\drivers\procguard.sys [8/24/2009 12:54 AM 24911]
R3 kbdcap;kbdcap;c:\windows\system32\drivers\KbdCap.sys [11/11/2009 12:57 AM 109440]
S3 ININ Tracing;ININ Tracing Initialization;c:\program files\Interactive Intelligence\ININ Trace Initialization\i3trace_initializer-w32r-1-1.exe [6/8/2009 7:38 AM 45056]
S3 Interactive Update Client;Interactive Update Client;c:\program files\Interactive Intelligence\Interactive Update\ININ.UpdateClientService.exe [6/16/2009 12:09 AM 278824]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - DOT3SVC
*NewlyCreated* - MBR
*NewlyCreated* - NETLOGON
*NewlyCreated* - NTLMSSP
*NewlyCreated* - RSVP
*NewlyCreated* - SCARDSVR
*NewlyCreated* - SWPRV
*NewlyCreated* - VSS
*NewlyCreated* - WMDMPMSN
*NewlyCreated* - WMIAPSRV
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 21:36]

2009-09-01 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-09-01 13:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel
Trusted Zone: arise.com
Trusted Zone: eddiebauer.com
Trusted Zone: epsilon.com
Trusted Zone: exodusvipdesk.com
Trusted Zone: java.com
Trusted Zone: microsoft.com
Trusted Zone: remoteaccess.eddiebauer.com
Trusted Zone: trendmicro.com
Trusted Zone: vipdesk.com
Trusted Zone: vipdeskconnect.com
Trusted Zone: webroom.com
DPF: {72820DC6-3AB9-49E8-9E58-9C462731C275} - hxxp://prodconf01.webroom.com:8080/WebRoomComponents/WebRoomLoader.cab
DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} - hxxp://www.convergysworkathome.com/AppHardT.CAB
FF - ProfilePath - c:\documents and settings\Jayann\Application Data\Mozilla\Firefox\Profiles\nxz79m1z.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Notify-WBSrv - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-12 04:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(948)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\wbem\wbemprox.dll
.
Completion time: 2009-11-12 4:45
ComboFix-quarantined-files.txt 2009-11-12 09:45

Pre-Run: 146,908,651,520 bytes free
Post-Run: 148,043,476,992 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut

- - End Of File - - 7D15AFAEA5560C7324A6AC9D645A91D1

oldman960
2011-03-21, 17:18
Hi Jayann,


I was VERY surprised that Microsoft Security Essentials cleaned out a virus during its daily scan yesterday. It was not something that appeared in any of the initial full or quick scans so that leaves me to wonder if there isn't still some suspicious activity going on. It could possibly be a leftover but I find it hard to believe it was missed 3 times on prior scans.

Antivirus programs are constantly updated. This may have been a new addition to MSE's database.


The detected item was TrojanSpy:Win32/Ursnif and was located in the null0.15919651749114339.exe file that was in the OTL fix code.

Spybot must have removed it when it detected it because OTL reports the file not found.

Thanks for the logs, I think I've pieced together the chain of events. The last combofix log you posted was from over a year ago.

Did you at one time install Internet Explorer 8 then uninstall it?


You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

Click the Update tab
Click Check for Updates
If an update is found, it will download and install the latest version.
The program will close to update and reopen.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Next

Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output
UNCheck the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open a notepad window, OTL.Txt

Please post back with
MBAM log
OTL.txt
Thanks

oldman960
2011-03-25, 00:22
Hi Jayann,

Still with us?

oldman960
2011-03-26, 20:51
Due to inactivity, this thread will now be closed.

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

If it has been less than three days since your last response and you need the thread re-opened, please send me or another MOD a private message (pm). A valid, working link to the closed topic is required.