google redirects


#1
lgfr
Member, 25 posts
I think I have an infection. Google keeps redirecting me. I also see I have a new folder in Windows: Windows\system32\Syswow32.

I looked at the guide for fixing the problem but I am afraid to do anything that might cause my computer not to start.

Can someone help me?

#2
maliprog
Trusted Helper, Malware Removal, 6,172 posts
Hello lgfr, and welcome to G2G! :)

My nick is maliprog and I'll be your technical support on this issue. Before we start, please read my notes carefully:

NOTE:
  • Malware removal is NOT instantaneous; most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean.
  • Kindly follow my instructions in the order posted. Order is crucial in the cleaning process.
  • Please DO NOT run any scans or fix on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described.
  • If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply.
  • You must reply within 3 days or your topic will be closed

Step 1

Download OTL to your Desktop

  • Double click on the icon to run it (If running Vista or Windows 7, right click on it and select "Run as an Administrator"). Make sure all other windows are closed and let it run uninterrupted.
  • Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them if you need to start a new topic.

Step 2

Please read carefully and follow these steps.

Download TDSSKiller.zip from Kaspersky and save it to your Desktop.
  • Extract the zip file to its own folder.
  • Double click TDSSKiller.exe to run the program (Run as Administrator for Vista/Windows 7).
  • Click Start scan to start scanning.
  • If infection is detected, the default setting for "action" should be Cure
    • (If suspicious file is detected please click on it and change it to Skip).
  • Click Continue button
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.

Step 3

Download aswMBR.exe (511 KB) to your desktop.

  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start the scan
  • On completion of the scan, click Save log, save it to your desktop and post it in your next reply

Step 4

Please don't forget to include these items in your reply:

  • OTL log
  • OTL Extras log
  • TDSSKiller log
  • aswMBR log
It would be helpful if you could post each log in a separate post.

#3
lgfr
Topic Starter, Member, 25 posts
I think I messed up. I ran this as Run Scan, not Quick Scan, so I deleted the files and ran it a second time and didn't get the Extra file. I tried a third time and still didn't get it. So all I have is the OTL, which is below:

OTL logfile created on: 5/30/2011 7:45:32 AM - Run 3
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\Linda\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.87 Gb Total Physical Memory | 1.15 Gb Available Physical Memory | 61.47% Memory free
3.72 Gb Paging File | 3.11 Gb Available in Paging File | 83.46% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 166.02 Gb Total Space | 150.22 Gb Free Space | 90.48% Space Free | Partition Type: NTFS

Computer Name: 8FCC61F12 | User Name: Linda | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/30 07:44:16 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Linda\My Documents\Downloads\OTL.scr
PRC - [2011/05/27 17:13:43 | 001,123,328 | -HS- | M] () -- C:\WINDOWS\system32\11.tmp
PRC - [2011/05/27 17:13:32 | 000,201,728 | ---- | M] () -- C:\Documents and Settings\Linda\Application Data\SysWin\lsass.exe
PRC - [2011/05/22 17:06:10 | 001,425,408 | ---- | M] () -- C:\WINDOWS\system32\msrclr4032.exe
PRC - [2011/05/22 17:06:10 | 001,425,408 | ---- | M] () -- C:\WINDOWS\system32\BROSNMP32.exe
PRC - [2011/05/03 13:14:48 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/01/08 18:08:20 | 000,274,608 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\Update\realsched.exe
PRC - [2010/11/11 22:45:25 | 001,766,736 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\casc.exe
PRC - [2010/11/11 22:45:24 | 001,115,472 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\ccevtmgr.exe
PRC - [2010/11/11 22:45:24 | 000,251,216 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
PRC - [2010/11/11 22:45:24 | 000,212,992 | ---- | M] (Computer Associates International, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\isafe.exe
PRC - [2010/11/11 22:45:24 | 000,206,160 | ---- | M] (Computer Associates International, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
PRC - [2010/10/29 20:18:44 | 000,206,152 | ---- | M] (CA) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\CAAMSvc.exe
PRC - [2010/09/17 12:21:00 | 000,301,648 | ---- | M] (CA) -- C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
PRC - [2010/08/24 12:07:34 | 000,740,160 | ---- | M] (CA) -- C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
PRC - [2010/08/12 14:57:58 | 000,060,416 | ---- | M] () -- C:\Program Files\Avanquest\PowerDesk\PDHookServer.exe
PRC - [2010/02/28 19:37:38 | 001,377,008 | ---- | M] () -- C:\WINDOWS\system32\svcprs32.exe
PRC - [2010/02/28 19:33:56 | 002,347,760 | ---- | M] () -- C:\WINDOWS\system32\mdmcls32.exe
PRC - [2009/08/04 10:42:18 | 000,887,288 | ---- | M] (CA) -- C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
PRC - [2009/07/31 16:30:14 | 000,150,008 | ---- | M] (CA) -- C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
PRC - [2009/03/27 22:10:56 | 000,014,336 | ---- | M] (LSI Corporation) -- C:\Program Files\LSI SoftModem\agrsmsvc.exe
PRC - [2008/04/15 00:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/12/14 02:12:02 | 000,483,328 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
PRC - [1999/10/12 09:53:46 | 000,013,312 | ---- | M] () -- C:\WINDOWS\system32\LMSXXEF.exe
PRC - [1998/12/10 13:57:12 | 000,037,376 | ---- | M] () -- C:\Program Files\TextBridge Pro 8.0\Bin\InstantAccess.exe


========== Modules (SafeList) ==========

MOD - [2011/05/30 07:44:16 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Linda\My Documents\Downloads\OTL.scr
MOD - [2011/01/08 18:08:35 | 000,040,448 | ---- | M] (RealNetworks, Inc.) -- C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
MOD - [2010/09/28 14:10:00 | 000,079,184 | ---- | M] (CA) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-9.0.0.69\QOEHook.dll
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2010/08/12 14:57:56 | 000,011,264 | ---- | M] () -- C:\Program Files\Avanquest\PowerDesk\DClickDesktopHook.dll
MOD - [2010/08/12 14:57:32 | 000,103,936 | ---- | M] () -- C:\WINDOWS\system32\FileMonitor32.dll
MOD - [2010/04/25 16:54:00 | 000,653,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
MOD - [2010/04/25 16:54:00 | 000,569,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
MOD - [1998/12/10 13:40:10 | 000,119,808 | ---- | M] () -- C:\Program Files\TextBridge Pro 8.0\Bin\Tbmhook.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/05/22 17:06:10 | 001,425,408 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\BROSNMP32.exe -- (UmxFwHlp32)
SRV - [2010/11/11 22:45:24 | 000,251,216 | ---- | M] (CA, Inc.) [On_Demand | Running] -- C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe -- (CaCCProvSP)
SRV - [2010/11/11 22:45:24 | 000,212,992 | ---- | M] (Computer Associates International, Inc.) [Auto | Running] -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\isafe.exe -- (CAISafe)
SRV - [2010/11/11 22:45:24 | 000,206,160 | ---- | M] (Computer Associates International, Inc.) [Auto | Running] -- C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe -- (ccSchedulerSVC)
SRV - [2010/10/29 20:18:44 | 000,206,152 | ---- | M] (CA) [Auto | Running] -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\CAAMSvc.exe -- (CAAMSvc)
SRV - [2010/09/17 12:21:00 | 000,301,648 | ---- | M] (CA) [Auto | Running] -- C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe -- (UmxPol)
SRV - [2010/08/24 12:07:34 | 000,740,160 | ---- | M] (CA) [Auto | Running] -- C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe -- (UmxCfg)
SRV - [2010/02/28 19:37:38 | 001,377,008 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\svcprs32.exe -- (WinSvchostManager)
SRV - [2010/02/28 19:33:56 | 002,347,760 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\mdmcls32.exe -- (WinExtManager)
SRV - [2009/08/04 10:42:18 | 000,887,288 | ---- | M] (CA) [Auto | Running] -- C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe -- (UmxAgent)
SRV - [2009/07/31 16:30:14 | 000,150,008 | ---- | M] (CA) [Auto | Running] -- C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe -- (UmxFwHlp)
SRV - [2009/03/27 22:10:56 | 000,014,336 | ---- | M] (LSI Corporation) [Auto | Running] -- C:\Program Files\LSI SoftModem\agrsmsvc.exe -- (AgereModemAudio)


========== Driver Services (SafeList) ==========

DRV - [2010/09/24 11:16:18 | 000,146,000 | ---- | M] (CA) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\KmxCF.sys -- (KmxCF)
DRV - [2010/09/24 11:16:18 | 000,115,792 | ---- | M] (CA) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\KmxFw.sys -- (KmxFw)
DRV - [2010/09/24 11:16:18 | 000,061,008 | ---- | M] (CA) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\KmxSbx.sys -- (KmxSbx)
DRV - [2010/09/24 11:16:18 | 000,061,008 | ---- | M] (CA) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\KmxFile.sys -- (KmxFile)
DRV - [2010/09/17 12:21:00 | 000,135,248 | ---- | M] (CA) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\KmxAMRT.sys -- (KmxAMRT)
DRV - [2010/09/17 06:00:28 | 000,599,936 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8192su.sys -- (RTL8192su)
DRV - [2010/06/09 06:54:38 | 000,244,304 | ---- | M] (CA) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\KmxCfg.sys -- (KmxCfg)
DRV - [2010/05/03 02:12:02 | 000,108,112 | ---- | M] (CA) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\kmxstart.sys -- (KmxStart)
DRV - [2010/03/22 13:58:42 | 000,079,864 | ---- | M] (CA) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\KmxAgent.sys -- (KmxAgent)
DRV - [2010/02/01 11:02:44 | 000,084,984 | ---- | M] (SUNIX Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\snxppalx.sys -- (SNXPPALX)
DRV - [2010/01/14 03:44:00 | 000,041,080 | ---- | M] (SUNIX Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\snxpcard.sys -- (SNXPCARD)
DRV - [2009/08/13 15:07:12 | 001,163,328 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2009/03/27 15:27:04 | 000,598,656 | ---- | M] (Computer Associates International, Inc.) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\KmxAMVet.sys -- (KmxAMVet)
DRV - [2009/02/11 12:40:40 | 005,028,352 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/08/01 18:36:26 | 000,022,016 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2008/08/01 18:36:20 | 000,054,784 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2008/04/13 23:05:40 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2007/04/16 21:46:00 | 000,033,792 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdPPM.sys -- (AmdPPM)
DRV - [2006/01/24 17:38:40 | 000,078,720 | ---- | M] (Netgear Inc. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\FA311XP.SYS -- (RTL8023xp)
DRV - [1999/07/31 09:11:54 | 000,058,304 | ---- | M] (Sharp Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\VSP1284D.SYS -- (VSP1284D)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 9B 21 65 03 D6 29 17 48 96 A3 B1 05 2E F5 6E 69 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: [email protected]:2.0.0.108
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:14.0.1
FF - prefs.js..extensions.enabledItems: {6c821380-3bfa-4a8a-9dc2-a522bc32ff1f}:1.0
FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Firefox\extensions\\[email protected]: C:\Program Files\CA\CA Internet Security Suite\RRR Anti-Phishing\Toolbar\Firefox [2010/10/29 20:20:38 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/01/08 18:08:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/29 15:15:06 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/03 13:14:50 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.10\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011/05/01 16:44:34 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.10\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2010/04/03 15:50:10 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Linda\Application Data\Mozilla\Extensions
[2010/04/03 15:50:10 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Linda\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2011/05/29 19:41:04 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\q95jpmru.default\extensions
[2011/03/06 18:48:31 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\q95jpmru.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/05/30 07:18:28 | 000,000,000 | ---D | M] (XUL Cache) -- C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\q95jpmru.default\extensions\{6c821380-3bfa-4a8a-9dc2-a522bc32ff1f}
[2011/05/29 19:41:04 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/09/18 12:18:02 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2011/01/08 13:18:45 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/01/08 18:08:35 | 000,000,000 | ---D | M] (RealPlayer Browser Record Plugin) -- C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\REAL\REALPLAYER\BROWSERRECORDPLUGIN\FIREFOX\EXT
[2010/10/29 20:20:38 | 000,000,000 | ---D | M] (CA Anti-Phishing Toolbar) -- C:\PROGRAM FILES\CA\CA INTERNET SECURITY SUITE\RRR ANTI-PHISHING\TOOLBAR\FIREFOX
[2010/03/29 22:47:49 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/11/12 19:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2008/04/15 00:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {0365219B-29D6-4817-96A3-B1052EF56E69} - C:\WINDOWS\system32\autodisc32.dll (Borland Software Corporation)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (CA Anti-Phishing Toolbar Helper) - {45011CF5-E4A9-4F13-9093-F30A784EB9B2} - C:\Program Files\CA\CA Internet Security Suite\RRR Anti-Phishing\Toolbar\caIEToolbar.dll (CA, Inc.)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (CA Anti-Phishing Toolbar) - {0123B506-0AD9-43AA-B0CF-916C122AD4C5} - C:\Program Files\CA\CA Internet Security Suite\RRR Anti-Phishing\Toolbar\caIEToolbar.dll (CA, Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (CA Anti-Phishing Toolbar) - {0123B506-0AD9-43AA-B0CF-916C122AD4C5} - C:\Program Files\CA\CA Internet Security Suite\RRR Anti-Phishing\Toolbar\caIEToolbar.dll (CA, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 7.0] C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [BVRPLiveUpdate] File not found
O4 - HKLM..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe (CA, Inc.)
O4 - HKLM..\Run: [cctray] C:\Program Files\CA\CA Internet Security Suite\casc.exe (CA, Inc.)
O4 - HKLM..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe (Hewlett-Packard)
O4 - HKLM..\Run: [InstantAccess] C:\Program Files\TextBridge Pro 8.0\Bin\InstantAccess.exe ()
O4 - HKLM..\Run: [KBDALwow.exe] File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe ()
O4 - HKLM..\Run: [RegisterDropHandler] C:\Program Files\TextBridge Pro 8.0\Bin\RegisterDropHandler.exe ()
O4 - HKLM..\Run: [shginawow.exe] File not found
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Real\RealPlayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [WCEFLMS] C:\WINDOWS\System32\WCEFLMS.EXE ()
O4 - HKLM..\Run: [XE Fax LM Status] C:\WINDOWS\System32\LMSXXEF.exe ()
O4 - HKCU..\Run: [PDHookServer] C:\Program Files\Avanquest\PowerDesk\PDHookServer.exe ()
O4 - HKLM..\RunOnceEx: [washindex] C:\Program Files\Washer\washidx.exe ()
O4 - HKLM..\RunServices: [RegisterDropHandler] C:\Program Files\TextBridge Pro 8.0\Bin\RegisterDropHandler.exe ()
O4 - HKLM..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\XE_fx Status Monitor.lnk = C:\Program Files\XWC_90fx\X9ENGSS.EXE (SHARP CORPORATION)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: RTHDBPL = C:\Documents and Settings\Linda\Application Data\SysWin\lsass.exe ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\winsflt.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\System32\winsflt.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\System32\winsflt.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\winsflt.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\winsflt.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\System32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\System32\winsflt.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\System32\VetRedir.dll (Computer Associates International, Inc.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1269900647072 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O20 - AppInit_DLLs: (C:\WINDOWS\system32\FileMonitor32.dll) - C:\WINDOWS\system32\FileMonitor32.dll ()
O20 - AppInit_DLLs: (C:\WINDOWS\system32\mscories32.dll) - C:\WINDOWS\system32\mscories32.dll (Borland Software Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\PFW: DllName - UmxWnp.Dll - C:\WINDOWS\System32\UmxWNP.dll (CA)
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll ()
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/03/29 17:29:46 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{719be275-4966-11df-95ef-0026181a0539}\Shell\AutoRun\command - "" = K:\setupSNK.exe
O33 - MountPoints2\{8e574204-08ad-11e0-9653-0026181a0539}\Shell\AutoRun\command - "" = I:\ShellRun.exe StartHere.html
O33 - MountPoints2\{f6ec17ae-3ccf-11df-95cc-0026181a0539}\Shell - "" = Autorun
O33 - MountPoints2\{f6ec17ae-3ccf-11df-95cc-0026181a0539}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{f6ec17ae-3ccf-11df-95cc-0026181a0539}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-7-5-16-100031972-100019914-100003244-2638.com d:\
O33 - MountPoints2\{f6ec17ae-3ccf-11df-95cc-0026181a0539}\Shell\Open\command - "" = RECYCLER\S-7-5-16-100031972-100019914-100003244-2638.com d:\
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17465059307421696)

========== Files/Folders - Created Within 30 Days ==========

[2011/05/29 19:01:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Linda\Desktop\GooredFix Backups
[2011/05/29 18:01:32 | 000,424,960 | ---- | C] (Borland Software Corporation) -- C:\WINDOWS\System32\autodisc32.dll
[2011/05/27 17:20:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\WinRAR
[2011/05/27 17:20:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\1739438284
[2011/05/27 17:14:26 | 000,000,000 | -HSD | C] -- C:\WINDOWS\System32\SysWoW32
[2011/05/27 17:14:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\1245202996
[2011/05/27 17:14:01 | 000,000,000 | -HSD | C] -- C:\WINDOWS\System32\B3CF20ECE12D5ED97AC84A0E0BB05B01
[2011/05/27 17:13:38 | 000,261,632 | ---- | C] (Borland Software Corporation) -- C:\WINDOWS\System32\mscories32.dll
[2011/05/27 17:13:33 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Linda\Application Data\SysWin
[2011/05/01 17:05:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Free Convert to DIVX AVI WMV MP4 MPEG Converter
[2011/05/01 17:05:29 | 000,000,000 | ---D | C] -- C:\Program Files\Free Convert to DIVX AVI WMV MP4 MPEG Converter
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\Documents and Settings\Linda\*.tmp files -> C:\Documents and Settings\Linda\*.tmp -> ]
[1 C:\Documents and Settings\Linda\My Documents\*.tmp files -> C:\Documents and Settings\Linda\My Documents\*.tmp -> ]
[1 C:\Documents and Settings\Linda\Desktop\*.tmp files -> C:\Documents and Settings\Linda\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

  • 0

#4
lgfr

Member, Topic Starter, 25 posts
Here is the TDSSKiller.log

2011/05/30 07:53:48.0328 0672 TDSS rootkit removing tool 2.5.3.0 May 25 2011 07:09:24
2011/05/30 07:53:48.0890 0672 ================================================================================
2011/05/30 07:53:48.0890 0672 SystemInfo:
2011/05/30 07:53:48.0906 0672
2011/05/30 07:53:48.0906 0672 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/30 07:53:48.0906 0672 Product type: Workstation
2011/05/30 07:53:48.0906 0672 ComputerName: 8FCC61F12
2011/05/30 07:53:48.0906 0672 UserName: Linda
2011/05/30 07:53:48.0906 0672 Windows directory: C:\WINDOWS
2011/05/30 07:53:48.0906 0672 System windows directory: C:\WINDOWS
2011/05/30 07:53:48.0906 0672 Processor architecture: Intel x86
2011/05/30 07:53:48.0906 0672 Number of processors: 2
2011/05/30 07:53:48.0906 0672 Page size: 0x1000
2011/05/30 07:53:48.0906 0672 Boot type: Normal boot
2011/05/30 07:53:48.0906 0672 ================================================================================
2011/05/30 07:53:49.0875 0672 Initialize success
2011/05/30 07:53:58.0156 1864 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/05/30 07:53:58.0171 1864 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/05/30 07:53:58.0187 1864 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/05/30 07:53:58.0218 1864 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/05/30 07:53:58.0265 1864 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/05/30 07:53:58.0312 1864 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/05/30 07:53:58.0359 1864 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/05/30 07:53:58.0421 1864 RTL8023xp (47b8ea4493ebffb3d6a0e06cd03c5aba) C:\WINDOWS\system32\DRIVERS\FA311XP.SYS
2011/05/30 07:53:58.0468 1864 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2011/05/30 07:53:58.0515 1864 RTL8192su (fd0a03c5e862e3c0bcf4e9438d1878f4) C:\WINDOWS\system32\DRIVERS\RTL8192su.sys
2011/05/30 07:53:58.0593 1864 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/05/30 07:53:58.0625 1864 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/05/30 07:53:58.0671 1864 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/05/30 07:53:58.0718 1864 SNXPCARD (58b7f7745de0f13a8aa1247c0d34006e) C:\WINDOWS\system32\DRIVERS\snxpcard.sys
2011/05/30 07:53:58.0750 1864 SNXPPALX (1191bbec29580fea2e418592fb9a2d8c) C:\WINDOWS\system32\DRIVERS\snxppalx.sys
2011/05/30 07:53:58.0953 1864 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/05/30 07:53:59.0140 1864 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/05/30 07:53:59.0328 1864 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/05/30 07:53:59.0343 1864 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/05/30 07:53:59.0406 1864 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/05/30 07:53:59.0500 1864 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/05/30 07:53:59.0562 1864 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/30 07:53:59.0609 1864 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/05/30 07:53:59.0640 1864 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/05/30 07:53:59.0671 1864 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/05/30 07:53:59.0750 1864 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/05/30 07:53:59.0828 1864 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/05/30 07:53:59.0875 1864 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/05/30 07:53:59.0890 1864 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/05/30 07:53:59.0906 1864 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/05/30 07:53:59.0921 1864 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/05/30 07:53:59.0937 1864 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/05/30 07:53:59.0953 1864 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/05/30 07:53:59.0984 1864 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/30 07:54:00.0031 1864 VSP1284D (1928efc92bc4c32efa30c09879fce5a0) C:\WINDOWS\system32\VSP1284D.SYS
2011/05/30 07:54:00.0093 1864 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/05/30 07:54:00.0156 1864 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/05/30 07:54:00.0250 1864 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/05/30 07:54:00.0312 1864 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/05/30 07:54:00.0328 1864 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/05/30 07:54:00.0375 1864 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/05/30 07:54:00.0484 1864 ================================================================================
2011/05/30 07:54:00.0484 1864 Scan finished
2011/05/30 07:54:00.0484 1864 ================================================================================
2011/05/30 07:54:00.0500 4244 Detected object count: 0
2011/05/30 07:54:00.0500 4244 Actual detected object count: 0

#5
lgfr
    Member
  • Topic Starter
  • 25 posts
Here is the aswMBR log

aswMBR version 0.9.5.317 Copyright© 2011 AVAST Software
Run date: 2011-05-30 07:59:34
-----------------------------
07:59:34.406 OS Version: Windows 5.1.2600 Service Pack 3
07:59:34.406 Number of processors: 2 586 0x6B02
07:59:34.406 ComputerName: 8FCC61F12 UserName: Linda
07:59:37.375 Initialize success
07:59:47.406 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
07:59:47.406 Disk 0 Vendor: WDC_WD3200AAJS-65M0A0 01.03E01 Size: 305245MB BusType: 3
07:59:49.421 Disk 0 MBR read successfully
07:59:49.421 Disk 0 MBR scan
07:59:49.421 Disk 0 Windows XP default MBR code
07:59:51.421 Disk 0 scanning sectors +348160680
07:59:51.421 Disk 0 scanning C:\WINDOWS\system32\drivers
07:59:55.171 Service scanning
07:59:56.062 Disk 0 trace - called modules:
07:59:56.078 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
07:59:56.078 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89cbeab8]
07:59:56.078 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\00000061[0x89d281e0]
07:59:56.078 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x89cca940]
08:00:03.593 Unsigned kernel modules:
08:00:03.593 0xb81c8000 C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
08:00:03.687 0xb7c1c000 C:\WINDOWS\system32\DRIVERS\NVNRM.SYS
08:00:09.765 0xb82e8000 C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
08:00:09.937 0xb44f3000 C:\WINDOWS\system32\drivers\RtkHDAud.sys
08:00:17.250 0xa43fa000 C:\WINDOWS\system32\VSP1284D.SYS
08:00:18.093 Scan finished successfully
08:01:09.578 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Linda\Desktop\MBR.dat"
08:01:09.578 The log file has been saved successfully to "C:\Documents and Settings\Linda\Desktop\aswMBR.txt"

#6
maliprog
    Trusted Helper
  • Malware Removal
  • 6,172 posts
You have a badly infected system. It's time to remove some of the infection.

Step 1

Please close all running programs and Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :processes
    killallprocesses

    :OTL
    SRV - [2011/05/22 17:06:10 | 001,425,408 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\BROSNMP32.exe -- (UmxFwHlp32)
    O4 - HKLM..\Run: [KBDALwow.exe] File not found
    O4 - HKLM..\Run: [shginawow.exe] File not found
    O4 - HKLM..\Run: [WCEFLMS] C:\WINDOWS\System32\WCEFLMS.EXE ()
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: RTHDBPL = C:\Documents and Settings\Linda\Application Data\SysWin\lsass.exe ()
    O33 - MountPoints2\{719be275-4966-11df-95ef-0026181a0539}\Shell\AutoRun\command - "" = K:\setupSNK.exe
    O33 - MountPoints2\{8e574204-08ad-11e0-9653-0026181a0539}\Shell\AutoRun\command - "" = I:\ShellRun.exe StartHere.html
    O33 - MountPoints2\{f6ec17ae-3ccf-11df-95cc-0026181a0539}\Shell - "" = Autorun
    O33 - MountPoints2\{f6ec17ae-3ccf-11df-95cc-0026181a0539}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{f6ec17ae-3ccf-11df-95cc-0026181a0539}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-7-5-16-100031972-100019914-100003244-2638.com d:\
    O33 - MountPoints2\{f6ec17ae-3ccf-11df-95cc-0026181a0539}\Shell\Open\command - "" = RECYCLER\S-7-5-16-100031972-100019914-100003244-2638.com d:\
    O20 - AppInit_DLLs: (C:\WINDOWS\system32\mscories32.dll) - C:\WINDOWS\system32\mscories32.dll (Borland Software Corporation)
    [2011/05/29 18:01:32 | 000,424,960 | ---- | C] (Borland Software Corporation) -- C:\WINDOWS\System32\autodisc32.dll
    [2011/05/27 17:20:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\1739438284
    [2011/05/27 17:14:26 | 000,000,000 | -HSD | C] -- C:\WINDOWS\System32\SysWoW32
    [2011/05/27 17:14:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\1245202996
    [2011/05/27 17:14:01 | 000,000,000 | -HSD | C] -- C:\WINDOWS\System32\B3CF20ECE12D5ED97AC84A0E0BB05B01
    [2011/05/27 17:13:38 | 000,261,632 | ---- | C] (Borland Software Corporation) -- C:\WINDOWS\System32\mscories32.dll
    [2011/05/27 17:13:33 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Linda\Application Data\SysWin
    [2011/05/29 16:44:10 | 000,518,144 | -H-- | M] () -- C:\WINDOWS\KBDALwowbad.exe
    [2011/05/27 17:13:46 | 000,514,048 | -H-- | M] () -- C:\WINDOWS\shginawowbad.exe
    [2011/05/27 17:13:38 | 000,261,632 | ---- | M] (Borland Software Corporation) -- C:\WINDOWS\System32\mscories32.dll
    [2011/05/27 17:13:38 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\44317220
    [2011/05/27 17:13:32 | 000,201,728 | ---- | M] () -- C:\WINDOWS\System32\mscories32.exe

    :Files
    ipconfig /flushdns /c
    C:\WINDOWS\system32\11.tmp
    C:\Documents and Settings\Linda\Application Data\SysWin\lsass.exe
    C:\WINDOWS\system32\msrclr4032.exe
    C:\WINDOWS\system32\BROSNMP32.exe

    :Commands
    [purity]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the fix log it produces in your next reply or you can find it in C:\_OTL\MovedFiles

Step 2

Please download Malwarebytes' Anti-Malware

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Step 3

Please don't forget to include these items in your reply:

  • OTL fix log
  • Malwarebytes log
It would be helpful if you could post each log in a separate post.

#7
lgfr
    Member
  • Topic Starter
  • 25 posts
========== PROCESSES ==========
All processes killed
========== OTL ==========
Service UmxFwHlp32 stopped successfully!
Service UmxFwHlp32 deleted successfully!
C:\WINDOWS\system32\BROSNMP32.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\KBDALwow.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\shginawow.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\WCEFLMS deleted successfully.
C:\WINDOWS\system32\WCEFLMS.EXE moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\RTHDBPL deleted successfully.
C:\Documents and Settings\Linda\Application Data\SysWin\lsass.exe moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{719be275-4966-11df-95ef-0026181a0539}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{719be275-4966-11df-95ef-0026181a0539}\ not found.
File K:\setupSNK.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8e574204-08ad-11e0-9653-0026181a0539}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8e574204-08ad-11e0-9653-0026181a0539}\ not found.
File I:\ShellRun.exe StartHere.html not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f6ec17ae-3ccf-11df-95cc-0026181a0539}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f6ec17ae-3ccf-11df-95cc-0026181a0539}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f6ec17ae-3ccf-11df-95cc-0026181a0539}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f6ec17ae-3ccf-11df-95cc-0026181a0539}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f6ec17ae-3ccf-11df-95cc-0026181a0539}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f6ec17ae-3ccf-11df-95cc-0026181a0539}\ not found.
File C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-7-5-16-100031972-100019914-100003244-2638.com d:\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f6ec17ae-3ccf-11df-95cc-0026181a0539}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f6ec17ae-3ccf-11df-95cc-0026181a0539}\ not found.
File C:\RECYCLER\S-7-5-16-100031972-100019914-100003244-2638.com d:\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\WINDOWS\system32\mscories32.dll deleted successfully.
C:\WINDOWS\system32\mscories32.dll moved successfully.
C:\WINDOWS\system32\autodisc32.dll moved successfully.
C:\WINDOWS\System32\1739438284 folder moved successfully.
C:\WINDOWS\System32\SysWoW32 folder moved successfully.
C:\WINDOWS\System32\1245202996 folder moved successfully.
C:\WINDOWS\System32\B3CF20ECE12D5ED97AC84A0E0BB05B01\h folder moved successfully.
C:\WINDOWS\System32\B3CF20ECE12D5ED97AC84A0E0BB05B01\b folder moved successfully.
C:\WINDOWS\System32\B3CF20ECE12D5ED97AC84A0E0BB05B01 folder moved successfully.
File C:\WINDOWS\System32\mscories32.dll not found.
C:\Documents and Settings\Linda\Application Data\SysWin folder moved successfully.
C:\WINDOWS\KBDALwowbad.exe moved successfully.
C:\WINDOWS\shginawowbad.exe moved successfully.
File C:\WINDOWS\System32\mscories32.dll not found.
C:\WINDOWS\system32\44317220 moved successfully.
C:\WINDOWS\system32\mscories32.exe moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Linda\My Documents\Downloads\cmd.bat deleted successfully.
C:\Documents and Settings\Linda\My Documents\Downloads\cmd.txt deleted successfully.
C:\WINDOWS\system32\11.tmp moved successfully.
File\Folder C:\Documents and Settings\Linda\Application Data\SysWin\lsass.exe not found.
C:\WINDOWS\system32\msrclr4032.exe moved successfully.
File\Folder C:\WINDOWS\system32\BROSNMP32.exe not found.
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.23.0 log created on 05302011_092314

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

#8
lgfr
    Member
  • Topic Starter
  • 25 posts
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5363

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/30/2011 10:12:29 AM
mbam-log-2011-05-30 (10-12-18).txt

Scan type: Quick scan
Objects scanned: 130441
Time elapsed: 4 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jgdw400wow.exe (Trojan.TracurW.Gen) -> Value: jgdw400wow.exe -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\localservice\application data\0200000045b75ac91307c.manifest (Malware.Trace) -> No action taken.
c:\documents and settings\localservice\application data\0200000045b75ac91307o.manifest (Malware.Trace) -> No action taken.
c:\documents and settings\localservice\application data\0200000045b75ac91307p.manifest (Malware.Trace) -> No action taken.
c:\documents and settings\localservice\application data\0200000045b75ac91307s.manifest (Malware.Trace) -> No action taken.
c:\WINDOWS\system32\0200000045b75ac91307c.manifest (Malware.Trace) -> No action taken.
c:\WINDOWS\system32\0200000045b75ac91307o.manifest (Malware.Trace) -> No action taken.
c:\WINDOWS\system32\0200000045b75ac91307p.manifest (Malware.Trace) -> No action taken.
c:\WINDOWS\system32\0200000045b75ac91307s.manifest (Malware.Trace) -> No action taken.
c:\WINDOWS\system32\gnuhashes.ini (Trojan.Tracur) -> No action taken.

#9
maliprog
    Trusted Helper
  • Malware Removal
  • 6,172 posts
Why didn't you remove what Malwarebytes found? Make sure that everything is checked, and click the Remove Selected button.

Please scan one more time and remove all malware that Malwarebytes finds.
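Added example, not code from this thread or from Malwarebytes: a small Python parser for the MBAM 1.50 log layout pasted in post #8. It lists every detection left at "No action taken" (the point maliprog raises above) and cross-checks the per-section summary counts against the items actually listed. The sample log and its item names are constructed, and the "Quarantined and deleted successfully." action string is an assumption about what MBAM writes for a removed item.

```python
import re
from dataclasses import dataclass

# Constructed sample in the MBAM 1.50 log layout; item names are illustrative,
# not the thread's. "Quarantined and deleted successfully." is assumed to be
# the action string MBAM writes for an item it removed.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.50.1.1100
Scan type: Quick scan

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.sampleproj (Trojan.BHO) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sample.exe (Trojan.TracurW.Gen) -> Value: sample.exe -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\sample_a.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\sample_b.ini (Trojan.Tracur) -> No action taken.
"""

# "<Section> Infected: N" in the summary block; "<Section> Infected:" alone
# heads the detail list for that section further down.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):(?:\s*(?P<count>\d+))?\s*$")
# "<item> (<category>) -> [extra ->] <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<category>[^()]+)\) -> (?P<rest>.+)$")


@dataclass
class Detection:
    section: str
    item: str
    category: str
    action: str


def parse_mbam_log(text):
    """Return (summary_counts, detections) for an MBAM 1.50-style log."""
    counts, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:
                counts[m.group("name")] = int(m.group("count"))
                section = None          # still inside the summary block
            else:
                section = m.group("name")
            continue
        if section is None or line.startswith("(No malicious items detected)"):
            continue
        d = DETECTION_RE.match(line)
        if d is None:
            continue
        # The action is the last "->" segment; drop the trailing full stop.
        action = d.group("rest").split(" -> ")[-1].rstrip(".")
        detections.append(Detection(section, d.group("item"), d.group("category"), action))
    return counts, detections


def unresolved(detections):
    """Detections left in place, which is what post #9 asks the user about."""
    return [d for d in detections if d.action == "No action taken"]


def count_mismatches(counts, detections):
    """Sections whose summary count disagrees with the items actually listed."""
    listed = {}
    for d in detections:
        listed[d.section] = listed.get(d.section, 0) + 1
    return {name: (n, listed.get(name, 0))
            for name, n in counts.items() if n != listed.get(name, 0)}


if __name__ == "__main__":
    counts, dets = parse_mbam_log(SAMPLE_LOG)
    for d in unresolved(dets):
        print(f"still present: [{d.section}] {d.item} ({d.category})")
```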

#10
lgfr
    Member
  • Topic Starter
  • 25 posts
Sorry - I thought I did. I will do that now.

#11
lgfr
    Member
  • Topic Starter
  • 25 posts
Here are the results. Also, I still see a file called jdgw400wow.exe under windows and another one called mscorier32.exe under windows\system32.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5363

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/30/2011 4:48:26 PM
mbam-log-2011-05-30 (16-48-26).txt

Scan type: Quick scan
Objects scanned: 130360
Time elapsed: 3 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12
maliprog
    Trusted Helper
  • Malware Removal
  • 6,172 posts
We will remove all of them. Please tell me how your system is now. Any problems?

Step 1

Download GMER from Here. Note the file's name and save it to your root folder, such as C:.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Step 2

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named).

First we will run a virus scan.
On the first tab, select all elements down to Computer and then select start scan.
Confirm deletion of all infections AVP finds.
Once it has finished, select report and post that.

Do not close AVPTool or it will self-uninstall; if it does uninstall, just rerun the setup file on your desktop.

Step 3

  • Run OTL.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open a Notepad window, OTL.Txt. This is saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file, and post it with your next reply.

Step 4

Please don't forget to include these items in your reply:

  • GMER log
  • AVP log
  • OTL scan log
It would be helpful if you could post each log in a separate post.

#13
lgfr
    Member
  • Topic Starter
  • 25 posts
I will follow your next steps. Just an update: the computer is running faster, and I just tried to get Windows updates and it now lets me into the update site. I will now run your steps and post them.

#14
lgfr
    Member
  • Topic Starter
  • 25 posts
Here are the results for GMER

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-05-30 18:05:44
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD3200AAJS-65M0A0 rev.01.03E01
Running: lj379cfw.exe; Driver: C:\DOCUME~1\Linda\LOCALS~1\Temp\pwtyipog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ZwCreateKey [0xB38AFFFE]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ZwCreateSymbolicLinkObject [0xB38B0ECB]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ZwMakeTemporaryObject [0xB38B121C]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ZwOpenKey [0xB38AFF62]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ZwOpenSection [0xB38B0BF0]
SSDT \SystemRoot\System32\DRIVERS\kmxagent.sys (HIPS Agent Driver/CA) ZwSetInformationProcess [0xB7133B6F]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ZwSetSystemInformation [0xB38B0FF8]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB717B3A0, 0x59FFE5, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Real\RealPlayer\update\realsched.exe[1232] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\WINDOWS\Explorer.EXE[2300] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 10004400 c:\windows\system32\filemonitor32.dll
.text C:\WINDOWS\Explorer.EXE[2300] SHELL32.dll!SHFileOperationW 7CA708A0 5 Bytes JMP 100067D0 c:\windows\system32\filemonitor32.dll

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisMCoSendComplete] [B7DA0400] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisMSetAttributesEx] [B7DA22A0] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisInitializeWrapper] [B7DA1E60] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisMRegisterMiniport] [B7DA28D0] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisTerminateWrapper] [B7DA24B0] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisMCmRegisterAddressFamily] [B7D9FF90] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisClOpenAddressFamily] [B7D9FE50] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [B7DA1D60] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [B7DA17E0] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisMCoSendComplete] [B7DA0400] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisMSetAttributesEx] [B7DA22A0] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisMCmRegisterAddressFamily] [B7D9FF90] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisReturnPackets] [B7DA0EB0] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisInitializeWrapper] [B7DA1E60] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisTerminateWrapper] [B7DA24B0] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [B7DA1F10] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisMRegisterMiniport] [B7DA28D0] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [B7DA1F10] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B7DA17E0] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisReturnPackets] [B7DA0EB0] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [B7DA1D60] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisMSetAttributesEx] [B7DA22A0] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisTerminateWrapper] [B7DA24B0] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisMRegisterMiniport] [B7DA28D0] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisInitializeWrapper] [B7DA1E60] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\raspptp.sys[NDIS.SYS!NdisMSetAttributesEx] [B7DA22A0] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\raspptp.sys[NDIS.SYS!NdisInitializeWrapper] [B7DA1E60] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\raspptp.sys[NDIS.SYS!NdisMRegisterMiniport] [B7DA28D0] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\raspptp.sys[NDIS.SYS!NdisTerminateWrapper] [B7DA24B0] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\TDI.SYS[NDIS.SYS!NdisReturnPackets] [B7DA0EB0] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisReturnPackets] [B7DA0EB0] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisTerminateWrapper] [B7DA24B0] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisIMAssociateMiniport] [B7DA21C0] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisIMRegisterLayeredMiniport] [B7DA2990] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [B7DA1F10] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisInitializeWrapper] [B7DA1E60] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [B7DA17E0] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisClOpenAddressFamily] [B7D9FE50] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisMSetAttributesEx] [B7DA22A0] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [B7DA1D60] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\raspti.sys[NDIS.SYS!NdisInitializeWrapper] [B7DA1E60] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\raspti.sys[NDIS.SYS!NdisMCoSendComplete] [B7DA0400] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\raspti.sys[NDIS.SYS!NdisMSetAttributesEx] [B7DA22A0] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\raspti.sys[NDIS.SYS!NdisMCmRegisterAddressFamily] [B7D9FF90] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\raspti.sys[NDIS.SYS!NdisMRegisterMiniport] [B7DA28D0] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\raspti.sys[NDIS.SYS!NdisTerminateWrapper] [B7DA24B0] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [B7DA1F10] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [B7DA1D60] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B7DA17E0] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCmRegisterAddressFamily] [B7D9FEF0] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisClOpenAddressFamily] [B7D9FE50] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B7DA1D60] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B7DA17E0] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B7DA1F10] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisReturnPackets] [B7DA0EB0] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisReturnPackets] [B7DA0EB0] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B7DA1F10] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B7DA17E0] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B7DA1D60] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisReturnPackets] [B7DA0EB0] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [B7DA1F10] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [B7DA1D60] kmxstart.sys (HIPS Core Driver/CA)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B7DA17E0] kmxstart.sys (HIPS Core Driver/CA)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip kmxfw.sys (HIPS Firewall Driver/CA)
Device \Driver\Tcpip \Device\Tcp kmxfw.sys (HIPS Firewall Driver/CA)
Device \Driver\Tcpip \Device\Udp kmxfw.sys (HIPS Firewall Driver/CA)
Device \Driver\Tcpip \Device\RawIp kmxfw.sys (HIPS Firewall Driver/CA)
Device \Driver\Tcpip \Device\IPMULTICAST kmxfw.sys (HIPS Firewall Driver/CA)
Device \Driver\AFD \Device\Afd KmxCF.sys (HIPS Content Filter Driver/CA)

---- EOF - GMER 1.0.15 ----

#15
lgfr

  • Topic Starter
Here are the results for AVPTool. I confirmed deletion of infected files, and on several of them I got a message saying the file was deleted and a backup copy was made.

Autoscan: completed 1 minute ago (events: 48, objects: 199187, time: 00:43:18)
5/30/2011 6:59:27 PM Task completed
5/30/2011 6:59:26 PM Deleted: Trojan.Win32.Menti.gnxp C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\SysWoW32\_u575698697v9/setup.exe
5/30/2011 6:59:26 PM Deleted: HEUR:Trojan.Win32.Generic C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\SysWoW32\_u575698697v3/setup.exe
5/30/2011 6:59:23 PM Deleted: Trojan.Win32.Menti.goaz C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\SysWoW32\_u575698697v10/setup.exe
5/30/2011 6:59:23 PM Detected: Trojan.Win32.Menti.gnxp C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\SysWoW32\_u575698697v9/setup.exe
5/30/2011 6:59:20 PM Detected: HEUR:Trojan.Win32.Generic C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\SysWoW32\_u575698697v3/setup.exe
5/30/2011 6:59:19 PM Deleted: HEUR:Trojan.Win32.Generic C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\SysWoW32\wu575698697v3/setup.exe
5/30/2011 6:59:19 PM Detected: Trojan.Win32.Menti.goaz C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\SysWoW32\_u575698697v10/setup.exe
5/30/2011 6:59:18 PM Deleted: Trojan.Win32.Menti.gnxp C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\SysWoW32\wu575698697v9/setup.exe
5/30/2011 6:59:08 PM Deleted: HEUR:Trojan.Win32.Generic C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\SysWoW32\_u575698697v1/setup.exe
5/30/2011 6:59:00 PM Detected: HEUR:Trojan.Win32.Generic C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\SysWoW32\_u575698697v1/setup.exe
5/30/2011 6:59:00 PM Detected: HEUR:Trojan.Win32.Generic C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\SysWoW32\wu575698697v3/setup.exe
5/30/2011 6:59:00 PM Deleted: Trojan.Win32.Menti.goaz C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\SysWoW32\wu575698697v10/setup.exe
5/30/2011 6:59:00 PM Detected: Trojan.Win32.Menti.gnxp C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\SysWoW32\wu575698697v9/setup.exe
5/30/2011 6:58:57 PM Deleted: HEUR:Trojan.Win32.Generic C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\SysWoW32\wu575698697v1/setup.exe
5/30/2011 6:58:57 PM Detected: Trojan.Win32.Menti.goaz C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\SysWoW32\wu575698697v10/setup.exe
5/30/2011 6:58:57 PM Deleted: Trojan.Win32.Menti.gnzc C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\SysWoW32\@u575698697v2/setup.exe
5/30/2011 6:58:57 PM Deleted: HEUR:Trojan.Win32.Generic C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\SysWoW32\@u575698697v3/setup.exe
5/30/2011 6:58:48 PM Detected: HEUR:Trojan.Win32.Generic C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\SysWoW32\@u575698697v3/setup.exe
5/30/2011 6:58:47 PM Detected: HEUR:Trojan.Win32.Generic C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\SysWoW32\wu575698697v1/setup.exe
5/30/2011 6:58:47 PM Deleted: HEUR:Trojan.Win32.Generic C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\msrclr4032.exe
5/30/2011 6:58:47 PM Detected: Trojan.Win32.Menti.gnzc C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\SysWoW32\@u575698697v2/setup.exe
5/30/2011 6:58:46 PM Deleted: Trojan.Win32.Menti.gnup C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\SysWoW32\@u575698697v1/setup.exe
5/30/2011 6:58:45 PM Deleted: HEUR:Trojan.Win32.Generic C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\mscories32.dll
5/30/2011 6:58:39 PM Detected: Trojan.Win32.Menti.gnup C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\SysWoW32\@u575698697v1/setup.exe
5/30/2011 6:58:39 PM Deleted: Trojan.Win32.Swisyn.bgsn C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\mscories32.exe
5/30/2011 6:58:32 PM Detected: HEUR:Trojan.Win32.Generic C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\msrclr4032.exe
5/30/2011 6:58:32 PM Deleted: HEUR:Trojan.Win32.Generic C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\11.tmp
5/30/2011 6:58:31 PM Detected: Trojan.Win32.Swisyn.bgsn C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\mscories32.exe
5/30/2011 6:58:31 PM Detected: HEUR:Trojan.Win32.Generic C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\mscories32.dll
5/30/2011 6:58:31 PM Deleted: HEUR:Trojan.Win32.Generic C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\BROSNMP32.exe
5/30/2011 6:58:31 PM Deleted: Trojan.Win32.Menti.gndk C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\autodisc32.dll
5/30/2011 6:58:21 PM Detected: HEUR:Trojan.Win32.Generic C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\BROSNMP32.exe
5/30/2011 6:58:20 PM Deleted: Trojan.Win32.Menti.gnsd C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\shginawowbad.exe
5/30/2011 6:58:20 PM Detected: Trojan.Win32.Menti.gndk C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\autodisc32.dll
5/30/2011 6:58:20 PM Deleted: Trojan.Win32.Menti.gnzv C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\KBDALwowbad.exe
5/30/2011 6:58:19 PM Detected: HEUR:Trojan.Win32.Generic C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\system32\11.tmp
5/30/2011 6:58:19 PM Deleted: Trojan.Win32.Swisyn.bgsn C:\_OTL\MovedFiles\05302011_092314\C_Documents and Settings\Linda\Application Data\SysWin\lsass.exe
5/30/2011 6:58:01 PM Detected: Trojan.Win32.Menti.gnsd C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\shginawowbad.exe
5/30/2011 6:58:01 PM Detected: Trojan.Win32.Menti.gnzv C:\_OTL\MovedFiles\05302011_092314\C_WINDOWS\KBDALwowbad.exe
5/30/2011 6:58:01 PM Detected: Trojan.Win32.Swisyn.bgsn C:\_OTL\MovedFiles\05302011_092314\C_Documents and Settings\Linda\Application Data\SysWin\lsass.exe
5/30/2011 6:55:15 PM Deleted: Trojan.Win32.Swisyn.bgsn C:\WINDOWS\system32\mscorier32.exe
5/30/2011 6:55:00 PM Detected: Trojan.Win32.Swisyn.bgsn C:\WINDOWS\system32\mscorier32.exe
5/30/2011 6:49:30 PM Deleted: HEUR:Trojan.Win32.Generic C:\WINDOWS\jgdw400wowbad.exe
5/30/2011 6:49:29 PM Deleted: Trojan.Win32.Menti.gndk C:\System Volume Information\_restore{92FC6BE7-E1D1-47FD-971A-5C2C81F550F8}\RP156\A0017925.dll
5/30/2011 6:48:18 PM Detected: HEUR:Trojan.Win32.Generic C:\WINDOWS\jgdw400wowbad.exe
5/30/2011 6:47:58 PM Detected: Trojan.Win32.Menti.gndk C:\System Volume Information\_restore{92FC6BE7-E1D1-47FD-971A-5C2C81F550F8}\RP156\A0017925.dll
5/30/2011 6:16:09 PM Task started