
Author Topic: I too have AV security suite and Trojan AV issue, windows security alert, etc  (Read 9525 times)


justin caise

    Topic Starter


    Beginner

    I know you can help me with this - but I'm entirely lost.
    I'm getting notifications/pop ups from AV security suite saying my computer is infected, "Application cannot be executed. File xxxx is infected. Do you want to activate your antivirus software now?"
    Odd thing - This is happening on two machines, which to the best of my knowledge have never shared a removable drive, and haven't even visited the same websites for months - my desktop running XP and my wife's laptop running Vista.
    I'm also seeing the (I assume) associated windows security alerts and spyware alerts windows.
    In the AV suite window I'm seeing malware names such as "Backdoor win32, and Downloader win 3...

    On my XP machine I had it in to the "Easy Techs" a short time ago - for a virus removal [trojan AV] which obviously didn't remove it.

    I haven't experienced any of the Trojan AV virus on my wife's laptop, and the AV suite thing is new and started on both (separate machines) at the same time?

    I haven't downloaded any fixes or requested any help anywhere else for this issue.

    can you help please?
    "The worst thing you can die with is potential." Henry Cloud

    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Experience: Expert
    • OS: Windows 10
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    Save Rkill to your desktop.

    There are 4 different versions. If one of them won't run then download and try to run the other one.
     
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
     

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.exe
    * Rkill.com
    * Rkill.scr
    * Rkill.pif

    Once you've gotten one of them to run then try to immediately run the following.

    ====================================

    SUPERAntiSpyware

    If you already have SUPERAntiSpyware be sure to check for updates before scanning!


    Download SuperAntispyware Free Edition (SAS)
    • Double-click the icon on your desktop to run the installer.
    • When asked to Update the program definitions, click Yes.
    • If you encounter any problems while downloading the updates, manually download and unzip them from here.
    • Next click the Preferences button.
      • Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts.
    • Click the Scanning Control tab.
    • Under Scanner Options make sure only the following are checked:
      • Close browsers before scanning
      • Scan for tracking cookies
      • Terminate memory threats before quarantining
      Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
    • On the main screen click Scan your computer.
    • On the left check the box for the drive you are scanning.
    • On the right choose Perform Complete Scan.
    • Click Next to start the scan. Please be patient while it scans your computer.
    • After the scan is complete a summary box will appear. Click OK.
    • Make sure everything in the white box has a check next to it, then click Next.
    • It will quarantine what it found and if it asks if you want to reboot, click Yes.

    To retrieve the removal information please do the following:
    • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (preferably Notepad).
    • Save the notepad file to your desktop by clicking (in notepad) File > Save As...
    • Save the log somewhere you can easily find it (normally the desktop).
    • Click Close and Close again to exit the program.
    • Copy and paste the log in your post.

    =================================

    Please download Malwarebytes Anti-Malware from here.

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Full Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.
    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    ==================================

    Please download: HiJackThis to your Desktop.
    • Double Click the HijackThis icon, located on your Desktop.
    • By Default, it will install to: C:\Program Files\Trend Micro\HijackThis
    • Accept the license agreement.
    • Click the Open the Misc Tools section button.
    • Place a checkmark beside Calculate MD5 of files if possible. Then, click Back.
    • Click Do a System Scan and Save a Logfile. Or, if you see a white screen, click Scan.
    • Please post the log in your next reply.
    Windows 8 and Windows 10 dual boot with two SSD's
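The SUPERAntiSpyware steps above end with pasting the whole scan log into a reply. Such logs run to hundreds of lines, most of them tracking cookies, so it helps to summarise one before it is posted or read: what is a cookie, what is a registry or file finding that actually needs attention, which user profile each item belongs to, and whether the pasted log is complete. The script below is an added example written for this page, not code from the forum or from SUPERAntiSpyware. It assumes the layout seen in posted SAS logs (a block of `Key : value` header lines, then one unindented detection-category line followed by indented entries, with browser-store entries written as `domain [ path ]`); the embedded sample log is constructed, and the category `Rogue.Placeholder` and the registry/file paths under it are placeholders rather than real detections.

```python
# Added example (not code from the thread or from SUPERAntiSpyware): summarise a
# SAS scan log. Assumes the layout of posted SAS logs: "Key : value" header
# lines, then an unindented detection-category line with indented entries.
import re
from collections import Counter

# Constructed sample in that layout. "Rogue.Placeholder" and the paths under it
# are placeholders; the header totals were chosen to match the entries listed.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/12/2010 at 05:27 PM

Application Version : 4.40.1002
Total Scan Time : 01:52:39

Memory threats detected   : 0
Registry threats detected : 1
File threats detected     : 6

Adware.Tracking Cookie
    C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[2].txt
    cdn4.specificclick.net [ C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\GRJ7KBXM ]
    .doubleclick.net [ C:\Documents and Settings\administrator.ASE_SOLAR\Application Data\Mozilla\Firefox\Profiles\jjt52wt1.default\cookies.sqlite ]
    C:\Documents and Settings\david\Cookies\david@zedo[1].txt

Rogue.Placeholder
    HKLM\Software\PLACEHOLDER-ROGUE-KEY
    C:\Documents and Settings\Administrator\Local Settings\Application Data\PLACEHOLDER\placeholder.exe
"""

COOKIE_CATEGORY = "Adware.Tracking Cookie"
# Header lines: capitalised "key : value"; the URL and "Generated ..." lines don't match.
HEADER_RE = re.compile(r"^([A-Z][A-Za-z ]*?)\s*:\s*(\S.*)$")
# Browser-store entries: "<domain> [ <path of the cookie/LSO store> ]".
STORE_RE = re.compile(r"^(?P<domain>\S+) \[ (?P<path>.+) \]$")
PROFILE_RE = re.compile(r"Documents and Settings\\([^\\]+)\\", re.IGNORECASE)

def classify_entry(raw):
    """Return (kind, location, profile) for one indented detection entry."""
    m = STORE_RE.match(raw)
    if m:
        location = m.group("path")
        low = location.lower()
        kind = ("firefox-cookie" if "cookies.sqlite" in low
                else "flash-lso" if "#sharedobjects" in low else "browser-store")
    else:
        location = raw
        up = raw.upper()
        if up.startswith(("HKLM", "HKCU", "HKU", "HKCR", "HKEY_")):
            kind = "registry"
        elif "\\COOKIES\\" in up and up.endswith(".TXT"):
            kind = "ie-cookie"
        else:
            kind = "file"
    pm = PROFILE_RE.search(location)
    return kind, location, pm.group(1) if pm else None

def parse_log(text):
    """Split a SAS log into a header dict and a list of finding dicts."""
    header, findings, category = {}, [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":  # indented: an entry under the current category
            if category is not None:
                kind, location, profile = classify_entry(line.strip())
                findings.append({"category": category, "kind": kind,
                                 "location": location, "profile": profile})
            continue
        m = HEADER_RE.match(line) if category is None else None
        if m:
            header[m.group(1).strip()] = m.group(2).strip()
        elif header:  # first unindented non-header line after the header block
            category = line.strip()
    return header, findings

def triage(text):
    """Counts by category, storage kind and profile; the non-cookie findings that
    need attention; and whether the entry count matches the header totals
    (assumed equal for a complete log, so a mismatch suggests a truncated paste)."""
    header, findings = parse_log(text)
    totals = (header.get(k, "0") for k in ("Memory threats detected",
              "Registry threats detected", "File threats detected"))
    expected = sum(int(v) for v in totals if v.isdigit())
    return {
        "header": header,
        "by_category": dict(Counter(f["category"] for f in findings)),
        "by_kind": dict(Counter(f["kind"] for f in findings)),
        "by_profile": dict(Counter(f["profile"] or "(no profile)" for f in findings)),
        "needs_attention": [f for f in findings if f["category"] != COOKIE_CATEGORY],
        "expected_entries": expected,
        "parsed_entries": len(findings),
        "complete": expected == len(findings),
    }

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["by_category"], result["by_kind"], result["by_profile"], result["complete"])
```

Run it on a saved `SUPERAntiSpyware Scan Log.txt` by passing the file's contents to `triage()`. The `needs_attention` list is what a helper would look at first; the `complete` flag compares the header's detected totals with the number of entries actually listed, and a mismatch usually means the pasted log was cut off, which is worth knowing before drawing conclusions from it.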

    justin caise

      Topic Starter


      Beginner

      Well, so far we've stopped the bleeding anyway.... thank you.
      Here are my logs:

      This log file is located at C:\rkill.log.
      Please post this only if requested to by the person helping you.
      Otherwise you can close this log when you wish.
      Ran as Administrator on 07/12/2010 at 15:28:18.


      Processes terminated by Rkill or while it was running:


      C:\Documents and Settings\Administrator\Desktop\rkill.exe


      Rkill completed on 07/12/2010  at 15:28:24.

      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 07/12/2010 at 05:27 PM

      Application Version : 4.40.1002

      Core Rules Database Version : 5134
      Trace Rules Database Version: 2946

      Scan type       : Complete Scan
      Total Scan Time : 01:52:39

      Memory items scanned      : 481
      Memory threats detected   : 0
      Registry items scanned    : 9292
      Registry threats detected : 11
      File items scanned        : 166361
      File threats detected     : 619

      Adware.Tracking Cookie
         C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@naked[1].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@admarketplace[1].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@ru4[1].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@adbrite[2].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@liveperson[3].txt
         C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@specificclick[2].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@revsci[2].txt
         C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt
         C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
         C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@dmtracker[1].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@overture[2].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@invitemedia[2].txt
         C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@imrworldwide[2].txt
         C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
         C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@adecn[1].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@advertise[2].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@bizzclick[1].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@nextag[1].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@kontera[2].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@revenue[1].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[2].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@pointroll[2].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@statcounter[1].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[2].txt
         C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[2].txt
         C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
         C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@collective-media[2].txt
         C:\Documents and Settings\Administrator\Cookies\[email protected][3].txt
         C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
         C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
         C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@liveperson[1].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[1].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@insightexpressai[2].txt
         C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[2].txt
         cdn4.specificclick.net [ C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\GRJ7KBXM ]
         core.insightexpressai.com [ C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\GRJ7KBXM ]
         media.scanscout.com [ C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\GRJ7KBXM ]
         myxxxpass.com [ C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\GRJ7KBXM ]
         naiadsystems.com [ C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\GRJ7KBXM ]
         objects.tremormedia.com [ C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\GRJ7KBXM ]
         s0.2mdn.net [ C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\GRJ7KBXM ]
         secure-us.imrworldwide.com [ C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\GRJ7KBXM ]
         static.xxxmatch.com [ C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\GRJ7KBXM ]
         udn.specificclick.net [ C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\GRJ7KBXM ]
         www.freepornofreeporn.com [ C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\GRJ7KBXM ]
         www.naiadsystems.com [ C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\GRJ7KBXM ]
         www.secretsofporn.com [ C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\GRJ7KBXM ]
         www.shakiramedia.com [ C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\GRJ7KBXM ]
         wwwstatic.megaporn.com [ C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\GRJ7KBXM ]
         .doubleclick.net [ C:\Documents and Settings\administrator.ASE_SOLAR\Application Data\Mozilla\Firefox\Profiles\jjt52wt1.default\cookies.sqlite ]
         .kontera.com [ C:\Documents and Settings\administrator.ASE_SOLAR\Application Data\Mozilla\Firefox\Profiles\jjt52wt1.default\cookies.sqlite ]
         .kontera.com [ C:\Documents and Settings\administrator.ASE_SOLAR\Application Data\Mozilla\Firefox\Profiles\jjt52wt1.default\cookies.sqlite ]
         .tribalfusion.com [ C:\Documents and Settings\administrator.ASE_SOLAR\Application Data\Mozilla\Firefox\Profiles\jjt52wt1.default\cookies.sqlite ]
         C:\Documents and Settings\administrator.ASE_SOLAR\Cookies\administrator@2o7[2].txt
         C:\Documents and Settings\administrator.ASE_SOLAR\Cookies\[email protected][1].txt
         C:\Documents and Settings\administrator.ASE_SOLAR\Cookies\[email protected][2].txt
         C:\Documents and Settings\administrator.ASE_SOLAR\Cookies\[email protected][2].txt
         C:\Documents and Settings\administrator.ASE_SOLAR\Cookies\administrator@doubleclick[1].txt
         C:\Documents and Settings\administrator.ASE_SOLAR\Cookies\administrator@findarticles[1].txt
         C:\Documents and Settings\administrator.ASE_SOLAR\Cookies\administrator@findarticles[2].txt
         C:\Documents and Settings\administrator.ASE_SOLAR\Cookies\administrator@kontera[2].txt
         C:\Documents and Settings\administrator.ASE_SOLAR\Cookies\[email protected][1].txt
         C:\Documents and Settings\administrator.ASE_SOLAR\Cookies\administrator@revsci[2].txt
         C:\Documents and Settings\administrator.ASE_SOLAR\Cookies\administrator@specificclick[1].txt
         C:\Documents and Settings\administrator.ASE_SOLAR\Cookies\[email protected][2].txt
         C:\Documents and Settings\administrator.ASE_SOLAR\Cookies\administrator@tribalfusion[1].txt
         C:\Documents and Settings\champagne\Cookies\champagne@2o7[1].txt
         C:\Documents and Settings\champagne\Cookies\[email protected][2].txt
         C:\Documents and Settings\champagne\Cookies\[email protected][2].txt
         C:\Documents and Settings\champagne\Cookies\champagne@atdmt[2].txt
         C:\Documents and Settings\champagne\Cookies\[email protected][1].txt
         C:\Documents and Settings\champagne\Cookies\[email protected][1].txt
         C:\Documents and Settings\champagne\Cookies\champagne@doubleclick[2].txt
         C:\Documents and Settings\champagne\Cookies\champagne@insightexpressai[1].txt
         C:\Documents and Settings\champagne\Cookies\champagne@interclick[1].txt
         C:\Documents and Settings\champagne\Cookies\[email protected][2].txt
         C:\Documents and Settings\champagne\Cookies\[email protected][1].txt
         C:\Documents and Settings\champagne\Cookies\[email protected][1].txt
         C:\Documents and Settings\champagne\Cookies\[email protected][1].txt
         C:\Documents and Settings\champagne\Cookies\champagne@precisionclick[1].txt
         C:\Documents and Settings\champagne\Cookies\champagne@realmedia[2].txt
         C:\Documents and Settings\champagne\Cookies\champagne@serving-sys[2].txt
         C:\Documents and Settings\champagne\Cookies\champagne@tacoda[2].txt
         objects.tremormedia.com [ C:\Documents and Settings\david\Application Data\Macromedia\Flash Player\#SharedObjects\78DP88BB ]
         C:\Documents and Settings\david\Cookies\david@2o7[1].txt
         C:\Documents and Settings\david\Cookies\david@adrevolver[2].txt
         C:\Documents and Settings\david\Cookies\david@apmebf[1].txt
         C:\Documents and Settings\david\Cookies\david@bravenet[2].txt
         C:\Documents and Settings\david\Cookies\david@casalemedia[2].txt
         C:\Documents and Settings\david\Cookies\[email protected][1].txt
         C:\Documents and Settings\david\Cookies\[email protected][1].txt
         C:\Documents and Settings\david\Cookies\[email protected][1].txt
         C:\Documents and Settings\david\Cookies\david@revsci[1].txt
         C:\Documents and Settings\david\Cookies\david@statcounter[2].txt
         C:\Documents and Settings\david\Cookies\david@supercountryhits[2].txt
         C:\Documents and Settings\david\Cookies\david@tacoda[2].txt
         C:\Documents and Settings\david\Cookies\[email protected][1].txt
         C:\Documents and Settings\david\Cookies\david@windowsmedia[1].txt
         C:\Documents and Settings\david\Cookies\[email protected][2].txt
         C:\Documents and Settings\david\Cookies\[email protected][3].txt
         C:\Documents and Settings\david\Cookies\[email protected][4].txt
         C:\Documents and Settings\david\Cookies\[email protected][1].txt
         C:\Documents and Settings\david\Cookies\[email protected][2].txt
         C:\Documents and Settings\david\Cookies\david@xiti[1].txt
         C:\Documents and Settings\david\Cookies\david@zedo[1].txt
         convoad.technoratimedia.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\D7NWDSJ9 ]
         core.insightexpressai.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\D7NWDSJ9 ]
         media.mtvnservices.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\D7NWDSJ9 ]
         media.scanscout.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\D7NWDSJ9 ]
         media1.break.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\D7NWDSJ9 ]
         objects.tremormedia.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\D7NWDSJ9 ]
         secure-us.imrworldwide.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\D7NWDSJ9 ]
         C:\Documents and Settings\NetworkService\Cookies\system@247realmedia[2].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][3].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][4].txt
         C:\Documents and Settings\NetworkService\Cookies\system@adbrite[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@adbrite[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@adbrite[4].txt
         C:\Documents and Settings\NetworkService\Cookies\system@adcloudmedia[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@adecn[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@adecn[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@admedia[1].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][3].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@advertise[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@advertise[3].txt
         C:\Documents and Settings\NetworkService\Cookies\system@advertise[4].txt
         C:\Documents and Settings\NetworkService\Cookies\system@advertising[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@advertising[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@advertising[3].txt
         C:\Documents and Settings\NetworkService\Cookies\system@adxpose[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@apmebf[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@apmebf[3].txt
         C:\Documents and Settings\NetworkService\Cookies\system@atdmt[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@atdmt[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@atdmt[3].txt
         C:\Documents and Settings\NetworkService\Cookies\system@atdmt[4].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@bizzclick[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@bizzclick[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@bizzclick[3].txt
         C:\Documents and Settings\NetworkService\Cookies\system@bizzclick[4].txt
         C:\Documents and Settings\NetworkService\Cookies\system@bluestreak[1].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@burstbeacon[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@burstnet[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@burstnet[3].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@clicksor[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@clicksor[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@clicksor[4].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][3].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][5].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][6].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][7].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][8].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[3].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@edgeadx[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@enhance[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@findfeature[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@game-advertising-online[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[3].txt
         C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[4].txt
         C:\Documents and Settings\NetworkService\Cookies\system@insightexpressai[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[3].txt
         C:\Documents and Settings\NetworkService\Cookies\system@mediaplex[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@mediaplex[3].txt
         C:\Documents and Settings\NetworkService\Cookies\system@myroitracking[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@myroitracking[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@myroitracking[3].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@pointroll[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@pointroll[3].txt
         C:\Documents and Settings\NetworkService\Cookies\system@questionmarket[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@realmedia[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@realmedia[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@realmedia[3].txt
         C:\Documents and Settings\NetworkService\Cookies\system@realmedia[5].txt
         C:\Documents and Settings\NetworkService\Cookies\system@revsci[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@revsci[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@smartadx[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@statcounter[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@statcounter[3].txt
         C:\Documents and Settings\NetworkService\Cookies\system@statcounter[4].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@trafficmp[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@tribalfusion[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@tribalfusion[3].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][3].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][3].txt
         C:\Documents and Settings\NetworkService\Cookies\system@yieldmanager[1].txt
         m1.2mdn.net [ C:\Documents and Settings\ssok\Application Data\Macromedia\Flash Player\#SharedObjects\NCXBB6J4 ]
         media.mtvnservices.com [ C:\Documents and Settings\ssok\Application Data\Macromedia\Flash Player\#SharedObjects\NCXBB6J4 ]
         msnbcmedia.msn.com [ C:\Documents and Settings\ssok\Application Data\Macromedia\Flash Player\#SharedObjects\NCXBB6J4 ]
         www.crackle.com [ C:\Documents and Settings\ssok\Application Data\Macromedia\Flash Player\#SharedObjects\NCXBB6J4 ]
         C:\Documents and Settings\ssok\Cookies\[email protected][1].txt
         C:\Documents and Settings\ssok\Cookies\ssok@247realmedia[2].txt
         C:\Documents and Settings\ssok\Cookies\ssok@2o7[2].txt
         C:\Documents and Settings\ssok\Cookies\[email protected][2].txt
         C:\Documents and Settings\ssok\Cookies\[email protected][2].txt
         C:\Documents and Settings\ssok\Cookies\ssok@adbrite[1].txt
         C:\Documents and Settings\ssok\Cookies\ssok@adinterax[1].txt
         C:\Documents and Settings\ssok\Cookies\ssok@adlegend[2].txt

      Adware.Flash Tracking Cookie
         C:\Documents and Settings\Administrator\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\GRJ7KBXM\WWWSTATIC.MEGAPORN.COM
         C:\Documents and Settings\Administrator\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\GRJ7KBXM\OBJECTS.TREMORMEDIA.COM
         C:\Documents and Settings\Administrator\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\GRJ7KBXM\WWW.SHAKIRAMEDIA.COM
         C:\Documents and Settings\Administrator\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\GRJ7KBXM\UDN.SPECIFICCLICK.NET
         C:\Documents and Settings\Administrator\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\GRJ7KBXM\NAIADSYSTEMS.COM
         C:\Documents and Settings\Administrator\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\GRJ7KBXM\WWW.NAIADSYSTEMS.COM
         C:\Documents and Settings\Administrator\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\GRJ7KBXM\SECURE-US.IMRWORLDWIDE.COM

      Trojan.DNS-Changer (Hi-Jacked DNS)
         HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{4100AE52-3648-44AB-88E7-E263354DA53D}#NAMESERVER
         HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{A698369F-A538-40AA-9685-54A6AF8DBB16}#NAMESERVER
         HKLM\SYSTEM\CONTROLSET002\SERVICES\TCPIP\PARAMETERS\INTERFACES\{4100AE52-3648-44AB-88E7-E263354DA53D}#NAMESERVER
         HKLM\SYSTEM\CONTROLSET002\SERVICES\TCPIP\PARAMETERS\INTERFACES\{A698369F-A538-40AA-9685-54A6AF8DBB16}#NAMESERVER
         HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES\{4100AE52-3648-44AB-88E7-E263354DA53D}#NAMESERVER
         HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES\{A698369F-A538-40AA-9685-54A6AF8DBB16}#NAMESERVER
         HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS#NAMESERVER
         HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS#NAMESERVER
         HKLM\SYSTEM\CONTROLSET002\SERVICES\TCPIP\PARAMETERS#NAMESERVER

      Malware.Trace
         C:\WINDOWS\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job
         HKU\.DEFAULT\SOFTWARE\XML
         HKU\S-1-5-18\SOFTWARE\XML

      Rogue.Agent/Gen-Nullo[DLL]
         C:\WINDOWS\OHUFUJUFUXUZ.DLL

      Rootkit.TDSS
         C:\WINDOWS\SYSTEM32\ERNEL32.DLL

      Trojan.Agent/Gen-Dropper[Temp]
         C:\WINDOWS\TEMP\A.TMP


      Malwarebytes' Anti-Malware 1.46
      www.malwarebytes.org

      Database version: 4052

      Windows 5.1.2600 Service Pack 3
      Internet Explorer 8.0.6001.18702

      7/12/2010 8:01:31 PM
      mbam-log-2010-07-12 (20-01-31).txt

      Scan type: Full scan (C:\|)
      Objects scanned: 365795
      Time elapsed: 1 hour(s), 28 minute(s), 50 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 2
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 2

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oadkcjsi (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oadkcjsi (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      C:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.
      C:\WINDOWS\Temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.


      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 8:32:45 PM, on 7/12/2010
      Platform: Windows XP SP3 (WinNT 5.01.2600)
      MSIE: Internet Explorer v8.00 (8.00.6001.18702)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Windows Defender\MsMpEng.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
      C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
      C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      C:\Program Files\Intel\ASF Agent\ASFAgent.exe
      C:\Program Files\Bonjour\mDNSResponder.exe
      C:\WINDOWS\system32\CTsvcCDA.exe
      C:\Program Files\Symantec AntiVirus\DefWatch.exe
      C:\WINDOWS\system32\dldtcoms.exe
      C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
      C:\Program Files\Java\jre6\bin\jqs.exe
      C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
      C:\Program Files\lotus\notes\ntmulti.exe
      C:\Program Files\Symantec\Ghost\ngctw32.exe
      C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
      C:\Program Files\Symantec AntiVirus\SavRoam.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Symantec AntiVirus\Rtvscan.exe
      C:\Program Files\Common Files\Symantec Shared\ccApp.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
      C:\Program Files\Canon\CAL\CALMAIN.exe
      C:\WINDOWS\system32\SearchIndexer.exe
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2081209
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2081209
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
      F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
      O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (filesize 75200 bytes, MD5 6D9042F1443A601DA8DC24D991EDDD0A)
      O2 - BHO: CmjBrowserHelperObject Object - {6FE6A929-59D1-4763-91AD-29B61CFFB35B} - C:\Program Files\Mindjet\MindManager 8\Mm8InternetExplorer.dll (filesize 84840 bytes, MD5 E7A33C90EB37095AA9C30361C5A91F63)
      O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (filesize 278192 bytes, MD5 7B32216D73CE3F02B3CCCFBBD9DA896A)
      O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (filesize 814648 bytes, MD5 42CB4EE0B0FC259C8AD20B460FA7D72A)
      O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (filesize 41760 bytes, MD5 C9EDE29F223A27873E187D9FB6045EA6)
      O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (filesize 73728 bytes, MD5 DEE8F03D1EACE0C8F914A2C76568EA32)
      O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (filesize 278192 bytes, MD5 7B32216D73CE3F02B3CCCFBBD9DA896A)
      O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" (filesize 52896 bytes, MD5 1918A1D8E67A6452720797919FA520C9)
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (filesize 417792 bytes, MD5 55D7A219AD8D0DB8980528944152A6FD)
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (filesize 39408 bytes, MD5 5D61BE7DB55B026A5D61A3EED09D0EAD)
      O4 - HKUS\S-1-5-21-205410724-2460346520-2862275422-1007\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'QBDataServiceUser20')
      O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
      O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
      O9 - Extra button: Send to Mindjet MindManager - {2F72393D-2472-4F82-B600-ED77F354B7FF} - C:\Program Files\Mindjet\MindManager 8\Mm8InternetExplorer.dll (filesize 84840 bytes, MD5 E7A33C90EB37095AA9C30361C5A91F63)
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 558080 bytes, MD5 AAC1D4EE39DF138C5D30AC5883E3B59F)
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 558080 bytes, MD5 AAC1D4EE39DF138C5D30AC5883E3B59F)
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)
      O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
      O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234807912982
      O16 - DPF: {AB6633A8-60A9-4F5D-B66C-ABE268CC3227} (SolidWorks Installation Manager Contol) - http://www.solidworks.com/sw/support/subscription/sldimdownload.cab
      O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) -
      O18 - Protocol: intu-help-qb3 - {C5E479EA-0A65-4B05-8C6C-2FC8CC682EB4} - C:\Program Files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll (filesize 56096 bytes, MD5 6063FE286762180C48F92BEDCE5D3AAD)
      O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
      O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
      O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
      O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
      O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
      O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
      O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
      O23 - Service: SW Distributed TS Coor

      SuperDave

      Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

      Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

      Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

      Exit out of MessengerDisable then delete the two files that were put on the desktop.

      ====================================

      Open HijackThis and select Do a system scan only

      Place a check mark next to the following entries: (if there)

      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)
      O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)


      Important: Close all open windows except for HijackThis and then click Fix checked.

      Once completed, exit HijackThis.

      ====================================

      Please download RootRepeal from GooglePages.com.
      • Extract the program file to your Desktop.
      • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.


      • Select ALL of the checkboxes and then click OK and it will start scanning your system.

      • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
      • When done, click on Save Report
      • Save it to the Desktop.
      • Please copy/paste the contents of the report in your next reply.
      Please remove any e-mail address in the RootRepeal report (if present).

      ===================================

      Download Security Check by screen317 from one of the following links and save it to your desktop.

      Link 1
      Link 2

      * Unzip SecurityCheck.zip and a folder named Security Check should appear.
      * Open the Security Check folder and double-click Security Check.bat
      * Follow the on-screen instructions inside of the black box.
      * A Notepad document should open automatically called checkup.txt
      * Post the contents of that document in your next reply.

      Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
      Windows 8 and Windows 10 dual boot with two SSD's
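The entries the helper picks out above follow a few recognisable patterns: a WinINet proxy pointed at the local machine, a stale protocol handler whose DLL is gone, an autorun living in a Temp directory. The following Python script is an added example (not from this thread and not part of HijackThis) that re-applies those checks to constructed log lines in the same format; the `[oadkcjsi]` autorun line and the second `UserInit` line are constructed for the demonstration by combining values the Malwarebytes log above reported separately.

```python
"""Triage of HijackThis 2.0.x log lines.

Added example, not part of the thread and not HijackThis code: it re-applies
the reasoning behind the entries the helper chose to "Fix checked", so a
reader can see why a loopback proxy or a Temp-directory autorun is flagged.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the same shape as the log posted in the thread. The
# [oadkcjsi] autorun line pairs the Run value name and the Trojan.Agent file
# path that the Malwarebytes log reported separately; the second UserInit
# line is a constructed tampered variant, not something seen on the machine.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe,C:\WINDOWS\Temp\svchost.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [oadkcjsi] C:\WINDOWS\Temp\svchost.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

ENTRY = re.compile(r"^([RFO]\d+) - (.*)$")
LOOPBACK = re.compile(r"(?:^|=)(?:127\.0\.0\.1|localhost)(?::\d+)?", re.I)
TRUSTED_DIRS = ("\\program files\\", "\\progra~1\\", "\\windows\\")


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "R1" or "O4"
    severity: str  # "high", "medium" or "review"
    reason: str
    line: str


def triage_line(raw: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if it looks benign."""
    line = raw.strip()
    m = ENTRY.match(line)
    if not m:
        return None
    tag, body = m.groups()
    low = body.lower()

    # 1. WinINet proxy pointing at the local machine: a rogue AV such as
    #    AV Security Suite relays (and blocks) the browser through itself.
    if tag == "R1" and "proxyserver" in low:
        value = body.split("=", 1)[1].strip() if "=" in body else ""
        if LOOPBACK.search(value):
            return Finding(tag, "high", "proxy points at loopback: " + value, line)
        return Finding(tag, "review", "proxy configured: " + value, line)

    # 2. UserInit must be the system userinit.exe alone; anything appended
    #    after the comma is launched at every logon.
    if tag == "F2" and "userinit=" in low:
        value = re.search(r"userinit=(.*)$", body, re.I).group(1)
        parts = [p.strip() for p in value.split(",") if p.strip()]
        if len(parts) == 1 and parts[0].lower().endswith("\\system32\\userinit.exe"):
            return None
        return Finding(tag, "high", "UserInit has extra entries: " + value, line)

    # 3. Autoruns launched from a Temp directory (the Malwarebytes log found
    #    Trojan.Agent at C:\WINDOWS\Temp\svchost.exe), or from anywhere
    #    outside Program Files / Windows.
    if tag == "O4":
        if "\\temp\\" in low:
            return Finding(tag, "high", "autorun target lives in a Temp directory", line)
        if not any(d in low for d in TRUSTED_DIRS):
            return Finding(tag, "review", "autorun target outside Program Files / Windows", line)
        return None

    # 4. Registered component whose DLL is gone: dead but harmless; "Fix
    #    checked" just removes the stale registration.
    if "(file missing)" in low:
        return Finding(tag, "medium", "registered component no longer on disk", line)

    # 5. Winsock LSP that HijackThis could not identify: an LSP sees every
    #    socket, so confirm the DLL's publisher before leaving it in place.
    if tag == "O10":
        return Finding(tag, "review", "unidentified Winsock LSP", line)

    return None


def triage_log(text: str) -> List[Finding]:
    """Triage a whole log; findings come back in log order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
        print(f"         {f.line}")
```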

        justin caise

        Uninstalled Windows Messenger.
        Did HijackThis system scan. (two of your listed files were present, checked them.)

        Here's the root repeal report
        ROOTREPEAL (c) AD, 2007-2009
        ==================================================
        Scan Start Time:      2010/07/13 21:42
        Program Version:      Version 1.3.5.0
        Windows Version:      Windows XP SP3
        ==================================================

        Drivers
        -------------------
        Name: dump_iaStor.sys
        Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
        Address: 0x9CCA0000   Size: 819200   File Visible: No   Signed: -
        Status: -

        Name: rootrepeal.sys
        Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
        Address: 0x9C844000   Size: 49152   File Visible: No   Signed: -
        Status: -

        Hidden/Locked Files
        -------------------
        Path: C:\hiberfil.sys
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc18.docx
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc19.pdf
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc38.ppt
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc39.ppt
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc40.xls
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\massGovDuaWebcert:Zone.Identifier
        Status: Invisible to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc45.xls
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc46.doc
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc47.doc
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc48.pdf
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc67.tif
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc68.pdf
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc56.pdf
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc49.SLDPRT
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc50.pdf
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc51.pdf
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc52.pdf
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc53.xls
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc54.jpg
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc55.jpg
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc29.pod
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc30.sdr
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc31.pdf
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc27.pdf
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc28.jpg
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc32.doc
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Health Plans Inc:Zone.Identifier
        Status: Invisible to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc35.pdf
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Job leads 2010:Zone.Identifier
        Status: Invisible to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc34.pdf
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc36.psp
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc37.psp
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Losing_My_Mind-Revised__03_21_10-_Chapter_5.doc:Zone.Identifier
        Status: Invisible to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc20.ppt
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc21.ppt
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc22.ppt
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc23.xls
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc24.pdf
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc25.xls
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc26.xls
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc57.ppt
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc58.ppt
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc59.ppt
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc60.ppt
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc66.csv
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\tdBank North balabnce dec 23 09:Zone.Identifier
        Status: Invisible to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Dc42.SLDPRT
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\massGovDuaWebcert\Division of Career Services and Division of Unemployment (7).htm
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\massGovDuaWebcert\Division of Career Services and Division of Unemployment *censored*.htm
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\massGovDuaWebcert\Division of Career Services and Division of Unemployment (1).htm
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\massGovDuaWebcert\Division of Career Services and Division of Unemployment (2).htm
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\massGovDuaWebcert\Division of Career Services and Division of Unemployment (3).htm
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\massGovDuaWebcert\Division of Career Services and Division of Unemployment (4).htm
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\massGovDuaWebcert\Division of Career Services and Division of Unemployment (5).htm
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\massGovDuaWebcert\Division of Career Services and Division of Unemployment (6).htm
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\massGovDuaWebcert\Division of Career Services and Division of Unemployment (8).htm
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\massGovDuaWebcert\Division of Career Services and Division of Unemployment (9).htm
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\massGovDuaWebcert\Division of Career Services and Division of Unemploymen (10).htm
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\massGovDuaWebcert\Division of Career Services and Division of Unemploymen (11).htm
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\massGovDuaWebcert\Division of Career Services and Division of Unemploymen (12).htm
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\massGovDuaWebcert\Division of Career Services and Division of Unemploymen (13).htm
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\massGovDuaWebcert\Division of Career Services and Division of Unemploymen (14).htm
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\massGovDuaWebcert\Division of Career Services and Division of Unemploymen (15).htm
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\massGovDuaWebcert\Division of Career Services and Division of Unemploymen (16).htm
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\massGovDuaWebcert\Division of Career Services and Division of Unemploymen (17).htm
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\massGovDuaWebcert\Division of Career Services and Division of Unemploymen (18).htm
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\massGovDuaWebcert\Division of Career Services and Division of Unemploymen (19).htm
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\My Maps\Career discovery set up in Outlook PSM.mmap774047215046896964.mm
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\My Pictures\04-01-2010 08_19_48PM.jpg
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\My Pictures\05-10-2010 10_47_25AM.jpg
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\My Pictures\05-10-2010 10_50_41AM.jpg
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\School-TAA\Dc43.tif
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\School-TAA\Dc44.tif
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\School-TAA\Dc61.doc
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\School-TAA\Dc62.doc
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\School-TAA\Dc63.doc
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\School-TAA\Dc64.doc
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\School-TAA\Dc65.doc
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Job leads 2010\Health, Safety and Environmental Manager Job in Milford 0305.htm
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Job leads 2010\Manufacturing - Plant Technician - Operating Team Leader - B.htm
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Job leads 2010\Sales - Marketing - Pr Environmental Compliance Coordinator .htm
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Dc33.bmp
        Status: Locked to the Windows API!

        Path: C:\Documents and Settings\Administrator\My Documents\Solidworks\Stair Barricade\Stair barricade center dish burnished copper 13 inch deep.SLDPRT
        Status: Locked to the Windows API!

        SSDT
        -------------------
        #: 012   Function Name: NtAlertResumeThread
        Status: Hooked by "<unknown>" at address 0x89765008

        #: 013   Function Name: NtAlertThread
        Status: Hooked by "<unknown>" at address 0x8975d1e8

        #: 017   Function Name: NtAllocateVirtualMemory
        Status: Hooked by "<unknown>" at address 0x89a44408

        #: 031   Function Name: NtConnectPort
        Status: Hooked by "<unknown>" at address 0x897c61d8

        #: 043   Function Name: NtCreateMutant
        Status: Hooked by "<unknown>" at address 0x896e61e8

        #: 053   Function Name: NtCreateThread
        Status: Hooked by "<unknown>" at address 0x899e9850

        #: 065   Function Name: NtDeleteValueKey
        Status: Hooked by "C:\Program Files\Symantec\SYMEVENT.SYS" at address 0x9d1f9350

        #: 083   Function Name: NtFreeVirtualMemory
        Status: Hooked by "<unknown>" at address 0x896f0248

        #: 089   Function Name: NtImpersonateAnonymousToken
        Status: Hooked by "<unknown>" at address 0x896fe070

        #: 091   Function Name: NtImpersonateThread
        Status: Hooked by "<unknown>" at address 0x8975a1e8

        #: 108   Function Name: NtMapViewOfSection
        Status: Hooked by "<unknown>" at address 0x8a57eb80

        #: 114   Function Name: NtOpenEvent
        Status: Hooked by "<unknown>" at address 0x897531e0

        #: 123   Function Name: NtOpenProcessToken
        Status: Hooked by "<unknown>" at address 0x8975b208

        #: 129   Function Name: NtOpenThreadToken
        Status: Hooked by "<unknown>" at address 0x896eac78

        #: 177   Function Name: NtQueryValueKey
        Status: Hooked by "<unknown>" at address 0x89a9c478

        #: 206   Function Name: NtResumeThread
        Status: Hooked by "<unknown>" at address 0x896ff1c8

        #: 213   Function Name: NtSetContextThread
        Status: Hooked by "<unknown>" at address 0x89765070

        #: 228   Function Name: NtSetInformationProcess
        Status: Hooked by "<unknown>" at address 0x896f3210

        #: 229   Function Name: NtSetInformationThread
        Status: Hooked by "<unknown>" at address 0x89755708

        #: 247   Function Name: NtSetValueKey
        Status: Hooked by "C:\Program Files\Symantec\SYMEVENT.SYS" at address 0x9d1f9580

        #: 253   Function Name: NtSuspendProcess
        Status: Hooked by "<unknown>" at address 0x897851d8

        #: 254   Function Name: NtSuspendThread
        Status: Hooked by "<unknown>" at address 0x897691e8

        #: 257   Function Name: NtTerminateProcess
        Status: Hooked by "<unknown>" at address 0x896ef188

        #: 258   Function Name: NtTerminateThread
        Status: Hooked by "<unknown>" at address 0x89755230

        #: 267   Function Name: NtUnmapViewOfSection
        Status: Hooked by "<unknown>" at address 0x896ea7a0

        #: 277   Function Name: NtWriteVirtualMemory
        Status: Hooked by "<unknown>" at address 0x89a0ac30

        ==EOF==

        Here's the Security checkup txt
         Results of screen317's Security Check version 0.99.4 
         Windows XP Service Pack 3 (UAC is disabled!)
         Internet Explorer 8 
        ``````````````````````````````
        Antivirus/Firewall Check:

         Windows Firewall Enabled! 
         Symantec AntiVirus     
         Antivirus up to date! 
        ```````````````````````````````
        Anti-malware/Other Utilities Check:

         Malwarebytes' Anti-Malware   
         HijackThis 2.0.2   
         Java(TM) 6 Update 17 
         Java(TM) 6 Update 7 
         Out of date Java installed!
         Adobe Flash Player   
        Adobe Reader 9.3.3
         Mozilla Firefox (3.0.7) Firefox Out of Date! 
        ````````````````````````````````
        Process Check: 
        objlist.exe by Laurent

         Windows Defender MSMpEng.exe
         Symantec AntiVirus DefWatch.exe   
         Symantec AntiVirus SavRoam.exe   
         Symantec AntiVirus Rtvscan.exe   
         Windows Defender MsMpEng.exe   
        ````````````````````````````````
        DNS Vulnerability Check:

         Unknown. This method cannot test your vulnerability to DNS cache poisoning.

        ``````````End of Log````````````

        So tell me Doc, am I gonna live?
        Thanks JC

        SuperDave

        Update Your Java (JRE)

        Old versions of Java have vulnerabilities that malware can use to infect your system.


        First Verify your Java Version

        If there are any other version(s) installed then update now.

        Get the new version (if needed)

        If your version is out of date install the newest version of the Sun Java Runtime Environment.

        Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

        Be sure to close ALL open web browsers before starting the installation.

        Remove any old versions

        1. Download JavaRa and unzip the file to your Desktop.
        2. Open JavaRA.exe and choose Remove Older Versions
        3. Once complete exit JavaRA.
        4. Run CCleaner.

        Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.

        ================================

        Download this << file >> & extract TDSSKiller.exe onto your Desktop

        Then create this batch file to be placed next to TDSSKiller

        =====

        Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:
        Code:
        @ECHO OFF
        START /WAIT TDSSKILLER.exe -l Logit.txt -v
        START Logit.txt
        del %0
        Save this as fix.bat, choosing "Save type as - All Files".
        It should look like this:
        Double click on fix.bat & allow it to run

        Post back to tell me what it says

          justin caise

          The only thing I didn't get to do is "Run CCleaner." Is that part of JavaRa? I didn't see it anywhere.

          I accidentally hit a key after the TDSSKILLER ran and ended that app, therefore booting the system. But I did see that it showed 1 registry (?) or file (?) object to cure on reboot - which it must have done because running it again yielded only zeroes.

          This thing cranks now by the way! I've not opened or used any programs other than IE but that's a happening deal now, and no nasty pop up obstructions.
          I'm a heavy CAD program user, btw, so speed and space is key.

          What next if anything?

            justin caise

            Oh, also...
            As I originally posted, these issues have simultaneously occurred on two of my machines. Should I just replicate all of your suggested actions on the laptop, continue conversing about that machine here, or start a new thread?

            thanks, JC

            SuperDave

            Quote
            As I originally posted, these issues have simultaneously occurred on two of my machines. Should I just replicate all of your suggested actions on the laptop, continue conversing about that machine here, or start a new thread?
            If they both have the same OS, you could give it a try. If it doesn't work, start a new thread for the other computer.

            SysProt Antirootkit

            Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

            http://sites.google.com/site/sysprotantirootkit/

            Unzip it into a folder on your desktop.
            • Double click Sysprot.exe to start the program.
            • Click on the Log tab.
            • In the Write to log box select the following items.
              • Process << Selected
              • Kernel Modules << Selected
              • SSDT << Selected
              • Kernel Hooks << Selected
              • IRP Hooks << NOT Selected
              • Ports << NOT Selected
              • Hidden Files << Selected
            • At the bottom of the page
              • Hidden Objects Only << Selected
            • Click on the Create Log button on the bottom right.
            • After a few seconds a new window should appear.
            • Select Scan Root Drive. Click on the Start button.
            • When it is complete a new window will appear to indicate that the scan is finished.
            • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.


            justin caise


              Sysprot is currently scanning...

              Well, my wife's laptop (showing AV security suite issue) is running Vista. New thread needed?

              justin caise


                And here is the Sysprot log from my desktop... the one we've been working on.

                SysProt AntiRootkit v1.0.1.0
                by swatkat

                ******************************************************************************************
                ******************************************************************************************

                No Hidden Processes found

                ******************************************************************************************
                ******************************************************************************************
                Kernel Modules:
                Module Name: \SystemRoot\System32\Drivers\dump_iaStor.sys
                Service Name: ---
                Module Base: 9B546000
                Module End: 9B60E000
                Hidden: Yes

                ******************************************************************************************
                ******************************************************************************************
                SSDT:
                Function Name: ZwAlertResumeThread
                Address: 898011D0
                Driver Base: 0
                Driver End: 0
                Driver Name: _unknown_

                Function Name: ZwAlertThread
                Address: 898C9F98
                Driver Base: 0
                Driver End: 0
                Driver Name: _unknown_

                Function Name: ZwAllocateVirtualMemory
                Address: 89AB9AF0
                Driver Base: 0
                Driver End: 0
                Driver Name: _unknown_

                Function Name: ZwConnectPort
                Address: 89B738F0
                Driver Base: 0
                Driver End: 0
                Driver Name: _unknown_

                Function Name: ZwCreateMutant
                Address: 89B3D208
                Driver Base: 0
                Driver End: 0
                Driver Name: _unknown_

                Function Name: ZwCreateThread
                Address: 89AAFAB0
                Driver Base: 0
                Driver End: 0
                Driver Name: _unknown_

                Function Name: ZwDeleteValueKey
                Address: 9BA9F350
                Driver Base: 9BA8B000
                Driver End: 9BAAD000
                Driver Name: \??\C:\Program Files\Symantec\SYMEVENT.SYS

                Function Name: ZwFreeVirtualMemory
                Address: 89573980
                Driver Base: 0
                Driver End: 0
                Driver Name: _unknown_

                Function Name: ZwImpersonateAnonymousToken
                Address: 89A30858
                Driver Base: 0
                Driver End: 0
                Driver Name: _unknown_

                Function Name: ZwImpersonateThread
                Address: 89800970
                Driver Base: 0
                Driver End: 0
                Driver Name: _unknown_

                Function Name: ZwMapViewOfSection
                Address: 898606B8
                Driver Base: 0
                Driver End: 0
                Driver Name: _unknown_

                Function Name: ZwOpenEvent
                Address: 89573680
                Driver Base: 0
                Driver End: 0
                Driver Name: _unknown_

                Function Name: ZwOpenProcessToken
                Address: 898041D0
                Driver Base: 0
                Driver End: 0
                Driver Name: _unknown_

                Function Name: ZwOpenThreadToken
                Address: 898518B0
                Driver Base: 0
                Driver End: 0
                Driver Name: _unknown_

                Function Name: ZwQueryValueKey
                Address: 898A8630
                Driver Base: 0
                Driver End: 0
                Driver Name: _unknown_

                Function Name: ZwResumeThread
                Address: 898221D0
                Driver Base: 0
                Driver End: 0
                Driver Name: _unknown_

                Function Name: ZwSetContextThread
                Address: 897FD058
                Driver Base: 0
                Driver End: 0
                Driver Name: _unknown_

                Function Name: ZwSetInformationProcess
                Address: 89801050
                Driver Base: 0
                Driver End: 0
                Driver Name: _unknown_

                Function Name: ZwSetInformationThread
                Address: 89852468
                Driver Base: 0
                Driver End: 0
                Driver Name: _unknown_

                Function Name: ZwSetValueKey
                Address: 9BA9F580
                Driver Base: 9BA8B000
                Driver End: 9BAAD000
                Driver Name: \??\C:\Program Files\Symantec\SYMEVENT.SYS

                Function Name: ZwSuspendProcess
                Address: 89854920
                Driver Base: 0
                Driver End: 0
                Driver Name: _unknown_

                Function Name: ZwSuspendThread
                Address: 89801B80
                Driver Base: 0
                Driver End: 0
                Driver Name: _unknown_

                Function Name: ZwTerminateProcess
                Address: 897FF180
                Driver Base: 0
                Driver End: 0
                Driver Name: _unknown_

                Function Name: ZwTerminateThread
                Address: 89803548
                Driver Base: 0
                Driver End: 0
                Driver Name: _unknown_

                Function Name: ZwUnmapViewOfSection
                Address: 8982D1C0
                Driver Base: 0
                Driver End: 0
                Driver Name: _unknown_

                Function Name: ZwWriteVirtualMemory
                Address: 89AB8888
                Driver Base: 0
                Driver End: 0
                Driver Name: _unknown_

                ******************************************************************************************
                ******************************************************************************************
                No Kernel Hooks found

                ******************************************************************************************
                ******************************************************************************************
                Hidden files/folders:
                Object: C:\ca5aea2e2784d3ee5437ee\amd64\filterpipelineprintproc.dll
                Status: Access denied

                Object: C:\ca5aea2e2784d3ee5437ee\amd64\msxpsdrv.cat
                Status: Access denied

                Object: C:\ca5aea2e2784d3ee5437ee\amd64\msxpsdrv.inf
                Status: Access denied

                Object: C:\ca5aea2e2784d3ee5437ee\amd64\msxpsinc.gpd
                Status: Access denied

                Object: C:\ca5aea2e2784d3ee5437ee\amd64\msxpsinc.ppd
                Status: Access denied

                Object: C:\ca5aea2e2784d3ee5437ee\amd64\mxdwdrv.dll
                Status: Access denied

                Object: C:\ca5aea2e2784d3ee5437ee\amd64\xpssvcs.dll
                Status: Access denied

                Object: C:\ca5aea2e2784d3ee5437ee\i386\filterpipelineprintproc.dll
                Status: Access denied

                Object: C:\ca5aea2e2784d3ee5437ee\i386\msxpsdrv.cat
                Status: Access denied

                Object: C:\ca5aea2e2784d3ee5437ee\i386\msxpsdrv.inf
                Status: Access denied

                Object: C:\ca5aea2e2784d3ee5437ee\i386\msxpsinc.gpd
                Status: Access denied

                Object: C:\ca5aea2e2784d3ee5437ee\i386\msxpsinc.ppd
                Status: Access denied

                Object: C:\ca5aea2e2784d3ee5437ee\i386\mxdwdrv.dll
                Status: Access denied

                Object: C:\ca5aea2e2784d3ee5437ee\i386\xpssvcs.dll
                Status: Access denied

                Object: C:\System Volume Information\MountPointManagerRemoteDatabase
                Status: Access denied

                Object: C:\System Volume Information\tracking.log
                Status: Access denied

                Object: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}
                Status: Access denied

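The SysProt log above lists every SSDT entry as a five-line block, and marks entries whose hooking driver SysProt could not map to a loaded image as `_unknown_`. What follows is an added example, not code from the thread or from SysProt, that parses that layout and groups hooked functions by the driver they were attributed to, so a reviewer can see which hooks are accounted for (here the two Symantec SYMEVENT.SYS entries) and which still need to be correlated against the Kernel Modules list before drawing any conclusion. The embedded log is a constructed, abridged sample in the posted format; the functions `parse_ssdt`, `address_in_driver` and `triage` are this example's own names.

```python
"""Triage the SSDT section of a SysProt AntiRootkit log.

Added example: groups hooked SSDT entries by the driver SysProt attributed
them to, and separates out entries it could not attribute (_unknown_), which
still have to be correlated against the Kernel Modules list by hand.
"""
import re
from collections import defaultdict

# Constructed sample, abridged, in the layout SysProt uses for its SSDT section.
SAMPLE_LOG = """\
******************************************************************************************
SSDT:
Function Name: ZwAlertResumeThread
Address: 898011D0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwDeleteValueKey
Address: 9BA9F350
Driver Base: 9BA8B000
Driver End: 9BAAD000
Driver Name: \\??\\C:\\Program Files\\Symantec\\SYMEVENT.SYS

Function Name: ZwTerminateProcess
Address: 897FF180
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

******************************************************************************************
No Kernel Hooks found
"""

FIELD_RE = re.compile(r"^(Function Name|Address|Driver Base|Driver End|Driver Name):\s*(.*)$")


def parse_ssdt(text):
    """Return one dict per SSDT entry; an entry starts at each 'Function Name:' line."""
    entries, current, in_ssdt = [], {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "SSDT:":
            in_ssdt = True
            continue
        if not in_ssdt:
            continue
        if line.startswith("*****"):  # the separator line closes the SSDT section
            break
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Function Name" and current:
            entries.append(current)
            current = {}
        current[key] = value
    if current:
        entries.append(current)
    return entries


def address_in_driver(entry):
    """True/False when the hook address lies inside the attributed driver image;
    None when SysProt reported no image range at all (base and end of 0)."""
    base, end = int(entry["Driver Base"], 16), int(entry["Driver End"], 16)
    if base == 0 or end == 0:
        return None
    return base <= int(entry["Address"], 16) < end


def triage(text):
    """Group hooked functions by owning driver; list those with no usable attribution.

    An entry counts as unattributed when the driver is _unknown_, when no image
    range was reported, or when the address falls outside the claimed range.
    """
    by_driver, unattributed = defaultdict(list), []
    entries = parse_ssdt(text)
    for e in entries:
        if e.get("Driver Name", "_unknown_") == "_unknown_" or not address_in_driver(e):
            unattributed.append(e["Function Name"])
        else:
            by_driver[e["Driver Name"]].append(e["Function Name"])
    return {"total": len(entries),
            "by_driver": dict(by_driver),
            "unattributed": sorted(unattributed)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for drv, funcs in result["by_driver"].items():
        print(f"{drv}: {', '.join(funcs)}")
    print("needs manual correlation:", ", ".join(result["unattributed"]))
```

Run against the real log, the `by_driver` table tells you which product owns each hook (a security suite hooking registry and process calls is expected behaviour), while the `unattributed` list is the set whose addresses have to be looked up in the Kernel Modules section, or in a second tool's module list, before deciding whether they belong to anything legitimate.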
                SuperDave

                Quote
                Well, my wife's laptop (showing AV security suite issue) is running Vista. New thread needed?
                Yes, please. It's hard enough to clean one computer in one thread.

                Quote
                The only thing I didn't get to do is "Run CCleaner." Is that part of JavaRa? I didn't see it anywhere.
                No. CCleaner is to clean up old files while JavaRa is to update your Java script.

                I'd like us to scan your machine with ESET OnlineScan

                • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
                ESET OnlineScan
                • Click the button.
                • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                  • Click on to download the ESET Smart Installer. Save it to your desktop.
                  • Double click on the icon on your desktop.
                • Check
                • Click the button.
                • Accept any security warnings from your browser.
                • Check
                • Push the Start button.
                • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
                • When the scan completes, push
                • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
                • Push the button.
                • Push
                A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt


                justin caise


                  C:\WINDOWS\Temp\jar_cache5603222836598598056.tmp   multiple threats   deleted - quarantined

                  SuperDave

                  That looks good. Let's try this scanner.

                  Download ComboFix by sUBs from one of the below links. 

                  Important! You MUST save ComboFix to your desktop

                  link # 1
                  Link # 2

                  Temporarily disable your Anti-virus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

                  Double click on ComboFix.exe & follow the prompts.

                  Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)

                  Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

                  When the scan completes it will open a text window.
                   
                  Post the contents of that log in your next reply.

                  Remember to re-enable your Anti-virus and Antispyware protection when ComboFix is complete.

                  justin caise


                    ComboFix 10-07-16.01 - Administrator 07/17/2010  20:50:48.2.2 - x86
                    Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2005.1362 [GMT -4:00]
                    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
                    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
                    .

                    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    .
                    ---- Previous Run -------
                    .
                    c:\documents and settings\Administrator\g2mdlhlpx.exe
                    c:\documents and settings\Administrator\System
                    c:\documents and settings\Administrator\System\win_qs8.jqx
                    c:\documents and settings\stuart-vail\g2mdlhlpx.exe

                    .
                    (((((((((((((((((((((((((   Files Created from 2010-06-18 to 2010-07-18  )))))))))))))))))))))))))))))))
                    .

                    2010-07-17 01:47 . 2010-07-17 01:47   --------   d-----w-   c:\program files\ESET
                    2010-07-16 04:05 . 2010-07-16 04:05   --------   d-----w-   c:\windows\ie8updates
                    2010-07-15 17:09 . 2010-06-14 14:31   744448   ------w-   c:\windows\system32\dllcache\helpsvc.exe
                    2010-07-15 17:01 . 2010-05-06 10:41   12800   ------w-   c:\windows\system32\dllcache\xpshims.dll
                    2010-07-15 17:01 . 2010-05-06 10:41   247808   ------w-   c:\windows\system32\dllcache\ieproxy.dll
                    2010-07-15 17:01 . 2010-05-06 10:41   743424   ------w-   c:\windows\system32\dllcache\iedvtool.dll
                    2010-07-15 01:22 . 2010-07-15 01:22   503808   ----a-w-   c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6d620dd4-n\msvcp71.dll
                    2010-07-15 01:22 . 2010-07-15 01:22   499712   ----a-w-   c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6d620dd4-n\jmc.dll
                    2010-07-15 01:22 . 2010-07-15 01:22   348160   ----a-w-   c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6d620dd4-n\msvcr71.dll
                    2010-07-15 01:21 . 2010-07-15 01:21   61440   ----a-w-   c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3db7c99a-n\decora-sse.dll
                    2010-07-15 01:21 . 2010-07-15 01:21   12800   ----a-w-   c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3db7c99a-n\decora-d3d.dll
                    2010-07-15 01:21 . 2010-06-22 08:36   423656   ----a-w-   c:\windows\system32\deployJava1.dll
                    2010-07-13 00:05 . 2010-07-13 00:05   --------   d-----w-   c:\program files\Trend Micro
                    2010-07-12 19:19 . 2010-07-12 19:19   63488   ----a-w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
                    2010-07-12 19:19 . 2010-07-12 19:19   52224   ----a-w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
                    2010-07-12 19:19 . 2010-07-12 19:19   117760   ----a-w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
                    2010-07-12 19:19 . 2010-07-12 19:19   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
                    2010-07-12 19:19 . 2010-07-12 19:19   --------   d-----w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
                    2010-07-12 19:18 . 2010-07-12 19:19   --------   d-----w-   c:\program files\SUPERAntiSpyware
                    2010-07-08 22:45 . 2010-07-08 22:45   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
                    2010-07-08 22:39 . 2010-07-08 22:39   --------   d-sh--w-   c:\windows\system32\config\systemprofile\PrivacIE
                    2010-07-08 22:14 . 2010-07-12 19:17   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\tgnmsncep
                    2010-06-18 15:25 . 2010-06-18 15:25   --------   d-sh--w-   c:\documents and settings\NetworkService\IETldCache

                    .
                    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    2010-07-18 00:44 . 2008-12-17 20:13   --------   d-----w-   c:\program files\Symantec AntiVirus
                    2010-07-17 20:47 . 2009-02-16 21:52   --------   d-----w-   c:\program files\Microsoft Silverlight
                    2010-07-15 03:31 . 2010-04-05 12:20   --------   d-----w-   c:\documents and settings\Administrator\Application Data\SolidWorks
                    2010-07-15 01:36 . 2001-08-17 18:52   125056   ----a-w-   c:\windows\system32\drivers\ftdisk.sys
                    2010-07-15 01:27 . 2008-12-09 12:28   --------   d-----w-   c:\program files\Java
                    2010-07-15 01:23 . 2008-12-09 12:28   --------   d-----w-   c:\program files\Common Files\Java
                    2010-07-14 01:30 . 2009-04-05 12:57   --------   d-----w-   c:\documents and settings\All Users\Application Data\Google Updater
                    2010-07-12 21:41 . 2010-06-08 23:35   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                    2010-06-17 15:58 . 2010-06-17 15:58   --------   d-----w-   c:\documents and settings\Administrator\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
                    2010-06-14 14:31 . 2004-08-11 22:12   744448   ----a-w-   c:\windows\pchealth\helpctr\binaries\helpsvc.exe
                    2010-06-09 18:32 . 2010-06-09 18:31   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Symantec
                    2010-06-09 18:32 . 2008-12-17 20:13   --------   d-----w-   c:\documents and settings\All Users\Application Data\Symantec
                    2010-06-09 12:56 . 2008-12-17 20:13   --------   d-----w-   c:\program files\Common Files\Symantec Shared
                    2010-06-08 23:36 . 2010-06-08 23:36   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
                    2010-06-08 23:35 . 2010-06-08 23:35   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
                    2010-05-27 14:09 . 2009-03-14 15:34   --------   d-----w-   c:\program files\FreeMind
                    2010-05-21 18:14 . 2009-10-03 05:53   221568   ------w-   c:\windows\system32\MpSigStub.exe
                    2010-05-18 02:25 . 2010-03-08 18:22   3024   ----a-w-   c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\qbbackup.sys
                    2010-05-06 10:41 . 2004-08-11 22:00   916480   ----a-w-   c:\windows\system32\wininet.dll
                    2010-05-02 05:22 . 2004-08-11 22:00   1851264   ----a-w-   c:\windows\system32\win32k.sys
                    2010-04-29 19:39 . 2010-06-08 23:35   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                    2010-04-29 19:39 . 2010-06-08 23:35   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                    2010-04-20 05:30 . 2004-08-11 22:00   285696   ----a-w-   c:\windows\system32\atmfd.dll
                    2009-08-20 15:27 . 2009-08-20 15:27   1958242   ----a-w-   c:\program files\timeline.zip
                    2009-04-25 19:47 . 2009-04-25 19:46   21878064   ----a-w-   c:\program files\QuickTimeInstaller.exe
                    2009-04-19 16:50 . 2009-04-19 16:49   2882572   ----a-w-   c:\program files\anagram_v2.10.0_installer.exe
                    2009-04-05 12:57 . 2009-04-05 12:56   1075832   ----a-w-   c:\program files\Google_Updater.exe
                    2009-03-14 15:49 . 2009-03-14 15:49   4085904   ----a-w-   c:\program files\wmfadist.exe
                    2009-03-14 15:32 . 2009-03-14 15:32   8941834   ----a-w-   c:\program files\FreeMind-Windows-Installer-0.8.1-max.exe
                    1999-10-31 02:54 . 2009-04-04 11:54   561152   ----a-w-   c:\program files\convert.exe
                    2010-02-25 17:11 . 2010-02-25 17:11   28472   ----a-w-   c:\program files\mozilla firefox\plugins\atgpcdec.dll
                    2010-02-25 17:11 . 2010-02-25 17:11   185224   ----a-w-   c:\program files\mozilla firefox\plugins\atgpcext.dll
                    2010-02-25 17:11 . 2010-02-25 17:11   99208   ----a-w-   c:\program files\mozilla firefox\plugins\ieatgpc.dll
                    2008-06-19 09:16 . 2008-06-19 09:16   118784   ----a-w-   c:\program files\mozilla firefox\plugins\MyCamera.dll
                    .

                    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    .
                    *Note* empty entries & legit default entries are not shown
                    REGEDIT4

                    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-05 39408]

                    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
                    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
                    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

                    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

                    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
                    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                    2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

                    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
                    @="Service"

                    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
                    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
                    backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
                    2010-06-09 08:06   976832   ----a-w-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
                    2010-06-20 02:04   35760   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CarboniteSetupLite]
                    2009-07-31 22:38   283792   ----a-w-   c:\program files\Carbonite\CarbonitePreinstaller.exe

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dldtamon]
                    2008-06-24 06:27   16624   ----a-w-   c:\program files\Dell V305\dldtamon.exe

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dldtmon.exe]
                    2008-06-24 06:26   668912   ----a-w-   c:\program files\Dell V305\dldtmon.exe

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
                    2007-10-03 20:44   178712   ----a-w-   c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
                    2007-06-28 20:21   141848   ----a-w-   c:\windows\system32\igfxtray.exe

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
                    2009-11-26 06:04   1087752   ----a-w-   c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
                    2010-02-15 23:07   141608   ----a-w-   c:\program files\iTunes\iTunesHelper.exe

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MmDesignPartner.exe]
                    2009-12-07 18:17   12640   ----a-w-   c:\program files\Mindjet\MindManager 8\MmDesignPartner.exe

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMReminderService]
                    2009-12-07 18:17   38240   ----a-w-   c:\program files\Mindjet\MindManager 8\MmReminderService.exe

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NGTray]
                    2008-04-23 02:35   218504   ----a-w-   c:\program files\Symantec\Ghost\ngtray.exe

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
                    2009-11-11 04:08   417792   ----a-w-   c:\program files\QuickTime\QTTask.exe

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SolidWorks_CheckForUpdates]
                    2009-03-19 23:30   7308584   ----a-w-   c:\program files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
                    2007-09-25 00:12   1036288   ----a-w-   c:\program files\Analog Devices\Core\smax4pnp.exe

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
                    2009-04-05 12:57   39408   ----a-w-   c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
                    2006-09-28 01:33   125168   ----a-w-   c:\progra~1\SYMANT~1\VPTray.exe

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
                    2006-11-04 00:20   866584   ----a-w-   c:\program files\Windows Defender\MSASCui.exe

                    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
                    "AntiVirusOverride"=dword:00000001

                    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
                    "DisableMonitoring"=dword:00000001

                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                    "%windir%\\system32\\sessmgr.exe"=
                    "c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
                    "c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
                    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                    "c:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"=
                    "c:\\WINDOWS\\system32\\dldtcoms.exe"=
                    "c:\\Program Files\\Dell V305\\dldtmon.exe"=
                    "c:\\WINDOWS\\system32\\dldtcfg.exe"=
                    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldtpswx.exe"=
                    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldttime.exe"=
                    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldtjswx.exe"=
                    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
                    "c:\\Program Files\\iTunes\\iTunes.exe"=
                    "c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
                    "c:\\Program Files\\Dell V305\\dldtlscn.exe"=
                    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
                    "c:\\WINDOWS\\system32\\spoolsv.exe"=

                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
                    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

                    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
                    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
                    R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [1/23/2007 4:58 AM 133968]
                    R2 dldt_device;dldt_device;c:\windows\system32\dldtcoms.exe -service --> c:\windows\system32\dldtcoms.exe -service [?]
                    R2 NGCLIENT;Symantec Ghost Client Agent;c:\program files\Symantec\Ghost\ngctw32.exe [4/22/2008 10:35 PM 673160]
                    R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 9:33 PM 116464]
                    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
                    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/11/2010 8:09 AM 102448]
                    S2 dldtCATSCustConnectService;dldtCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldtserv.exe [1/12/2010 9:26 PM 99568]
                    S2 gupdate1c9b5ee4668cb7c;Google Update Service (gupdate1c9b5ee4668cb7c);c:\program files\Google\Update\GoogleUpdate.exe [4/5/2009 8:58 AM 133104]
                    S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe [3/19/2009 11:31 AM 83240]
                    S3 QuickBooksDB20;QuickBooksDB20;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB20 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB20 [?]
                    S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]
                    .
                    Contents of the 'Scheduled Tasks' folder

                    2010-07-17 c:\windows\Tasks\GlaryInitialize.job
                    - c:\program files\Glary Utilities\initialize.exe [2009-02-16 22:10]

                    2010-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
                    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-05 12:58]

                    2010-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
                    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-05 12:58]

                    2010-07-17 c:\windows\Tasks\MP Scheduled Scan.job
                    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

                    2010-07-17 c:\windows\Tasks\SDMsgUpdate (TE).job
                    - c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2010-04-15 16:21]

                    2010-07-17 c:\windows\Tasks\User_Feed_Synchronization-{4255649C-6950-45D3-84EF-887008759005}.job
                    - c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
                    .
                    .
                    ------- Supplementary Scan -------
                    .
                    uStart Page = hxxp://www.google.com/
                    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
                    uInternet Settings,ProxyOverride = <local>
                    uSearchAssistant = hxxp://www.google.com/ie
                    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
                    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
                    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
                    Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
                    DPF: {AB6633A8-60A9-4F5D-B66C-ABE268CC3227} - hxxp://www.solidworks.com/sw/support/subscription/sldimdownload.cab
                    FF - ProfilePath -
                    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
                    .
                    - - - - ORPHANS REMOVED - - - -

                    SafeBoot-klmdb.sys
                    MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
                    **************************************************************************

                    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                    Rootkit scan 2010-07-17 20:57
                    Windows 5.1.2600 Service Pack 3 NTFS

                    scanning hidden processes ... 

                    scanning hidden autostart entries ...

                    scanning hidden files ... 

                    scan completed successfully
                    hidden files: 0

                    **************************************************************************
                    .
                    --------------------- LOCKED REGISTRY KEYS ---------------------

                    [HKEY_USERS\S-1-5-21-205410724-2460346520-2862275422-500\Software\Microsoft\Internet Explorer\User Preferences]
                    @Denied: (2) (Administrator)
                    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5 977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
                       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,66,8f,60,5b,33,61,15,44,8d,fb,b9,\
                    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839 E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
                       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,66,8f,60,5b,33,61,15,44,8d,fb,b9,\
                    .
                    --------------------- DLLs Loaded Under Running Processes ---------------------

                    - - - - - - - > 'winlogon.exe'(888)
                    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                    c:\windows\system32\WININET.dll
                    c:\windows\system32\igfxdev.dll
                    .
                    Completion time: 2010-07-17  21:00:11
                    ComboFix-quarantined-files.txt  2010-07-18 00:59

                    Pre-Run: 40,728,305,664 bytes free
                    Post-Run: 40,687,247,360 bytes free

                    - - End Of File - - 3384DA171C6D334D70593128DAB0BB81