Inactive Backdoor.tidserv blocking access to task manager and Internet connection

    Look here for the list: C:\TDSSKiller_Quarantine

    I don't see a list in that folder

    Do you need to have Boingo Wi-Fi start on boot and run in the background? Why do you have the ZinioReader starting on boot and running in the background?

    I'm not sure why either of those things were running. I thought I had selected Diagnostic Mode in the System Configuration options. I rebooted in Diagnostic Mode, so those programs shouldn't be running in the background anymore.

    The Hosts I asked you about in Luxemburg, are they involved in your work connections?
    Hosts: 212.117.178.25 www.google.com
    Hosts: 212.117.163.43 search.yahoo.com
    But the 2 IPs are for:
    netname: SERVER-NETWORK
    descr: root SA
    country: LU > Luxemburg.

    I confirmed with an IT person at my work and those hosts do not have anything to do with my work connections.

    Please submit these files to VirScan for identification. If you get a message that they have already been identified, request a repeat:

    Sadly, it looks like I'm back to almost square one because all of my services are disabled and I cannot get online. When I rebooted my computer again, I was not able to view my network connections. When I opened services.msc, everything was disabled. I started from step one again. I ran Malwarebytes and it came back clean. I did the DNS flush, restarted the DNS client (and network connections and windows zero configuration), reset my router, and restarted my modem.

    At that point, I was able to view the network connections screen, but when I selected "View Available Wireless Networks," my computer didn't find any networks. I confirmed on my smartphone that there are at least 5 networks within range and that my router was functioning properly.

    I started in safe mode to see if that would help, because it had helped at one point in the past. It was strange because even though both my local and wireless connection icons had red Xs over them in the system tray, when I moused over the wireless connection, it said it was trying to connect to my home network. I selected view wireless networks, but it did not find anything.

    I'm sorry this is such a pain! If you could suggest next steps, I would be VERY appreciative!!

    Thank you!!
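The two hosts entries quoted above are the classic hosts-file hijack: a well-known name is mapped to a remote address, so the machine never asks DNS for it. As an added example (not from this thread or from any of the tools it mentions), here is a small check that parses a hosts file and flags public-address entries; the sample hosts content is constructed from the entries quoted in the post plus a default localhost line and a harmless LAN alias.

```python
"""Flag hosts-file entries that point hostnames at remote (public) addresses.

An entry such as "212.117.178.25 www.google.com" overrides DNS for that
name, which is how the redirect discussed in this thread works. Loopback,
unspecified and RFC 1918 private addresses are treated as normal.
"""
import ipaddress
from typing import List, Tuple

# Constructed hosts file: default localhost line, the two entries quoted in
# the thread, and one harmless local alias (all assumptions for this example).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
212.117.178.25  www.google.com
212.117.163.43  search.yahoo.com
192.168.1.10    printer.lan
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one per hostname, ignoring comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing/full-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:  # an address with no names is not a mapping
            continue
        addr, names = parts[0], parts[1:]
        for name in names:
            pairs.append((addr, name.lower()))
    return pairs


def suspicious_entries(text: str) -> List[Tuple[str, str, str]]:
    """Return (address, hostname, reason) for entries worth a human look."""
    flagged = []
    for addr, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            flagged.append((addr, name, "unparseable address"))
            continue
        if ip.is_loopback or ip.is_unspecified or ip.is_private:
            continue  # local sinkholing and LAN aliases are expected uses
        flagged.append((addr, name, "public address overrides DNS"))
    return flagged


if __name__ == "__main__":
    for addr, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{addr:<16} {name:<24} {reason}")
```

On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts; feed its contents to suspicious_entries() in place of the constructed sample.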
 
The system is still infected. Did you put the 3 files I left in Reply #22 through the VirScan?

FYI:
I'm not sure why either of those things were running. I thought I had selected Diagnostic Mode in the System Configuration options. I rebooted in Diagnostic Mode, so those programs shouldn't be running in the background anymore.
When you change startup entries using msconfig, you choose Selective Startup, then make the changes. After doing this, when you reboot the first time, you will get a nag message that you can ignore and close after checking 'don't show this message again.' You have to STAY in Selective Startup to keep the changes. My computers are put in Selective Startup on the 2nd day I use them and kept there.

it said it was trying to connect to my home network.

Connecting to your home network and your wireless network are not the same. Although you may have computers set up networked, if you have a wireless router, the connection is going to be through it. Make sure the machine that has the router hard wired to it is turned on. The network won't connect if it isn't.

If the Services are disabled, it's not going to connect. Let's try this please:

Please download VEW and save it to your Desktop:

Setting up the program

Double-click VEW.exe to run.

  • Under Select log to query, select:
    • Application
    • System
  • Under Select type to list, select:
    • Critical (Vista only)
    • Error
  • Click the radio button for Number of events
    • Type 20 in the 1 to 20 box
    • Then click the Run button.
    • Notepad will open with the output log.
  • Load the log
    • In Notepad, click Edit > Select all
    • Then press Edit > Copy
    • Press Ctrl+V on your keyboard to paste the log into your next reply.

(Courtesy rev-Olie)
 
The system is still infected. Did you put the 3 files I left in Reply #22 through the VirScan?

I didn't, because I'm not able to get online to run the program. I am only able to download programs from another computer onto a USB drive and transfer to my infected computer.

When you change startup entries using msconfig, you choose Selective Startup, then make the changes. After doing this, when you reboot the first time, you will get a nag message that you can ignore and close after checking 'don't show this message again.'

I restarted in Diagnostic Mode. I will restart in Selective Startup. Will you please tell me what changes I should make?

Connecting to your home network and your wireless network are not the same. Although you may have computers set up networked, if you have a wireless router, the connection is going to be through it. Make sure the machine that has the router hard wired to it is turned on. The network won't connect if it isn't.

Sorry, that was my lack of technical knowledge speaking. I don't have a home network set up. I was referring just to my wireless network. Also, in case it's important, I don't have a machine that the router is hard wired to. I only have the cable running to a modem, which is connected to my wireless router. When I open network connections and select view wireless networks, it is unable to locate any networks.

If the Services are disabled, it's not going to connect. Let's try this please:
Please download VEW and save it to your Desktop: . . . paste the log to your next reply.

The VEW report:

Vino's Event Viewer v01c run on windows XP in English
Report run at 18/10/2010 10:05:17 PM

Note: All dates below are in the format dd/mm/yyy
~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~


Thank you!
 
Also, in case it's important, I don't have a machine that the router is hard wired to. I only have the cable running to a modem, which is connected to my wireless router.

Whatever machine the cable/modem/router is connected to is the one it's 'hard wired' to. Think of it as plugged in (very untechnical).

Questions:
1. Did the VEW scan run? If it did, there should be a log with the Errors
2. Are the Services still getting disabled when you reboot?
3. Do you still have Combofix on the desktop?
4. Have we established what is telling you that you have the TDSSServer infection?
 
First, happy birthday!! :D

Whatever machine the cable/modem/router is connected to is the one it's 'hard wired' to. Think of it as plugged in (very untechnical).

Got it. I thought you were referring to a desktop machine that was actually plugged into the modem. Sorry about that.

1. Did the VEW scan run? If it did, there should be a log with the Errors

I guess not. I just tried it again, selecting the options you told me to select, and I received the same minimal log that I pasted in my last reply.

2. Are the Services still getting disabled when you reboot?
Yes. I just rebooted and all of my services except DCOM Server Process Launcher are disabled. Some still have "Started" in the status, but the startup type is back to disabled.

3. Do you still have Combofix on the desktop?
Yes

4. Have we established what is telling you that you have the TDSSServer infection?
No. Ever since we had some success clearing infections, I haven't had any TDSSServer infections come up on my scans.
 
Thank you for the greeting! And your patience.

I'd like a new scan with Combofix (already downloaded to desktop) followed by scan with HijackThis.

If you have HJT and it's version 2.0.2, please remove it and download and run this current version (v2.0.4):

Download the HijackThis Installer and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
 
Thanks Bobbye! hope you had a nice b'day.

I'd like a new scan with Combofix

Here is the ComboFix log:

ComboFix 10-10-21.02 - Admin 10/21/2010 22:22:36.2.2 - x86
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-09-22 to 2010-10-22 )))))))))))))))))))))))))))))))
.

2010-10-18 05:42 . 2010-10-18 05:42 -------- d-----w- c:\documents and settings\admin 2
2010-10-15 02:54 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-15 02:54 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-15 02:54 . 2010-10-15 02:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-10 16:00 . 2010-10-10 16:00 -------- dc----w- C:\TDSSKiller_Quarantine
2010-10-10 15:57 . 2010-10-10 15:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-10-10 15:47 . 2010-10-10 15:47 -------- dc----w- C:\_OTM
2010-10-10 02:28 . 2004-08-04 10:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-10-10 02:01 . 2010-10-10 02:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-10-10 00:36 . 2010-10-10 00:36 -------- d-----w- c:\program files\ESET
2010-10-09 17:38 . 2010-10-09 17:38 -------- d-----w- c:\program files\Intel
2010-10-09 17:35 . 2009-10-07 19:01 457 ----a-w- c:\windows\system32\vcredist_x86.bat
2010-10-09 17:35 . 2009-10-07 19:01 2682880 ----a-w- c:\windows\system32\vcredist_x86.exe
2010-10-09 17:35 . 2009-10-07 19:01 155648 ----a-w- c:\windows\system32\bcmwlapi.dll
2010-10-09 16:35 . 2010-10-10 02:33 -------- d-----w- c:\documents and settings\Admin
2010-10-06 01:29 . 2010-10-06 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-05 17:48 . 2010-10-05 17:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\IsolatedStorage
2010-10-05 15:17 . 2010-10-05 15:17 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-10-05 02:20 . 2010-10-05 13:17 0 ----a-w- c:\windows\Mxaqup.bin
2010-10-05 02:17 . 2010-10-05 02:17 67072 --sha-r- c:\windows\system32\nlsfuncg.dll
2010-10-05 02:16 . 2010-10-05 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Update

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

Cryptography Services Error !!
.
((((((((((((((((((((((((((((( SnapShot@2010-10-12_02.15.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-18 04:46 . 2009-10-07 19:01 2649216 c:\windows\system32\ReinstallBackups\0018\DriverFiles\BCMWL5.SYS
- 2010-10-10 02:17 . 2009-10-07 19:01 2649216 c:\windows\system32\ReinstallBackups\0018\DriverFiles\BCMWL5.SYS
+ 2009-07-10 00:57 . 2010-10-15 13:05 35385288 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-10-07 2498560]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2010-04-11 03:38 524632 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-09-09 05:18 57344 ----a-w- c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 22:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater6]
2009-01-08 12:36 2521464 ----a-w- c:\program files\Common Files\Adobe\Updater6\Adobe_Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Boingo Wi-Fi]
2010-10-06 04:57 2179 -c--a-w- c:\program files\Boingo\Boingo Wi-Fi\Boingo.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2009-10-07 19:01 2498560 ----a-w- c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2006-07-20 00:26 52896 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 10:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 10:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 01:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 05:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 20:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 19:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-01-19 14:14 7401472 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
2006-01-19 14:14 73728 ----a-w- c:\windows\system32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-01-19 14:14 1519616 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 02:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-03-24 22:30 282624 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-04-01 04:05 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2006-09-28 01:33 125168 ----a-w- c:\progra~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zinio DLM]
2009-07-21 18:02 2707526 ----a-w- c:\program files\Zinio\ZinioReader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PlugPlay"=2 (0x2)
"Netman"=2 (0x2)
"CryptSvc"=3 (0x3)
"AudioSrv"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"ALG"=3 (0x3)
"ADVService"=2 (0x2)
"AdobeActiveFileMonitor4.0"=2 (0x2)
"ACDaemon"=3 (0x3)
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WmiApSrv"=3 (0x3)
"Wmi"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"wltrysvc"=2 (0x2)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=2 (0x2)
"TlntSvr"=3 (0x3)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"Symantec AntiVirus"=2 (0x2)
"SwPrv"=3 (0x3)
"stisvc"=3 (0x3)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"SNDSrvc"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RemoteAccess"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"odserv"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=2 (0x2)
"Netlogon"=3 (0x3)
"NetDDEdsdm"=3 (0x3)
"NetDDE"=3 (0x3)
"MSIServer"=3 (0x3)
"mnmsrvc"=3 (0x3)
"Messenger"=2 (0x2)
"LmHosts"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"helpsvc"=2 (0x2)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"Dnscache"=2 (0x2)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"DefWatch"=2 (0x2)
"COMSysApp"=3 (0x3)
"ClipSrv"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Browser"=2 (0x2)
"BITS"=3 (0x3)
"Alerter"=3 (0x3)
"TrkWks"=2 (0x2)
"SavRoam"=2 (0x2)
"MSDTC"=3 (0x3)
"HTTPFilter"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"CiSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Citrix\\Secure Access Client\\nsload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/17/2009 3:13 AM 64160]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/1/2010 8:06 PM 102448]
R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [3/18/2009 12:19 PM 73368]
S0 FixTDSS;FixTDSS; [x]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [12/18/2009 12:13 PM 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [12/18/2009 12:12 PM 174720]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 3:43 PM 32408]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
S4 nsverctl;Citrix Secure Access Client Service;c:\program files\Citrix\Secure Access Client\nsverctl.exe [3/18/2009 12:19 PM 139264]
S4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 9:33 PM 116464]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/11/2009 3:33 PM 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-10-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 03:38]
.
.
------- Supplementary Scan -------
.
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {181BCAB2-C89B-4E4B-9E6B-59FA67A426B5} - hxxps://remote.bingham.com/epa/vista/nsepa.ocx
DPF: {3F777025-3835-4117-B9FA-5E5230669310} - hxxps://law.lexisnexis.com/resources/fyi/dataflight_fyi.cab
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(560)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(1900)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-10-21 22:29:37
ComboFix-quarantined-files.txt 2010-10-22 02:29
ComboFix2.txt 2010-10-12 02:17

Pre-Run: 26,011,332,608 bytes free
Post-Run: 26,013,143,040 bytes free

- - End Of File - - E272F922B86DC345D408CF3FF0993A35


followed by scan with HijackThis.

Here is the HiJack log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:38:11 PM, on 10/21/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {3F777025-3835-4117-B9FA-5E5230669310} (Dataflight FYI Reviewer Control) - https://law.lexisnexis.com/resources/fyi/dataflight_fyi.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {971127BB-259F-48C2-BD75-5F97A3331551} (Microsoft RDP Client Control (redist)) - http://connect.ontrackinview.com/msrdp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

--
End of file - 3917 bytes


Thank you!
 
Please do the following in the order I have them listed:
1. Download and run LSP-Fix

  • [1] Download LSP-Fix and save it to its own directory on the desktop.
    [2] Double-click on the file to open.
    [3] In the left hand column, you should see the nwprovau.dll file listed.
    [o] Click on it to highlight.
    [o] Click the arrow in the middle of the screen that points to the right.
    [4] This will move the filename to the right-hand column labeled Remove.
    [o] NOTE: If the arrow is greyed out and does not allow you to click it, you need to check the box above labeled "I know what I'm doing".
    [5] Once the file has been transferred to the Remove column, click Finish at the bottom of the screen.
    [6] You'll be presented with a results screen showing the file was removed from the Winsock layer entries in the registry.
    [7] Close LSPFix.
=============================================
2. Run a new scan with HijackThis> uninstall the version 2.0.2 you ran and click on the link I left for the current version v2.0.4 in Reply #31. The LSP nwprovau.dll entries should be gone.
============================================
3. Please run this Custom CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
c:\windows\Mxaqup.bin
Folder::
C:\TDSSKiller_Quarantine
Extra::
File::
c:\program files\viewpoint\common\ViewpointService.exe
Firefox::
Firefox-:- Profile - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\d1gk3n47.default\

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-

DirLook::
c:\documents and settings\Admin
c:\documents and settings\admin 2
Driver::
FixTDSS
Viewpoint Manager Service
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Check this Service: Start> Run> type in services.msc> Double click on Cryptography Services> should be set to Automatic Startup Type and Started. If it is not, set it that way. Then check Remote Procedure Call> should also be set to Automatic/Start.

I am still concerned about the status of the Services and the way they are loading- having Broni take a look. Are they still being disabled?
 
I am still concerned about the status of the Services and the way they are loading- having Broni take a look. Are they still being disabled?

I will follow your instructions and paste the logs as soon as I get home from work. In the meantime, I wanted to reply to your question. Yes, when I restart, everything is disabled except DCOM Server Process Launcher. I will test again when I get home to verify this is still happening but it was the case last time I restarted.

Also, when you get a chance, will you send me the link you were referring to that lists all of the proper services.msc settings?

Thank you!!
 
I printed out a list of the Service settings from the log. It looks like they aren't set right. Services have Dependencies. If a Service needs another Service to run and it isn't running, then that Service won't start. I'm going to try to reset them for you using a script in Combofix, but I'm not sure how to do that. Your setting shows how many dependencies the Service has, but not what they are, so I have to open each.

The best site I know of on the internet for settings is Black Viper- I'll get the right page for you. They shouldn't be listed out under msconfig in the Combofix log.
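The msconfig\services block in the ComboFix log above is the list Bobbye is working from: when Selective Startup disables a service, msconfig stores the service name with its original Start value under that key (2 = Automatic, 3 = Manual, 4 = Disabled), so the block doubles as a restore list. As an added example (not from this thread, ComboFix or msconfig), the script below parses that block, flags the services the thread's symptoms depend on, and emits the matching sc config lines; the log excerpt is constructed from a few entries of the posted log, and the "network-critical" set is my own choice for this thread.

```python
"""Parse the [...\\msconfig\\services] block of a ComboFix log.

Each line  "Name"=N (0xN)  is a service that msconfig's Selective Startup
has disabled; N is the service's ORIGINAL Start type, which is what we
want to put back. Start values follow the Windows service Start semantics:
2 = Automatic, 3 = Manual, 4 = Disabled.
"""
import re
from typing import Dict, List

# Constructed excerpt modelled on the log posted in this thread (not the full log).
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\services]
"PlugPlay"=2 (0x2)
"Netman"=2 (0x2)
"CryptSvc"=3 (0x3)
"WZCSVC"=2 (0x2)
"Dnscache"=2 (0x2)
"Dhcp"=2 (0x2)
"Nla"=2 (0x2)
"BITS"=3 (0x3)

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
"""

START_TYPE = {2: "Automatic", 3: "Manual", 4: "Disabled"}
SC_KEYWORD = {2: "auto", 3: "demand", 4: "disabled"}

# Services the "no wireless networks / no DNS" symptoms in this thread rely on
# (an assumption made for this example, not a list from the thread).
NETWORK_CRITICAL = {"Dhcp", "Dnscache", "WZCSVC", "Netman", "Nla", "PlugPlay", "CryptSvc"}

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>\d+)\s*\(0x[0-9a-fA-F]+\)\s*$')


def parse_msconfig_services(log: str) -> Dict[str, int]:
    """Return {service_name: original_start_type} from the msconfig\\services block."""
    result: Dict[str, int] = {}
    in_block = False
    for line in log.splitlines():
        m = SECTION_RE.match(line)
        if m:  # a new [key] header: are we entering the block we care about?
            in_block = m.group("key").lower().endswith("\\msconfig\\services")
            continue
        if not in_block:
            continue
        m = VALUE_RE.match(line)
        if m:
            result[m.group("name")] = int(m.group("val"))
    return result


def flag_network_blockers(services: Dict[str, int]) -> List[str]:
    """Names of msconfig-disabled services that networking needs, sorted."""
    return sorted(name for name in services if name in NETWORK_CRITICAL)


def sc_commands(services: Dict[str, int]) -> List[str]:
    """'sc config' lines that restore each original Start type (review before running)."""
    return [
        f'sc config "{name}" start= {SC_KEYWORD.get(start, "demand")}'
        for name, start in sorted(services.items())
    ]


if __name__ == "__main__":
    found = parse_msconfig_services(SAMPLE_LOG)
    for name in flag_network_blockers(found):
        print(f"{name:<12} originally {START_TYPE.get(found[name], '?')}")
    print("\n".join(sc_commands(found)))
```

Paste a real ComboFix.txt into parse_msconfig_services() to get the full restore list; services disabled by something other than msconfig will not appear under this key and must be checked in services.msc as Bobbye describes.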
 
I removed the old HiJack and downloaded the new one. I ran a scan and the new log is below. (not sure if you need it, but thought I'd include it just in case.)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:43:49 PM, on 10/25/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3F777025-3835-4117-B9FA-5E5230669310} (Dataflight FYI Reviewer Control) - https://law.lexisnexis.com/resources/fyi/dataflight_fyi.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {971127BB-259F-48C2-BD75-5F97A3331551} (Microsoft RDP Client Control (redist)) - http://connect.ontrackinview.com/msrdp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

--
End of file - 4511 bytes
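Added example, not part of the original thread and not a HijackThis or TechSpot tool: a small Python triage script for the HijackThis log format shown above. It parses the R0/R1, O2, O4, O9, O16, O18, O22 and O23 line types into records (type, CLSID, target path or URL) and then lists the entries a helper would want to look at first: O16 DPF ActiveX controls downloaded from a host that is not on an allowlist, IE start/search pages pointing somewhere other than Microsoft, and shell extensions, services or autoruns loading from outside Windows or Program Files. The allowlists are an assumption for illustration, not a judgement on the hosts in the log; an entry on the list means "verify", not "malicious". The sample input is a handful of lines copied from the log above.

```python
import re
from urllib.parse import urlparse

# Sample input: lines copied from the HijackThis log posted above (constructed subset).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {3F777025-3835-4117-B9FA-5E5230669310} (Dataflight FYI Reviewer Control) - https://law.lexisnexis.com/resources/fyi/dataflight_fyi.cab
O16 - DPF: {971127BB-259F-48C2-BD75-5F97A3331551} (Microsoft RDP Client Control (redist)) - http://connect.ontrackinview.com/msrdp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
"""

# Assumed allowlists for illustration only; tune them for the machine being examined.
ALLOWED_DPF_HOSTS = {"download.macromedia.com", "download.eset.com", "upload.facebook.com"}
ALLOWED_IE_HOSTS = {"go.microsoft.com", "www.microsoft.com"}
# Locations a normal install loads code from; anything else gets a second look.
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

LINE_RE = re.compile(r"^(?P<code>[RFO]\d+)\s+-\s+(?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}")
O4_RE = re.compile(r"^(?P<key>[^:]+):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def parse_hjt(text):
    """Turn HijackThis log lines into dicts with code, clsid and target (path or URL)."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, process list, blank lines
        code, body = m.group("code"), m.group("body")
        entry = {"code": code, "body": body, "clsid": None, "target": None}
        c = CLSID_RE.search(body)
        if c:
            entry["clsid"] = c.group(0).upper()
        if code in ("R0", "R1"):
            # "...Main,Start Page = http://..." : the URL is everything after '='
            entry["target"] = body.split("=", 1)[-1].strip()
        elif code == "O4":
            # "HKLM\..\Run: [Name] C:\path\program.exe args"
            om = O4_RE.match(body)
            if om:
                entry["name"] = om.group("name")
                entry["target"] = om.group("cmd").strip().strip('"')
        elif code in ("O2", "O9", "O16", "O18", "O22", "O23"):
            # last " - " separated field is the DLL/EXE path or the .cab download URL
            entry["target"] = body.rsplit(" - ", 1)[-1].strip()
        entries.append(entry)
    return entries


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _in_system_root(path):
    p = path.lower()
    return any(p.startswith(root) for root in SYSTEM_ROOTS)


def triage(entries):
    """Return (code, clsid, reason) tuples for entries worth a human's attention."""
    findings = []
    for e in entries:
        code, target = e["code"], e["target"] or ""
        if code == "O16" and _host(target) not in ALLOWED_DPF_HOSTS:
            findings.append((code, e["clsid"], f"ActiveX control downloaded from unlisted host {_host(target)}; verify the vendor"))
        elif code in ("R0", "R1") and _host(target) not in ALLOWED_IE_HOSTS:
            findings.append((code, None, f"IE start/search page points at {_host(target)}"))
        elif code in ("O2", "O4", "O9", "O18", "O22", "O23") and target and not _in_system_root(target):
            findings.append((code, e["clsid"], f"loads from outside Windows/Program Files: {target}"))
    return findings


if __name__ == "__main__":
    for code, clsid, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(code, clsid or "-", reason)
```

Run it against a full log by replacing SAMPLE_LOG with the file contents. On the sample above it lists only the two O16 controls whose download hosts are not on the assumed allowlist; the remaining entries load from Windows or Program Files, or point at go.microsoft.com, and are left alone.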
 
Please run this Custom CFScript. When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it in your next reply.

ComboFix 10-10-21.02 - Admin 10/25/2010 23:49:57.3.2 - x86
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
"c:\program files\viewpoint\common\ViewpointService.exe"
"c:\program files\viewpoint\viewpoint media player\npViewpoint.dll"
"c:\windows\Mxaqup.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\viewpoint\common\ViewpointService.exe
c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
C:\TDSSKiller_Quarantine
c:\tdsskiller_quarantine\10.10.2010_11.58.47\susp0000\object.ini
c:\tdsskiller_quarantine\10.10.2010_11.58.47\susp0000\svc0000\object.ini
c:\tdsskiller_quarantine\10.10.2010_11.58.47\susp0000\svc0000\tsk0000.ini
c:\windows\Mxaqup.bin

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FIXTDSS
-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_FixTDSS
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2010-09-26 to 2010-10-26 )))))))))))))))))))))))))))))))
.

2010-10-22 02:36 . 2010-10-22 02:36 -------- d-----w- c:\program files\Trend Micro
2010-10-18 05:42 . 2010-10-18 05:42 -------- d-----w- c:\documents and settings\admin 2
2010-10-15 02:54 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-15 02:54 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-15 02:54 . 2010-10-15 02:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-10 15:57 . 2010-10-10 15:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-10-10 15:47 . 2010-10-10 15:47 -------- dc----w- C:\_OTM
2010-10-10 02:28 . 2004-08-04 10:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-10-10 02:01 . 2010-10-10 02:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-10-10 00:36 . 2010-10-10 00:36 -------- d-----w- c:\program files\ESET
2010-10-09 17:38 . 2010-10-09 17:38 -------- d-----w- c:\program files\Intel
2010-10-09 17:35 . 2009-10-07 19:01 457 ----a-w- c:\windows\system32\vcredist_x86.bat
2010-10-09 17:35 . 2009-10-07 19:01 2682880 ----a-w- c:\windows\system32\vcredist_x86.exe
2010-10-09 17:35 . 2009-10-07 19:01 155648 ----a-w- c:\windows\system32\bcmwlapi.dll
2010-10-09 16:35 . 2010-10-10 02:33 -------- d-----w- c:\documents and settings\Admin
2010-10-06 01:29 . 2010-10-06 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-05 17:48 . 2010-10-05 17:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\IsolatedStorage
2010-10-05 15:17 . 2010-10-05 15:17 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-10-05 02:17 . 2010-10-05 02:17 67072 --sha-r- c:\windows\system32\nlsfuncg.dll
2010-10-05 02:16 . 2010-10-05 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Update

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\admin 2 ----

2010-10-18 05:45 . 2010-10-18 05:45 3764508 ---ha-w- c:\documents and settings\admin 2\Local Settings\Application Data\IconCache.db
2010-10-18 05:42 . 2010-10-18 05:42 144 ----a-w- c:\documents and settings\admin 2\Application Data\Microsoft\Office\Groove12.pip
2010-10-18 05:42 . 2010-10-18 05:42 7919 ----a-w- c:\documents and settings\admin 2\Local Settings\Application Data\Microsoft\Internet Explorer\brndlog.bak
2010-10-18 05:42 . 2010-10-18 05:42 0 ----a-w- c:\documents and settings\admin 2\Local Settings\Application Data\Microsoft\Feeds Cache\8URA0DNA\fwlink[1]
2010-10-18 05:42 . 2010-10-18 05:42 28672 ----a-w- c:\documents and settings\admin 2\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Web Slice Gallery~.feed-ms
2010-10-18 05:42 . 2010-10-18 05:42 226 ----a-w- c:\documents and settings\admin 2\Favorites\Links\Web Slice Gallery.url
2010-10-18 05:42 . 2010-10-18 05:42 0 ----a-w- c:\documents and settings\admin 2\Local Settings\Application Data\Microsoft\Feeds Cache\WB8Z825C\fwlink[1]
2010-10-18 05:42 . 2010-10-18 05:42 28672 ----a-w- c:\documents and settings\admin 2\Local Settings\Application Data\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Work~.feed-ms
2010-10-18 05:42 . 2010-10-18 05:42 0 ----a-w- c:\documents and settings\admin 2\Local Settings\Application Data\Microsoft\Feeds Cache\7VWQ2FH3\fwlink[1]
2010-10-18 05:42 . 2010-10-18 05:42 6144 ----a-w- c:\documents and settings\admin 2\Local Settings\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms
2010-10-18 05:42 . 2010-10-18 05:42 28672 ----a-w- c:\documents and settings\admin 2\Local Settings\Application Data\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Home~.feed-ms
2010-10-18 05:42 . 2010-10-18 05:42 67 --sh--w- c:\documents and settings\admin 2\Local Settings\Application Data\Microsoft\Feeds Cache\79UIUAG5\desktop.ini
2010-10-18 05:42 . 2010-10-18 05:42 67 --sh--w- c:\documents and settings\admin 2\Local Settings\Application Data\Microsoft\Feeds Cache\8URA0DNA\desktop.ini
2010-10-18 05:42 . 2010-10-18 05:42 67 --sh--w- c:\documents and settings\admin 2\Local Settings\Application Data\Microsoft\Feeds Cache\WB8Z825C\desktop.ini
2010-10-18 05:42 . 2010-10-18 05:42 67 --sh--w- c:\documents and settings\admin 2\Local Settings\Application Data\Microsoft\Feeds Cache\7VWQ2FH3\desktop.ini
2010-10-18 05:42 . 2010-10-18 05:42 67 --sh--w- c:\documents and settings\admin 2\Local Settings\Application Data\Microsoft\Feeds Cache\desktop.ini
2010-10-18 05:42 . 2010-10-18 05:42 32768 --sha-w- c:\documents and settings\admin 2\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
2010-10-18 05:42 . 2010-10-18 05:42 84 --sha-w- c:\documents and settings\admin 2\Favorites\Links\desktop.ini
2010-10-18 05:42 . 2010-10-18 05:42 133 ----a-w- c:\documents and settings\admin 2\Favorites\Microsoft Websites\Microsoft At Work.url
2010-10-18 05:42 . 2010-10-18 05:42 134 ----a-w- c:\documents and settings\admin 2\Favorites\Microsoft Websites\Microsoft Store.url
2010-10-18 05:42 . 2010-10-18 05:42 133 ----a-w- c:\documents and settings\admin 2\Favorites\Microsoft Websites\Microsoft At Home.url
2010-10-18 05:42 . 2010-10-18 05:42 133 ----a-w- c:\documents and settings\admin 2\Favorites\Microsoft Websites\IE Add-on site.url
2010-10-18 05:42 . 2010-10-18 05:42 133 ----a-w- c:\documents and settings\admin 2\Favorites\Microsoft Websites\IE site on Microsoft.com.url
2010-10-18 05:42 . 2010-10-18 05:42 7803 ----a-w- c:\documents and settings\admin 2\Local Settings\Application Data\Microsoft\Internet Explorer\brndlog.txt
2010-10-18 05:42 . 2010-10-18 05:42 815 ----a-w- c:\documents and settings\admin 2\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
2010-10-18 05:42 . 2010-10-18 05:42 803 ----a-w- c:\documents and settings\admin 2\Start Menu\Programs\Internet Explorer.lnk
2010-10-18 05:42 . 2010-10-18 05:42 833 ----a-w- c:\documents and settings\admin 2\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
2010-10-18 05:42 . 2010-10-18 05:42 122 --sha-w- c:\documents and settings\admin 2\Favorites\Desktop.ini
2010-10-18 05:42 . 2010-10-18 05:42 60 --sh--w- c:\documents and settings\admin 2\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
2010-10-18 05:42 . 2010-10-18 05:42 150 --sha-w- c:\documents and settings\admin 2\Recent\Desktop.ini
2010-10-18 05:42 . 2010-10-18 05:42 79 ----a-w- c:\documents and settings\admin 2\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
2010-10-18 05:42 . 2010-10-18 05:42 774 ----a-w- c:\documents and settings\admin 2\Start Menu\Programs\Accessories\Address Book.lnk
2010-10-18 05:42 . 2010-10-18 05:42 738 ----a-w- c:\documents and settings\admin 2\Start Menu\Programs\Outlook Express.lnk
2010-10-18 05:42 . 2010-10-18 05:42 2572 --sha-w- c:\documents and settings\admin 2\Application Data\Microsoft\Internet Explorer\Desktop.htt
2010-10-18 05:42 . 2010-10-18 05:42 0 ----a-w- c:\documents and settings\admin 2\SendTo\My Documents.mydocs
2010-10-18 05:42 . 2010-10-18 05:42 638 ----a-w- c:\documents and settings\admin 2\My Documents\My Music\Sample Music.lnk
2010-10-18 05:42 . 2010-10-18 05:42 183 --sha-w- c:\documents and settings\admin 2\My Documents\My Music\Desktop.ini
2010-10-18 05:42 . 2010-10-18 05:42 668 ----a-w- c:\documents and settings\admin 2\My Documents\My Pictures\Sample Pictures.lnk
2010-10-18 05:42 . 2010-10-18 05:42 185 --sha-w- c:\documents and settings\admin 2\My Documents\My Pictures\Desktop.ini
2010-10-18 05:42 . 2010-10-18 05:42 78 --sha-w- c:\documents and settings\admin 2\My Documents\desktop.ini
2010-10-18 05:42 . 2010-10-18 05:42 245760 --sha-w- c:\documents and settings\admin 2\IETldCache\index.dat
2010-10-18 05:42 . 2010-10-18 05:42 16384 --sha-w- c:\documents and settings\admin 2\Cookies\index.dat
2010-10-18 05:42 . 2010-10-18 05:45 178 --sha-w- c:\documents and settings\admin 2\ntuser.ini
2010-10-18 05:42 . 2010-10-18 05:45 262144 ---ha-w- c:\documents and settings\admin 2\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
2010-10-18 05:42 . 2010-10-18 05:42 1024 ---ha-w- c:\documents and settings\admin 2\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
2010-10-18 05:42 . 2009-03-16 22:51 62 --sha-w- c:\documents and settings\admin 2\Application Data\desktop.ini
2010-10-18 05:42 . 2009-03-17 05:46 113 ----a-w- c:\documents and settings\admin 2\Application Data\Microsoft\Internet Explorer\brndlog.bak
2010-10-18 05:42 . 2009-03-17 05:46 141 ----a-w- c:\documents and settings\admin 2\Application Data\Microsoft\Internet Explorer\brndlog.txt
2010-10-18 05:42 . 2009-03-17 05:46 720896 ----a-w- c:\documents and settings\admin 2\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_59R.wmdb
2010-10-18 05:42 . 2009-03-17 05:46 498 ----a-w- c:\documents and settings\admin 2\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.DTD
2010-10-18 05:42 . 2009-03-17 05:46 12784 ----a-w- c:\documents and settings\admin 2\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML
2010-10-18 05:42 . 2010-10-18 05:42 62 --sha-w- c:\documents and settings\admin 2\Local Settings\desktop.ini
2010-10-18 05:42 . 2009-03-17 05:50 113 --sha-w- c:\documents and settings\admin 2\Local Settings\History\desktop.ini
2010-10-18 05:42 . 2009-03-17 05:50 113 --sha-w- c:\documents and settings\admin 2\Local Settings\History\History.IE5\desktop.ini
2010-10-18 05:42 . 2010-10-18 05:42 16384 ----a-w- c:\documents and settings\admin 2\Local Settings\History\History.IE5\index.dat
2010-10-18 05:42 . 2009-03-17 05:45 0 ----a-w- c:\documents and settings\admin 2\SendTo\Compressed (zipped) Folder.ZFSendToTarget
2010-10-18 05:42 . 2009-03-17 05:45 0 ----a-w- c:\documents and settings\admin 2\SendTo\Desktop (create shortcut).DeskLink
2010-10-18 05:42 . 2009-03-17 05:45 181 --sha-w- c:\documents and settings\admin 2\SendTo\desktop.ini
2010-10-18 05:42 . 2009-03-17 05:45 0 ----a-w- c:\documents and settings\admin 2\SendTo\Mail Recipient.MAPIMail
2010-10-18 05:42 . 2009-03-16 22:51 62 --sha-w- c:\documents and settings\admin 2\Start Menu\desktop.ini
2010-10-18 05:42 . 2009-03-17 05:46 348 --sha-w- c:\documents and settings\admin 2\Start Menu\Programs\Accessories\Accessibility\desktop.ini
2010-10-18 05:42 . 2009-03-17 05:46 1525 ----a-w- c:\documents and settings\admin 2\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk
2010-10-18 05:42 . 2009-03-17 05:46 1532 ----a-w- c:\documents and settings\admin 2\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk
2010-10-18 05:42 . 2009-03-17 05:46 1501 ----a-w- c:\documents and settings\admin 2\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk
2010-10-18 05:42 . 2009-03-17 05:46 1555 ----a-w- c:\documents and settings\admin 2\Start Menu\Programs\Accessories\Command Prompt.lnk
2010-10-18 05:42 . 2009-03-17 05:46 1539 ----a-w- c:\documents and settings\admin 2\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk
2010-10-18 05:42 . 2010-10-18 05:42 542 --sha-w- c:\documents and settings\admin 2\Start Menu\Programs\Accessories\desktop.ini
2010-10-18 05:42 . 2009-03-17 05:46 84 --sha-w- c:\documents and settings\admin 2\Start Menu\Programs\Accessories\Entertainment\desktop.ini
2010-10-18 05:42 . 2010-10-18 05:42 804 ----a-w- c:\documents and settings\admin 2\Start Menu\Programs\Accessories\Entertainment\Windows Media Player.lnk
2010-10-18 05:42 . 2009-03-17 05:46 1519 ----a-w- c:\documents and settings\admin 2\Start Menu\Programs\Accessories\Notepad.lnk
2010-10-18 05:42 . 2009-03-17 05:46 386 ----a-w- c:\documents and settings\admin 2\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk
2010-10-18 05:42 . 2009-03-17 05:46 1519 ----a-w- c:\documents and settings\admin 2\Start Menu\Programs\Accessories\Synchronize.lnk
2010-10-18 05:42 . 2009-03-17 05:46 1527 ----a-w- c:\documents and settings\admin 2\Start Menu\Programs\Accessories\Tour Windows XP.lnk
2010-10-18 05:42 . 2010-10-18 05:42 190 --sha-w- c:\documents and settings\admin 2\Start Menu\Programs\desktop.ini
2010-10-18 05:42 . 2009-03-17 05:46 1599 ----a-w- c:\documents and settings\admin 2\Start Menu\Programs\Remote Assistance.lnk
2010-10-18 05:42 . 2009-03-17 05:45 1487 ----a-w- c:\documents and settings\admin 2\Start Menu\Programs\Accessories\Windows Explorer.lnk
2010-10-18 05:42 . 2010-10-18 05:42 792 ----a-w- c:\documents and settings\admin 2\Start Menu\Programs\Windows Media Player.lnk
2010-10-18 05:42 . 2009-03-17 05:46 84 --sha-w- c:\documents and settings\admin 2\Start Menu\Programs\Startup\desktop.ini
2010-10-18 05:42 . 2004-08-04 10:00 4570 ----a-w- c:\documents and settings\admin 2\Templates\amipro.sam
2010-10-18 05:42 . 2004-08-04 10:00 5632 ----a-w- c:\documents and settings\admin 2\Templates\excel.xls
2010-10-18 05:42 . 2004-08-04 10:00 1518 ----a-w- c:\documents and settings\admin 2\Templates\excel4.xls
2010-10-18 05:42 . 2004-08-04 10:00 2448 ----a-w- c:\documents and settings\admin 2\Templates\lotus.wk4
2010-10-18 05:42 . 2004-08-04 10:00 12288 ----a-w- c:\documents and settings\admin 2\Templates\powerpnt.ppt
2010-10-18 05:42 . 2004-08-04 10:00 461 ----a-w- c:\documents and settings\admin 2\Templates\presenta.shw
2010-10-18 05:42 . 2004-08-04 10:00 4017 ----a-w- c:\documents and settings\admin 2\Templates\quattro.wb2
2010-10-18 05:42 . 2004-08-04 10:00 58 ----a-w- c:\documents and settings\admin 2\Templates\sndrec.wav
2010-10-18 05:42 . 2004-08-04 10:00 4608 ----a-w- c:\documents and settings\admin 2\Templates\winword.doc
2010-10-18 05:42 . 2004-08-04 10:00 1769 ----a-w- c:\documents and settings\admin 2\Templates\winword2.doc
2010-10-18 05:42 . 2004-08-04 10:00 30 ----a-r- c:\documents and settings\admin 2\Templates\wordpfct.wpd
2010-10-18 05:42 . 2004-08-04 10:00 57 ----a-r- c:\documents and settings\admin 2\Templates\wordpfct.wpg
2010-10-18 05:42 . 2010-10-26 03:23 1024 ---ha-w- c:\documents and settings\admin 2\Ntuser.dat.LOG
2010-10-18 05:42 . 2010-10-18 05:45 786432 ---ha-w- c:\documents and settings\admin 2\NTUSER.DAT

---- Directory of c:\documents and settings\Admin ----

2010-10-26 03:47 . 2010-10-26 03:47 387 ----a-w- c:\documents and settings\Admin\Recent\CFScript.txt.lnk
2010-10-26 03:44 . 2010-10-26 03:44 423 ----a-w- c:\documents and settings\Admin\Recent\hijackthis1025.log.lnk
2010-10-26 03:44 . 2010-10-26 03:44 4396 ----a-w- c:\documents and settings\Admin\Desktop\hijackthis1025.log
2010-10-26 03:43 . 2010-10-26 03:43 388096 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-26 03:43 . 2010-10-26 03:43 2447 ----a-w- c:\documents and settings\Admin\Desktop\HiJackThis.lnk
2010-10-26 03:43 . 2010-10-26 03:43 1984 ----a-w- c:\documents and settings\Admin\Start Menu\Programs\HiJackThis\HiJackThis.lnk
2010-10-26 03:42 . 2010-10-26 03:31 1402880 ----a-w- c:\documents and settings\Admin\Desktop\HiJackThis.msi
2010-10-26 03:39 . 2010-10-26 03:45 5482 ----a-w- c:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\LQM197H7\views[1]
2010-10-26 03:25 . 2006-07-05 20:12 186880 ----a-w- c:\documents and settings\Admin\Desktop\LSPFix.exe
2010-10-26 03:25 . 2010-10-26 03:24 32768 --sha-w- c:\documents and settings\Admin\Local Settings\History\History.IE5\MSHist012010102520101026\index.dat
2010-10-26 03:25 . 2010-10-26 03:24 32768 --sha-w- c:\documents and settings\Admin\Local Settings\History\History.IE5\MSHist012010101820101025\index.dat
2010-10-26 03:25 . 2010-10-26 03:45 503 ----a-w- c:\documents and settings\Admin\Recent\instructions.txt.lnk
2010-10-26 03:25 . 2010-10-25 15:10 201030 ----a-w- c:\documents and settings\Admin\Desktop\lspfix.zip
2010-10-26 03:25 . 2010-10-25 15:10 2677 ----a-w- c:\documents and settings\Admin\Desktop\instructions.txt
2010-10-22 02:38 . 2010-10-22 02:38 290 ----a-w- c:\documents and settings\Admin\Recent\hijackthis.log.lnk
2010-10-22 02:35 . 2010-10-22 02:35 67 --sh--w- c:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\PVJ3CBKC\desktop.ini
2010-10-22 02:35 . 2010-10-26 03:45 32768 --sha-w- c:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat
2010-10-22 02:35 . 2010-10-22 02:35 67 --sh--w- c:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\4UHF04O8\desktop.ini
2010-10-22 02:35 . 2010-10-22 02:35 67 --sh--w- c:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\KUY7WT0H\desktop.ini
2010-10-22 02:35 . 2010-10-22 02:35 67 --sh--w- c:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\LQM197H7\desktop.ini
2010-10-22 02:35 . 2010-10-22 02:35 67 --sh--w- c:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
2010-10-22 02:35 . 2010-10-22 02:35 298 ----a-w- c:\documents and settings\Admin\Recent\ComboFix log.txt.lnk
2010-10-22 02:29 . 2010-10-18 05:02 1873 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\prefs.js.BAK
2010-10-22 02:20 . 2010-10-22 02:13 3882530 ----a-r- c:\documents and settings\Admin\Desktop\ComboFix.exe
2010-10-22 02:17 . 2010-10-22 02:36 288 ----a-w- c:\documents and settings\Admin\Recent\directions.txt.lnk
2010-10-22 02:17 . 2010-10-22 02:15 1865 ----a-w- c:\documents and settings\Admin\Desktop\directions.txt
2010-10-19 02:27 . 2010-10-19 02:27 896 ----a-w- c:\documents and settings\Admin\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2010-10-18 (22-27-23).txt
2010-10-19 02:03 . 2010-10-19 02:02 61440 ----a-w- c:\documents and settings\Admin\Desktop\VEW.exe
2010-10-18 05:51 . 2010-10-18 05:51 67 --sh--w- c:\documents and settings\Admin\Local Settings\Temporary Internet Files\desktop.ini
2010-10-18 05:47 . 2010-10-18 05:47 488 ----a-w- c:\documents and settings\Admin\Recent\filepaths.lnk
2010-10-18 05:39 . 2010-10-18 05:39 5632 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\{1D488944-DA7A-11DF-8842-0015C543FF13}.dat
2010-10-18 05:04 . 2010-10-18 05:04 620 ----a-w- c:\documents and settings\Admin\Recent\mbam-log-2010-10-18 (01-04-13)2.lnk
2010-10-18 05:04 . 2010-10-18 05:04 895 ----a-w- c:\documents and settings\Admin\Desktop\mbam-log-2010-10-18 (01-04-13)2.txt
2010-10-18 05:04 . 2010-10-18 05:04 895 ----a-w- c:\documents and settings\Admin\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2010-10-18 (01-04-13).txt
2010-10-18 05:02 . 2010-10-18 05:02 1485 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\localstore.rdf
2010-10-18 05:02 . 2010-10-18 05:02 4220 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\bookmarkbackups\bookmarks-2010-10-18.json
2010-10-18 05:02 . 2010-10-22 02:29 1873 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\prefs.js
2010-10-18 04:18 . 2010-10-18 04:18 7530 ----a-w- c:\documents and settings\Admin\Desktop\DDS 10.17.10.txt
2010-10-18 04:18 . 2010-10-18 04:18 411 ----a-w- c:\documents and settings\Admin\Recent\DDS 10.17.10.lnk
2010-10-18 04:17 . 2010-10-18 04:17 9924 ----a-w- c:\documents and settings\Admin\Desktop\Attach 10.17.10.txt
2010-10-18 04:17 . 2010-10-18 04:17 428 ----a-w- c:\documents and settings\Admin\Recent\Attach 10.17.10.lnk
2010-10-18 04:16 . 2010-10-18 04:13 544768 ----a-w- c:\documents and settings\Admin\Desktop\dds.scr
2010-10-18 04:16 . 2010-10-18 04:13 543197 ----a-w- c:\documents and settings\Admin\Desktop\dds.zip
2010-10-18 04:14 . 2010-10-18 04:04 49152 --sha-w- c:\documents and settings\Admin\Local Settings\History\History.IE5\MSHist012010101120101018\index.dat
2010-10-18 04:14 . 2010-10-18 04:14 519 ----a-w- c:\documents and settings\Admin\Recent\mbam-log-2010-10-18 (00-14-13).lnk
2010-10-18 04:14 . 2010-10-18 04:14 908 ----a-w- c:\documents and settings\Admin\Desktop\mbam-log-2010-10-18 (00-14-13).txt
2010-10-18 04:14 . 2010-10-18 04:14 908 ----a-w- c:\documents and settings\Admin\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2010-10-18 (00-14-13).txt
2010-10-18 03:47 . 2010-10-18 03:47 519 ----a-w- c:\documents and settings\Admin\Recent\mbam-log-2010-10-17 (23-47-33).lnk
2010-10-18 03:47 . 2010-10-18 03:47 896 ----a-w- c:\documents and settings\Admin\Desktop\mbam-log-2010-10-17 (23-47-33).txt
2010-10-18 03:47 . 2010-10-18 03:47 896 ----a-w- c:\documents and settings\Admin\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2010-10-17 (23-47-33).txt
2010-10-15 13:03 . 2010-10-15 13:03 519 ----a-w- c:\documents and settings\Admin\Recent\mbam-log-2010-10-15 (09-00-21).lnk
2010-10-15 13:03 . 2010-10-15 13:03 1778 ----a-w- c:\documents and settings\Admin\Desktop\mbam-log-2010-10-15 (09-00-21).txt
2010-10-15 13:02 . 2010-10-15 13:02 368 ----a-w- c:\documents and settings\Admin\Cookies\admin@addthis[2].txt
2010-10-15 13:02 . 2010-10-15 13:02 284 ----a-w- c:\documents and settings\Admin\Cookies\admin@crosspixel.demdex[1].txt
2010-10-15 13:02 . 2010-10-15 13:02 1084 ----a-w- c:\documents and settings\Admin\Cookies\admin@www.techspot[2].txt
2010-10-15 13:02 . 2010-10-15 13:02 92 ----a-w- c:\documents and settings\Admin\Cookies\admin@crowdscience[2].txt
2010-10-15 13:02 . 2010-10-15 13:02 112 ----a-w- c:\documents and settings\Admin\Cookies\admin@scorecardresearch[1].txt
2010-10-15 13:02 . 2010-10-15 13:02 447 ----a-w- c:\documents and settings\Admin\Cookies\admin@techspot[2].txt
2010-10-15 13:00 . 2010-10-15 13:03 1778 ----a-w- c:\documents and settings\Admin\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2010-10-15 (09-00-21).txt
2010-10-15 13:00 . 2010-10-15 13:00 138 ----a-w- c:\documents and settings\Admin\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP1.57171
2010-10-15 13:00 . 2010-10-15 13:00 122368 ----a-w- c:\documents and settings\Admin\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.57171
2010-10-15 13:00 . 2010-10-15 13:00 111 ----a-w- c:\documents and settings\Admin\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP1.89575
2010-10-15 13:00 . 2010-10-15 13:00 81920 ----a-w- c:\documents and settings\Admin\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.89575
2010-10-15 13:00 . 2010-10-15 13:00 104 ----a-w- c:\documents and settings\Admin\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP1.16695
2010-10-15 13:00 . 2010-10-15 13:00 194560 ----a-w- c:\documents and settings\Admin\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.16695
2010-10-15 13:00 . 2010-10-15 13:00 123 ----a-w- c:\documents and settings\Admin\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP1.49953
2010-10-15 13:00 . 2010-10-15 13:00 843264 ----a-w- c:\documents and settings\Admin\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.49953
2010-10-15 13:00 . 2010-10-15 13:00 141 ----a-w- c:\documents and settings\Admin\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP1.36496
2010-10-15 13:00 . 2010-10-15 13:00 41984 ----a-w- c:\documents and settings\Admin\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.36496
2010-10-15 13:00 . 2010-10-15 13:00 104 ----a-w- c:\documents and settings\Admin\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP1.54735
2010-10-15 13:00 . 2010-10-15 13:00 41984 ----a-w- c:\documents and settings\Admin\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.54735
2010-10-15 12:59 . 2010-10-15 12:59 762 ----a-w- c:\documents and settings\Admin\Cookies\admin@rad.msn[1].txt
2010-10-15 12:59 . 2010-10-15 12:59 241 ----a-w- c:\documents and settings\Admin\Cookies\admin@mail.live[2].txt
2010-10-15 12:59 . 2010-10-15 13:04 867 ----a-w- c:\documents and settings\Admin\Cookies\admin@live[2].txt
2010-10-15 03:18 . 2010-10-15 03:18 85 ----a-w- c:\documents and settings\Admin\Cookies\admin@eyewonder[1].txt
2010-10-15 03:18 . 2010-10-15 03:18 556 ----a-w- c:\documents and settings\Admin\Cookies\admin@voicefive[2].txt
2010-10-15 03:18 . 2010-10-15 03:18 159 ----a-w- c:\documents and settings\Admin\Cookies\admin@adecn[1].txt
2010-10-15 03:18 . 2010-10-15 03:18 68 ----a-w- c:\documents and settings\Admin\Cookies\admin@h.live[1].txt
2010-10-15 03:18 . 2010-10-15 13:04 575 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\LCYFVYQZ\secure.shared.live[1].xml
2010-10-15 03:18 . 2010-10-15 03:18 13 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\C9HPB4SJ\sn143w.snt143.mail.live[1].xml
2010-10-15 03:18 . 2010-10-15 03:18 290 ----a-w- c:\documents and settings\Admin\Cookies\admin@login.live[1].txt
2010-10-15 02:55 . 2010-10-15 02:55 284 ----a-w- c:\documents and settings\Admin\Cookies\admin@legolas-media[2].txt
2010-10-15 02:54 . 2010-10-15 02:54 32734 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\Content\0797C381B2F87EB5A1D5573BD15BA4F4
2010-10-15 02:54 . 2010-10-15 02:54 132 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\MetaData\0797C381B2F87EB5A1D5573BD15BA4F4
2010-10-15 02:54 . 2010-10-15 02:54 6153352 ----a-w- c:\documents and settings\Admin\Desktop\mbam-setup-1.46.exe
2010-10-15 02:53 . 2010-10-15 02:53 286 ----a-w- c:\documents and settings\Admin\Cookies\admin@www.bleepingcomputer[1].txt
2010-10-15 02:53 . 2010-10-15 02:53 500 ----a-w- c:\documents and settings\Admin\Cookies\admin@bleepingcomputer[1].txt
2010-10-15 02:53 . 2010-10-15 02:53 177 ----a-w- c:\documents and settings\Admin\Cookies\admin@store.malwarebytes[2].txt
2010-10-15 02:53 . 2010-10-15 02:53 223003 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\Content\119EFCC56A568F53AA7025356F876799
2010-10-15 02:53 . 2010-10-15 02:53 130 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\MetaData\119EFCC56A568F53AA7025356F876799
2010-10-15 02:53 . 2010-10-15 02:53 494 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\Content\FCEA474F228C13CD0DAD678431D0ACFC
2010-10-15 02:53 . 2010-10-15 02:53 130 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\MetaData\FCEA474F228C13CD0DAD678431D0ACFC
2010-10-15 02:53 . 2010-10-15 02:53 381 ----a-w- c:\documents and settings\Admin\Cookies\admin@malwarebytes[2].txt
2010-10-15 02:53 . 2010-10-15 02:53 87 ----a-w- c:\documents and settings\Admin\Cookies\admin@yahoo[1].txt
2010-10-15 02:52 . 2010-10-15 02:52 7318 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Internet Explorer\frameiconcache.dat
2010-10-15 02:51 . 2010-10-15 02:51 475 ----a-w- c:\documents and settings\Admin\Cookies\admin@media6degrees[2].txt
2010-10-15 02:49 . 2010-10-15 02:49 13 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\EXE4RKG1\www.google[1].xml
2010-10-15 02:49 . 2010-10-15 03:50 32768 --sha-w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\index.dat
2010-10-15 02:49 . 2010-10-15 02:49 350 ----a-w- c:\documents and settings\Admin\Cookies\admin@google[3].txt
2010-10-15 02:47 . 2010-10-15 02:47 1728 ----a-w- c:\documents and settings\Admin\Application Data\Microsoft\Office\MSOut12.pip
2010-10-15 02:47 . 2010-10-15 02:47 2367 ----a-w- c:\documents and settings\Admin\Application Data\Microsoft\Outlook\Outlook.xml
2010-10-15 02:47 . 2010-10-15 02:47 660 ----a-w- c:\documents and settings\Admin\Application Data\Microsoft\Outlook\outcmd.dat
2010-10-15 02:47 . 2010-10-15 02:47 2560 ----a-w- c:\documents and settings\Admin\Application Data\Microsoft\Outlook\Outlook.srs
2010-10-15 02:46 . 2010-10-15 02:47 3552 ----a-w- c:\documents and settings\Admin\Application Data\Apple Computer\Logs\asl.224653_14Oct10.log
2010-10-15 02:46 . 2010-10-15 02:46 792 ----a-w- c:\documents and settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook.lnk
2010-10-15 02:46 . 2010-10-15 02:46 793 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Outlook\extend.dat
2010-10-15 02:46 . 2010-10-15 02:47 1297 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Outlook\Outlook.sharing.xml.obi
2010-10-15 02:46 . 2010-10-15 02:47 271360 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst
2010-10-15 02:46 . 2010-10-15 02:46 245980 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\FORMS\FRMCACHE.DAT
2010-10-15 02:43 . 2010-10-15 02:43 171 ----a-w- c:\documents and settings\Admin\Cookies\admin@mediaplex[2].txt
2010-10-15 02:43 . 2010-10-15 02:43 98 ----a-w- c:\documents and settings\Admin\Cookies\admin@apmebf[1].txt
2010-10-15 02:40 . 2010-10-15 02:40 141492 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\Content\930D1D196EE05A60D0FD6680AB99D0D5
2010-10-15 02:40 . 2010-10-15 02:40 120 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\MetaData\930D1D196EE05A60D0FD6680AB99D0D5
2010-10-15 02:40 . 2010-10-15 02:40 45213 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\Content\B171751C11ECDD4C0C4BC4BBF7B99FBF
2010-10-15 02:40 . 2010-10-15 02:40 128 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\MetaData\B171751C11ECDD4C0C4BC4BBF7B99FBF
2010-10-15 02:40 . 2010-10-15 02:40 533 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\Content\5C45AD19E3530EC4218F560AFC04C3F7
2010-10-15 02:40 . 2010-10-15 02:40 118 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\MetaData\5C45AD19E3530EC4218F560AFC04C3F7
2010-10-15 02:39 . 2010-10-15 02:39 179 ----a-w- c:\documents and settings\Admin\Cookies\admin@quantserve[2].txt
2010-10-15 02:37 . 2010-10-15 02:37 395 ----a-w- c:\documents and settings\Admin\Cookies\admin@aggregateknowledge[2].txt
2010-10-15 02:32 . 2010-10-15 02:32 212 ----a-w- c:\documents and settings\Admin\Cookies\admin@imrworldwide[2].txt
2010-10-15 02:30 . 2010-10-15 02:30 91 ----a-w- c:\documents and settings\Admin\Cookies\admin@youtube[1].txt
2010-10-15 02:30 . 2010-10-15 02:30 126 ----a-w- c:\documents and settings\Admin\Cookies\admin@msnportal.112.2o7[1].txt
2010-10-15 02:30 . 2010-10-15 02:30 584 ----a-w- c:\documents and settings\Admin\Cookies\admin@msn[1].txt
2010-10-15 02:29 . 2010-10-15 02:29 377 ----a-w- c:\documents and settings\Admin\Cookies\admin@google[1].txt
2010-10-15 02:29 . 2010-10-15 02:29 374 ----a-w- c:\documents and settings\Admin\Cookies\admin@google[2].txt
2010-10-15 02:29 . 2010-10-15 02:29 1396 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\Content\D0F063B6B88A2B8BFE21C3993A613447
2010-10-15 02:29 . 2010-10-15 02:29 178 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\MetaData\D0F063B6B88A2B8BFE21C3993A613447
2010-10-15 02:29 . 2010-10-15 02:29 2484 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D
2010-10-15 02:29 . 2010-10-15 02:29 112 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D
2010-10-15 02:29 . 2010-10-15 02:29 46159 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\Content\5F74056C561F814B7771CB2993A44DEB
2010-10-15 02:29 . 2010-10-15 02:29 104 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\MetaData\5F74056C561F814B7771CB2993A44DEB
2010-10-15 02:28 . 2010-10-15 02:54 257 ----a-w- c:\documents and settings\Admin\Cookies\admin@ad.wsod[2].txt
2010-10-15 02:28 . 2010-10-15 02:28 67 ----a-w- c:\documents and settings\Admin\Cookies\admin@c.msn[1].txt
2010-10-15 02:28 . 2010-10-15 02:28 137 ----a-w- c:\documents and settings\Admin\Cookies\admin@exp.www.msn[1].txt
 
2010-10-12 02:15 . 2010-10-12 02:15 552 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9
2010-10-12 02:15 . 2010-10-12 02:15 132 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9
2010-10-12 02:15 . 2010-10-12 02:15 528 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\Content\E04822AD18D472EA5B582E6E6F8C6B9A
2010-10-12 02:15 . 2010-10-12 02:15 140 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\MetaData\E04822AD18D472EA5B582E6E6F8C6B9A
2010-10-12 00:07 . 2010-10-12 00:07 518 ----a-w- c:\documents and settings\Admin\Recent\10102010_114759 (3).lnk
2010-10-12 00:02 . 2010-10-12 00:02 415 ----a-w- c:\documents and settings\Admin\Recent\aaw7boot.lnk
2010-10-11 23:43 . 2010-10-11 23:43 518 ----a-w- c:\documents and settings\Admin\Recent\10102010_114759 (2).lnk
2010-10-11 23:40 . 2010-10-11 23:40 518 ----a-w- c:\documents and settings\Admin\Recent\10102010_114759.lnk
2010-10-11 23:39 . 2010-10-11 23:34 32768 --sha-w- c:\documents and settings\Admin\Local Settings\History\History.IE5\MSHist012010100420101011\index.dat
2010-10-10 16:03 . 2010-10-12 01:53 293 ----a-w- c:\documents and settings\Admin\Recent\Local Disk (C).lnk
2010-10-10 16:02 . 2010-10-10 16:02 269 ----a-w- c:\documents and settings\Admin\Recent\error.lnk
2010-10-10 15:51 . 2010-10-10 15:51 4108 ----a-w- c:\documents and settings\Admin\Desktop\10102010_114759.log
2010-10-10 15:46 . 2010-10-10 15:43 253 ----a-w- c:\documents and settings\Admin\Desktop\filepaths.txt
2010-10-10 15:46 . 2010-10-22 02:38 186 ----a-w- c:\documents and settings\Admin\Recent\TOSHIBA (E).lnk
2010-10-10 15:46 . 2010-10-10 15:44 1211285 ----a-w- c:\documents and settings\Admin\Desktop\tdsskiller.zip
2010-10-10 15:46 . 2010-10-10 15:43 519680 ----a-w- c:\documents and settings\Admin\Desktop\OTM.exe
2010-10-10 02:43 . 2010-10-10 02:43 399 ----a-w- c:\documents and settings\Admin\Recent\services 4.lnk
2010-10-10 02:43 . 2010-10-10 02:43 181140 ----a-w- c:\documents and settings\Admin\Desktop\services 4.JPG
2010-10-10 02:43 . 2010-10-10 02:43 168479 ----a-w- c:\documents and settings\Admin\Desktop\services 3.JPG
2010-10-10 02:43 . 2010-10-10 02:43 399 ----a-w- c:\documents and settings\Admin\Recent\services 3.lnk
2010-10-10 02:43 . 2010-10-10 02:43 399 ----a-w- c:\documents and settings\Admin\Recent\services 2.lnk
2010-10-10 02:43 . 2010-10-10 02:43 157192 ----a-w- c:\documents and settings\Admin\Desktop\services 2.JPG
2010-10-10 02:42 . 2010-10-10 02:42 387 ----a-w- c:\documents and settings\Admin\Recent\services.lnk
2010-10-10 02:42 . 2010-10-10 02:42 152360 ----a-w- c:\documents and settings\Admin\Desktop\services.JPG
2010-10-10 02:33 . 2010-10-10 02:33 15 ----a-w- c:\documents and settings\Admin\resetlog.txt
2010-10-10 02:19 . 2010-10-10 02:19 602 ----a-w- c:\documents and settings\Admin\Recent\DW WLAN Card.lnk
2010-10-10 02:19 . 2010-10-10 02:19 620 ----a-w- c:\documents and settings\Admin\Application Data\Microsoft\Office\Recent\DW WLAN Card.LNK
2010-10-10 02:19 . 2010-10-10 02:19 723 ----a-w- c:\documents and settings\Admin\Application Data\Microsoft\Office\Recent\Readme.LNK
2010-10-10 02:19 . 2010-10-10 02:19 775 ----a-w- c:\documents and settings\Admin\Recent\Readme.lnk
2010-10-10 02:15 . 2010-10-09 17:22 24750424 ----a-w- c:\documents and settings\Admin\Desktop\R138226.EXE
2010-10-10 02:15 . 2010-10-09 17:27 119415640 ----a-w- c:\documents and settings\Admin\Desktop\R242906.exe
2010-10-10 02:15 . 2010-10-09 17:23 5002248 ----a-w- c:\documents and settings\Admin\Desktop\R116101.EXE
2010-10-10 02:12 . 2010-10-12 02:18 261 ----a-w- c:\documents and settings\Admin\Recent\log.lnk
2010-10-10 02:07 . 2010-10-10 02:10 14373 ----a-w- c:\documents and settings\Admin\Desktop\Attach.txt
2010-10-10 02:07 . 2010-10-10 02:09 7134 ----a-w- c:\documents and settings\Admin\Desktop\DDS.txt
2010-10-10 01:30 . 2010-10-10 01:30 893 ----a-w- c:\documents and settings\Admin\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2010-10-09 (21-30-19).txt
2010-10-10 01:30 . 2010-10-10 01:30 1684 ----a-w- c:\documents and settings\Admin\Application Data\Microsoft\Office\Word12.pip
2010-10-10 01:30 . 2010-10-10 01:30 15403 ----a-w- c:\documents and settings\Admin\Application Data\Microsoft\Templates\Normal.dotm
2010-10-10 01:30 . 2010-10-10 01:30 766 ----a-w- c:\documents and settings\Admin\Application Data\Microsoft\Office\Recent\Templates.LNK
2010-10-10 01:30 . 2010-10-10 02:19 119 ---h--w- c:\documents and settings\Admin\Application Data\Microsoft\Office\Recent\index.dat
2010-10-10 01:30 . 2010-10-10 01:30 731 ----a-w- c:\documents and settings\Admin\Application Data\Microsoft\Office\Recent\changes.LNK
2010-10-10 01:30 . 2010-10-10 01:30 623 ----a-w- c:\documents and settings\Admin\Application Data\Microsoft\Office\Recent\Malwarebytes' Anti-Malware.LNK
2010-10-10 01:29 . 2006-10-27 13:32 322380 ----a-w- c:\documents and settings\Admin\Application Data\Microsoft\Document Building Blocks\1033\Building Blocks.dotx
2010-10-10 01:29 . 2010-10-10 01:29 37814 ----a-w- c:\documents and settings\Admin\Application Data\Microsoft\Office\MSO1033.acl
2010-10-10 01:29 . 2010-10-10 01:30 605 ----a-w- c:\documents and settings\Admin\Recent\Malwarebytes' Anti-Malware.lnk
2010-10-10 01:29 . 2010-10-10 01:30 801 ----a-w- c:\documents and settings\Admin\Recent\changes.lnk
2010-10-10 01:23 . 2010-10-10 01:23 3446 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\extensions.rdf
2010-10-10 01:23 . 2010-10-10 01:23 430 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\extensions.ini
2010-10-10 01:23 . 2010-10-10 01:23 582 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\extensions.cache
2010-10-10 01:23 . 2009-03-18 18:40 2005 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}\chrome.manifest
2010-10-10 01:23 . 2009-03-18 18:40 1271 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}\install.rdf
2010-10-10 01:23 . 2009-03-18 18:40 27394 -c--a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}\chrome\chrome_user.jar
2010-10-10 01:23 . 2009-03-18 18:40 424 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}\defaults\preferences\defaults.js
2010-10-10 01:22 . 2010-10-10 01:22 7226 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Internet Explorer\tabiconcache.dat
2010-10-10 01:21 . 2010-10-18 05:39 3584 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{C0808B3E-D40C-11DF-8839-0015C543FF13}.dat
2010-10-10 01:21 . 2010-10-15 02:56 171 ----a-w- c:\documents and settings\Admin\Cookies\admin@kontera[2].txt
2010-10-10 01:21 . 2010-10-10 01:21 177 ----a-w- c:\documents and settings\Admin\Cookies\admin@demdex[1].txt
2010-10-10 01:21 . 2010-10-15 03:18 444 ----a-w- c:\documents and settings\Admin\Cookies\admin@atdmt[1].txt
2010-10-10 01:21 . 2010-10-10 01:21 108 ----a-w- c:\documents and settings\Admin\Cookies\admin@imageshack[1].txt
2010-10-10 01:21 . 2010-10-10 01:21 202 ----a-w- c:\documents and settings\Admin\Cookies\admin@abmr[2].txt
2010-10-10 01:21 . 2010-10-10 01:21 78 ----a-w- c:\documents and settings\Admin\Cookies\admin@apture[1].txt
2010-10-10 01:21 . 2010-10-10 01:21 123 ----a-w- c:\documents and settings\Admin\Cookies\admin@doubleclick[1].txt
2010-10-10 01:21 . 2010-10-10 01:21 394 ----a-w- c:\documents and settings\Admin\Cookies\admin@collective-media[1].txt
2010-10-10 01:20 . 2010-10-10 01:20 868352 --sha-w- c:\documents and settings\Admin\IECompatCache\index.dat
2010-10-10 01:17 . 2010-10-10 01:17 4220 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\bookmarkbackups\bookmarks-2010-10-09.json
2010-10-10 00:59 . 2010-10-10 02:09 452 ----a-w- c:\documents and settings\Admin\Recent\msg.lnk
2010-10-10 00:36 . 2010-10-10 01:16 1111 ----a-w- c:\documents and settings\Admin\Desktop\log.txt
2010-10-10 00:36 . 2010-10-10 00:36 898 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5
2010-10-10 00:36 . 2010-10-10 00:36 94 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5
2010-10-10 00:35 . 2010-10-10 00:35 95984 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30
2010-10-10 00:35 . 2010-10-10 00:35 124 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30
2010-10-10 00:35 . 2010-10-10 00:35 32042 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
2010-10-10 00:35 . 2010-10-10 00:35 216 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
2010-10-10 00:35 . 2010-10-10 00:35 18 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004
2010-10-10 00:35 . 2010-10-10 00:35 216 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004
2010-10-10 00:33 . 2010-10-10 00:33 549 ----a-w- c:\documents and settings\Admin\Cookies\admin@microsoft[1].txt
2010-10-10 00:32 . 2010-10-10 00:34 585 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs\10092010.Log
2010-10-10 00:30 . 2010-10-10 02:12 471 ----a-w- c:\documents and settings\Admin\Recent\Attach.lnk
2010-10-10 00:30 . 2010-10-11 23:40 452 ----a-w- c:\documents and settings\Admin\Recent\DDS.lnk
2010-10-10 00:26 . 2010-10-15 02:29 8590 ----a-w- c:\documents and settings\Admin\Application Data\Microsoft\HTML Help\hh.dat
2010-10-10 00:24 . 2010-10-10 00:24 75312 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-10-09 17:58 . 2010-10-10 01:24 2048 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\downloads.sqlite
2010-10-09 17:57 . 2010-10-18 05:02 154 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\urlclassifierkey3.txt
2010-10-09 17:57 . 2010-10-09 17:57 11264 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\signons.sqlite
2010-10-09 17:57 . 2010-10-09 17:57 7168 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\content-prefs.sqlite
2010-10-09 17:57 . 2010-10-18 05:02 16384 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\key3.db
2010-10-09 17:57 . 2010-10-18 05:02 65536 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\cert8.db
2010-10-09 17:57 . 2010-10-09 17:57 16384 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\secmod.db
2010-10-09 17:57 . 2010-10-18 05:02 8192 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\cookies.sqlite
2010-10-09 17:57 . 2010-10-10 01:25 4096 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\formhistory.sqlite
2010-10-09 17:57 . 2010-10-09 17:57 11719 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\search.json
2010-10-09 17:57 . 2010-10-10 01:25 2048 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\search.sqlite
2010-10-09 17:57 . 2010-10-18 05:02 9681 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\pluginreg.dat
2010-10-09 17:57 . 2010-10-09 17:57 3406 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\mimeTypes.rdf
2010-10-09 17:57 . 2010-10-10 01:29 188416 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\places.sqlite
2010-10-09 17:57 . 2010-10-18 05:02 0 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\places.sqlite-journal
2010-10-09 17:57 . 2010-10-09 17:57 2048 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\permissions.sqlite
2010-10-09 17:57 . 2010-10-10 01:23 147032 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\compreg.dat
2010-10-09 17:57 . 2010-10-10 01:23 101604 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\xpti.dat
2010-10-09 17:57 . 2010-10-09 17:57 187 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\compatibility.ini
2010-10-09 17:57 . 2010-04-01 15:56 663 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\chrome\userContent-example.css
2010-10-09 17:57 . 2010-04-01 15:56 959 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\chrome\userChrome-example.css
2010-10-09 17:57 . 2010-04-01 15:56 6284 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\bookmarks.html
2010-10-09 17:57 . 2010-10-09 17:57 111 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\profiles.ini
2010-10-09 17:57 . 2010-10-09 17:57 10 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Crash Reports\InstallTime20100401080539
2010-10-09 17:39 . 2010-10-09 17:39 1150 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
2010-10-09 17:39 . 2010-10-09 17:39 289 ----a-w- c:\documents and settings\Admin\Cookies\admin@www.microsoft[2].txt
2010-10-09 17:39 . 2010-10-09 17:39 15654 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\Content\D725F3459E2275E9EA5871B92AD896D0
2010-10-09 17:39 . 2010-10-09 17:39 110 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\MetaData\D725F3459E2275E9EA5871B92AD896D0
2010-10-09 17:39 . 2010-10-09 17:39 840 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\Content\FB788E090BC1F3AA2FBC9E8FB2859601
2010-10-09 17:39 . 2010-10-09 17:39 134 --s-a-w- c:\documents and settings\Admin\Application Data\Microsoft\CryptnetUrlCache\MetaData\FB788E090BC1F3AA2FBC9E8FB2859601
2010-10-09 17:39 . 2010-10-09 17:39 0 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Feeds Cache\L4XUX3F5\ieonline.microsoft[1]
2010-10-09 17:39 . 2010-10-10 01:22 32768 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms
2010-10-09 17:39 . 2010-10-09 17:39 302 ----a-w- c:\documents and settings\Admin\Favorites\Links\Suggested Sites.url
2010-10-09 17:38 . 2010-10-09 17:38 16384 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
2010-10-09 17:38 . 2010-10-18 05:36 180224 --sha-w- c:\documents and settings\Admin\PrivacIE\index.dat
2010-10-09 17:34 . 2010-10-09 17:34 3584 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2010-10-09 17:34 . 2010-10-09 17:34 24 --sha-w- c:\documents and settings\Admin\Application Data\Microsoft\Protect\S-1-5-21-839522115-688789844-725345543-1004\Preferred
2010-10-09 17:34 . 2010-10-09 17:34 388 --sha-w- c:\documents and settings\Admin\Application Data\Microsoft\Protect\S-1-5-21-839522115-688789844-725345543-1004\94815c83-27ce-411d-b4c9-4538c9fbb8a5
2010-10-09 17:34 . 2010-10-09 17:34 24 --sha-w- c:\documents and settings\Admin\Application Data\Microsoft\Protect\CREDHIST
2010-10-09 16:54 . 2010-10-22 02:45 3767034 ---ha-w- c:\documents and settings\Admin\Local Settings\Application Data\IconCache.db
2010-10-09 16:53 . 2010-10-18 04:00 6141 ----a-w- c:\documents and settings\Admin\reset.log
2010-10-09 16:36 . 2010-10-26 03:24 144 ----a-w- c:\documents and settings\Admin\Application Data\Microsoft\Office\Groove12.pip
2010-10-09 16:35 . 2010-10-09 16:35 7917 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Internet Explorer\brndlog.bak
2010-10-09 16:35 . 2010-10-09 16:35 0 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Feeds Cache\HHC01VB0\fwlink[1]
2010-10-09 16:35 . 2010-10-09 16:35 28672 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Web Slice Gallery~.feed-ms
2010-10-09 16:35 . 2010-10-09 16:35 226 ----a-w- c:\documents and settings\Admin\Favorites\Links\Web Slice Gallery.url
2010-10-09 16:35 . 2010-10-09 16:35 0 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Feeds Cache\P36MHRD2\fwlink[1]
2010-10-09 16:35 . 2010-10-09 16:35 28672 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Work~.feed-ms
2010-10-09 16:35 . 2010-10-09 16:35 0 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Feeds Cache\0IBNNJ8D\fwlink[1]
2010-10-09 16:35 . 2010-10-10 01:22 5632 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms
2010-10-09 16:35 . 2010-10-09 16:35 28672 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Home~.feed-ms
2010-10-09 16:35 . 2010-10-09 16:35 67 --sh--w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Feeds Cache\L4XUX3F5\desktop.ini
2010-10-09 16:35 . 2010-10-09 16:35 67 --sh--w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Feeds Cache\0IBNNJ8D\desktop.ini
2010-10-09 16:35 . 2010-10-09 16:35 67 --sh--w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Feeds Cache\HHC01VB0\desktop.ini
2010-10-09 16:35 . 2010-10-09 16:35 67 --sh--w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Feeds Cache\P36MHRD2\desktop.ini
2010-10-09 16:35 . 2010-10-09 16:35 67 --sh--w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Feeds Cache\desktop.ini
2010-10-09 16:35 . 2010-10-18 05:36 32768 --sha-w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
2010-10-09 16:35 . 2010-10-09 16:35 84 --sha-w- c:\documents and settings\Admin\Favorites\Links\desktop.ini
2010-10-09 16:35 . 2010-10-09 16:35 134 ----a-w- c:\documents and settings\Admin\Favorites\Microsoft Websites\Microsoft Store.url
2010-10-09 16:35 . 2010-10-09 16:35 133 ----a-w- c:\documents and settings\Admin\Favorites\Microsoft Websites\Microsoft At Work.url
2010-10-09 16:35 . 2010-10-09 16:35 133 ----a-w- c:\documents and settings\Admin\Favorites\Microsoft Websites\Microsoft At Home.url
2010-10-09 16:35 . 2010-10-09 16:35 133 ----a-w- c:\documents and settings\Admin\Favorites\Microsoft Websites\IE Add-on site.url
2010-10-09 16:35 . 2010-10-09 16:35 133 ----a-w- c:\documents and settings\Admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url
2010-10-09 16:35 . 2010-10-09 16:35 7801 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Internet Explorer\brndlog.txt
2010-10-09 16:35 . 2010-10-09 16:35 815 ----a-w- c:\documents and settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
2010-10-09 16:35 . 2010-10-09 16:35 803 ----a-w- c:\documents and settings\Admin\Start Menu\Programs\Internet Explorer.lnk
2010-10-09 16:35 . 2010-10-09 16:35 833 ----a-w- c:\documents and settings\Admin\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
2010-10-09 16:35 . 2010-10-09 16:35 122 --sha-w- c:\documents and settings\Admin\Favorites\Desktop.ini
2010-10-09 16:35 . 2010-10-09 16:35 60 --sh--w- c:\documents and settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
2010-10-09 16:35 . 2010-10-09 16:35 150 --sha-w- c:\documents and settings\Admin\Recent\Desktop.ini
2010-10-09 16:35 . 2010-10-09 16:35 79 ----a-w- c:\documents and settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
2010-10-09 16:35 . 2010-10-09 16:35 774 ----a-w- c:\documents and settings\Admin\Start Menu\Programs\Accessories\Address Book.lnk
2010-10-09 16:35 . 2010-10-09 16:35 738 ----a-w- c:\documents and settings\Admin\Start Menu\Programs\Outlook Express.lnk
2010-10-09 16:35 . 2010-10-09 16:35 2572 --sha-w- c:\documents and settings\Admin\Application Data\Microsoft\Internet Explorer\Desktop.htt
2010-10-09 16:35 . 2010-10-09 16:35 0 ----a-w- c:\documents and settings\Admin\SendTo\My Documents.mydocs
2010-10-09 16:35 . 2010-10-09 16:35 638 ----a-w- c:\documents and settings\Admin\My Documents\My Music\Sample Music.lnk
2010-10-09 16:35 . 2010-10-09 16:35 181 --sha-w- c:\documents and settings\Admin\My Documents\My Music\Desktop.ini
2010-10-09 16:35 . 2010-10-09 16:35 668 ----a-w- c:\documents and settings\Admin\My Documents\My Pictures\Sample Pictures.lnk
2010-10-09 16:35 . 2010-10-09 16:35 183 --sha-w- c:\documents and settings\Admin\My Documents\My Pictures\Desktop.ini
2010-10-09 16:35 . 2010-10-09 16:35 76 --sha-w- c:\documents and settings\Admin\My Documents\desktop.ini
2010-10-09 16:35 . 2010-10-15 03:50 245760 --sha-w- c:\documents and settings\Admin\IETldCache\index.dat
2010-10-09 16:35 . 2010-10-22 02:45 178 --sh--w- c:\documents and settings\Admin\ntuser.ini
2010-10-09 16:35 . 2010-10-18 05:40 262144 ---ha-w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
2010-10-09 16:35 . 2010-10-26 03:24 1024 ---ha-w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
2010-10-09 16:35 . 2009-03-16 22:51 62 --sha-w- c:\documents and settings\Admin\Application Data\desktop.ini
2010-10-09 16:35 . 2009-03-17 05:46 113 ----a-w- c:\documents and settings\Admin\Application Data\Microsoft\Internet Explorer\brndlog.bak
2010-10-09 16:35 . 2009-03-17 05:46 141 ----a-w- c:\documents and settings\Admin\Application Data\Microsoft\Internet Explorer\brndlog.txt
2010-10-09 16:35 . 2009-03-17 05:46 498 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.DTD
2010-10-09 16:35 . 2010-10-26 03:45 32768 ----a-w- c:\documents and settings\Admin\Cookies\index.dat
2010-10-09 16:35 . 2009-03-17 05:46 720896 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_59R.wmdb
2010-10-09 16:35 . 2009-03-17 05:46 12784 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML
2010-10-09 16:35 . 2010-10-10 01:20 67 --sh--w- c:\documents and settings\Admin\Local Settings\History\History.IE5\desktop.ini
2010-10-09 16:35 . 2010-10-26 03:24 62 --sha-w- c:\documents and settings\Admin\Local Settings\desktop.ini
2010-10-09 16:35 . 2009-03-17 05:50 113 --sha-w- c:\documents and settings\Admin\Local Settings\History\desktop.ini
2010-10-09 16:35 . 2010-10-26 03:45 65536 ----a-w- c:\documents and settings\Admin\Local Settings\History\History.IE5\index.dat
2010-10-09 16:35 . 2009-03-17 05:45 0 ----a-w- c:\documents and settings\Admin\SendTo\Compressed (zipped) Folder.ZFSendToTarget
2010-10-09 16:35 . 2009-03-17 05:45 0 ----a-w- c:\documents and settings\Admin\SendTo\Desktop (create shortcut).DeskLink
2010-10-09 16:35 . 2009-03-17 05:45 181 --sha-w- c:\documents and settings\Admin\SendTo\desktop.ini
2010-10-09 16:35 . 2009-03-17 05:45 0 ----a-w- c:\documents and settings\Admin\SendTo\Mail Recipient.MAPIMail
2010-10-09 16:35 . 2009-03-16 22:51 62 --sha-w- c:\documents and settings\Admin\Start Menu\desktop.ini
2010-10-09 16:35 . 2009-03-17 05:46 348 --sha-w- c:\documents and settings\Admin\Start Menu\Programs\Accessories\Accessibility\desktop.ini
2010-10-09 16:35 . 2009-03-17 05:46 1525 ----a-w- c:\documents and settings\Admin\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk
2010-10-09 16:35 . 2009-03-17 05:46 1532 ----a-w- c:\documents and settings\Admin\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk
2010-10-09 16:35 . 2009-03-17 05:46 1501 ----a-w- c:\documents and settings\Admin\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk
2010-10-09 16:35 . 2009-03-17 05:46 1555 ----a-w- c:\documents and settings\Admin\Start Menu\Programs\Accessories\Command Prompt.lnk
2010-10-09 16:35 . 2010-10-09 16:35 542 --sha-w- c:\documents and settings\Admin\Start Menu\Programs\Accessories\desktop.ini
2010-10-09 16:35 . 2009-03-17 05:46 1539 ----a-w- c:\documents and settings\Admin\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk
2010-10-09 16:35 . 2010-10-10 00:58 1519 ----a-w- c:\documents and settings\Admin\Start Menu\Programs\Accessories\Notepad.lnk
2010-10-09 16:35 . 2009-03-17 05:46 386 ----a-w- c:\documents and settings\Admin\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk
2010-10-09 16:35 . 2009-03-17 05:46 84 --sha-w- c:\documents and settings\Admin\Start Menu\Programs\Accessories\Entertainment\desktop.ini
2010-10-09 16:35 . 2009-03-17 05:46 1519 ----a-w- c:\documents and settings\Admin\Start Menu\Programs\Accessories\Synchronize.lnk
2010-10-09 16:35 . 2010-10-09 16:35 804 ----a-w- c:\documents and settings\Admin\Start Menu\Programs\Accessories\Entertainment\Windows Media Player.lnk
2010-10-09 16:35 . 2009-03-17 05:46 1527 ----a-w- c:\documents and settings\Admin\Start Menu\Programs\Accessories\Tour Windows XP.lnk
2010-10-09 16:35 . 2010-10-09 16:35 190 --sha-w- c:\documents and settings\Admin\Start Menu\Programs\desktop.ini
2010-10-09 16:35 . 2009-03-17 05:45 1487 ----a-w- c:\documents and settings\Admin\Start Menu\Programs\Accessories\Windows Explorer.lnk
2010-10-09 16:35 . 2009-03-17 05:46 1599 ----a-w- c:\documents and settings\Admin\Start Menu\Programs\Remote Assistance.lnk
2010-10-09 16:35 . 2010-10-09 16:35 792 ----a-w- c:\documents and settings\Admin\Start Menu\Programs\Windows Media Player.lnk
2010-10-09 16:35 . 2004-08-04 10:00 4570 ----a-w- c:\documents and settings\Admin\Templates\amipro.sam
2010-10-09 16:35 . 2004-08-04 10:00 5632 ----a-w- c:\documents and settings\Admin\Templates\excel.xls
2010-10-09 16:35 . 2004-08-04 10:00 1518 ----a-w- c:\documents and settings\Admin\Templates\excel4.xls
2010-10-09 16:35 . 2009-03-17 05:46 84 --sha-w- c:\documents and settings\Admin\Start Menu\Programs\Startup\desktop.ini
2010-10-09 16:35 . 2004-08-04 10:00 2448 ----a-w- c:\documents and settings\Admin\Templates\lotus.wk4
2010-10-09 16:35 . 2004-08-04 10:00 12288 ----a-w- c:\documents and settings\Admin\Templates\powerpnt.ppt
2010-10-09 16:35 . 2004-08-04 10:00 461 ----a-w- c:\documents and settings\Admin\Templates\presenta.shw
2010-10-09 16:35 . 2004-08-04 10:00 4017 ----a-w- c:\documents and settings\Admin\Templates\quattro.wb2
2010-10-09 16:35 . 2004-08-04 10:00 58 ----a-w- c:\documents and settings\Admin\Templates\sndrec.wav
2010-10-09 16:35 . 2004-08-04 10:00 4608 ----a-w- c:\documents and settings\Admin\Templates\winword.doc
2010-10-09 16:35 . 2004-08-04 10:00 1769 ----a-w- c:\documents and settings\Admin\Templates\winword2.doc
2010-10-09 16:35 . 2004-08-04 10:00 30 ----a-r- c:\documents and settings\Admin\Templates\wordpfct.wpd
2010-10-09 16:35 . 2004-08-04 10:00 57 ----a-r- c:\documents and settings\Admin\Templates\wordpfct.wpg
2010-10-09 16:35 . 2010-10-26 03:49 1024 ---ha-w- c:\documents and settings\Admin\Ntuser.dat.LOG
2010-10-09 16:35 . 2010-10-26 03:47 1572864 ---ha-w- c:\documents and settings\Admin\NTUSER.DAT
2010-10-04 13:08 . 2010-10-04 13:08 1325656 ----a-w- c:\documents and settings\Admin\Desktop\TDSSKiller.exe
2010-05-17 20:15 . 2010-05-17 20:15 2258 ----a-w- c:\documents and settings\Admin\Desktop\tdsskiller\eula.txt


((((((((((((((((((((((((((((( SnapShot@2010-10-12_02.15.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-18 04:46 . 2009-10-07 19:01 2649216 c:\windows\system32\ReinstallBackups\0018\DriverFiles\BCMWL5.SYS
- 2010-10-10 02:17 . 2009-10-07 19:01 2649216 c:\windows\system32\ReinstallBackups\0018\DriverFiles\BCMWL5.SYS
+ 2010-10-26 03:43 . 2010-10-26 03:43 1094656 c:\windows\Installer\11ebc8.msi
+ 2009-07-10 00:57 . 2010-10-15 13:05 35385288 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-10-07 2498560]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2010-04-11 03:38 524632 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-09-09 05:18 57344 ----a-w- c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 22:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater6]
2009-01-08 12:36 2521464 ----a-w- c:\program files\Common Files\Adobe\Updater6\Adobe_Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Boingo Wi-Fi]
2010-10-06 04:57 2179 -c--a-w- c:\program files\Boingo\Boingo Wi-Fi\Boingo.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2009-10-07 19:01 2498560 ----a-w- c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2006-07-20 00:26 52896 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 10:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 10:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 01:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 05:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 20:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 19:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-01-19 14:14 7401472 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
2006-01-19 14:14 73728 ----a-w- c:\windows\system32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-01-19 14:14 1519616 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 02:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-03-24 22:30 282624 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-04-01 04:05 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2006-09-28 01:33 125168 ----a-w- c:\progra~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zinio DLM]
2009-07-21 18:02 2707526 ----a-w- c:\program files\Zinio\ZinioReader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PlugPlay"=2 (0x2)
"Netman"=2 (0x2)
"CryptSvc"=3 (0x3)
"AudioSrv"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"ALG"=3 (0x3)
"ADVService"=2 (0x2)
"AdobeActiveFileMonitor4.0"=2 (0x2)
"ACDaemon"=3 (0x3)
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WmiApSrv"=3 (0x3)
"Wmi"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"wltrysvc"=2 (0x2)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=2 (0x2)
"TlntSvr"=3 (0x3)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"Symantec AntiVirus"=2 (0x2)
"SwPrv"=3 (0x3)
"stisvc"=3 (0x3)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"SNDSrvc"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RemoteAccess"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"odserv"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=2 (0x2)
"Netlogon"=3 (0x3)
"NetDDEdsdm"=3 (0x3)
"NetDDE"=3 (0x3)
"MSIServer"=3 (0x3)
"mnmsrvc"=3 (0x3)
"Messenger"=2 (0x2)
"LmHosts"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"helpsvc"=2 (0x2)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"Dnscache"=2 (0x2)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"DefWatch"=2 (0x2)
"COMSysApp"=3 (0x3)
"ClipSrv"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Browser"=2 (0x2)
"BITS"=3 (0x3)
"Alerter"=3 (0x3)
"TrkWks"=2 (0x2)
"SavRoam"=2 (0x2)
"MSDTC"=3 (0x3)
"HTTPFilter"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"CiSvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Citrix\\Secure Access Client\\nsload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/17/2009 3:13 AM 64160]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/1/2010 8:06 PM 102448]
R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [3/18/2009 12:19 PM 73368]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [12/18/2009 12:13 PM 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [12/18/2009 12:12 PM 174720]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 3:43 PM 32408]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
S4 nsverctl;Citrix Secure Access Client Service;c:\program files\Citrix\Secure Access Client\nsverctl.exe [3/18/2009 12:19 PM 139264]
S4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 9:33 PM 116464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-10-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 03:38]
.
.
------- Supplementary Scan -------
.
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {3F777025-3835-4117-B9FA-5E5230669310} - hxxps://law.lexisnexis.com/resources/fyi/dataflight_fyi.cab
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(560)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(1944)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\msiexec.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
.
**************************************************************************
.
Completion time: 2010-10-26 00:01:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-26 04:01
ComboFix2.txt 2010-10-22 02:29
ComboFix3.txt 2010-10-12 02:17

Pre-Run: 25,956,585,472 bytes free
Post-Run: 25,909,669,888 bytes free

- - End Of File - - 53E477F1CE40061D5BF09247E25218EA

Check this Service: Start> Run> type in services.msc> Double click on Cryptography Services> should be set to Automatic Startup Type and Started. If it is not, set it that way. Then check Remote Procedure Call> should also be set to Automatic/Start.

I changed the settings on those two services. Would it be helpful for me to take a screenshot of all my services/settings in services.msc and post it?

Also, just to be sure, I am still using (and will continue to use) the Selective Startup in the System Config Utility. The only item that is checked under the startup tab is "WLTRAY". Everything else is disabled. Is this the correct setting?

Thanks again for your help. Sorry this is such a pain!!
 
Funny thing about asking for information in a log! Sometimes you get more than you bargained for! I requested seeing the contents of 2 directories you had set up> admin and admin2. It's kind of like a body scan at the airport though- it looks like you have set up 2 Administrative accounts which could be a big part of your problem.
Directory of c:\documents and settings\Admin
Directory of c:\documents and settings\admin2


Instead of this, looking in Windows explorer should give you the tree with:
My Computer> Local Drive (C)> Documents & Settings> All Users listed, then the Administrator account or account in your name.

This is not my area though> somehow you are going to have to get down to only 1 Administrator. I'm going to ask someone to look at this directory and see if there is some way to resolve it and get the Services set. Don't send me a print- I already have a print of the services.

Just bear with me while I ask for help.
 
Hi Bobbye,

I think I may have made things more confusing for you! I used to only have two Windows user accounts on my computer - Emily and Guest. When I started having all of these issues, I created a new Windows user account and named it "Admin" and gave it administrator (rather than restricted) privileges. This seemed to help because the virus windows weren't popping up like mad and I could get online in the new account. When the new account seemed to be having more issues and I wasn't able to access the internet, I created a new user account and called it Admin 2. I can delete both accounts without issue, if that makes it easier.

Sorry if I created any confusion!
 
Well you need to get rid of calling all these accounts 'admin'! And giving a second person the administrative privileges makes a malware writer very happy because then he has 2 Administrative accounts to infect. And the elevated privileges allow for access to more of the system.

Get the accounts down to one Administrator and the other as Guest. Check the information on this site for help: http://support.microsoft.com/kb/281140

About Selective Startup and the msconfig utility:
WLTRAY is the Dell Wireless WLAN Card Wireless Network Tray Applet.
My computers are all Dell. I have a Service named WLAN keeper which I have set to Manual. I think you have confused the Services with the Startup entries. These are 2 different sets of processes that contribute to making the OS work.

The only processes that have to be on Startup are: Antivirus program, third party firewall if using one, touchpad if on a laptop and network process if using something like Network Magic. All other processes can be unchecked. And you must stay in Selective Startup to retain the changes.

I put my systems in Selective Startup about the second day I have the computer, and I stay that way. My desktop has been on it for 7 years!

Whether you have the backdoor on the system now or not really isn't your issue- the issue is that the operating system is not set up correctly. It might be best to do a reformat/reinstall and let the accounts go back to where you can manage them correctly and where the Services are running on the Startup menu.

I would also recommend that you get a basic reference book for Windows XP and see how the system should be set up.
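One way to read the msconfig\services block that the ComboFix logs in this thread print, as an added example that is not part of the thread or of ComboFix: each line under that key is a service that was switched off on msconfig's Services tab, stored with the Start value it had before (2 = Automatic, 3 = Manual), so the block doubles as the list of what services.msc has to be set back to. The script also diffs two runs; for the excerpts below, built from lines of the two logs here, that surfaces CryptSvc going from 3 to 2, the change the poster reported making. The NETWORK_CRITICAL set and the two excerpts are constructed for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Service 'Start' values as Windows stores them (SERVICE_AUTO_START = 2, ...).
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

# Services the wireless/DHCP/DNS path in this thread relies on. This set is the
# example author's choice, not a list taken from the thread or from ComboFix.
NETWORK_CRITICAL = {"Dhcp", "Dnscache", "WZCSVC", "Netman", "Nla", "CryptSvc",
                    "PlugPlay", "Eventlog", "winmgmt", "wuauserv"}

_SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>\d+)\s*\(0x[0-9a-fA-F]+\)\s*$')


def parse_msconfig_services(log_text: str) -> Dict[str, int]:
    """Return {service name: saved Start value} from the block ComboFix prints
    under [HKEY_LOCAL_MACHINE\\...\\msconfig\\services]. Parsing stops at the
    next [section] header, so the firewall list that follows it is ignored."""
    saved: Dict[str, int] = {}
    in_block = False
    for line in log_text.splitlines():
        header = _SECTION_RE.match(line.strip())
        if header:
            in_block = header.group("key").lower().endswith("\\msconfig\\services")
            continue
        if in_block:
            value = _VALUE_RE.match(line.strip())
            if value:
                saved[value.group("name")] = int(value.group("val"))
    return saved


def disabled_critical(saved: Dict[str, int]) -> List[Tuple[str, str]]:
    """Critical services msconfig has switched off, paired with the start type
    they had before, i.e. what they should be set back to in services.msc."""
    return sorted((name, START_TYPES.get(start, f"unknown({start})"))
                  for name, start in saved.items() if name in NETWORK_CRITICAL)


def diff_msconfig(old_log: str, new_log: str) -> Dict[str, Tuple[Optional[int], Optional[int]]]:
    """Services whose saved Start value differs between two ComboFix runs
    (None on one side means the service appears in only one of the logs)."""
    old, new = parse_msconfig_services(old_log), parse_msconfig_services(new_log)
    return {name: (old.get(name), new.get(name))
            for name in sorted(set(old) | set(new)) if old.get(name) != new.get(name)}


# Constructed excerpts in the format of the two ComboFix logs in this thread
# (a handful of lines each; the real logs list every disabled service).
LOG_OCT = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\services]
"PlugPlay"=2 (0x2)
"Netman"=2 (0x2)
"CryptSvc"=3 (0x3)
"WZCSVC"=2 (0x2)
"MSIServer"=3 (0x3)
"Dnscache"=2 (0x2)
"Dhcp"=2 (0x2)
"BITS"=3 (0x3)

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\AuthorizedApplications\\List]
"%windir%\\\\system32\\\\sessmgr.exe"=
"""

# The November excerpt differs only in the two values that changed on the page.
LOG_NOV = (LOG_OCT.replace('"CryptSvc"=3 (0x3)', '"CryptSvc"=2 (0x2)')
                  .replace('"MSIServer"=3 (0x3)', '"MSIServer"=2 (0x2)'))

if __name__ == "__main__":
    for label, log in (("October run", LOG_OCT), ("November run", LOG_NOV)):
        print(f"{label}: critical services disabled via msconfig")
        for name, previous in disabled_critical(parse_msconfig_services(log)):
            print(f"  {name:<10} restore to {previous}")
    print("changed between runs:", diff_msconfig(LOG_OCT, LOG_NOV))
```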
 
Hi Bobbye,

Thank you for your help. I'm sorry for the delay - I have been out of town for work and didn't have my infected computer with me. Hopefully this information will help!!

Well you need to get rid of calling all these accounts 'admin'!

I got rid of all accounts except for one admin and one guest.

I think you have confused the Services with the Startup entries.

When I was referring to my list of services, I meant the list in services.msc. As you mentioned, I went to blackviper.com and set the services in services.msc to the suggested "Safe" mode for my operating system.

I am staying in Selective Startup mode. Under "Startup", there are only three boxes checked, as you suggested.

Whether you have the backdoor on the system now or not really isn't your issue- the issue is that the operating system is not set up correctly. It might be best to do a reformat/reinstall and let the accounts go back to where you can manage them correctly and where the Services are running on the Startup menu.

My system came with Windows XP already installed, so I don't have a Windows XP disc. Also, if I were to reinstall, that would delete all of my files, correct? I have many things I would like to get off my computer but don't want to backup if there is a chance the infection could sneak into the backed up files. Is there a way to avoid this?

Lastly, after deleting the additional accounts, I reran some of the steps above. I will attach the reports below.

Hope you had a great weekend. Thank you!!
 
I ran a Malwarebytes scan. The log is below.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4826

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

11/7/2010 6:30:49 PM
mbam-log-2010-11-07 (18-30-49).txt

Scan type: Quick scan
Objects scanned: 146964
Time elapsed: 7 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\KOO9RV9K4Z (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SMH2B46TDP (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Emily\Application Data\srsf.bat (Malware.Trace) -> Quarantined and deleted successfully.
 
I also reran ComboFix. The log is below.

ComboFix 10-11-07.07 - Emily 11/07/2010 19:50:56.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.509 [GMT -5:00]
Running from: E:\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Emily\GoToAssistDownloadHelper.exe
c:\documents and settings\Emily\Local Settings\Application Data\{14C897A7-AE77-42F5-B0E2-F08D28D92FE1}
c:\documents and settings\Emily\Local Settings\Application Data\{14C897A7-AE77-42F5-B0E2-F08D28D92FE1}\chrome.manifest
c:\documents and settings\Emily\Local Settings\Application Data\{14C897A7-AE77-42F5-B0E2-F08D28D92FE1}\chrome\content\_cfg.js
c:\documents and settings\Emily\Local Settings\Application Data\{14C897A7-AE77-42F5-B0E2-F08D28D92FE1}\chrome\content\overlay.xul
c:\documents and settings\Emily\Local Settings\Application Data\{14C897A7-AE77-42F5-B0E2-F08D28D92FE1}\install.rdf

.
((((((((((((((((((((((((( Files Created from 2010-10-08 to 2010-11-08 )))))))))))))))))))))))))))))))
.

2010-11-08 00:06 . 2010-11-08 00:06 14808 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2010-11-08 00:06 . 2010-11-08 00:06 718296 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2010-10-22 02:36 . 2010-10-22 02:36 -------- d-----w- c:\program files\Trend Micro
2010-10-15 02:54 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-15 02:54 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-15 02:54 . 2010-10-15 02:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-10 15:57 . 2010-10-10 15:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-10-10 15:47 . 2010-10-10 15:47 -------- dc----w- C:\_OTM
2010-10-10 02:28 . 2004-08-04 10:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-10-10 02:01 . 2010-10-10 02:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-10-10 00:36 . 2010-10-10 00:36 -------- d-----w- c:\program files\ESET
2010-10-09 17:38 . 2010-10-09 17:38 -------- d-----w- c:\program files\Intel
2010-10-09 17:35 . 2009-10-07 19:01 457 ----a-w- c:\windows\system32\vcredist_x86.bat
2010-10-09 17:35 . 2009-10-07 19:01 2682880 ----a-w- c:\windows\system32\vcredist_x86.exe
2010-10-09 17:35 . 2009-10-07 19:01 155648 ----a-w- c:\windows\system32\bcmwlapi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( SnapShot@2010-10-12_02.15.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 10:00 . 2010-10-09 17:38 68558 c:\windows\system32\perfc009.dat
+ 2004-08-04 10:00 . 2010-11-08 00:00 68558 c:\windows\system32\perfc009.dat
+ 2004-08-04 10:00 . 2010-11-08 00:00 435828 c:\windows\system32\perfh009.dat
- 2004-08-04 10:00 . 2010-10-09 17:38 435828 c:\windows\system32\perfh009.dat
+ 2010-10-18 04:46 . 2009-10-07 19:01 2649216 c:\windows\system32\ReinstallBackups\0018\DriverFiles\BCMWL5.SYS
- 2010-10-10 02:17 . 2009-10-07 19:01 2649216 c:\windows\system32\ReinstallBackups\0018\DriverFiles\BCMWL5.SYS
+ 2009-07-10 00:57 . 2010-10-15 13:05 35385288 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zinio DLM"="c:\program files\Zinio\ZinioReader.exe" [2009-07-21 2707526]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-10-07 2498560]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2010-04-11 03:38 524632 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-09-09 05:18 57344 ----a-w- c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 22:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater6]
2009-01-08 12:36 2521464 ----a-w- c:\program files\Common Files\Adobe\Updater6\Adobe_Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Boingo Wi-Fi]
2010-10-06 04:57 2179 -c--a-w- c:\program files\Boingo\Boingo Wi-Fi\Boingo.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2009-10-07 19:01 2498560 ----a-w- c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2006-07-20 00:26 52896 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 10:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 10:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 01:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 05:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 20:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 19:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-01-19 14:14 7401472 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
2006-01-19 14:14 73728 ----a-w- c:\windows\system32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-01-19 14:14 1519616 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 02:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-03-24 22:30 282624 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-04-01 04:05 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2006-09-28 01:33 125168 ----a-w- c:\progra~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zinio DLM]
2009-07-21 18:02 2707526 ----a-w- c:\program files\Zinio\ZinioReader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PlugPlay"=2 (0x2)
"Netman"=2 (0x2)
"CryptSvc"=2 (0x2)
"AudioSrv"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"ALG"=3 (0x3)
"ADVService"=2 (0x2)
"AdobeActiveFileMonitor4.0"=2 (0x2)
"ACDaemon"=3 (0x3)
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WmiApSrv"=3 (0x3)
"Wmi"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"wltrysvc"=2 (0x2)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=2 (0x2)
"TlntSvr"=3 (0x3)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"Symantec AntiVirus"=2 (0x2)
"SwPrv"=3 (0x3)
"stisvc"=3 (0x3)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"SNDSrvc"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RemoteAccess"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"odserv"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=2 (0x2)
"Netlogon"=3 (0x3)
"NetDDEdsdm"=3 (0x3)
"NetDDE"=3 (0x3)
"MSIServer"=2 (0x2)
"mnmsrvc"=3 (0x3)
"Messenger"=2 (0x2)
"LmHosts"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"helpsvc"=2 (0x2)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"Dnscache"=2 (0x2)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"DefWatch"=2 (0x2)
"COMSysApp"=3 (0x3)
"ClipSrv"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Browser"=2 (0x2)
"BITS"=3 (0x3)
"Alerter"=3 (0x3)
"TrkWks"=2 (0x2)
"SavRoam"=2 (0x2)
"MSDTC"=3 (0x3)
"HTTPFilter"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"CiSvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Citrix\\Secure Access Client\\nsload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/17/2009 2:13 AM 64160]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/1/2010 7:06 PM 102448]
R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [3/18/2009 11:19 AM 73368]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [12/18/2009 11:13 AM 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [12/18/2009 11:12 AM 174720]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 2:43 PM 32408]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 1029456]
S4 nsverctl;Citrix Secure Access Client Service;c:\program files\Citrix\Secure Access Client\nsverctl.exe [3/18/2009 11:19 AM 139264]
S4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - HIDSERV

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-10-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 03:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer =
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: amicillc.com\matters
Trusted Zone: ontrackinview.com\connect
Trusted Zone: xerox-xls.com\matters
DPF: {3F777025-3835-4117-B9FA-5E5230669310} - hxxps://law.lexisnexis.com/resources/fyi/dataflight_fyi.cab
FF - ProfilePath - c:\documents and settings\Emily\Application Data\Mozilla\Firefox\Profiles\hdb9te0t.default\
FF - prefs.js: browser.startup.homepage - nyt.com
FF - plugin: c:\documents and settings\Emily\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Csaperiwedok - c:\windows\WMSvasri.dll



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2010-11-07 19:55:46
ComboFix-quarantined-files.txt 2010-11-08 00:55
ComboFix2.txt 2010-10-26 04:01
ComboFix3.txt 2010-10-22 02:29
ComboFix4.txt 2010-10-12 02:17

Pre-Run: 26,167,693,312 bytes free
Post-Run: 26,166,464,512 bytes free

- - End Of File - - 7E165B8ADC23BF8620AC2347BAF13843
 
And finally, my HiJackThis log.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:04:09 PM, on 11/7/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Zinio\ZinioReader.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioReader.exe /autostart
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://connect.ontrackinview.com
O16 - DPF: {3F777025-3835-4117-B9FA-5E5230669310} (Dataflight FYI Reviewer Control) - https://law.lexisnexis.com/resources/fyi/dataflight_fyi.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {971127BB-259F-48C2-BD75-5F97A3331551} (Microsoft RDP Client Control (redist)) - http://connect.ontrackinview.com/msrdp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: DW WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 4835 bytes
 
When I was referring to my list of services, I meant the list in services.msc. As you mentioned, I went to blackviper.com and set the services in services.msc to the suggested "Safe" mode for my operating system.

I am trying to figure out why all the Services show like this:
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PlugPlay"=2 (0x2)
"Netman"=2 (0x2)
"CryptSvc"=2 (0x2)
"AudioSrv"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
and so on with all the other services. These are what you see with the run services.msc. They just shouldn't be broken out like this from the Registry. I'm asking someone else to look at it- again!

 
Okay- we put our heads together and decided that there is nothing 'wrong' with the Services showing this way, as long as they are all legit, which they are!!

These would be work-related?
Trusted Zone: amicillc.com\matters
Trusted Zone: ontrackinview.com\connect
Trusted Zone: xerox-xls.com\matters

It always concerns me when there are sites in the Trusted Zone. None 'need' to be there and unless there is an intranet established, security is lower there and it can be a risk.

Only one entry to remove in HJT:
Please reopen HijackThis to 'do system scan only.' Please check each of the following, if present:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =

Close HJT and click on "Fix Checked."
===================================================
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin

Let me know if you have any more questions. To help stay safe:
Tips for added security and safer browsing:
  1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
    This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
  2. Have layered Security:
    • Antivirus Software (only one): Both of the following programs are free and known to be good:
      ◦ Avira Free
      ◦ Avast Home
    • Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
      ◦ Comodo
      ◦ Zone Alarm
    • Antispyware: I recommend all of the following:
      ◦ SpywareBlaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
      ◦ Download ZonedOut and save to your desktop. This replaces IE/Spyad and manages the Zones in Internet Explorer. This places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc.) from the sites listed, although you will still be able to connect to the sites.
        For IE7 and IE8, Windows 2000 thru Vista. No Windows 7 yet.
        IE/Spyad is no longer being supported. If you have this on your system, you should replace it with the following program. Make sure your IE8 is up-to-date before adding sites to your restricted zone.
        Known issue: If you have "immunized" your computer with Spybot Search and Destroy, and use ZonedOut to "Remove All" restricted sites, ZonedOut will remove your trusted sites as well. Note that if you remove Spybot Search and Destroy's Immunization the problem goes away...
      ◦ MVPS Hosts file: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
      ◦ Google Toolbar: Get the free Google toolbar to help stop pop-up windows.
  3. Stay current on updates:
    ◦ Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates.
    ◦ Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    ◦ Check this site: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
  4. Reset Cookies to prevent Tracking Cookies:
    ◦ For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
    ◦ For Firefox: Tools> Options> Privacy> Cookies> check 'accept Cookies from Sites'> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List
  5. Do regular Maintenance
    Remove Temporary Internet Files regularly:
    ◦ ATF Cleaner by Atribune
    OR
    ◦ TFC
    Disable and Enable System Restore:
    ◦ See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.
  6. Practice Safe Email Handling
    ◦ Don't open email from anyone you don't know.
    ◦ Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
    ◦ Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
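On the MVPS HOSTS point above: a blocking HOSTS file only works because every name in it resolves to 127.0.0.1 (or 0.0.0.0, which the MVPS file also uses). The same mechanism sends a name to a different machine when the address is anything else, which is what the google.com and yahoo.com entries earlier in this thread did. The script below is an added example, not part of this thread or of the MVPS file or any other tool named here; it lists which HOSTS entries block and which redirect. It needs PowerShell 2.0 (a separate install on XP); the path is the XP default and can be overridden with -Path, and -Sample runs it on a few constructed lines instead of the real file.

```powershell
# Added example, not from the thread: audit the HOSTS file for entries that
# send a name to a real machine instead of blocking it.
param(
    [string]$Path = "$env:SystemRoot\system32\drivers\etc\hosts",  # XP default location
    [switch]$Sample                                                 # use constructed lines instead
)

# Addresses a blocking HOSTS file (such as the MVPS one) is allowed to use.
$localAddresses = @('127.0.0.1', '0.0.0.0', '::1')

function Get-HostsEntries {
    param([string[]]$Lines)
    # Parse "address name [name ...] [# comment]" lines into one object per name.
    $lineNo = 0
    foreach ($raw in $Lines) {
        $lineNo++
        $line = ($raw -replace '#.*$', '').Trim()     # drop comments and padding
        if ($line -eq '') { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }          # address with no name
        $address = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            New-Object PSObject -Property @{
                Line     = $lineNo
                Address  = $address
                Name     = $name
                Blocking = ($localAddresses -contains $address)
            }
        }
    }
}

if ($Sample) {
    # Constructed sample, not a real HOSTS file: two blocking entries and one redirect.
    $lines = @(
        '# constructed sample, not a real HOSTS file',
        '127.0.0.1       localhost',
        '0.0.0.0         ads.example.net   # blocked by the list',
        '198.51.100.7    www.example.com   # sends the name to another machine'
    )
} else {
    $lines = Get-Content -Path $Path
}

$entries   = @(Get-HostsEntries -Lines $lines)
$redirects = @($entries | Where-Object { -not $_.Blocking })

'{0} entries: {1} blocking (loopback/null address), {2} redirecting elsewhere' -f `
    $entries.Count, ($entries.Count - $redirects.Count), $redirects.Count

if ($redirects.Count -gt 0) {
    "`nEntries that send a name to another machine (check each one):"
    $redirects | Sort-Object Line | Format-Table Line, Name, Address -AutoSize
}
```

With -Sample the report shows 3 entries, 2 blocking and 1 redirecting (www.example.com to 198.51.100.7). On a machine that has only the MVPS file installed, the redirect list should be empty; anything in it is either something you added yourself or something that deserves a look.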
 
These would be work-related?
Trusted Zone: amicillc.com\matters
Trusted Zone: ontrackinview.com\connect
Trusted Zone: xerox-xls.com\matters

Yes, these are all work-related sites.

Only one entry to remove in HJT:
Please reopen HijackThis to 'do system scan only.' Please check each of the following, if present:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =

Close HJT and click on "Fix Checked."

That entry was present and I fixed it with HJT.

Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

This is all set.


Lastly, I'm sorry this is such a pain... I am still unable to access the internet. Because I am not able to get online, I still have to download the files you suggested from a working computer and onto a thumb drive. My infected computer wasn't recognizing my thumb drive, so I opened "services.msc" to see if anything was disabled. Unfortunately, all but a few services were again disabled. It is completely random.

I followed this guide to set the services settings yesterday - to "Safe" mode:
http://www.blackviper.com/WinXPx64/servicecfg.htm

All of the services are set to disabled upon reboot except:
-DCOM Service Process (set to automatic and started)
-IMAPI CD Burning (set to manual)
-InstallDriver Table (set to manual)
-Net.Tcp Port Sharing (set to automatic and started)
-Remote Procedure Call (set to automatic and started)
-Remote Procedure Call Locator (set to manual)
-Windows User Mode Driver Framework (set to automatic and started)
 
I need for you to try something please- none of the Services you said are running are included in the Registry list of Services I was concerned about.

Please set a System Restore point. Name it service test> then do the following:

I want you to deliberately set these Services to either Automatic or Manual- it doesn't matter, then reboot the computer. If they have gotten disabled again, then I know how to fix them.

Alerter
AudioSrv
HTTPFilter
EventSystem
PlugPlay
Spooler


If you need help setting the System Restore: Click on All Programs> Accessories> System Tools> System Restore> Check Create a new restore point> next> name it services test> next> let it set.
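A way to run the service test above without reading every row of services.msc by hand, as an added example that is not part of this thread or of any tool it mentions: the PowerShell script below (2.0 runs on XP SP2/SP3 but is a separate install) saves a baseline of every service's start type before the reboot and, run again afterwards with -Mode Compare, lists which ones changed. It also reads the HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services key from the earlier post: that key is where msconfig records a service's previous Start value when it disables one (from the Services tab or a Diagnostic startup), which is how it later knows what to put back, so the numbers there (2, 3) are the original Automatic/Manual settings rather than the current state. The script name and the baseline path on the Desktop are assumptions.

```powershell
# Added example, not from the thread: snapshot service start types, reboot,
# then compare to see which services were flipped to Disabled.
#   .\service-test.ps1                 -> save the baseline (run before the reboot)
#   .\service-test.ps1 -Mode Compare   -> report changes (run after the reboot)
# Needs PowerShell 2.0. Script name and baseline path are assumptions.
param(
    [ValidateSet('Baseline', 'Compare')]
    [string]$Mode = 'Baseline',
    [string]$BaselinePath = "$env:USERPROFILE\Desktop\service-baseline.csv"
)

# Meaning of the Start value under HKLM\SYSTEM\CurrentControlSet\Services\<name>;
# the MSConfig\services key stores the same numbers.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-ServiceStartTypes {
    # Win32_Service reports StartMode as text: Boot, System, Auto, Manual, Disabled.
    Get-WmiObject -Class Win32_Service | Select-Object Name, DisplayName, StartMode, State
}

function Get-MsconfigDisabledServices {
    # When msconfig disables a service (Services tab or Diagnostic startup) it sets
    # Start=4 and records the previous Start value here so it can restore it later.
    $key = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\services'
    if (-not (Test-Path $key)) { return @() }
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $providerProps -notcontains $_.Name } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name          = $_.Name
                OriginalStart = $startNames[[int]$_.Value]
            }
        }
}

switch ($Mode) {
    'Baseline' {
        Get-ServiceStartTypes | Export-Csv -Path $BaselinePath -NoTypeInformation
        "Baseline of $(@(Import-Csv $BaselinePath).Count) services saved to $BaselinePath"
    }
    'Compare' {
        $before = @{}
        Import-Csv -Path $BaselinePath | ForEach-Object { $before[$_.Name] = $_.StartMode }
        $changed = @(Get-ServiceStartTypes | Where-Object {
            $before.ContainsKey($_.Name) -and $before[$_.Name] -ne $_.StartMode
        })
        if ($changed.Count -eq 0) { 'No service start type changed since the baseline.' }
        foreach ($svc in $changed) {
            '{0,-28} {1,-10} -> {2}' -f $svc.Name, $before[$svc.Name], $svc.StartMode
        }
        $viaMsconfig = @(Get-MsconfigDisabledServices)
        if ($viaMsconfig.Count -gt 0) {
            "`nServices disabled through msconfig (key keeps their original start type):"
            $viaMsconfig | Sort-Object Name | Format-Table Name, OriginalStart -AutoSize
        }
    }
}
```

For the test in the post above: set Alerter, AudioSrv, HTTPFilter, EventSystem, PlugPlay and Spooler to Automatic or Manual, run the script once to save the baseline, reboot, then run it with -Mode Compare. Any of the six that comes back "Disabled" is listed with what it was before, and if the same names also appear in the MSConfig key, it was msconfig that changed them rather than something else on the machine.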
 