
Avast comes up with a blocked site and the following message:

object 199.80.55.80/go.php?data=C%FnlhyxNh9nGqXr21HAWMXBM9Z2
URL:Mal
Action taken was "BLOCKED"
Process: C:\Windows\system32\svchost.exe

Also every once in a while a new tab will open with some awards site and Avast will pop up with a trojan alert. Full scans with Avast (boot scan) and ESET reveal no threats.

Edited by lm913: n/a

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5189

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/25/2010 3:05:00 PM
mbam-log-2010-11-25 (15-05-00).txt

Scan type: Full scan (C:\|)
Objects scanned: 299776
Time elapsed: 52 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2010-11-25 13:53:17
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 Maxtor_6Y160P0 rev.YAR41BW0
Running: v6kp4br1.exe; Driver: C:\DOCUME~1\SARRAH~1\LOCALS~1\Temp\kwldrpod.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 33: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 34: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 312499744 (+255): rootkit-like behavior;

---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xED8C5BAE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0xED8C59D2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0xED8C5B0C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-17 86F2D292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 86F2D292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 86F2D292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-f 86F2D292
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMaxtor_6Y160P0__________________________YAR41BW0#3459314441484543202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- EOF - GMER 1.0.15 ----


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-25 14:03:19
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 Maxtor_6Y160P0 rev.YAR41BW0
Running: v6kp4br1.exe; Driver: C:\DOCUME~1\SARRAH~1\LOCALS~1\Temp\kwldrpod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xED8B8CF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateKey [0xED8B8BAC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteKey [0xED8B9160]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteValueKey [0xED8B908A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0xED8B8782]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenKey [0xED8B8C86]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0xED8B86C2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0xED8B8726]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwQueryValueKey [0xED8B8DA6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xED8B922E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRestoreKey [0xED8B8D66]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwSetValueKey [0xED8B8EE6]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xED8C5BAE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0xED8C59D2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0xED8C5B0C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-17 86F2D292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 86F2D292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 86F2D292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-f 86F2D292

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMaxtor_6Y160P0__________________________YAR41BW0#3459314441484543202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 33: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 34: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 312499744 (+255): rootkit-like behavior;

---- Files - GMER 1.0.15 ----

File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\snapshot\Repository\$WinMgmt.CFG 20 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\snapshot\Repository\FS 0 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\snapshot\Repository\FS\INDEX.BTR 1507328 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\snapshot\Repository\FS\INDEX.MAP 808 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\snapshot\Repository\FS\MAPPING.VER 4 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\snapshot\Repository\FS\MAPPING1.MAP 10424 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\snapshot\Repository\FS\MAPPING2.MAP 10424 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\snapshot\Repository\FS\OBJECTS.DATA 19644416 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\snapshot\Repository\FS\OBJECTS.MAP 9652 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\snapshot\_REGISTRY_MACHINE_SAM 32768 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\snapshot\_REGISTRY_MACHINE_SECURITY 49152 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\snapshot\_REGISTRY_MACHINE_SOFTWARE 37576704 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\snapshot\_REGISTRY_MACHINE_SYSTEM 6074368 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\snapshot\_REGISTRY_USER_.DEFAULT 286720 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18 262144 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19 233472 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20 233472 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-1060284298-1035525444-682003330-1003 5300224 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19 8192 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20 8192 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-1060284298-1035525444-682003330-1003 266240 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\A0043713.lnk 1602 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\A0043714.lnk 1620 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\A0043715.ini 657 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\A0043716.mfl 2276242 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\A0043717.lck 77 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\A0043718.ini 178 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\A0043719.ini 62 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\A0043720.ini 62 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\A0043721.ini 62 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\A0043722.ini 5740 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\A0043723.ini 3414 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\A0043724.ini 1455 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\A0043726.data 58572 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\A0043727.ini 935 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\A0043728.vpx 541 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\A0043729.ini 62658 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\A0043730.vpx 1454 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\A0043732.vpx 165649 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\A0043733.mfl 1017869 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\A0043734.vpx 35030793 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\A0043735.vpx 4986144 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\A0043736.mfl 2387634 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\A0043737.ini 62658 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\A0043738.ini 32 bytes
File C:\System Volume Information\_restore{B0B644DD-E912-4EE5-A0CF-372FD38D2C77}\RP214\A0043739.ini 62658 bytes

---- EOF - GMER 1.0.15 ----


DDS (Ver_10-11-10.01) - NTFSx86
Run by Sarrah Vesselov at 15:09:50.95 on Thu 11/25/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.652 [GMT -5:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Sarrah Vesselov\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Sarrah Vesselov\Desktop\Anti-Virus Stuff\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Google Update] "c:\documents and settings\sarrah vesselov\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=1800
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\sarrah~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\colorv~1.lnk - c:\program files\colorvision\utility\ColorVisionStartup.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://extranet.edmc.edu/dana-cached/sc/JuniperSetupClient.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sarrah~1\applic~1\mozilla\firefox\profiles\gm68wsjd.default\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-1-30 165584]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2002-6-25 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-30 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-30 40384]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-12-27 2789672]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-12-27 15656]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-30 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-30 40384]
S3 Spyder2;ColorVision Spyder2;c:\windows\system32\drivers\Spyder2.sys [2007-2-13 12288]

=============== Created Last 30 ================

2010-11-25 18:21:35 -------- d-----w- c:\docume~1\sarrah~1\applic~1\Malwarebytes
2010-11-25 18:21:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-25 18:21:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-25 18:21:23 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-25 18:21:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-25 18:14:21 388096 ----a-r- c:\docume~1\sarrah~1\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-11-25 18:14:20 -------- d-----w- c:\program files\Trend Micro
2010-11-25 16:55:56 -------- d-----w- c:\program files\ESET
2010-11-25 16:12:28 -------- d-----w- c:\docume~1\sarrah~1\locals~1\applic~1\Mozilla
2010-11-25 16:11:02 553696 ----a-w- c:\program files\mozilla firefox\uninstall\helper.exe
2010-11-25 16:11:01 25048 ----a-w- c:\program files\mozilla firefox\components\browserdirprovider.dll
2010-11-25 16:11:01 140248 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2010-11-25 16:11:00 66520 ----a-w- c:\program files\mozilla firefox\plugins\npnul32.dll
2010-11-25 15:20:25 -------- d-----w- c:\windows\pss
2010-11-01 00:37:33 90112 ----a-w- c:\windows\unvise32.exe
2010-11-01 00:37:16 -------- d-----w- c:\program files\ColorVision

==================== Find3M ====================

2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-07 15:12:17 38848 ----a-w- c:\windows\avastSS.scr
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6Y160P0 rev.YAR41BW0 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86F2C446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86f32504]; MOV EAX, [0x86f32580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x86FCEAB8]
3 CLASSPNP[0xF76CFFD7] -> nt!IofCallDriver[0x804E13B9] -> [0x86942900]
\Driver\atapi[0x86F71C50] -> IRP_MJ_CREATE -> 0x86F2C446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMaxtor_6Y160P0__________________________YAR41BW0#3459314441484543202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86F2C292
user != kernel MBR !!!
sectors 312499998 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 15:11:27.00 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-11-10.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/23/2009 6:12:04 PM
System Uptime: 11/25/2010 3:07:59 PM (0 hours ago)

Motherboard: Dell Computer Corp. | | 0F1262
Processor: Intel(R) Xeon(TM) CPU 2.40GHz | Microprocessor | 2392/533mhz
Processor: Intel(R) Xeon(TM) CPU 2.40GHz | Microprocessor | 2392/533mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 128 GiB total, 87.482 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_8086&DEV_24CD&SUBSYS_012C1028&REV_01\3&172E68DD&0&EF
Manufacturer:
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_8086&DEV_24CD&SUBSYS_012C1028&REV_01\3&172E68DD&0&EF
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_1102&DEV_0002&SUBSYS_80661102&REV_0A\4&3B1CAF2B&0&70F0
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_1102&DEV_0002&SUBSYS_80661102&REV_0A\4&3B1CAF2B&0&70F0
Service:

==== System Restore Points ===================

RP180: 8/24/2010 6:35:22 PM - System Checkpoint
RP181: 8/26/2010 9:10:12 PM - System Checkpoint
RP182: 8/29/2010 5:50:30 PM - Installed Opera 10.61.
RP183: 8/31/2010 8:19:20 PM - System Checkpoint
RP184: 9/2/2010 9:13:16 PM - System Checkpoint
RP185: 9/5/2010 9:30:56 PM - Software Distribution Service 3.0
RP186: 9/7/2010 8:13:09 PM - System Checkpoint
RP187: 9/11/2010 11:22:58 AM - System Checkpoint
RP188: 9/12/2010 9:31:35 PM - System Checkpoint
RP189: 9/13/2010 10:06:08 PM - System Checkpoint
RP190: 9/13/2010 10:06:43 PM - Software Distribution Service 3.0
RP191: 9/14/2010 10:23:57 PM - Software Distribution Service 3.0
RP192: 9/16/2010 8:55:19 PM - System Checkpoint
RP193: 9/17/2010 9:18:02 PM - System Checkpoint
RP194: 9/18/2010 11:25:40 PM - System Checkpoint
RP195: 9/20/2010 7:50:12 PM - System Checkpoint
RP196: 9/21/2010 8:40:44 PM - System Checkpoint
RP197: 9/22/2010 9:35:52 PM - System Checkpoint
RP198: 9/23/2010 10:34:45 PM - System Checkpoint
RP199: 9/27/2010 7:22:39 PM - System Checkpoint
RP200: 9/28/2010 8:26:38 PM - System Checkpoint
RP201: 9/28/2010 11:19:52 PM - Software Distribution Service 3.0
RP202: 9/30/2010 6:40:01 PM - System Checkpoint
RP203: 10/3/2010 7:12:55 PM - System Checkpoint
RP204: 10/6/2010 9:28:10 PM - System Checkpoint
RP205: 10/6/2010 10:19:21 PM - Software Distribution Service 3.0
RP206: 10/9/2010 1:43:12 PM - System Checkpoint
RP207: 10/11/2010 7:15:33 PM - System Checkpoint
RP208: 10/12/2010 8:25:53 PM - System Checkpoint
RP209: 10/14/2010 8:23:26 PM - Software Distribution Service 3.0
RP210: 10/23/2010 2:55:51 PM - System Checkpoint
RP211: 10/24/2010 7:23:25 PM - System Checkpoint
RP212: 10/25/2010 8:41:10 PM - System Checkpoint
RP213: 10/26/2010 9:12:03 PM - System Checkpoint
RP214: 10/28/2010 9:11:42 PM - System Checkpoint
RP215: 10/31/2010 8:32:38 PM - System Checkpoint
RP216: 11/2/2010 7:29:01 PM - System Checkpoint
RP217: 11/7/2010 3:55:57 PM - System Checkpoint
RP218: 11/8/2010 9:05:12 PM - System Checkpoint
RP219: 11/9/2010 9:17:48 PM - System Checkpoint
RP220: 11/9/2010 9:49:24 PM - Software Distribution Service 3.0
RP221: 11/14/2010 5:23:45 PM - System Checkpoint
RP222: 11/15/2010 8:40:05 PM - System Checkpoint
RP223: 11/16/2010 10:29:45 PM - System Checkpoint

==== Installed Programs ======================

Add or Remove Adobe Creative Suite 3 Master Collection
Adobe Acrobat 8 Professional
Adobe Acrobat Connect Add-in
Adobe After Effects CS3
Adobe After Effects CS3 Presets
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Contribute CS3
Adobe Creative Suite 3 Master Collection
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe Encore CS3
Adobe Encore CS3 Codecs
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Fireworks CS3
Adobe Flash CS3
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Premiere Pro CS3 Third Party Content
Adobe Setup
Adobe SING CS3
Adobe Soundbooth CS3
Adobe Soundbooth CS3 Codecs
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Version Cue CS3 Server
Adobe Video Profiles
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
AHV content for Acrobat and Flash
Apple Application Support
Apple Mobile Device Support
Apple Software Update
avast! Free Antivirus
Bonjour
Carbonite Online Backup Setup
ESET Online Scanner v3
Facebook Plug-In
FileZilla Client 3.3.3
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
HiJackThis
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) PRO Ethernet Adapter and Software
iTunes
Java Auto Updater
Java(TM) 6 Update 16
Java(TM) 6 Update 20
Java(TM) 6 Update 3
LEGO Universe
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft Color Control Panel Applet for Windows XP
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MobileMe Control Panel
Mozilla Firefox (3.6.12)
Napster
Napster Burn Engine
Napster Download Manager
NVIDIA Drivers
NVIDIA Performance Drivers
OGA Notifier 2.0.0048.0
OpenOffice.org 3.1
Opera 10.61
PDF Settings
PowerISO
Pure Networks Platform
QuickGamma 2.0.0.3
QuickTime
Roblox for Sarrah Vesselov
Safari
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB2288953)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2124261)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2290570)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB970483)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976323)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SoundMAX
Spyder2PRO
Unity Web Player
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Outlook 2007 Junk Email Filter (KB2443839)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Wacom Tablet
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Yahoo! BrowserPlus 2.8.1

==== Event Viewer Messages From Past Week ========

11/25/2010 3:08:51 PM, error: System Error [1003] - Error code 100000d4, parameter1 ed979038, parameter2 0000001c, parameter3 00000001, parameter4 804e164e.
11/25/2010 2:03:20 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000009A' while processing the file 'change.log' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
11/25/2010 10:25:06 AM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
11/21/2010 12:56:20 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
11/21/2010 12:56:12 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/20/2010 4:11:38 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/20/2010 1:58:04 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.

==== End Of File ===========================

0

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:12:36 PM, on 11/25/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Sarrah Vesselov\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [CarboniteSetupLite] "C:\Program Files\Carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=1800
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Sarrah Vesselov\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\ColorVision\Utility\ColorVisionStartup.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://extranet.edmc.edu/dana-cached/sc/JuniperSetupClient.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe

--
End of file - 10278 bytes

0

Sorry this response has been so long in coming. Holidays.
Follow these instructions for running the TDSSKiller from Kaspersky
http://support.kaspersky.com/viruses/solutions?qid=208280684
* Download the file TDSSKiller.zip and extract it (use an archiver, for example, WinZip) into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to be over. It is necessary to reboot the PC after the disinfection is over.
* The utility can detect two object types:
    * malicious (the malware has been identified);
    * suspicious (the malware cannot be identified).
* When the scan is over, the utility outputs a list of detected objects with description.
  The utility automatically selects an action (Cure or Delete) for malicious objects.
  The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
* Select the action Quarantine to quarantine detected objects.
  The default quarantine folder is in the system disk root folder, e.g.:
  C:\TDSSKiller_Quarantine\23.07.2010_15.31.43

Post back here with the results.

Edited by jholland1964: n/a

0

Thank you very much for getting back to me :)


Rootkit.Win32.TDSS.tdl4

\HardDisk0 - copied to quarantine
\HardDisk0\TDLFS\cfg.ini - copied to quarantine
\HardDisk0\TDLFS\mbr - copied to quarantine
\HardDisk0\TDLFS\bckfg.tmp - copied to quarantine
\HardDisk0\TDLFS\cmd.dll - copied to quarantine
\HardDisk0\TDLFS\ldr16 - copied to quarantine
\HardDisk0\TDLFS\ldr32 - copied to quarantine
\HardDisk0\TDLFS\ldr64 - copied to quarantine
\HardDisk0\TDLFS\drv64 - copied to quarantine
\HardDisk0\TDLFS\cmd64.dll - copied to quarantine
\HardDisk0\TDLFS\drv32 - copied to quarantine

Edited by lm913: n/a
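The TDLFS entries listed above (mbr, ldr16/ldr32/ldr64, drv32/drv64, cmd.dll, cfg.ini) are the pieces of TDL4's own file system, which it keeps in raw sectors outside any partition and reaches through the boot code it writes into sector 0. The Python below is an added example, not something posted in this thread and not part of TDSSKiller: it parses a 512-byte MBR image, hashes the bootstrap area against a known-good value, and reports how many sectors lie past the end of the last partition, which is where such a hidden file system has room to live. The disk size (DISK_SECTORS), the 2048-sector threshold, and both sample MBRs with their boot code bytes are constructed for the example. One caveat a practitioner should keep in mind: image sector 0 from a boot CD or with the disk attached to a clean machine, because read from inside the infected system the rootkit's disk hook can hand back the original, clean MBR.

```python
"""
Added example (not from the thread): audit a raw MBR for the two traces a
TDL4-style bootkit leaves behind: foreign boot code in sector 0, and a run of
unpartitioned sectors after the last partition where its hidden file system
(the TDLFS entries TDSSKiller listed) can be stored.  All sample data below
is constructed for the example.
"""
from __future__ import annotations

import hashlib
import struct

SECTOR = 512
PT_OFFSET = 446                 # the four 16-byte partition entries start here
ENTRY_FMT = "<B3xB3xII"         # status, CHS start, type, CHS end, LBA start, sector count
DISK_SECTORS = 312_581_808      # ASSUMED size of a 160 GB disk in 512-byte sectors
TAIL_THRESHOLD = 2048           # ASSUMED: more than 1 MiB of trailing slack deserves a look


def parse_partitions(mbr: bytes) -> list[dict]:
    """Decode the four primary partition entries, skipping empty slots."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(ENTRY_FMT, mbr, PT_OFFSET + 16 * i)
        if ptype == 0 and count == 0:
            continue
        parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                      "start": start, "end": start + count})   # end is exclusive
    return parts


def boot_code_sha256(mbr: bytes) -> str:
    """Hash the 440-byte bootstrap area (disk signature and partition table excluded)."""
    return hashlib.sha256(mbr[:440]).hexdigest()


def audit_mbr(mbr: bytes, disk_sectors: int, known_good_sha256: str | None = None) -> dict:
    """Return the partition layout plus a list of human-readable findings."""
    findings = []
    if struct.unpack_from("<H", mbr, 510)[0] != 0xAA55:
        findings.append("boot signature 55 AA missing")
    parts = parse_partitions(mbr)
    if not parts:
        findings.append("partition table is empty")
    last_end = max((p["end"] for p in parts), default=0)
    tail = disk_sectors - last_end
    if tail > TAIL_THRESHOLD:
        findings.append(f"{tail} unpartitioned sectors after last partition "
                        f"(LBA {last_end}-{disk_sectors - 1}): image and inspect them")
    if tail < 0:
        findings.append("partition extends past end of disk")
    code_hash = boot_code_sha256(mbr)
    if known_good_sha256 is not None and code_hash != known_good_sha256:
        findings.append("boot code does not match the known-good hash")
    return {"partitions": parts, "boot_code_sha256": code_hash,
            "trailing_sectors": tail, "findings": findings}


def build_mbr(code: bytes, partitions: list[tuple[int, int, int, int]]) -> bytes:
    """Assemble a 512-byte MBR from bootstrap code and (status, type, start, count) tuples."""
    mbr = bytearray(SECTOR)
    mbr[:len(code)] = code
    for i, entry in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, mbr, PT_OFFSET + 16 * i, *entry)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


# Constructed samples.  The "clean" boot code is a stand-in, not real Windows code.
CLEAN_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 432
ROGUE_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\xEB\xFE" + b"\x00" * 430
CLEAN_CODE_SHA256 = hashlib.sha256(CLEAN_CODE).hexdigest()

# Clean layout: one NTFS partition from LBA 63 ending 1007 sectors short of the disk end.
SAMPLE_CLEAN = build_mbr(CLEAN_CODE, [(0x80, 0x07, 63, DISK_SECTORS - 63 - 1007)])
# Bootkit layout: same kind of table, rewritten boot code, and 82 064 sectors (about
# 40 MiB) of tail space past the partition where a hidden file system could sit.
SAMPLE_INFECTED = build_mbr(ROGUE_CODE, [(0x80, 0x07, 63, DISK_SECTORS - 63 - 82_064)])

if __name__ == "__main__":
    for name, img in (("clean", SAMPLE_CLEAN), ("infected", SAMPLE_INFECTED)):
        report = audit_mbr(img, DISK_SECTORS, CLEAN_CODE_SHA256)
        print(name, report["trailing_sectors"], report["findings"] or "no findings")
```

On a real case, replace SAMPLE_CLEAN with the 512 bytes read from the start of the physical disk and DISK_SECTORS with the size reported by the drive; a known-good hash comes from the same Windows version's boot code on a machine you trust. Trailing space by itself is normal on many disks, so the finding is a pointer to what to image and look at, not a verdict.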

0

You need to update MBA-M and run another Full Scan with it. Have it remove anything found and reboot. Post back here with that log.

0

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5199

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/27/2010 11:10:11 AM
mbam-log-2010-11-27 (11-10-11).txt

Scan type: Full scan (C:\|)
Objects scanned: 303490
Time elapsed: 57 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\TDSSKiller_Quarantine\27.11.2010_01.31.14\tdlfs0000\tsk0005.dta (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\27.11.2010_01.31.14\tdlfs0000\tsk0008.dta (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\27.11.2010_01.31.14\tdlfs0001\tsk0005.dta (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\27.11.2010_01.31.14\tdlfs0001\tsk0008.dta (Rootkit.TDSS) -> Quarantined and deleted successfully.

0

Good, now do this:
Please Run the ESET Online Scanner

http://www.eset.com/onlinescan/scanner.php?i_agree=14
* You can use Internet Explorer to complete this scan and you will need to allow an ActiveX control to be installed, or you may use Firefox
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt.

0

ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=0
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=05ffbef6bed2d241a9277dcf6b2458fe
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-11-25 08:13:35
# local_time=2010-11-25 03:13:35 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 24895875 24895875 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=0
# found=0
# cleaned=0
# scan_time=0
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=05ffbef6bed2d241a9277dcf6b2458fe
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-11-27 05:36:40
# local_time=2010-11-27 12:36:40 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 25056053 25056053 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16777214 75 70 0 847433 0 0
# scanned=152121
# found=2
# cleaned=2
# scan_time=3207
C:\TDSSKiller_Quarantine\27.11.2010_01.31.14\tdlfs0000\tsk0006.dta Win64/Olmarik.D trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\27.11.2010_01.31.14\tdlfs0001\tsk0006.dta Win64/Olmarik.D trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
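The log above holds two scanner runs back to back. As an added example (not from the thread and not ESET's code), the Python below splits an ESET Online Scanner log into runs at each "# version=" line, parses detection lines in the "path threat (action) hash flag" layout seen above, and flags a run whose scanned count is 0, as in the first record here, where the update call had returned -1 and the found=0 result therefore says nothing about the machine. The sample log is condensed from the post above with the repeated compatibility_mode lines dropped; the regex, the run delimiter and the triage rules are my assumptions.

```python
"""
Added example (not from the thread, not ESET's code): split an ESET Online
Scanner log into its scan runs, parse the detection lines, and flag runs whose
numbers cannot support a "nothing found" conclusion.
"""
from __future__ import annotations

import re

# Condensed from the log in the post above; repeated compatibility_mode lines dropped.
SAMPLE_LOG = r"""
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=0
# version=7
# end=finished
# remove_checked=false
# utc_time=2010-11-25 08:13:35
# scanned=0
# found=0
# cleaned=0
# scan_time=0
# version=7
# end=finished
# remove_checked=true
# utc_time=2010-11-27 05:36:40
# scanned=152121
# found=2
# cleaned=2
# scan_time=3207
C:\TDSSKiller_Quarantine\27.11.2010_01.31.14\tdlfs0000\tsk0006.dta Win64/Olmarik.D trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\27.11.2010_01.31.14\tdlfs0001\tsk0006.dta Win64/Olmarik.D trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

INT_KEYS = {"scanned", "found", "cleaned", "scan_time"}
# ASSUMED layout of a detection line, taken from the log above:
# path, threat name, (action), 32-hex-digit hash, flag.
DETECTION_RE = re.compile(
    r"^(?P<path>\S+)\s+(?P<threat>.+?)\s+\((?P<action>[^)]*)\)\s+"
    r"(?P<hash>[0-9a-fA-F]{32})\s+(?P<flag>\S+)\s*$"
)


def parse_eset_log(text: str) -> dict:
    """Return {'preamble': [...], 'runs': [{'header': {...}, 'detections': [...]}, ...]}.
    A new run starts at every '# version=' line (assumed from the log's shape)."""
    preamble: list[str] = []
    runs: list[dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            if key == "version" or not runs:
                runs.append({"header": {}, "detections": []})
            runs[-1]["header"][key] = int(value) if key in INT_KEYS else value.strip('"')
        elif runs and (m := DETECTION_RE.match(line)):
            runs[-1]["detections"].append(m.groupdict())
        else:
            preamble.append(line)   # downloader/updater chatter before the first run
    return {"preamble": preamble, "runs": runs}


def triage(parsed: dict) -> list[str]:
    """Turn a parsed log into the points an analyst should raise about it."""
    notes: list[str] = []
    if any(l.startswith("esets_scanner_update returned -1") for l in parsed["preamble"]):
        notes.append("signature update failed (esets_scanner_update returned -1)")
    for i, run in enumerate(parsed["runs"], start=1):
        h, dets = run["header"], run["detections"]
        when = h.get("utc_time", "unknown time")
        if h.get("scanned", 0) == 0:
            notes.append(f"run {i} ({when}): scanned=0, so found=0 says nothing about the host")
            continue
        if h.get("remove_checked") != "true":
            notes.append(f"run {i} ({when}): remove_checked=false, detections were reported, not removed")
        for d in dets:
            notes.append(f"run {i} ({when}): {d['threat']} at {d['path']} -> {d['action']}")
        if h.get("found", 0) != len(dets):
            notes.append(f"run {i} ({when}): header found={h.get('found')} but {len(dets)} detection lines")
    return notes


if __name__ == "__main__":
    for note in triage(parse_eset_log(SAMPLE_LOG)):
        print(note)
```

Run against the full log it reports the failed update, dismisses the first run, and lists both Olmarik.D hits from the second; the two detections are inside C:\TDSSKiller_Quarantine, so they are the files TDSSKiller had already pulled out of the hidden file system rather than fresh infections.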

0

Really looks pretty good. Are you still having problems? You need to update your Java program as it is out of date.
Go here to download the Offline Install file, save it to your desktop for easy access.

http://www.java.com/en/download/manual.jsp

After you have downloaded that install file, close all browsers and go to Add/Remove and uninstall all Java you find there; these were in the Uninstall list previously posted:
Java Auto Updater
Java(TM) 6 Update 16
Java(TM) 6 Update 20
Java(TM) 6 Update 3

After those are uninstalled then double click the install file on your desktop to install the newest version.
Once it is complete go back to the download page above, click Verify Now on the right side to go to the verification page to assure your install was complete.
Once you have finished that run one more HJT scan and post back here with that log.
Judy

0

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:10:29 PM, on 11/27/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Sarrah Vesselov\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\tbZone.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\tbZone.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\tbZone.dll
O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [CarboniteSetupLite] "C:\Program Files\Carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=1800
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Sarrah Vesselov\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\ColorVision\Utility\ColorVisionStartup.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://extranet.edmc.edu/dana-cached/sc/JuniperSetupClient.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11513 bytes

0

Looks good. I would advise that you also add SpywareBlaster from Javacool; it is FREE.

SpywareBlaster doesn't scan for and clean spyware--it prevents it from being installed in the first place. SpywareBlaster prevents the installation of ActiveX-based spyware, adware, dialers, browser hijackers, and other potentially unwanted programs. It can also block spyware/tracking cookies in IE, Mozilla Firefox, Netscape, and many other browsers, and restrict the actions of spyware/ad/tracking sites.

I would not run my computer without it. Download, install, update, enable all protection and close the program. That's it. It doesn't run in the background so it is compatible with all other security programs and doesn't use resources. Just manually check for updates every week and if there is an update install it, enable all and close the program. Really provides a lot of security to your computer.

http://download.cnet.com/SpywareBlaster/3000-8022_4-10196637.html

0

Hey Judy, it's back again. Same virus same message

0

This is unreal. Either all of this was not removed or something you have done since yesterday has brought it in again. How are you connected to the internet? Are you on a network with other computers? Have you used a flash drive, iPod or something else that you would have plugged into the computer via usb? Have you downloaded any music, videos, games or played any games?

0

Please download ComboFix by sUBs from

http://www.bleepingcomputer.com/download/anti-virus/combofix

Please note that the BleepingComputer.com download link will expire in 10 minutes after you click it, so if you don’t click within ten minutes after reaching the page you will need to refresh the page.

You must download it to and run it from your Desktop.
• Physically disconnect from the internet.
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
• Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

Edited by jholland1964: n/a

0

Nothing external has been connected to the infected machine since the infection was first noticed, nothing has been downloaded either.

The only link I've noticed is that it seems to have only affected IE and Firefox (which has been used since the cleaning). I can tell that it affects those browsers in that when I searched for tdsskiller it redirects the search. Also it blocks Windows updates in IE.

I'm currently running Combofix.

0

I have 3 others lol, I'm using my Linux machine to communicate.

0

This is the only way it would let me post.

Attachments
ComboFix 10-11-28.01 - Sarrah Vesselov 11/28/2010  16:27:56.2.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1023.639 [GMT -5:00]
Running from: c:\documents and settings\Sarrah Vesselov\Desktop\Anti-Virus Stuff\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\version.txt

.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
(((((((((((((((((((((((((   Files Created from 2010-10-28 to 2010-11-28  )))))))))))))))))))))))))))))))
.

2010-11-28 13:53 . 2010-11-28 13:53	--------	d-----w-	c:\documents and settings\All Users\Application Data\TEMP
2010-11-28 13:53 . 2010-11-28 13:53	--------	d-----w-	c:\program files\SpywareBlaster
2010-11-27 23:30 . 2010-11-27 23:30	--------	d-----w-	c:\program files\Microsoft Silverlight
2010-11-27 19:09 . 2010-11-27 19:09	--------	d-----w-	c:\program files\Common Files\Java
2010-11-27 19:07 . 2010-11-27 19:06	73728	----a-w-	c:\windows\system32\javacpl.cpl
2010-11-27 16:30 . 2010-11-27 16:30	--------	d-----w-	c:\documents and settings\Sarrah Vesselov\Application Data\CheckPoint
2010-11-27 16:21 . 2010-11-28 21:36	--------	d-----w-	c:\windows\Internet Logs
2010-11-27 06:31 . 2010-11-27 06:31	--------	d-----w-	C:\TDSSKiller_Quarantine
2010-11-25 18:21 . 2010-11-25 18:21	--------	d-----w-	c:\documents and settings\Sarrah Vesselov\Application Data\Malwarebytes
2010-11-25 18:21 . 2010-04-29 20:39	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-25 18:21 . 2010-11-25 18:21	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-25 18:21 . 2010-11-25 18:21	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-11-25 18:21 . 2010-04-29 20:39	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-11-25 18:14 . 2010-11-25 18:14	388096	----a-r-	c:\documents and settings\Sarrah Vesselov\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-25 18:14 . 2010-11-25 18:14	--------	d-----w-	c:\program files\Trend Micro
2010-11-25 17:04 . 2010-11-25 17:04	--------	d-----w-	c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2010-11-25 17:04 . 2010-11-25 17:04	--------	d-----w-	c:\documents and settings\LocalService\Application Data\Apple Computer
2010-11-25 16:55 . 2010-11-25 16:55	--------	d-----w-	c:\program files\ESET
2010-11-25 16:12 . 2010-11-25 16:12	--------	d-----w-	c:\documents and settings\Sarrah Vesselov\Local Settings\Application Data\Mozilla
2010-11-25 15:11 . 2010-11-27 16:55	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-11-21 17:54 . 2010-11-21 17:57	--------	d-----w-	c:\documents and settings\Administrator
2010-11-20 19:08 . 2010-11-20 19:08	--------	d-sh--w-	c:\documents and settings\LocalService\IETldCache
2010-11-01 00:37 . 2004-03-29 20:23	90112	----a-w-	c:\windows\unvise32.exe
2010-11-01 00:37 . 2010-11-01 00:37	--------	d-----w-	c:\program files\ColorVision

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-27 19:06 . 2010-07-11 19:58	472808	----a-w-	c:\windows\system32\deployJava1.dll
2010-09-18 16:23 . 2002-06-25 19:13	974848	----a-w-	c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2002-06-25 19:13	974848	----a-w-	c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2002-06-25 19:13	953856	------w-	c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2002-06-25 19:13	954368	----a-w-	c:\windows\system32\mfc40.dll
2010-09-10 05:58 . 2002-03-05 12:56	916480	----a-w-	c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2002-06-25 19:11	43520	----a-w-	c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2002-06-25 19:08	1469440	------w-	c:\windows\system32\inetcpl.cpl
2010-09-07 15:12 . 2010-08-29 14:33	38848	----a-w-	c:\windows\avastSS.scr
2010-09-07 15:11 . 2010-01-31 01:42	167592	----a-w-	c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2010-01-31 01:42	46672	----a-w-	c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2010-01-31 01:42	165584	----a-w-	c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2010-01-31 01:42	23376	----a-w-	c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2010-01-31 01:42	100176	----a-w-	c:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2010-01-31 01:42	94544	----a-w-	c:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2010-01-31 01:42	17744	----a-w-	c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2010-01-31 01:42	28880	----a-w-	c:\windows\system32\drivers\aavmker4.sys
2010-09-01 11:51 . 2002-06-25 18:59	285824	----a-w-	c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2002-06-25 19:32	1852800	----a-w-	c:\windows\system32\win32k.sys
.

(((((((((((((((((((((((((((((   SnapShot@2009-11-24_01.09.40   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-26 23:44 . 2008-04-14 00:12	57344              c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcirt.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02	51008              c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2007-11-07 07:19 . 2007-11-07 07:19	54272              c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02	59728              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02	42832              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02	43344              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02	61264              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02	62800              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02	61760              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02	61776              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02	53568              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02	63296              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02	36688              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02	35648              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05	62976              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05	46080              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05	46592              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05	64512              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05	66048              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05	65024              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05	65024              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05	56832              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05	66560              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05	39936              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05	38912              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2009-07-12 05:05 . 2009-07-12 05:05	59904              c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-12 05:05 . 2009-07-12 05:05	59904              c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2008-07-29 11:07 . 2008-07-29 11:07	59904              c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 11:07 . 2008-07-29 11:07	59904              c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2009-10-26 23:44 . 2008-04-14 00:12	74802              c:\windows\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\atl.dll
+ 2006-03-28 11:23 . 2006-03-28 11:23	20992              c:\windows\twain_32\CNQ4802\USDRESUS.DLL
+ 2006-06-06 08:57 . 2006-06-06 08:57	21504              c:\windows\twain_32\CNQ4802\USDRESRU.DLL
+ 2006-06-06 08:57 . 2006-06-06 08:57	21504              c:\windows\twai

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:53:16 PM, on 11/28/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Sarrah Vesselov\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Sarrah Vesselov\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\tbZone.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\tbZone.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\tbZone.dll
O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [CarboniteSetupLite] "C:\Program Files\Carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=1800
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Sarrah Vesselov\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\ColorVision\Utility\ColorVisionStartup.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://extranet.edmc.edu/dana-cached/sc/JuniperSetupClient.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:
0

Running from: c:\documents and settings\Sarrah Vesselov\Desktop\Anti-Virus Stuff\ComboFix.exe
Is this Anti-Virus Stuff a folder? Combofix must be run FROM the desktop itself, not from within a folder on the desktop. Move it onto the desktop if it is inside this folder.

Edited by jholland1964: n/a

0

ComboFix 10-11-28.01 - Sarrah Vesselov 11/28/2010 18:49:44.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.579 [GMT -5:00]
Running from: c:\documents and settings\Sarrah Vesselov\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-28 )))))))))))))))))))))))))))))))
.

2010-11-28 13:53 . 2010-11-28 13:53 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-11-28 13:53 . 2010-11-28 13:53 -------- d-----w- c:\program files\SpywareBlaster
2010-11-27 23:30 . 2010-11-27 23:30 -------- d-----w- c:\program files\Microsoft Silverlight
2010-11-27 19:09 . 2010-11-27 19:09 -------- d-----w- c:\program files\Common Files\Java
2010-11-27 19:07 . 2010-11-27 19:06 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-27 16:30 . 2010-11-27 16:30 -------- d-----w- c:\documents and settings\Sarrah Vesselov\Application Data\CheckPoint
2010-11-27 16:21 . 2010-11-28 23:20 -------- d-----w- c:\windows\Internet Logs
2010-11-27 06:31 . 2010-11-27 06:31 -------- d-----w- C:\TDSSKiller_Quarantine
2010-11-25 18:21 . 2010-11-25 18:21 -------- d-----w- c:\documents and settings\Sarrah Vesselov\Application Data\Malwarebytes
2010-11-25 18:21 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-25 18:21 . 2010-11-25 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-25 18:21 . 2010-11-25 18:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-25 18:21 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-25 18:14 . 2010-11-25 18:14 388096 ----a-r- c:\documents and settings\Sarrah Vesselov\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-25 18:14 . 2010-11-25 18:14 -------- d-----w- c:\program files\Trend Micro
2010-11-25 17:04 . 2010-11-25 17:04 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2010-11-25 17:04 . 2010-11-25 17:04 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2010-11-25 16:55 . 2010-11-25 16:55 -------- d-----w- c:\program files\ESET
2010-11-25 16:12 . 2010-11-25 16:12 -------- d-----w- c:\documents and settings\Sarrah Vesselov\Local Settings\Application Data\Mozilla
2010-11-25 15:11 . 2010-11-27 16:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-11-21 17:54 . 2010-11-21 17:57 -------- d-----w- c:\documents and settings\Administrator
2010-11-20 19:08 . 2010-11-20 19:08 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-11-01 00:37 . 2004-03-29 20:23 90112 ----a-w- c:\windows\unvise32.exe
2010-11-01 00:37 . 2010-11-01 00:37 -------- d-----w- c:\program files\ColorVision

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-27 19:06 . 2010-07-11 19:58 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-18 16:23 . 2002-06-25 19:13 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2002-06-25 19:13 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2002-06-25 19:13 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2002-06-25 19:13 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-10 05:58 . 2002-03-05 12:56 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2002-06-25 19:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2002-06-25 19:08 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-07 15:12 . 2010-08-29 14:33 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2010-01-31 01:42 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2010-01-31 01:42 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2010-01-31 01:42 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2010-01-31 01:42 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2010-01-31 01:42 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2010-01-31 01:42 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2010-01-31 01:42 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2010-01-31 01:42 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-09-01 11:51 . 2002-06-25 18:59 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2002-06-25 19:32 1852800 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((( SnapShot_2010-11-28_21.46.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-28 22:15 . 2010-11-28 22:15 16384 c:\windows\Temp\Perflib_Perfdata_878.dat
+ 2010-11-28 22:15 . 2010-11-28 22:15 16384 c:\windows\Temp\Perflib_Perfdata_664.dat
+ 2009-10-23 22:29 . 2010-11-28 22:19 223069 c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-06-14 2734688]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
2010-06-14 00:10 2734688 ----a-w- c:\program files\ZoneAlarm_Security\tbZone.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-06-14 2734688]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-06-14 2734688]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Sarrah Vesselov\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-26 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-03-15 180224]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2010-03-09 283792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-26 8523776]
"nwiz"="nwiz.exe" [2008-05-26 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-26 81920]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-11-16 1043968]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-11-05 738808]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\Sarrah Vesselov\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ColorVisionStartup.lnk - c:\program files\ColorVision\Utility\ColorVisionStartup.exe [2007-2-13 385024]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2007-05-11 02:46 624248 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-01 12:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
2009-10-05 21:24 323280 ----a-w- c:\program files\Napster\napster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 09:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Napster\\napster.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"1038:TCP"= 1038:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [1/30/2010 8:42 PM 165584]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [6/25/2002 2:27 PM 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/30/2010 8:42 PM 17744]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [11/5/2010 6:41 AM 26872]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [11/5/2010 6:41 AM 488952]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [12/27/2009 10:49 PM 2789672]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [12/27/2009 10:49 PM 15656]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 7:38 PM 135664]
S3 Spyder2;ColorVision Spyder2;c:\windows\system32\drivers\Spyder2.sys [2/13/2007 4:16 PM 12288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-03-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 00:38]

2010-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 00:38]

2010-11-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-1035525444-682003330-1003Core.job
- c:\documents and settings\Sarrah Vesselov\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-26 23:47]

2010-11-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-1035525444-682003330-1003UA.job
- c:\documents and settings\Sarrah Vesselov\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-26 23:47]

2010-11-28 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://extranet.edmc.edu/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\Sarrah Vesselov\Application Data\Mozilla\Firefox\Profiles\gm68wsjd.default\
FF - component: c:\documents and settings\Sarrah Vesselov\Application Data\Mozilla\Firefox\Profiles\gm68wsjd.default\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Sarrah Vesselov\Application Data\Mozilla\Firefox\Profiles\gm68wsjd.default\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\components\RadioWMPCore.dll
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\program files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Firebug: firebug@software.joehewitt.com - c:\documents and settings\Sarrah Vesselov\Application Data\Mozilla\Firefox\Profiles\gm68wsjd.default\extensions\firebug@software.joehewitt.com
FF - Extension: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\documents and settings\Sarrah Vesselov\Application Data\Mozilla\Firefox\Profiles\gm68wsjd.default\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}
FF - Extension: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\CheckPoint\ZAForceField\TrustChecker
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-28 18:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'lsass.exe'(876)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'explorer.exe'(168)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-11-28 19:00:28
ComboFix-quarantined-files.txt 2010-11-29 00:00
ComboFix2.txt 2010-11-28 21:50
ComboFix3.txt 2009-11-24 01:13

Pre-Run: 93,278,019,584 bytes free
Post-Run: 93,291,028,480 bytes free

- - End Of File - - 2187153E109B3961C2DD99616AF29AA7


You know, you really need to read the instructions I originally gave you concerning the running of Combofix:
The first line of instructions says, in bold
• You must download it to and run it from your Desktop
Yet, when you originally ran this and attached the log approximately one hour ago your log showed that you ran it from within a folder. I pointed this out to you in the reply following your attaching of the logs and only told you to move it to the desktop; I did NOT tell you to run it again. Please take a good look at my post to you, you will not see anywhere that I told you to run it again. "Move it onto the desktop if it is inside this folder," that is all I said.
Now you copy/paste another combofix log, obviously run again 2 hours and 20 minutes later. Again I cite the original Combofix instructions and its very last line in bold, which very clearly states:
Run Combofix ONCE only!!
So you have run it twice today. There also appears to be an old log on the machine from approximately one year ago, so at that time the program was not removed correctly, because if it had been then that log would no longer be on the machine. That would not affect today's running but I am just pointing that out to you. Running it twice this time without being told to do so, though, could make a difference.



Sigh, okay... Sorry it's been a very long weekend... now what? Am I totally screwed on this?
