[Racingal60]

We were notified by our web carrier last night (July 17) that we had several spamcop reports indicating that spam emails were coming from our IP Address. The graph he sent us showed our bandwidth usage (the spam was the green (SMTP) on the outbound bandwidth. This would not be using our email addresses, but routing spam out of the infected computer with "bogus" email addresses. I immediately went to my office and shut down all computers.

The one I'm working on began to give us problems (very slow internet connection, and very slow all around) on Monday, July 15th and has continued to get worse.

I disconnected it from the internet this morning and ran MBAM and Ccleaner. It found 2 items (qasutbeqhisg.exe (Trojan.Packer)) and (ladyxwubusce.exe (Trojan.Packer))in my registry Values and in my Documents and Settings/Name? file and was able to quarantine and delete them successfully and told me I needed to finish by deleting on reboot, which I did.

I reconnected the computer to the network, booted it back up about 1/2 hour ago and just received a call from our web carrier that it was doing it again. I would appreciate any help you can give me or suggestions how to remove this from this computer.

I just ran the OTL Log and am copying it here:


OTL logfile created on: 7/18/2013 11:39:30 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Dawn\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.24 Gb Total Physical Memory | 2.22 Gb Available Physical Memory | 68.57% Memory free
6.32 Gb Paging File | 5.51 Gb Available in Paging File | 87.26% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.71 Gb Total Space | 318.32 Gb Free Space | 68.35% Space Free | Partition Type: NTFS
Drive E: | 1.90 Gb Total Space | 1.83 Gb Free Space | 96.08% Space Free | Partition Type: FAT
Drive S: | 465.72 Gb Total Space | 431.57 Gb Free Space | 92.67% Space Free | Partition Type: NTFS

Computer Name: GINA1 | User Name: Dawn | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/07/18 11:39:13 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dawn\My Documents\Downloads\OTL.exe
PRC - [2013/07/16 07:24:28 | 000,040,448 | ---- | M] () -- C:\Documents and Settings\Dawn\ganukdyxypyx.exe
PRC - [2013/07/12 13:49:47 | 000,846,288 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Chrome\Application\chrome.exe
PRC - [2013/04/05 03:53:30 | 000,121,600 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\IPROSetMonitor.exe
PRC - [2013/01/11 17:16:44 | 000,530,488 | ---- | M] (Gillware Data Services, LLC) -- C:\Program Files\Gillware Remote Backup\ArchiveService.exe
PRC - [2013/01/02 12:21:37 | 000,161,664 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2010/08/05 20:11:44 | 001,885,488 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Smc.exe
PRC - [2010/08/05 20:05:52 | 001,459,568 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\SmcGui.exe
PRC - [2010/07/01 18:17:24 | 001,832,072 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2010/05/06 18:21:14 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2009/11/27 17:05:30 | 000,641,024 | ---- | M] (WinMagic Inc.) -- C:\Program Files\WinMagic\SecureDoc-NT\SDService.exe
PRC - [2008/10/04 14:58:04 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/11 18:50:16 | 000,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe


========== Modules (No Company Name) ==========

MOD - [2013/07/16 07:24:28 | 000,040,448 | ---- | M] () -- C:\Documents and Settings\Dawn\ganukdyxypyx.exe
MOD - [2013/07/12 13:49:44 | 000,396,240 | ---- | M] () -- C:\Program Files\Google\Chrome\Application\28.0.1500.72\ppgooglenaclpluginchrome.dll
MOD - [2013/07/12 13:49:43 | 013,599,184 | ---- | M] () -- C:\Program Files\Google\Chrome\Application\28.0.1500.72\PepperFlash\pepflashplayer.dll
MOD - [2013/07/12 13:49:42 | 004,052,944 | ---- | M] () -- C:\Program Files\Google\Chrome\Application\28.0.1500.72\pdf.dll
MOD - [2013/07/12 13:48:49 | 001,597,392 | ---- | M] () -- C:\Program Files\Google\Chrome\Application\28.0.1500.72\ffmpegsumo.dll
MOD - [2013/01/11 17:16:44 | 000,057,400 | ---- | M] () -- C:\Program Files\Gillware Remote Backup\zlib_gw.dll
MOD - [2013/01/11 17:16:34 | 000,031,800 | ---- | M] () -- C:\Program Files\Gillware Remote Backup\ArchiveTypesPS.dll
MOD - [2009/11/27 17:05:12 | 000,018,432 | ---- | M] () -- C:\WINDOWS\system32\SDXML.dll
MOD - [2009/11/27 17:05:02 | 000,527,360 | ---- | M] () -- C:\WINDOWS\system32\sdck.dll
MOD - [2008/04/13 19:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/13 19:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll


========== Services (SafeList) ==========

SRV - [2013/07/11 14:46:38 | 000,257,416 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/04/05 03:53:30 | 000,121,600 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\WINDOWS\system32\IPROSetMonitor.exe -- (Intel®
SRV - [2013/01/11 17:16:44 | 000,530,488 | ---- | M] (Gillware Data Services, LLC) [Auto | Running] -- C:\Program Files\Gillware Remote Backup\ArchiveService.exe -- (ArchiveService)
SRV - [2013/01/02 12:21:37 | 000,161,664 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2011/10/31 09:55:49 | 000,013,160 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\615\g2aservice.exe -- (GoToAssist)
SRV - [2010/08/05 20:11:44 | 001,885,488 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Smc.exe -- (SmcService)
SRV - [2010/07/01 18:17:24 | 001,832,072 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2010/07/01 17:24:02 | 000,357,704 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec AntiVirus\SNAC.EXE -- (SNAC)
SRV - [2010/05/06 18:21:14 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2010/05/06 18:21:14 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2010/02/17 11:53:18 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2009/11/27 17:05:30 | 000,641,024 | ---- | M] (WinMagic Inc.) [Auto | Running] -- C:\Program Files\WinMagic\SecureDoc-NT\SDService.exe -- (WinMagic SecureDoc Service)
SRV - [2008/10/04 14:58:04 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_DellSupportCenter)
SRV - [2008/01/11 18:50:16 | 000,030,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\SBREdrv.sys -- (SBRE)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [File_System | Boot | Stopped] -- system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\GINADO~1\LOCALS~1\Temp\_B0E3.tmp\FoxAwdWINFLASH.sys -- (FoxAwdWINFLASH)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2013/06/17 03:00:00 | 001,611,992 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20130712.016\NAVEX15.SYS -- (NAVEX15)
DRV - [2013/06/17 03:00:00 | 000,093,272 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20130712.016\NAVENG.SYS -- (NAVENG)
DRV - [2013/04/05 05:11:04 | 000,031,048 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iqvw32.sys -- (NAL)
DRV - [2012/08/15 03:00:00 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/08/10 03:00:00 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2011/06/02 10:08:34 | 000,011,336 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\SystemRequirementsLab\cpudrv.sys -- (cpudrv)
DRV - [2011/02/21 10:09:38 | 000,125,488 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/03/08 13:59:14 | 000,320,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2010/03/08 13:59:14 | 000,283,184 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP)
DRV - [2010/03/08 13:59:14 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2009/12/18 16:42:12 | 000,421,424 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2009/11/18 16:07:12 | 000,179,200 | ---- | M] (WinMagic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SDDisk2K.sys -- (SDDisk2K)
DRV - [2009/09/28 11:53:00 | 000,020,224 | ---- | M] (WinMagic, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\PinFile.sys -- (PinFile)
DRV - [2009/09/25 15:57:24 | 000,117,120 | ---- | M] (WinMagic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SDDToki.sys -- (SDDToki)
DRV - [2009/09/25 15:57:24 | 000,075,520 | ---- | M] (WinMagic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SDDVD.sys -- (SDDVD)
DRV - [2009/09/03 17:03:48 | 000,188,080 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\symtdi.sys -- (SYMTDI)
DRV - [2009/09/03 17:03:48 | 000,026,416 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\symredrv.sys -- (SYMREDRV)
DRV - [2009/03/05 14:03:34 | 000,016,512 | ---- | M] (WinMagic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SDUPC.sys -- (SDUPC)
DRV - [2007/07/16 20:48:54 | 004,403,712 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1081208
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1081208
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1081208
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co...html?channel=us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co...html?channel=us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...1I7DKUS_enUS311
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}sugkey={google:suggestAPIKeyParameter},
CHR - homepage: http://www.excite.com/
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\28.0.1500.72\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\28.0.1500.72\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\28.0.1500.72\gcswf32.dll
CHR - plugin: Wajam (Enabled) = C:\Documents and Settings\Dawn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp\1.24_0\plugins/PriamNPAPI.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 7.0.0.147 (Enabled) = C:\Program Files\Java\jre7\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 7 (Enabled) = C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Documents and Settings\Dawn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\
CHR - Extension: Google Search = C:\Documents and Settings\Dawn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\
CHR - Extension: Gmail = C:\Documents and Settings\Dawn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2004/08/04 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe File not found
O4 - HKCU..\Run: [ganukdyxypyx] C:\Documents and Settings\Dawn\ganukdyxypyx.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {123FE8C9-0BDC-4946-A854-DDBA7398CF64} https://www.fts.newy...ftwebupdate.cab (Reg Error: Key error.)
O16 - DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} Reg Error: Key error. (ERPageAddin Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0)
O16 - DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F4D662B4-C5C2-4337-8824-C04913A6029F}: DhcpNameServer = 10.0.0.1
O18 - Protocol\Handler\sds {79E0F14C-9C52-4218-89A7-7C4B0563D121} - C:\Program Files\SHARP\Sharpdesk\ExplorerExtensions.dll (SHARP CORPORATION)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (SDocGina.dll) - C:\WINDOWS\System32\SDocGina.dll (Winmagic Inc.)
O20 - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files\Citrix\GoToAssist\615\G2AWinLogon.dll) - C:\Program Files\Citrix\GoToAssist\615\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\dell.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\dell.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 18:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{a0ca232a-9564-11e2-a5b9-00219b06268b}\Shell - "" = AutoRun
O33 - MountPoints2\{a0ca232a-9564-11e2-a5b9-00219b06268b}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a0ca232a-9564-11e2-a5b9-00219b06268b}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/07/18 11:01:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome
[2013/07/18 08:36:07 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Dawn\Recent
[2013/07/17 13:43:29 | 000,000,000 | ---D | C] -- C:\Program Files\SystemRequirementsLab
[2013/07/17 13:43:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dawn\Application Data\SystemRequirementsLab
[2013/07/17 11:32:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dawn\Local Settings\Application Data\Deployment
[2013/07/17 11:32:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\QuickTime
[2013/07/17 11:31:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2013/07/17 11:30:45 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2013/07/17 08:10:18 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2013/07/16 13:16:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dawn\My Documents\temp

========== Files - Modified Within 30 Days ==========

[2013/07/18 11:34:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/07/18 11:05:06 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/07/18 11:05:00 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/07/18 11:01:15 | 000,001,864 | ---- | M] () -- C:\Documents and Settings\Dawn\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2013/07/18 11:01:15 | 000,001,846 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2013/07/18 10:54:41 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/07/18 10:53:55 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/07/18 10:53:53 | 3478,274,048 | -HS- | M] () -- C:\hiberfil.sys
[2013/07/18 10:50:53 | 000,005,032 | ---- | M] () -- C:\WINDOWS\wcds.ini
[2013/07/18 10:35:44 | 000,000,105 | ---- | M] () -- C:\prefs.js
[2013/07/18 10:28:56 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2013/07/18 10:00:35 | 000,000,390 | ---- | M] () -- C:\WINDOWS\tasks\Gillware Remote Backup - DefaultCritical.job
[2013/07/18 08:29:02 | 000,000,817 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/07/17 15:13:00 | 000,000,308 | ---- | M] () -- C:\WINDOWS\tasks\Gillware Remote Backup - Remote Backup Updater.job
[2013/07/17 15:04:02 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\Gillware Remote Backup - Upload Event Log.job
[2013/07/17 14:55:00 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2013/07/17 12:12:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2013/07/17 08:10:40 | 000,001,637 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2013/07/16 18:49:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2013/07/16 18:45:03 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\Gillware Remote Backup - DefaultLow.job
[2013/07/16 18:30:00 | 000,000,382 | ---- | M] () -- C:\WINDOWS\tasks\Gillware Remote Backup - DefaultHigh.job
[2013/07/16 18:15:01 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\Gillware Remote Backup - DefaultMedium.job
[2013/07/16 07:24:28 | 000,040,448 | ---- | M] () -- C:\Documents and Settings\Dawn\ganukdyxypyx.exe
[2013/07/15 23:04:03 | 000,000,272 | ---- | M] () -- C:\WINDOWS\tasks\Gillware Remote Backup - Audit.job
[2013/07/12 09:28:24 | 000,002,483 | ---- | M] () -- C:\Documents and Settings\Dawn\Desktop\Microsoft Office PowerPoint 2007.lnk
[2013/07/11 16:15:44 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\TempWmicBatchFile.bat
[2013/07/11 07:54:37 | 000,269,392 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/07/10 16:55:05 | 000,599,624 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/07/10 16:55:05 | 000,121,790 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/07/10 14:57:02 | 000,000,833 | ---- | M] () -- C:\Documents and Settings\Dawn\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2013/07/10 14:57:02 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Dawn\Desktop\Windows Media Player.lnk
[2013/07/08 16:16:28 | 000,000,000 | ---- | M] () -- C:\END

========== Files Created - No Company Name ==========

[2013/07/18 11:01:15 | 000,001,846 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2013/07/18 11:00:16 | 000,000,882 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/07/18 11:00:15 | 000,000,878 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/07/18 10:35:44 | 000,000,105 | ---- | C] () -- C:\prefs.js
[2013/07/17 13:46:34 | 000,001,904 | ---- | C] () -- C:\WINDOWS\System32\SetupBD.din
[2013/07/17 08:10:40 | 000,001,637 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2013/07/16 07:24:54 | 000,040,448 | ---- | C] () -- C:\Documents and Settings\Dawn\ganukdyxypyx.exe
[2013/07/10 14:57:02 | 000,000,833 | ---- | C] () -- C:\Documents and Settings\Dawn\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2013/04/03 12:52:36 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\Dawn\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2013/03/27 08:01:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\BackupServiceFormView.INI
[2013/03/25 08:59:52 | 000,000,120 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2012/10/10 12:17:07 | 000,000,027 | ---- | C] () -- C:\WINDOWS\FTSL.INI
[2012/02/15 19:05:04 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/09/22 16:28:01 | 000,000,049 | ---- | C] () -- C:\WINDOWS\entpack.ini
[2011/09/15 12:52:11 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/02/06 11:56:26 | 000,000,278 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc

========== ZeroAccess Check ==========

[2004/08/11 18:21:56 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 19:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 07:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/13 19:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2013/06/04 12:13:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG SafeGuard toolbar
[2009/03/10 17:00:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2013/06/04 12:12:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2012/07/11 07:57:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GFI Software
[2009/01/21 15:10:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\New York Life
[2008/12/07 22:58:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC-Doctor
[2008/12/07 22:58:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCDr
[2013/02/13 13:39:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RICOH
[2010/01/14 12:24:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sharp
[2010/01/14 12:29:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sharpdesk
[2008/12/07 22:58:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2008/12/07 22:55:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall
[2010/09/21 12:04:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2013/06/04 12:13:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dawn\Application Data\AVG SafeGuard toolbar
[2013/06/04 12:12:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dawn\Application Data\DSite
[2013/07/16 07:58:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dawn\Application Data\Enpiqu
[2009/01/21 15:10:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dawn\Application Data\New York Life
[2013/07/17 13:43:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dawn\Application Data\SystemRequirementsLab
[2013/04/01 11:16:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dawn\Application Data\Windows Search

========== Purity Check ==========



< End of report >

[Advertisements]

Hello Racinggal60, Welcome to the forums!
. My name is godawgs and I will be assisting you with your Virus / Malware issues.
I will start working on your Malware issues. This may, or may not, solve other issues you have with your machine. The fixes are specific to your problem and should only be used for this issue on this machine!

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.
If you have not, please adhere to the guidelines below and then carefully follow all future instructions:

You must reply to posts within four days. If you haven't replied within that time, the topic will be closed! If you need additional time to complete things, just let me know.
If you're not sure, or if something unexpected happens, Do NOT continue! Stop and ask!

This board can notify you when a new reply is added to a topic. Please read this topic to find out how to do that.

Please do not run any tools unless instructed to do so.

• We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability. Do as the instructions ask, nothing extra. Do Not run things twice unless instructed.
• Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
• If I ask a Question just answer it, don't run anything unless directed to.

Please read every post completely before doing anything.

• Pay special attention to the NOTE: lines, or anything in red. These entries identify an individual issue or important step in the cleanup process.
• Please make sure you are saving and printing the instructions out prior to each fix, this way you will have them on hand just in case you are unable to access this site. Some of the steps I will be asking you to do may require you to boot into Safe Mode and this process will be much easier for you to perform if the instructions are printed out for you to follow.
• Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post unless directed otherwise.

Logs from malware diagnostic or removal programs (OTL is one of them) can take some time to analyze.

• I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forum, (sometimes )
• Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.

Lastly, Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. Some infections are so severe that we might encounter situations where the only recourse is to re-format and re-install your operating system. Don't worry, this only happens in severe cases, but, sadly, it does happen.
In light of this be prepared to back up your data. Have means of backing up your data available.

IMPORTANT:Change your browser(s) to download any tools to the desktop.
Follow the directions here
For FireFox check the dot beside "Always ask me where to save files."
For Chrome, check the box beside "Ask where to save each file before downloading"
NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

When OTL runs the first time it creates a file named Extras.txt. It should be in the same directory you ran OTL from. Please post the contents of that file.


Step-1.

Run RogueKiller

NOTE: If using IE8 or better the Smartscreen Filter will need to be disabled. Directions for disabling the SmartScreen Filter in IE 8, 9 and 10 can be found: here

• Click here to go to the RogueKiller download page.
• Click the Build 32 bits (x86): download button and save the RogueKiller.exe file to the desktop.

• Quit all programs and close all browsers.
• Double click the RogueKiller icon to run the program.
  NOTE: If this is the first time you have used the program you will need to accept the User Agreement.
• Wait until Prescan has finished ...This may take a few minutes, especially if it is the first time you have used the program.
• Click on Scan
  
  
  
• Wait for the end of the scan.
• DO NOT delete anything at this time.
• The report has been created on the desktop.

Please post:
All RKreport.txt text files located on your desktop.
NOTE: If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again


Step-2

AdwCleaner by Xplode

Download AdwCleaner from here to your desktop.
Close all open windows and browsers.

• XP users, double click the adwcleaner.exe file to run AdwCleaner.
  
  
• Click the Search button and wait for the scan to finish.
• Once done it may ask to reboot, allow this. Do Not delete anyhting at this time.
• On reboot a log will be produced please copy/paste that in your next reply. This report is also saved to C:\AdwCleaner[R1].txt

Step-3.

Run aswMBR

• Download aswMBR.exe to your desktop.
• Double click the aswMBR.exe file to run it.
• If it asks you if you want to download the latest virus definitions, click "No"
  
  
• Click the "Scan" button to start the scan
  
  
• On completion of the scan click save log. Save it to your desktop and post in your next reply.
  

NOTE: When you run aswMBR, if it is shutdown automatically, then it is most likely the infection detecting that aswMBR is running and terminating it. In this situation you should rename the executable (aswMBR.exe) to iexplore.exe and try it again.


Step-4.

Virustotal File Upload:

To use Virustotal go Here

• Click the Choose File button in the middle of the screen. This will open a File Upload window.
• On the File Upload window, in the File name box, type, or copy and paste the following and click Open:
  NOTE.. Only one file per scan
  
  C:\Documents and Settings\Dawn\ganukdyxypyx.exe.
  
• This will put the file in the box on the Virustotal page.
• Click the Scan it! button.
• IF you get a message that the file has already been analyzed click the Reanalyze button and the file will be scanned.
• Please be patient while the file is scanned. It may take several minutes.
• Once the scan results appear, please copy and paste the Virustotal link(s) (URL) in your next reply

Things For Your Next Post:
Please post the logs in the order requested. Do Not attach the logs unless I request it.
1. the RKreport.txt log
2. The AdwCleaner[R1].txt log
3. The aswMBR log
4. The VirusTotla link
5. The Extras.txt log

[godawgs]

Hello Racinggal60, Welcome to the forums!
. My name is godawgs and I will be assisting you with your Virus / Malware issues.
I will start working on your Malware issues. This may, or may not, solve other issues you have with your machine. The fixes are specific to your problem and should only be used for this issue on this machine!

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.
If you have not, please adhere to the guidelines below and then carefully follow all future instructions:

You must reply to posts within four days. If you haven't replied within that time, the topic will be closed! If you need additional time to complete things, just let me know.
If you're not sure, or if something unexpected happens, Do NOT continue! Stop and ask!

This board can notify you when a new reply is added to a topic. Please read this topic to find out how to do that.

Please do not run any tools unless instructed to do so.

• We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability. Do as the instructions ask, nothing extra. Do Not run things twice unless instructed.
• Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
• If I ask a Question just answer it, don't run anything unless directed to.

Please read every post completely before doing anything.

• Pay special attention to the NOTE: lines, or anything in red. These entries identify an individual issue or important step in the cleanup process.
• Please make sure you are saving and printing the instructions out prior to each fix, this way you will have them on hand just in case you are unable to access this site. Some of the steps I will be asking you to do may require you to boot into Safe Mode and this process will be much easier for you to perform if the instructions are printed out for you to follow.
• Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post unless directed otherwise.

Logs from malware diagnostic or removal programs (OTL is one of them) can take some time to analyze.

• I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forum, (sometimes )
• Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.

Lastly, Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. Some infections are so severe that we might encounter situations where the only recourse is to re-format and re-install your operating system. Don't worry, this only happens in severe cases, but, sadly, it does happen.
In light of this be prepared to back up your data. Have means of backing up your data available.

IMPORTANT:Change your browser(s) to download any tools to the desktop.
Follow the directions here
For FireFox check the dot beside "Always ask me where to save files."
For Chrome, check the box beside "Ask where to save each file before downloading"
NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

When OTL runs the first time it creates a file named Extras.txt. It should be in the same directory you ran OTL from. Please post the contents of that file.


Step-1.

Run RogueKiller

NOTE: If using IE8 or better the Smartscreen Filter will need to be disabled. Directions for disabling the SmartScreen Filter in IE 8, 9 and 10 can be found: here

• Click here to go to the RogueKiller download page.
• Click the Build 32 bits (x86): download button and save the RogueKiller.exe file to the desktop.

• Quit all programs and close all browsers.
• Double click the RogueKiller icon to run the program.
  NOTE: If this is the first time you have used the program you will need to accept the User Agreement.
• Wait until Prescan has finished ...This may take a few minutes, especially if it is the first time you have used the program.
• Click on Scan
  
  
  
• Wait for the end of the scan.
• DO NOT delete anything at this time.
• The report has been created on the desktop.

Please post:
All RKreport.txt text files located on your desktop.
NOTE: If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again


Step-2

AdwCleaner by Xplode

Download AdwCleaner from here to your desktop.
Close all open windows and browsers.

• XP users, double click the adwcleaner.exe file to run AdwCleaner.
  
  
• Click the Search button and wait for the scan to finish.
• Once done it may ask to reboot, allow this. Do Not delete anyhting at this time.
• On reboot a log will be produced please copy/paste that in your next reply. This report is also saved to C:\AdwCleaner[R1].txt

Step-3.

Run aswMBR

• Download aswMBR.exe to your desktop.
• Double click the aswMBR.exe file to run it.
• If it asks you if you want to download the latest virus definitions, click "No"
  
  
• Click the "Scan" button to start the scan
  
  
• On completion of the scan click save log. Save it to your desktop and post in your next reply.
  

NOTE: When you run aswMBR, if it is shutdown automatically, then it is most likely the infection detecting that aswMBR is running and terminating it. In this situation you should rename the executable (aswMBR.exe) to iexplore.exe and try it again.


Step-4.

Virustotal File Upload:

To use Virustotal go Here

• Click the Choose File button in the middle of the screen. This will open a File Upload window.
• On the File Upload window, in the File name box, type, or copy and paste the following and click Open:
  NOTE.. Only one file per scan
  
  C:\Documents and Settings\Dawn\ganukdyxypyx.exe.
  
• This will put the file in the box on the Virustotal page.
• Click the Scan it! button.
• IF you get a message that the file has already been analyzed click the Reanalyze button and the file will be scanned.
• Please be patient while the file is scanned. It may take several minutes.
• Once the scan results appear, please copy and paste the Virustotal link(s) (URL) in your next reply

Things For Your Next Post:
Please post the logs in the order requested. Do Not attach the logs unless I request it.
1. the RKreport.txt log
2. The AdwCleaner[R1].txt log
3. The aswMBR log
4. The VirusTotla link
5. The Extras.txt log

[Racingal60]

Before I do anything else - I'm pasting the Extras.txt below. I will then proceed from here to do what you requested. Thank you!

OTL Extras logfile created on: 7/18/2013 11:39:30 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Dawn\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.24 Gb Total Physical Memory | 2.22 Gb Available Physical Memory | 68.57% Memory free
6.32 Gb Paging File | 5.51 Gb Available in Paging File | 87.26% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.71 Gb Total Space | 318.32 Gb Free Space | 68.35% Space Free | Partition Type: NTFS
Drive E: | 1.90 Gb Total Space | 1.83 Gb Free Space | 96.08% Space Free | Partition Type: FAT
Drive S: | 465.72 Gb Total Space | 431.57 Gb Free Space | 92.67% Space Free | Partition Type: NTFS

Computer Name: GINA1 | User Name: Dawn | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"4363:UDP" = 4363:UDP:*:Enabled:UDP 4363
"5711:TCP" = 5711:TCP:*:Enabled:TCP 5711

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\Sybase\SQL Anywhere 9\win32\dbeng9.exe" = C:\Program Files\Sybase\SQL Anywhere 9\win32\dbeng9.exe:*:Enabled:Adaptive Server Anywhere Database Engine -- (iAnywhere Solutions, Inc.)
"C:\Program Files\SHARP\Sharpdesk\FTPServer.exe" = C:\Program Files\SHARP\Sharpdesk\FTPServer.exe:*:Enabled:Network Scanner Tool -- (SHARP CORPORATION)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Symantec AntiVirus\Smc.exe" = C:\Program Files\Symantec AntiVirus\Smc.exe:*:Enabled:SMC Service -- (Symantec Corporation)
"C:\Program Files\Symantec AntiVirus\SNAC.EXE" = C:\Program Files\Symantec AntiVirus\SNAC.EXE:*:Enabled:SNAC Service -- (Symantec Corporation)
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe" = C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:Symantec Email -- (Symantec Corporation)
"C:\Program Files\WinMagic\SecureDoc-NT\SDPin.exe" = C:\Program Files\WinMagic\SecureDoc-NT\SDPin.exe:*:Enabled:SecureDoc -- (Winmagic Inc.)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\DOCUME~1\Dawn\LOCALS~1\Temp\WKT7A99\/JTi.exe" = C:\DOCUME~1\Dawn\LOCALS~1\Temp\WKT7A99\/JTi.exe:*:Enabled:Microsoft Office
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0393EDA7-888A-4FF4-800F-2984CEA1ECCA}" = XSL Formatter V4.1
"{0788DF0B-2627-4D6A-B7DA-8853CF1884F0}" = FTIS 2012.3
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Creator Data
"{09760D42-E223-42AD-8C3E-55B47D0DDAC3}" = Roxio Creator DE
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0A1E0BDA-5E8F-436d-8BE5-7E97C5CB899D}" = Quicken 2012
"{0AEF384B-610F-4309-8DA3-91834FE4E80E}" = Sharpdesk
"{123260D2-F148-11D0-BA76-00A024E16E89}" = eRoom 7 Client
"{12FF4497-E886-4811-B1A4-2392B33B6EAB}" = ActiveX Safe for Scripting
"{13766F76-6C8C-4E57-A9F3-3212D1C6E0D1}" = Dell DataSafe Online
"{13F00518-807A-4B3A-83B0-A7CD90F3A398}" = MarketResearch
"{15C77FC3-8137-4A5E-8F81-F559045DD6B0}" = Click-N-Ship® for Business
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Creator Tools
"{26A24AE4-039D-4CA4-87B4-2F83217000FF}" = Java™ 7
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
"{2E33C510-1084-458F-B7E2-A43126D6FFA3}" = FTIS 2011.1
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{306B34AA-113E-4C51-BB71-C9446AE19EEA}" = Gillware Remote Backup
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35343FF7-939B-401A-87B3-FF90A5123D88}" = Microsoft XML Parser and SDK
"{38ADB9A6-798C-11D6-A855-00105A80791C}" = OKI Network Extension
"{39CE07EA-8835-4870-AB9C-CF352C74E476}" = Field Technology Illustration System
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3F9ECA3C-098F-4318-A63C-48CE4612323C}" = FTIS-MSI
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{553C904F-57A2-4113-888E-BA0C3D1C69C0}" = Microsoft VC9 runtime libraries
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5D09C772-ECB3-442B-9CC6-B4341C78FDC2}" = Apple Application Support
"{5D3EC4A2-5E19-4EF3-A9DA-6FBECEC38DF3}" = FTIS 2011.3
"{63F460A2-861E-49F8-8E7B-2E207BA7BB00}" = SecureDoc Disk Encryption
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{6E495AA5-13E8-46F6-9A19-5840B2844057}" = Impact Modules Cleanup
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Creator Audio
"{75BEC599-A886-41C7-9928-C234F1755DB6}" = FTIS 2013.1
"{7670D32F-DAE6-4E49-8C8B-B3F08B5B1686}" = Microsoft SQL Server Native Client
"{768FEBD2-66DE-4C0B-9CC1-254569793B72}" = Field Technology Illustration System
"{76967F2B-A604-471C-A4F1-7C4E03CC6D1C}" = Field Technology Messaging
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7902E313-FF0F-4493-ACB1-A8147B78DCD0}" = HPSSupply
"{7AB0CBD6-15E2-4254-95A9-BC1D99676245}" = FTIS-MSI
"{8054D734-39C7-463D-B764-9C883982B8F9}" = VC_CRT_x86
"{833CC56C-5A22-4DB3-9029-E069DB1A0A9F}" = Field Technology Illustration System
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8CB35C7E-E506-4DC4-8E39-7DFC4E826C45}" = hppusgP2030
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_SMALLBUSINESSR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_SMALLBUSINESSR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{903679E8-44C8-4C07-9600-05C92654FC50}" = QualXServ Service Agreement
"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{91120000-00CA-0000-0000-0000000FF1CE}" = Microsoft Office Small Business 2007
"{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{930ACCA4-718C-4FE4-B613-A6392A1CE35F}" = FTIS 2012.1
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A82D052A-0806-42DF-80CD-1730A1AC0ED3}" = MrvlUsgTracking
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.7)
"{AE88EB3E-75EA-4484-8296-7D1446248A4F}" = Sybase SQL Anywhere 9 Personal Server
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B32C4059-6E7A-41EF-AD20-56DF1872B923}" = Business Contact Manager for Outlook 2007 SP2
"{B67BAFBA-4C9F-48FA-9496-933E3B255044}" = QuickTime
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Creator Copy
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C7CA731B-BF9A-46D9-92CF-8A8737AE9240}" = System Requirements Lab for Intel
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240BD}" = WinZip 14.5
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D9C5B0A6-806B-41BA-9422-5EC97A3FB619}" = FTIS-MSI
"{DBC7F984-25E0-4657-8D78-70AE08356CE5}" = Field Technology Contact System Workstation - NYL
"{DFEAD015-6FA2-4A0F-8E71-A22F38039C24}" = FTIS 2013.3
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)
"{E52A3C66-A4AF-4168-9C65-9B60F5EDECDD}" = Boldon James MasterKeyPlus
"{E7084B89-69E0-46B3-A118-8F99D06988CD}" = Microsoft SQL Server VSS Writer
"{E7D68102-199C-4EC0-8AD9-8295EEA6EFAB}" = Field Technology Illustration System
"{EC31DA16-F6AC-43D5-98EC-EDAD82E15D7B}" = FTIS 2012.2
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Creator DE
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{FA272494-8DEA-43CF-9BFF-652553C04265}" = Symantec Endpoint Protection
"{FCF3ECF7-7AE0-4E26-B387-09A3A80B79CC}" = Intel® Network Connections 18.3.62.0
"Ad-Aware Browsing Protection" = Ad-Aware Browsing Protection
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Business Contact Manager" = Business Contact Manager for Outlook 2007 SP2
"CCleaner" = CCleaner
"CentraClient" = Centra Client
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"FTCSDeInstallKey" = Field Technology Contact System
"FTIS 2010.3.1 Update" = FTIS 2010.3.1 Update
"FTIS 2010.3.2 Update" = FTIS 2010.3.2 Update
"FTIS 2010.3.5 Update" = FTIS 2010.3.5 Update
"FTIS 2010.3.6 Update" = FTIS 2010.3.6 Update
"FTIS 2010.3.7 Update" = FTIS 2010.3.7 Update
"FTIS 2010.3.8 Update" = FTIS 2010.3.8 Update
"FTIS 2012.3.3 Update" = FTIS 2012.3.3 Update
"Google Chrome" = Google Chrome
"GoToAssist" = GoToAssist Corporate
"HDMI" = Intel® Graphics Media Accelerator Driver
"HP LaserJet P2030 Series" = HP LaserJet P2030 Series
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{0788DF0B-2627-4D6A-B7DA-8853CF1884F0}" = Field Technology Illustration System
"InstallShield_{0AEF384B-610F-4309-8DA3-91834FE4E80E}" = Sharpdesk
"InstallShield_{2E33C510-1084-458F-B7E2-A43126D6FFA3}" = Field Technology Illustration System
"InstallShield_{39CE07EA-8835-4870-AB9C-CF352C74E476}" = Field Technology Illustration System
"InstallShield_{3F9ECA3C-098F-4318-A63C-48CE4612323C}" = Field Technology Illustration System
"InstallShield_{5D3EC4A2-5E19-4EF3-A9DA-6FBECEC38DF3}" = Field Technology Illustration System
"InstallShield_{75BEC599-A886-41C7-9928-C234F1755DB6}" = Field Technology Illustration System
"InstallShield_{768FEBD2-66DE-4C0B-9CC1-254569793B72}" = Field Technology Illustration System
"InstallShield_{7AB0CBD6-15E2-4254-95A9-BC1D99676245}" = Field Technology Illustration System
"InstallShield_{833CC56C-5A22-4DB3-9029-E069DB1A0A9F}" = Field Technology Illustration System
"InstallShield_{930ACCA4-718C-4FE4-B613-A6392A1CE35F}" = Field Technology Illustration System
"InstallShield_{D9C5B0A6-806B-41BA-9422-5EC97A3FB619}" = Field Technology Illustration System
"InstallShield_{DFEAD015-6FA2-4A0F-8E71-A22F38039C24}" = Field Technology Illustration System
"InstallShield_{E7D68102-199C-4EC0-8AD9-8295EEA6EFAB}" = Field Technology Illustration System
"InstallShield_{EC31DA16-F6AC-43D5-98EC-EDAD82E15D7B}" = Field Technology Illustration System
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"SHARP AR-351/355/451/455 Series PCL Printer Driver" = SHARP AR-351/355/451/455 Series PCL Printer Driver
"SMALLBUSINESSR" = Microsoft Office Small Business 2007
"SunGard Expert Solutions NYL Path 4.40.011" = SunGard Expert Solutions NYL Path 4.40.011
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 7/17/2013 12:52:44 PM | Computer Name = GINA1 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\QUICKTIME\ABOUT
QUICKTIME.LNK> in the hash map cannot be updated. Context: Application, SystemIndex
Catalog Details: A device attached to the system is not functioning. (0x8007001f)


Error - 7/17/2013 12:52:45 PM | Computer Name = GINA1 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\QUICKTIME\PICTUREVIEWER.LNK>
in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 7/17/2013 12:52:45 PM | Computer Name = GINA1 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\QUICKTIME\PICTUREVIEWER.LNK>
in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 7/17/2013 12:52:45 PM | Computer Name = GINA1 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\QUICKTIME\QUICKTIME
PLAYER.LNK> in the hash map cannot be updated. Context: Application, SystemIndex
Catalog Details: A device attached to the system is not functioning. (0x8007001f)


Error - 7/17/2013 12:52:45 PM | Computer Name = GINA1 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\QUICKTIME\QUICKTIME
PLAYER.LNK> in the hash map cannot be updated. Context: Application, SystemIndex
Catalog Details: A device attached to the system is not functioning. (0x8007001f)


Error - 7/18/2013 9:26:29 AM | Computer Name = GINA1 | Source = Application Hang | ID = 1002
Description = Hanging application OTL.exe, version 3.2.69.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 7/18/2013 9:31:12 AM | Computer Name = GINA1 | Source = Application Hang | ID = 1002
Description = Hanging application mbam.exe, version 1.75.0.1, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 7/18/2013 12:11:19 PM | Computer Name = GINA1 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\GOOGLE
CHROME\GOOGLE CHROME.LNK> in the hash map cannot be updated. Context: Application,
SystemIndex Catalog Details: A device attached to the system is not functioning.
(0x8007001f)

Error - 7/18/2013 12:11:19 PM | Computer Name = GINA1 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\GOOGLE
CHROME\GOOGLE CHROME.LNK> in the hash map cannot be updated. Context: Application,
SystemIndex Catalog Details: A device attached to the system is not functioning.
(0x8007001f)

Error - 7/18/2013 12:38:22 PM | Computer Name = GINA1 | Source = Application Hang | ID = 1002
Description = Hanging application OTL.exe, version 3.2.69.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ Application Events ]
Error - 7/17/2013 12:52:44 PM | Computer Name = GINA1 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\QUICKTIME\ABOUT
QUICKTIME.LNK> in the hash map cannot be updated. Context: Application, SystemIndex
Catalog Details: A device attached to the system is not functioning. (0x8007001f)


Error - 7/17/2013 12:52:45 PM | Computer Name = GINA1 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\QUICKTIME\PICTUREVIEWER.LNK>
in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 7/17/2013 12:52:45 PM | Computer Name = GINA1 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\QUICKTIME\PICTUREVIEWER.LNK>
in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 7/17/2013 12:52:45 PM | Computer Name = GINA1 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\QUICKTIME\QUICKTIME
PLAYER.LNK> in the hash map cannot be updated. Context: Application, SystemIndex
Catalog Details: A device attached to the system is not functioning. (0x8007001f)


Error - 7/17/2013 12:52:45 PM | Computer Name = GINA1 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\QUICKTIME\QUICKTIME
PLAYER.LNK> in the hash map cannot be updated. Context: Application, SystemIndex
Catalog Details: A device attached to the system is not functioning. (0x8007001f)


Error - 7/18/2013 9:26:29 AM | Computer Name = GINA1 | Source = Application Hang | ID = 1002
Description = Hanging application OTL.exe, version 3.2.69.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 7/18/2013 9:31:12 AM | Computer Name = GINA1 | Source = Application Hang | ID = 1002
Description = Hanging application mbam.exe, version 1.75.0.1, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 7/18/2013 12:11:19 PM | Computer Name = GINA1 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\GOOGLE
CHROME\GOOGLE CHROME.LNK> in the hash map cannot be updated. Context: Application,
SystemIndex Catalog Details: A device attached to the system is not functioning.
(0x8007001f)

Error - 7/18/2013 12:11:19 PM | Computer Name = GINA1 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\GOOGLE
CHROME\GOOGLE CHROME.LNK> in the hash map cannot be updated. Context: Application,
SystemIndex Catalog Details: A device attached to the system is not functioning.
(0x8007001f)

Error - 7/18/2013 12:38:22 PM | Computer Name = GINA1 | Source = Application Hang | ID = 1002
Description = Hanging application OTL.exe, version 3.2.69.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ OSession Events ]
Error - 3/15/2010 9:39:39 AM | Computer Name = GINA1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 100
seconds with 60 seconds of active time. This session ended with a crash.

Error - 3/15/2010 9:41:51 AM | Computer Name = GINA1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 80
seconds with 60 seconds of active time. This session ended with a crash.

Error - 5/24/2010 9:55:16 AM | Computer Name = GINA1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6524.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 172
seconds with 120 seconds of active time. This session ended with a crash.

Error - 6/4/2010 9:13:55 AM | Computer Name = GINA1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6524.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 24
seconds with 0 seconds of active time. This session ended with a crash.

Error - 6/7/2010 9:13:44 AM | Computer Name = GINA1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6524.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 53
seconds with 0 seconds of active time. This session ended with a crash.

Error - 6/14/2010 5:10:24 PM | Computer Name = GINA1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 28772
seconds with 900 seconds of active time. This session ended with a crash.

Error - 6/15/2010 12:50:52 PM | Computer Name = GINA1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 7445
seconds with 180 seconds of active time. This session ended with a crash.

Error - 8/19/2010 2:59:43 PM | Computer Name = GINA1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6535.5005, Microsoft Office Version: 12.0.6425.1000. This session lasted 21499
seconds with 0 seconds of active time. This session ended with a crash.

Error - 1/12/2011 6:19:58 PM | Computer Name = GINA1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 28389
seconds with 420 seconds of active time. This session ended with a crash.

Error - 10/9/2012 12:08:10 PM | Computer Name = GINA1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6661.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 1391
seconds with 900 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 7/17/2013 12:27:43 PM | Computer Name = GINA1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd SBRE

Error - 7/17/2013 12:50:53 PM | Computer Name = GINA1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd SBRE

Error - 7/17/2013 1:02:44 PM | Computer Name = GINA1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd SBRE

Error - 7/17/2013 1:07:15 PM | Computer Name = GINA1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd SBRE

Error - 7/17/2013 1:12:00 PM | Computer Name = GINA1 | Source = Schedule | ID = 7901
Description = The At1.job command failed to start due to the following error: %%2147942402

Error - 7/18/2013 9:09:41 AM | Computer Name = GINA1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd SBRE

Error - 7/18/2013 11:20:16 AM | Computer Name = GINA1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
iaStor Lbd SBRE

Error - 7/18/2013 11:30:42 AM | Computer Name = GINA1 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000243'
while processing the file 'SrtETmp' on the volume 'HarddiskVolume2'. It has stopped
monitoring the volume.

Error - 7/18/2013 11:31:00 AM | Computer Name = GINA1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd SBRE

Error - 7/18/2013 11:54:32 AM | Computer Name = GINA1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd SBRE


< End of report >

[Racingal60]

OK - I screwed up and posted the Extras.txt file before I did any of the other stuff. I'm sorry.

Here is the RKreport.txt log
RogueKiller V8.6.3 [Jul 17 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.co...es/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Dawn [Admin rights]
Mode : Scan -- Date : 07/18/2013 13:54:52
| ARK || FAK || MBR |

¤¤¤ Bad processes : 3 ¤¤¤
[SUSP PATH] ganukdyxypyx.exe -- C:\Documents and Settings\Dawn\ganukdyxypyx.exe [-] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\WINDOWS\system32\svchost.exe [7] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\WINDOWS\system32\svchost.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : ganukdyxypyx (C:\Documents and Settings\Dawn\ganukdyxypyx.exe [-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-866049194-2568044671-1873219407-1011\[...]\Run : ganukdyxypyx (C:\Documents and Settings\Dawn\ganukdyxypyx.exe [-]) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[BROK VAL] HKCR\[...]\command : () -> MISSING

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V1][SUSP PATH] At1.job : C:\DOCUME~1\Dawn\APPLIC~1\DSite\UPDATE~1\UPDATE~1.EXE - /Check [x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[12] : NtAlertResumeThread @ 0x805D4C0C -> HOOKED (Unknown @ 0x8AFF9B30)
[Address] SSDT[13] : NtAlertThread @ 0x805D4BBC -> HOOKED (Unknown @ 0x8A81EE08)
[Address] SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AEE -> HOOKED (Unknown @ 0x8A8242D8)
[Address] SSDT[31] : NtConnectPort @ 0x805A4604 -> HOOKED (Unknown @ 0x8B0C99A8)
[Address] SSDT[43] : NtCreateMutant @ 0x80617822 -> HOOKED (Unknown @ 0x8A620178)
[Address] SSDT[53] : NtCreateThread @ 0x805D1068 -> HOOKED (Unknown @ 0x8AD99FB0)
[Address] SSDT[83] : NtFreeVirtualMemory @ 0x805B2FE6 -> HOOKED (Unknown @ 0x8A82FB60)
[Address] SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9362 -> HOOKED (Unknown @ 0x8B0D6788)
[Address] SSDT[91] : NtImpersonateThread @ 0x805D7890 -> HOOKED (Unknown @ 0x8ADDF8B0)
[Address] SSDT[108] : NtMapViewOfSection @ 0x805B206E -> HOOKED (Unknown @ 0x8A605278)
[Address] SSDT[114] : NtOpenEvent @ 0x8060F1E0 -> HOOKED (Unknown @ 0x8B182CF0)
[Address] SSDT[123] : NtOpenProcessToken @ 0x805EE030 -> HOOKED (Unknown @ 0x8ADB20A8)
[Address] SSDT[129] : NtOpenThreadToken @ 0x805EE04E -> HOOKED (Unknown @ 0x8A6811E0)
[Address] SSDT[206] : NtResumeThread @ 0x805D4A48 -> HOOKED (Unknown @ 0x8ADEB500)
[Address] SSDT[213] : NtSetContextThread @ 0x805D2C4A -> HOOKED (Unknown @ 0x8AFFFBB0)
[Address] SSDT[228] : NtSetInformationProcess @ 0x805CDED0 -> HOOKED (Unknown @ 0x8AAC6328)
[Address] SSDT[229] : NtSetInformationThread @ 0x805CC154 -> HOOKED (Unknown @ 0x8A678280)
[Address] SSDT[253] : NtSuspendProcess @ 0x805D4B10 -> HOOKED (Unknown @ 0x8A82EBD8)
[Address] SSDT[254] : NtSuspendThread @ 0x805D4982 -> HOOKED (Unknown @ 0x8B09DD90)
[Address] SSDT[257] : NtTerminateProcess @ 0x805D2308 -> HOOKED (Unknown @ 0x8B0D2050)
[Address] SSDT[258] : NtTerminateThread @ 0x805D2502 -> HOOKED (Unknown @ 0x8B06BA18)
[Address] SSDT[267] : NtUnmapViewOfSection @ 0x805B2E7C -> HOOKED (Unknown @ 0x8ADFF0A8)
[Address] SSDT[277] : NtWriteVirtualMemory @ 0x805B4400 -> HOOKED (Unknown @ 0x8A8972D8)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3500620AS +++++
--- User ---
[MBR] d7825e316abf122148cf5785ecce63f9
[BSP] 11d467b9f31927f29d49c85858b51038 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 47 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 96390 | Size: 476890 Mo
Error reading LL1 MBR!
User != LL2 ... KO!
--- LL2 ---
[MBR] 7f50e826c0ef0a2ff3ce6105dd7fb502
[BSP] a8a451c2750507abfb88d59c59f028eb : MBR Code unknown
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 47 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 96390 | Size: 476890 Mo

Finished : << RKreport[0]_S_07182013_135452.txt >>




Here is the AdwCleaner(R1).txt log

# AdwCleaner v2.305 - Logfile created 07/18/2013 at 14:02:12
# Updated 11/07/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Dawn - GINA1
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Dawn\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\END
Folder Found : C:\Documents and Settings\Dawn\Application Data\DSite
Folder Found : C:\Documents and Settings\Gina Dorr\Application Data\adawaretb
Folder Found : C:\Documents and Settings\Gina Dorr\Application Data\blekko
Folder Found : C:\Program Files\Common Files\AVG Secure Search
Folder Found : C:\Program Files\SaveValet

***** [Registry] *****

Key Found : HKCU\Software\Crossrider
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Found : HKCU\Software\SocialBit
Key Found : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Google Chrome v28.0.1500.72

File : C:\Documents and Settings\Gina Dorr\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : C:\Documents and Settings\Dawn\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1947 octets] - [18/07/2013 14:02:12]

########## EOF - C:\AdwCleaner[R1].txt - [2007 octets] ##########


Here is the aswMRB log:

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-07-18 14:05:02
-----------------------------
14:05:02.812 OS Version: Windows 5.1.2600 Service Pack 3
14:05:02.812 Number of processors: 4 586 0xF0B
14:05:02.812 ComputerName: GINA1 UserName: Dawn
14:05:04.750 Initialize success
14:05:11.812 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
14:05:11.812 Disk 0 Vendor: ST3500620AS DE12 Size: 476940MB BusType: 3
14:05:11.875 Disk 0 MBR read successfully
14:05:11.875 Disk 0 MBR scan
14:05:11.875 Disk 0 Windows XP default MBR code found via API
14:05:11.875 Disk 0 unknown MBR code
14:05:11.875 Disk 0 MBR hidden
14:05:11.875 Disk 0 Partition 1 00 DE Dell Utility 47 MB offset 63
14:05:11.890 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS 476890 MB offset 96390
14:05:11.890 Disk 0 scanning sectors +976768065
14:05:11.921 Disk 0 MBR [possible unknown bootkit@MBR] **ROOTKIT**
14:05:11.921 Scan finished successfully
14:05:42.375 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Dawn\Desktop\MBR.dat"
14:05:42.375 The log file has been saved successfully to "C:\Documents and Settings\Dawn\Desktop\aswMBR.txt"


Here is the link to the VirusTotla link:

https://www.virustot...sis/1374174466/

If I missed something let me know. I did also get a MRB.dat file - but didn't provide you with that.

Thank you.

[godawgs]

OK - I screwed up and posted the Extras.txt file before I did any of the other stuff. I'm sorry.

That is not a problem. The aswMBR scan shows a rootkit infection or possible bootkit infection. Let's see if we can kill it.


Step-1.

Make a Fresh Restore Point

Windows XP

• Click Start > All Programs > Accessories > System tools > System Restore. The System Restore Wizard opens.
• Note: If the System Restore Wizard does not open, the System Restore feature may be turned off. To turn System Restore on, follow these steps:
• Click Start, click Control Panel, and then double-click System.
• Click the System Restore tab.
• Make sure that the Turn off System Restore check box is not selected. Or, make sure that the Turn off System Restore on all drives check box is not selected.
• Click OK.

[*] On the dialogue box that appears select Create a Restore Point
[*] Click NEXT
[*] Enter a name e.g. Before fixes
[*] Click CREATE
[*] Once the Restore Point has been created close System Restore[/list]
Step-2.

Run RogueKiller

Quit all programs and close all browsers.

• Double click the RogueKiller icon to run the program.
• Wait until Prescan has finished ...
• Click the Scan button and wait for the scan to complete.
• Click on the Delete button.
  
  
  
• The report has been created on the desktop.
• Next click on the ShortcutsFix
  
  
  
• The report has been created on the desktop.

Please post:
The RKreport.txt files located on your desktop.
NOTE: If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again


Step-3.

TDSSKiller

Please read carefully and follow these steps.
Download the latest version of TDSSKiller from here and save it to your Desktop.

• Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters. (See the image below)
  
  
  
• Make sure the boxes under Objects to scan are checked like the image below.
• In the Additionak options section, check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system. (See the image below)
  
  
  
• Click OK
  
• Click the Start Scan button.
  
  
  
• If a suspicious object is detected, the default action will be Skip. DO NOT change the default action, click on Continue. (See the image below)
  
  
  
• If malicious objects are found, they will show in the Scan results and offer three (3) options.
• Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  
• Get the report by clicking Report
  
  
  
• Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.


Step-4.

Re-run AdwCleaner

Close all open windows and browsers.

Re-open AdwCleaner

• Double click the adwcleaner.exe file to run AdwCleaner.
• Click the Delete button and wait for the scan.
  
  
• Everything that was found will be deleted.
• When the scan ends, a report appears.
• Once done it will ask to reboot, allow this
  
  
  
• On reboot a log will be produced please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner[S1].txt

Step-5.

OTL Custom Scan

1. Please copy the text in the Quote box below, (Do Not copy the word Quote), and paste it in the box in OTL. To do that:

• Highlight everything inside the quote box, (except the word Quote), right click the mouse and click Copy.

createrestorepoint
netsvcs
baseservices
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
winsock.*
services.*
regedit.exe
regedit*.exe
/md5stop
dir "%systemdrive%\*" /S /A:L /C
DRIVES
>C:\commands.txt echo list vol /raw /hide /c
/wait
>C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
/wait
type c:\diskreport.txt /c
/wait
del c:\commands.txt^|y /hide /c
/wait
del c:\diskreport.txt^|y /hide /c

2. Re-open on the desktop. To do that:

• XP users: Double click on the OTL icon.
  Make sure all other windows are closed.
  
• You will see a console like the one below:
  
  
  
• Click the box beside Scan All Users at the top of the console
• Make sure the Output box at the top is set to Standard Output.
• Check the boxes beside LOP Check and Purity Check.
• Place the mouse pointer inside the box, right click and click Paste. This will put the above script inside OTL
• Click the button. Do not change any settings unless otherwise told to do so.
• Let the scan run uninterrupted.
• When the scan completes, it will open OTL.Txt. This file is also saved in the same location as OTL (it should be on your desktop).
• Please copy the contents of this file and paste it into your reply. To do that:
• On the OTL.txt file Menu Bar click Edit then click Select All. This will highlight the contents of the file. Then click Copy.
• Right click inside the forum post window then click Paste. This will paste the contents of the OTL.txt file in the in the post window.

Step-6.

Things For Your Next Post:
Please post the logs in the order requested. Do Not attach the logs unless I request it.
1. The RKreport 2.txt and RKreport3.txt logs
2. The TDSSKiller log
3. The AdwCleaner[S1].txt log
4. The new OTL.txt log
5. How is the computer running now?

[Racingal60]

OK - I think I did everything you asked me to do.

System Restore point set.

Ran Rogue Killer - here is log

RogueKiller V8.6.3 [Jul 17 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.co...es/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Dawn [Admin rights]
Mode : Scan -- Date : 07/19/2013 08:19:32
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : ganukdyxypyx (C:\Documents and Settings\Dawn\ganukdyxypyx.exe [-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-866049194-2568044671-1873219407-1011\[...]\Run : ganukdyxypyx (C:\Documents and Settings\Dawn\ganukdyxypyx.exe [-]) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[BROK VAL] HKCR\[...]\command : () -> MISSING

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V1][SUSP PATH] At1.job : C:\DOCUME~1\Dawn\APPLIC~1\DSite\UPDATE~1\UPDATE~1.EXE - /Check [x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[12] : NtAlertResumeThread @ 0x805D4C0C -> HOOKED (Unknown @ 0x8AFF9B30)
[Address] SSDT[13] : NtAlertThread @ 0x805D4BBC -> HOOKED (Unknown @ 0x8A81EE08)
[Address] SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AEE -> HOOKED (Unknown @ 0x8A8242D8)
[Address] SSDT[31] : NtConnectPort @ 0x805A4604 -> HOOKED (Unknown @ 0x8B0C99A8)
[Address] SSDT[43] : NtCreateMutant @ 0x80617822 -> HOOKED (Unknown @ 0x8A620178)
[Address] SSDT[53] : NtCreateThread @ 0x805D1068 -> HOOKED (Unknown @ 0x8AD99FB0)
[Address] SSDT[83] : NtFreeVirtualMemory @ 0x805B2FE6 -> HOOKED (Unknown @ 0x8A82FB60)
[Address] SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9362 -> HOOKED (Unknown @ 0x8B0D6788)
[Address] SSDT[91] : NtImpersonateThread @ 0x805D7890 -> HOOKED (Unknown @ 0x8ADDF8B0)
[Address] SSDT[108] : NtMapViewOfSection @ 0x805B206E -> HOOKED (Unknown @ 0x8A605278)
[Address] SSDT[114] : NtOpenEvent @ 0x8060F1E0 -> HOOKED (Unknown @ 0x8B182CF0)
[Address] SSDT[123] : NtOpenProcessToken @ 0x805EE030 -> HOOKED (Unknown @ 0x8ADB20A8)
[Address] SSDT[129] : NtOpenThreadToken @ 0x805EE04E -> HOOKED (Unknown @ 0x8A6811E0)
[Address] SSDT[206] : NtResumeThread @ 0x805D4A48 -> HOOKED (Unknown @ 0x8ADEB500)
[Address] SSDT[213] : NtSetContextThread @ 0x805D2C4A -> HOOKED (Unknown @ 0x8AFFFBB0)
[Address] SSDT[228] : NtSetInformationProcess @ 0x805CDED0 -> HOOKED (Unknown @ 0x8AAC6328)
[Address] SSDT[229] : NtSetInformationThread @ 0x805CC154 -> HOOKED (Unknown @ 0x8A678280)
[Address] SSDT[253] : NtSuspendProcess @ 0x805D4B10 -> HOOKED (Unknown @ 0x8A82EBD8)
[Address] SSDT[254] : NtSuspendThread @ 0x805D4982 -> HOOKED (Unknown @ 0x8B09DD90)
[Address] SSDT[257] : NtTerminateProcess @ 0x805D2308 -> HOOKED (Unknown @ 0x8B0D2050)
[Address] SSDT[258] : NtTerminateThread @ 0x805D2502 -> HOOKED (Unknown @ 0x8B06BA18)
[Address] SSDT[267] : NtUnmapViewOfSection @ 0x805B2E7C -> HOOKED (Unknown @ 0x8ADFF0A8)
[Address] SSDT[277] : NtWriteVirtualMemory @ 0x805B4400 -> HOOKED (Unknown @ 0x8A8972D8)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3500620AS +++++
--- User ---
[MBR] d7825e316abf122148cf5785ecce63f9
[BSP] 11d467b9f31927f29d49c85858b51038 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 47 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 96390 | Size: 476890 Mo
Error reading LL1 MBR!
User != LL2 ... KO!
--- LL2 ---
[MBR] 7f50e826c0ef0a2ff3ce6105dd7fb502
[BSP] a8a451c2750507abfb88d59c59f028eb : MBR Code unknown
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 47 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 96390 | Size: 476890 Mo

Finished : << RKreport[0]_S_07192013_081932.txt >>
RKreport[0]_S_07182013_135452.txt


And the other log:

RogueKiller V8.6.3 [Jul 17 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.co...es/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Dawn [Admin rights]
Mode : Shortcuts HJfix -- Date : 07/19/2013 08:20:21
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 0 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 5 / Fail 0
My documents: Success 0 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 12 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 3 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[D:] \Device\CdRom0 -- 0x5 --> Skipped
[S:] \Device\LanmanRedirector\;S:000000000001717c\Tim1\SHARED -- 0x4 --> Skipped

¤¤¤ Infection : Root.MBR ¤¤¤

Finished : << RKreport[0]_SC_07192013_082021.txt >>
RKreport[0]_D_07192013_081939.txt;RKreport[0]_S_07182013_135452.txt;RKreport[0]_S_07192013_081932.txt


Then I downloaded and ran TDSSKiller:

No Threats were found here is log

08:22:20.0703 8648 TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
08:22:21.0265 8648 ============================================================
08:22:21.0265 8648 Current date / time: 2013/07/19 08:22:21.0265
08:22:21.0265 8648 SystemInfo:
08:22:21.0265 8648
08:22:21.0265 8648 OS Version: 5.1.2600 ServicePack: 3.0
08:22:21.0265 8648 Product type: Workstation
08:22:21.0265 8648 ComputerName: GINA1
08:22:21.0265 8648 UserName: Dawn
08:22:21.0265 8648 Windows directory: C:\WINDOWS
08:22:21.0265 8648 System windows directory: C:\WINDOWS
08:22:21.0265 8648 Processor architecture: Intel x86
08:22:21.0265 8648 Number of processors: 4
08:22:21.0265 8648 Page size: 0x1000
08:22:21.0265 8648 Boot type: Normal boot
08:22:21.0265 8648 ============================================================
08:22:23.0046 8648 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
08:22:23.0046 8648 ============================================================
08:22:23.0046 8648 \Device\Harddisk0\DR0:
08:22:23.0046 8648 MBR partitions:
08:22:23.0046 8648 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x17886, BlocksNum 0x3A36D3BB
08:22:23.0046 8648 ============================================================
08:22:23.0062 8648 Initialize success
08:22:23.0062 8648 ============================================================
08:22:54.0437 11160 ============================================================
08:22:54.0437 11160 Scan started
08:22:54.0437 11160 Mode: Manual; SigCheck; TDLFS;
08:22:54.0437 11160 ============================================================
08:22:54.0437 11160 ================ Scan system memory ========================
08:22:56.0546 11160 System memory - ok
08:22:56.0546 11160 ================ Scan services =============================
08:22:56.0562 11160 Abiosdsk - ok
08:22:56.0562 11160 abp480n5 - ok
08:22:56.0562 11160 ACPI - ok
08:22:56.0562 11160 ACPIEC - ok
08:22:56.0562 11160 AdobeFlashPlayerUpdateSvc - ok
08:22:56.0578 11160 adpu160m - ok
08:22:56.0578 11160 aec - ok
08:22:56.0578 11160 AFD - ok
08:22:56.0578 11160 agp440 - ok
08:22:56.0578 11160 agpCPQ - ok
08:22:56.0578 11160 Aha154x - ok
08:22:56.0578 11160 aic78u2 - ok
08:22:56.0578 11160 aic78xx - ok
08:22:56.0578 11160 Alerter - ok
08:22:56.0593 11160 ALG - ok
08:22:56.0593 11160 AliIde - ok
08:22:56.0593 11160 alim1541 - ok
08:22:56.0593 11160 amdagp - ok
08:22:56.0593 11160 amsint - ok
08:22:56.0593 11160 AppMgmt - ok
08:22:56.0593 11160 ArchiveService - ok
08:22:56.0593 11160 asc - ok
08:22:56.0609 11160 asc3350p - ok
08:22:56.0609 11160 asc3550 - ok
08:22:56.0609 11160 aspnet_state - ok
08:22:56.0609 11160 AsyncMac - ok
08:22:56.0609 11160 atapi - ok
08:22:56.0609 11160 Atdisk - ok
08:22:56.0609 11160 Atmarpc - ok
08:22:56.0625 11160 AudioSrv - ok
08:22:56.0625 11160 audstub - ok
08:22:56.0625 11160 BcmSqlStartupSvc - ok
08:22:56.0625 11160 Beep - ok
08:22:56.0625 11160 BITS - ok
08:22:56.0625 11160 Browser - ok
08:22:56.0625 11160 cbidf - ok
08:22:56.0625 11160 cbidf2k - ok
08:22:56.0640 11160 ccEvtMgr - ok
08:22:56.0640 11160 ccSetMgr - ok
08:22:56.0640 11160 cd20xrnt - ok
08:22:56.0640 11160 Cdaudio - ok
08:22:56.0640 11160 Cdfs - ok
08:22:56.0640 11160 Cdrom - ok
08:22:56.0640 11160 Changer - ok
08:22:56.0640 11160 CiSvc - ok
08:22:56.0640 11160 ClipSrv - ok
08:22:56.0656 11160 clr_optimization_v2.0.50727_32 - ok
08:22:56.0656 11160 clr_optimization_v4.0.30319_32 - ok
08:22:56.0656 11160 CmdIde - ok
08:22:56.0656 11160 COMSysApp - ok
08:22:56.0656 11160 Cpqarray - ok
08:22:56.0656 11160 cpudrv - ok
08:22:56.0656 11160 CryptSvc - ok
08:22:56.0656 11160 dac2w2k - ok
08:22:56.0671 11160 dac960nt - ok
08:22:56.0671 11160 DcomLaunch - ok
08:22:56.0671 11160 Dhcp - ok
08:22:56.0671 11160 Disk - ok
08:22:56.0703 11160 dmadmin - ok
08:22:56.0703 11160 dmboot - ok
08:22:56.0703 11160 dmio - ok
08:22:56.0703 11160 dmload - ok
08:22:56.0703 11160 dmserver - ok
08:22:56.0718 11160 DMusic - ok
08:22:56.0718 11160 Dnscache - ok
08:22:56.0718 11160 Dot3svc - ok
08:22:56.0718 11160 dpti2o - ok
08:22:56.0718 11160 drmkaud - ok
08:22:56.0718 11160 E100B - ok
08:22:56.0718 11160 e1express - ok
08:22:56.0718 11160 EapHost - ok
08:22:56.0734 11160 eeCtrl - ok
08:22:56.0734 11160 EraserUtilRebootDrv - ok
08:22:56.0734 11160 ERSvc - ok
08:22:56.0750 11160 Eventlog - ok
08:22:56.0750 11160 EventSystem - ok
08:22:56.0750 11160 Fastfat - ok
08:22:56.0750 11160 FastUserSwitchingCompatibility - ok
08:22:56.0750 11160 Fax - ok
08:22:56.0750 11160 Fdc - ok
08:22:56.0765 11160 Fips - ok
08:22:56.0765 11160 Flpydisk - ok
08:22:56.0765 11160 FltMgr - ok
08:22:56.0765 11160 FontCache3.0.0.0 - ok
08:22:56.0765 11160 FoxAwdWINFLASH - ok
08:22:56.0765 11160 Fs_Rec - ok
08:22:56.0765 11160 Ftdisk - ok
08:22:56.0765 11160 GoToAssist - ok
08:22:56.0765 11160 Gpc - ok
08:22:56.0781 11160 gupdate - ok
08:22:56.0781 11160 gupdatem - ok
08:22:56.0781 11160 HDAudBus - ok
08:22:56.0781 11160 helpsvc - ok
08:22:56.0781 11160 HidServ - ok
08:22:56.0781 11160 HidUsb - ok
08:22:56.0781 11160 hkmsvc - ok
08:22:56.0781 11160 hpn - ok
08:22:56.0781 11160 HTTP - ok
08:22:56.0796 11160 HTTPFilter - ok
08:22:56.0796 11160 i2omgmt - ok
08:22:56.0796 11160 i2omp - ok
08:22:56.0796 11160 i8042prt - ok
08:22:56.0796 11160 ialm - ok
08:22:56.0796 11160 iaStor - ok
08:22:56.0796 11160 IDriverT - ok
08:22:56.0796 11160 idsvc - ok
08:22:56.0796 11160 Imapi - ok
08:22:56.0812 11160 ImapiService - ok
08:22:56.0812 11160 ini910u - ok
08:22:56.0812 11160 IntcAzAudAddService - ok
08:22:56.0812 11160 Intel® PROSet Monitoring Service - ok
08:22:56.0812 11160 IntelIde - ok
08:22:56.0812 11160 intelppm - ok
08:22:56.0812 11160 Ip6Fw - ok
08:22:56.0812 11160 IpFilterDriver - ok
08:22:56.0828 11160 IpInIp - ok
08:22:56.0828 11160 IpNat - ok
08:22:56.0828 11160 IPSec - ok
08:22:56.0828 11160 IRENUM - ok
08:22:56.0828 11160 isapnp - ok
08:22:56.0828 11160 JavaQuickStarterService - ok
08:22:56.0828 11160 Kbdclass - ok
08:22:56.0828 11160 kbdhid - ok
08:22:56.0843 11160 kmixer - ok
08:22:56.0843 11160 KSecDD - ok
08:22:56.0843 11160 lanmanserver - ok
08:22:56.0843 11160 lanmanworkstation - ok
08:22:56.0843 11160 Lbd - ok
08:22:56.0843 11160 lbrtfdc - ok
08:22:56.0843 11160 LiveUpdate - ok
08:22:56.0843 11160 LmHosts - ok
08:22:56.0859 11160 MDM - ok
08:22:56.0859 11160 Messenger - ok
08:22:56.0859 11160 mnmdd - ok
08:22:56.0859 11160 mnmsrvc - ok
08:22:56.0859 11160 Modem - ok
08:22:56.0859 11160 Mouclass - ok
08:22:56.0859 11160 mouhid - ok
08:22:56.0859 11160 MountMgr - ok
08:22:56.0859 11160 mraid35x - ok
08:22:56.0875 11160 MRxDAV - ok
08:22:56.0875 11160 MRxSmb - ok
08:22:56.0875 11160 MSDTC - ok
08:22:56.0875 11160 Msfs - ok
08:22:56.0875 11160 MSIServer - ok
08:22:56.0875 11160 MSKSSRV - ok
08:22:56.0875 11160 MSPCLOCK - ok
08:22:56.0875 11160 MSPQM - ok
08:22:56.0890 11160 mssmbios - ok
08:22:56.0890 11160 MSSQL$MSSMLBIZ - ok
08:22:56.0890 11160 MSSQLServerADHelper - ok
08:22:56.0890 11160 Mup - ok
08:22:56.0890 11160 NAL - ok
08:22:56.0890 11160 napagent - ok
08:22:56.0890 11160 NAVENG - ok
08:22:56.0890 11160 NAVEX15 - ok
08:22:56.0890 11160 NDIS - ok
08:22:56.0906 11160 NdisTapi - ok
08:22:56.0906 11160 Ndisuio - ok
08:22:56.0906 11160 NdisWan - ok
08:22:56.0906 11160 NDProxy - ok
08:22:56.0906 11160 NetBIOS - ok
08:22:56.0906 11160 NetBT - ok
08:22:56.0906 11160 NetDDE - ok
08:22:56.0906 11160 NetDDEdsdm - ok
08:22:56.0921 11160 Netlogon - ok
08:22:56.0921 11160 Netman - ok
08:22:56.0921 11160 NetTcpPortSharing - ok
08:22:56.0921 11160 Nla - ok
08:22:56.0921 11160 Npfs - ok
08:22:56.0921 11160 Ntfs - ok
08:22:56.0921 11160 NtLmSsp - ok
08:22:56.0921 11160 NtmsSvc - ok
08:22:56.0921 11160 Null - ok
08:22:56.0937 11160 nv - ok
08:22:56.0937 11160 NwlnkFlt - ok
08:22:56.0937 11160 NwlnkFwd - ok
08:22:56.0937 11160 odserv - ok
08:22:56.0937 11160 ose - ok
08:22:56.0937 11160 Parport - ok
08:22:56.0937 11160 PartMgr - ok
08:22:56.0937 11160 ParVdm - ok
08:22:56.0953 11160 PCI - ok
08:22:56.0953 11160 PCIDump - ok
08:22:56.0953 11160 PCIIde - ok
08:22:56.0953 11160 Pcmcia - ok
08:22:56.0953 11160 PDCOMP - ok
08:22:56.0953 11160 PDFRAME - ok
08:22:56.0953 11160 PDRELI - ok
08:22:56.0953 11160 PDRFRAME - ok
08:22:56.0953 11160 perc2 - ok
08:22:56.0968 11160 perc2hib - ok
08:22:56.0968 11160 PinFile - ok
08:22:56.0968 11160 PlugPlay - ok
08:22:56.0968 11160 PolicyAgent - ok
08:22:56.0968 11160 PptpMiniport - ok
08:22:56.0968 11160 ProtectedStorage - ok
08:22:56.0968 11160 PSched - ok
08:22:56.0984 11160 Ptilink - ok
08:22:56.0984 11160 PxHelp20 - ok
08:22:56.0984 11160 ql1080 - ok
08:22:56.0984 11160 Ql10wnt - ok
08:22:56.0984 11160 ql12160 - ok
08:22:56.0984 11160 ql1240 - ok
08:22:56.0984 11160 ql1280 - ok
08:22:56.0984 11160 RasAcd - ok
08:22:56.0984 11160 RasAuto - ok
08:22:57.0000 11160 Rasl2tp - ok
08:22:57.0000 11160 RasMan - ok
08:22:57.0000 11160 RasPppoe - ok
08:22:57.0000 11160 Raspti - ok
08:22:57.0000 11160 Rdbss - ok
08:22:57.0000 11160 RDPCDD - ok
08:22:57.0000 11160 rdpdr - ok
08:22:57.0015 11160 RDPWD - ok
08:22:57.0015 11160 RDSessMgr - ok
08:22:57.0015 11160 redbook - ok
08:22:57.0015 11160 RemoteAccess - ok
08:22:57.0015 11160 RemoteRegistry - ok
08:22:57.0015 11160 RpcLocator - ok
08:22:57.0015 11160 RpcSs - ok
08:22:57.0015 11160 RSVP - ok
08:22:57.0015 11160 SamSs - ok
08:22:57.0031 11160 SBRE - ok
08:22:57.0031 11160 SCardSvr - ok
08:22:57.0031 11160 Schedule - ok
08:22:57.0031 11160 SDDisk2K - ok
08:22:57.0031 11160 SDDToki - ok
08:22:57.0031 11160 SDDVD - ok
08:22:57.0031 11160 SDUPC - ok
08:22:57.0031 11160 Secdrv - ok
08:22:57.0046 11160 seclogon - ok
08:22:57.0046 11160 SENS - ok
08:22:57.0046 11160 serenum - ok
08:22:57.0046 11160 Serial - ok
08:22:57.0046 11160 Sfloppy - ok
08:22:57.0046 11160 SharedAccess - ok
08:22:57.0062 11160 ShellHWDetection - ok
08:22:57.0062 11160 Simbad - ok
08:22:57.0062 11160 sisagp - ok
08:22:57.0062 11160 SmcService - ok
08:22:57.0062 11160 SNAC - ok
08:22:57.0062 11160 Sparrow - ok
08:22:57.0062 11160 SPBBCDrv - ok
08:22:57.0078 11160 splitter - ok
08:22:57.0078 11160 Spooler - ok
08:22:57.0078 11160 sprtsvc_DellSupportCenter - ok
08:22:57.0078 11160 SQLBrowser - ok
08:22:57.0078 11160 SQLWriter - ok
08:22:57.0078 11160 sr - ok
08:22:57.0078 11160 srservice - ok
08:22:57.0078 11160 SRTSP - ok
08:22:57.0078 11160 SRTSPL - ok
08:22:57.0093 11160 SRTSPX - ok
08:22:57.0093 11160 Srv - ok
08:22:57.0093 11160 SSDPSRV - ok
08:22:57.0093 11160 stisvc - ok
08:22:57.0093 11160 stllssvr - ok
08:22:57.0093 11160 swenum - ok
08:22:57.0093 11160 swmidi - ok
08:22:57.0093 11160 SwPrv - ok
08:22:57.0093 11160 Symantec AntiVirus - ok
08:22:57.0109 11160 symc810 - ok
08:22:57.0109 11160 symc8xx - ok
08:22:57.0109 11160 SymEvent - ok
08:22:57.0109 11160 SYMREDRV - ok
08:22:57.0109 11160 SYMTDI - ok
08:22:57.0109 11160 sym_hi - ok
08:22:57.0109 11160 sym_u3 - ok
08:22:57.0109 11160 sysaudio - ok
08:22:57.0125 11160 SysmonLog - ok
08:22:57.0125 11160 TapiSrv - ok
08:22:57.0125 11160 Tcpip - ok
08:22:57.0125 11160 TDPIPE - ok
08:22:57.0125 11160 TDTCP - ok
08:22:57.0125 11160 TermDD - ok
08:22:57.0125 11160 TermService - ok
08:22:57.0125 11160 Themes - ok
08:22:57.0125 11160 TlntSvr - ok
08:22:57.0140 11160 TosIde - ok
08:22:57.0140 11160 TrkWks - ok
08:22:57.0140 11160 Udfs - ok
08:22:57.0140 11160 ultra - ok
08:22:57.0140 11160 Update - ok
08:22:57.0140 11160 upnphost - ok
08:22:57.0140 11160 UPS - ok
08:22:57.0156 11160 usbccgp - ok
08:22:57.0156 11160 usbehci - ok
08:22:57.0156 11160 usbhub - ok
08:22:57.0156 11160 usbprint - ok
08:22:57.0156 11160 USBSTOR - ok
08:22:57.0156 11160 usbuhci - ok
08:22:57.0156 11160 VgaSave - ok
08:22:57.0156 11160 viaagp - ok
08:22:57.0156 11160 ViaIde - ok
08:22:57.0171 11160 VolSnap - ok
08:22:57.0171 11160 VSS - ok
08:22:57.0171 11160 w32time - ok
08:22:57.0171 11160 Wanarp - ok
08:22:57.0171 11160 WDICA - ok
08:22:57.0171 11160 wdmaud - ok
08:22:57.0171 11160 WebClient - ok
08:22:57.0187 11160 WinMagic SecureDoc Service - ok
08:22:57.0187 11160 winmgmt - ok
08:22:57.0187 11160 WmdmPmSN - ok
08:22:57.0187 11160 Wmi - ok
08:22:57.0187 11160 WmiApSrv - ok
08:22:57.0187 11160 WMPNetworkSvc - ok
08:22:57.0187 11160 WPFFontCache_v0400 - ok
08:22:57.0203 11160 wscsvc - ok
08:22:57.0203 11160 WSearch - ok
08:22:57.0203 11160 wuauserv - ok
08:22:57.0203 11160 WudfPf - ok
08:22:57.0203 11160 WudfRd - ok
08:22:57.0203 11160 WudfSvc - ok
08:22:57.0203 11160 WZCSVC - ok
08:22:57.0203 11160 xmlprov - ok
08:22:57.0218 11160 ================ Scan global ===============================
08:22:57.0218 11160 [Global] - ok
08:22:57.0218 11160 ================ Scan MBR ==================================
08:22:57.0234 11160 [ E1ED835465E42A176B4910C2CCA1E9A4 ] \Device\Harddisk0\DR0
08:22:57.0234 11160 Suspicious mbr (Forged): \Device\Harddisk0\DR0
08:22:57.0531 11160 \Device\Harddisk0\DR0 - ok
08:22:57.0531 11160 ================ Scan VBR ==================================
08:22:57.0531 11160 [ E22F4FDC9CF7A873F47DD876419BD773 ] \Device\Harddisk0\DR0\Partition1
08:22:57.0531 11160 \Device\Harddisk0\DR0\Partition1 - ok
08:22:57.0531 11160 ============================================================
08:22:57.0531 11160 Scan finished
08:22:57.0531 11160 ============================================================
08:22:57.0531 6792 Detected object count: 0
08:22:57.0531 6792 Actual detected object count: 0
08:23:38.0703 3544 ============================================================
08:23:38.0703 3544 Scan started
08:23:38.0703 3544 Mode: Manual; SigCheck; TDLFS;
08:23:38.0703 3544 ============================================================
08:23:38.0703 3544 ================ Scan system memory ========================
08:23:39.0171 3544 System memory - ok
08:23:39.0171 3544 ================ Scan services =============================
08:23:39.0187 3544 Abiosdsk - ok
08:23:39.0187 3544 abp480n5 - ok
08:23:39.0187 3544 ACPI - ok
08:23:39.0187 3544 ACPIEC - ok
08:23:39.0187 3544 AdobeFlashPlayerUpdateSvc - ok
08:23:39.0203 3544 adpu160m - ok
08:23:39.0203 3544 aec - ok
08:23:39.0203 3544 AFD - ok
08:23:39.0203 3544 agp440 - ok
08:23:39.0203 3544 agpCPQ - ok
08:23:39.0203 3544 Aha154x - ok
08:23:39.0203 3544 aic78u2 - ok
08:23:39.0203 3544 aic78xx - ok
08:23:39.0203 3544 Alerter - ok
08:23:39.0218 3544 ALG - ok
08:23:39.0218 3544 AliIde - ok
08:23:39.0218 3544 alim1541 - ok
08:23:39.0218 3544 amdagp - ok
08:23:39.0218 3544 amsint - ok
08:23:39.0218 3544 AppMgmt - ok
08:23:39.0218 3544 ArchiveService - ok
08:23:39.0218 3544 asc - ok
08:23:39.0218 3544 asc3350p - ok
08:23:39.0234 3544 asc3550 - ok
08:23:39.0234 3544 aspnet_state - ok
08:23:39.0234 3544 AsyncMac - ok
08:23:39.0234 3544 atapi - ok
08:23:39.0234 3544 Atdisk - ok
08:23:39.0234 3544 Atmarpc - ok
08:23:39.0234 3544 AudioSrv - ok
08:23:39.0250 3544 audstub - ok
08:23:39.0250 3544 BcmSqlStartupSvc - ok
08:23:39.0250 3544 Beep - ok
08:23:39.0250 3544 BITS - ok
08:23:39.0250 3544 Browser - ok
08:23:39.0250 3544 cbidf - ok
08:23:39.0250 3544 cbidf2k - ok
08:23:39.0250 3544 ccEvtMgr - ok
08:23:39.0265 3544 ccSetMgr - ok
08:23:39.0265 3544 cd20xrnt - ok
08:23:39.0265 3544 Cdaudio - ok
08:23:39.0265 3544 Cdfs - ok
08:23:39.0265 3544 Cdrom - ok
08:23:39.0265 3544 Changer - ok
08:23:39.0265 3544 CiSvc - ok
08:23:39.0265 3544 ClipSrv - ok
08:23:39.0265 3544 clr_optimization_v2.0.50727_32 - ok
08:23:39.0281 3544 clr_optimization_v4.0.30319_32 - ok
08:23:39.0281 3544 CmdIde - ok
08:23:39.0281 3544 COMSysApp - ok
08:23:39.0281 3544 Cpqarray - ok
08:23:39.0281 3544 cpudrv - ok
08:23:39.0281 3544 CryptSvc - ok
08:23:39.0281 3544 dac2w2k - ok
08:23:39.0281 3544 dac960nt - ok
08:23:39.0296 3544 DcomLaunch - ok
08:23:39.0296 3544 Dhcp - ok
08:23:39.0296 3544 Disk - ok
08:23:39.0296 3544 dmadmin - ok
08:23:39.0296 3544 dmboot - ok
08:23:39.0296 3544 dmio - ok
08:23:39.0296 3544 dmload - ok
08:23:39.0296 3544 dmserver - ok
08:23:39.0296 3544 DMusic - ok
08:23:39.0312 3544 Dnscache - ok
08:23:39.0312 3544 Dot3svc - ok
08:23:39.0312 3544 dpti2o - ok
08:23:39.0312 3544 drmkaud - ok
08:23:39.0312 3544 E100B - ok
08:23:39.0312 3544 e1express - ok
08:23:39.0312 3544 EapHost - ok
08:23:39.0312 3544 eeCtrl - ok
08:23:39.0312 3544 EraserUtilRebootDrv - ok
08:23:39.0328 3544 ERSvc - ok
08:23:39.0328 3544 Eventlog - ok
08:23:39.0328 3544 EventSystem - ok
08:23:39.0328 3544 Fastfat - ok
08:23:39.0328 3544 FastUserSwitchingCompatibility - ok
08:23:39.0328 3544 Fax - ok
08:23:39.0328 3544 Fdc - ok
08:23:39.0328 3544 Fips - ok
08:23:39.0328 3544 Flpydisk - ok
08:23:39.0343 3544 FltMgr - ok
08:23:39.0343 3544 FontCache3.0.0.0 - ok
08:23:39.0343 3544 FoxAwdWINFLASH - ok
08:23:39.0343 3544 Fs_Rec - ok
08:23:39.0343 3544 Ftdisk - ok
08:23:39.0343 3544 GoToAssist - ok
08:23:39.0343 3544 Gpc - ok
08:23:39.0343 3544 gupdate - ok
08:23:39.0343 3544 gupdatem - ok
08:23:39.0359 3544 HDAudBus - ok
08:23:39.0359 3544 helpsvc - ok
08:23:39.0359 3544 HidServ - ok
08:23:39.0359 3544 HidUsb - ok
08:23:39.0359 3544 hkmsvc - ok
08:23:39.0359 3544 hpn - ok
08:23:39.0359 3544 HTTP - ok
08:23:39.0359 3544 HTTPFilter - ok
08:23:39.0359 3544 i2omgmt - ok
08:23:39.0375 3544 i2omp - ok
08:23:39.0375 3544 i8042prt - ok
08:23:39.0375 3544 ialm - ok
08:23:39.0375 3544 iaStor - ok
08:23:39.0375 3544 IDriverT - ok
08:23:39.0375 3544 idsvc - ok
08:23:39.0375 3544 Imapi - ok
08:23:39.0375 3544 ImapiService - ok
08:23:39.0390 3544 ini910u - ok
08:23:39.0390 3544 IntcAzAudAddService - ok
08:23:39.0390 3544 Intel® PROSet Monitoring Service - ok
08:23:39.0390 3544 IntelIde - ok
08:23:39.0390 3544 intelppm - ok
08:23:39.0390 3544 Ip6Fw - ok
08:23:39.0390 3544 IpFilterDriver - ok
08:23:39.0390 3544 IpInIp - ok
08:23:39.0390 3544 IpNat - ok
08:23:39.0406 3544 IPSec - ok
08:23:39.0406 3544 IRENUM - ok
08:23:39.0406 3544 isapnp - ok
08:23:39.0406 3544 JavaQuickStarterService - ok
08:23:39.0406 3544 Kbdclass - ok
08:23:39.0406 3544 kbdhid - ok
08:23:39.0406 3544 kmixer - ok
08:23:39.0406 3544 KSecDD - ok
08:23:39.0421 3544 lanmanserver - ok
08:23:39.0421 3544 lanmanworkstation - ok
08:23:39.0421 3544 Lbd - ok
08:23:39.0421 3544 lbrtfdc - ok
08:23:39.0421 3544 LiveUpdate - ok
08:23:39.0421 3544 LmHosts - ok
08:23:39.0421 3544 MDM - ok
08:23:39.0421 3544 Messenger - ok
08:23:39.0437 3544 mnmdd - ok
08:23:39.0437 3544 mnmsrvc - ok
08:23:39.0437 3544 Modem - ok
08:23:39.0437 3544 Mouclass - ok
08:23:39.0437 3544 mouhid - ok
08:23:39.0437 3544 MountMgr - ok
08:23:39.0437 3544 mraid35x - ok
08:23:39.0437 3544 MRxDAV - ok
08:23:39.0453 3544 MRxSmb - ok
08:23:39.0453 3544 MSDTC - ok
08:23:39.0453 3544 Msfs - ok
08:23:39.0453 3544 MSIServer - ok
08:23:39.0453 3544 MSKSSRV - ok
08:23:39.0453 3544 MSPCLOCK - ok
08:23:39.0453 3544 MSPQM - ok
08:23:39.0468 3544 mssmbios - ok
08:23:39.0468 3544 MSSQL$MSSMLBIZ - ok
08:23:39.0468 3544 MSSQLServerADHelper - ok
08:23:39.0468 3544 Mup - ok
08:23:39.0468 3544 NAL - ok
08:23:39.0468 3544 napagent - ok
08:23:39.0468 3544 NAVENG - ok
08:23:39.0468 3544 NAVEX15 - ok
08:23:39.0468 3544 NDIS - ok
08:23:39.0484 3544 NdisTapi - ok
08:23:39.0484 3544 Ndisuio - ok
08:23:39.0484 3544 NdisWan - ok
08:23:39.0484 3544 NDProxy - ok
08:23:39.0484 3544 NetBIOS - ok
08:23:39.0484 3544 NetBT - ok
08:23:39.0484 3544 NetDDE - ok
08:23:39.0484 3544 NetDDEdsdm - ok
08:23:39.0484 3544 Netlogon - ok
08:23:39.0500 3544 Netman - ok
08:23:39.0500 3544 NetTcpPortSharing - ok
08:23:39.0500 3544 Nla - ok
08:23:39.0500 3544 Npfs - ok
08:23:39.0500 3544 Ntfs - ok
08:23:39.0500 3544 NtLmSsp - ok
08:23:39.0500 3544 NtmsSvc - ok
08:23:39.0500 3544 Null - ok
08:23:39.0500 3544 nv - ok
08:23:39.0515 3544 NwlnkFlt - ok
08:23:39.0515 3544 NwlnkFwd - ok
08:23:39.0515 3544 odserv - ok
08:23:39.0515 3544 ose - ok
08:23:39.0515 3544 Parport - ok
08:23:39.0515 3544 PartMgr - ok
08:23:39.0515 3544 ParVdm - ok
08:23:39.0515 3544 PCI - ok
08:23:39.0531 3544 PCIDump - ok
08:23:39.0531 3544 PCIIde - ok
08:23:39.0531 3544 Pcmcia - ok
08:23:39.0531 3544 PDCOMP - ok
08:23:39.0531 3544 PDFRAME - ok
08:23:39.0531 3544 PDRELI - ok
08:23:39.0531 3544 PDRFRAME - ok
08:23:39.0531 3544 perc2 - ok
08:23:39.0531 3544 perc2hib - ok
08:23:39.0546 3544 PinFile - ok
08:23:39.0546 3544 PlugPlay - ok
08:23:39.0546 3544 PolicyAgent - ok
08:23:39.0546 3544 PptpMiniport - ok
08:23:39.0546 3544 ProtectedStorage - ok
08:23:39.0546 3544 PSched - ok
08:23:39.0546 3544 Ptilink - ok
08:23:39.0562 3544 PxHelp20 - ok
08:23:39.0562 3544 ql1080 - ok
08:23:39.0562 3544 Ql10wnt - ok
08:23:39.0562 3544 ql12160 - ok
08:23:39.0562 3544 ql1240 - ok
08:23:39.0562 3544 ql1280 - ok
08:23:39.0562 3544 RasAcd - ok
08:23:39.0562 3544 RasAuto - ok
08:23:39.0562 3544 Rasl2tp - ok
08:23:39.0578 3544 RasMan - ok
08:23:39.0578 3544 RasPppoe - ok
08:23:39.0578 3544 Raspti - ok
08:23:39.0578 3544 Rdbss - ok
08:23:39.0578 3544 RDPCDD - ok
08:23:39.0578 3544 rdpdr - ok
08:23:39.0578 3544 RDPWD - ok
08:23:39.0578 3544 RDSessMgr - ok
08:23:39.0593 3544 redbook - ok
08:23:39.0593 3544 RemoteAccess - ok
08:23:39.0593 3544 RemoteRegistry - ok
08:23:39.0593 3544 RpcLocator - ok
08:23:39.0593 3544 RpcSs - ok
08:23:39.0593 3544 RSVP - ok
08:23:39.0593 3544 SamSs - ok
08:23:39.0593 3544 SBRE - ok
08:23:39.0593 3544 SCardSvr - ok
08:23:39.0609 3544 Schedule - ok
08:23:39.0609 3544 SDDisk2K - ok
08:23:39.0609 3544 SDDToki - ok
08:23:39.0609 3544 SDDVD - ok
08:23:39.0609 3544 SDUPC - ok
08:23:39.0609 3544 Secdrv - ok
08:23:39.0609 3544 seclogon - ok
08:23:39.0609 3544 SENS - ok
08:23:39.0625 3544 serenum - ok
08:23:39.0625 3544 Serial - ok
08:23:39.0625 3544 Sfloppy - ok
08:23:39.0625 3544 SharedAccess - ok
08:23:39.0625 3544 ShellHWDetection - ok
08:23:39.0625 3544 Simbad - ok
08:23:39.0640 3544 sisagp - ok
08:23:39.0640 3544 SmcService - ok
08:23:39.0640 3544 SNAC - ok
08:23:39.0640 3544 Sparrow - ok
08:23:39.0640 3544 SPBBCDrv - ok
08:23:39.0640 3544 splitter - ok
08:23:39.0640 3544 Spooler - ok
08:23:39.0656 3544 sprtsvc_DellSupportCenter - ok
08:23:39.0656 3544 SQLBrowser - ok
08:23:39.0656 3544 SQLWriter - ok
08:23:39.0656 3544 sr - ok
08:23:39.0656 3544 srservice - ok
08:23:39.0656 3544 SRTSP - ok
08:23:39.0656 3544 SRTSPL - ok
08:23:39.0656 3544 SRTSPX - ok
08:23:39.0656 3544 Srv - ok
08:23:39.0671 3544 SSDPSRV - ok
08:23:39.0671 3544 stisvc - ok
08:23:39.0671 3544 stllssvr - ok
08:23:39.0671 3544 swenum - ok
08:23:39.0671 3544 swmidi - ok
08:23:39.0671 3544 SwPrv - ok
08:23:39.0671 3544 Symantec AntiVirus - ok
08:23:39.0671 3544 symc810 - ok
08:23:39.0687 3544 symc8xx - ok
08:23:39.0687 3544 SymEvent - ok
08:23:39.0687 3544 SYMREDRV - ok
08:23:39.0687 3544 SYMTDI - ok
08:23:39.0687 3544 sym_hi - ok
08:23:39.0687 3544 sym_u3 - ok
08:23:39.0687 3544 sysaudio - ok
08:23:39.0687 3544 SysmonLog - ok
08:23:39.0687 3544 TapiSrv - ok
08:23:39.0703 3544 Tcpip - ok
08:23:39.0703 3544 TDPIPE - ok
08:23:39.0703 3544 TDTCP - ok
08:23:39.0703 3544 TermDD - ok
08:23:39.0703 3544 TermService - ok
08:23:39.0703 3544 Themes - ok
08:23:39.0703 3544 TlntSvr - ok
08:23:39.0703 3544 TosIde - ok
08:23:39.0703 3544 TrkWks - ok
08:23:39.0718 3544 Udfs - ok
08:23:39.0718 3544 ultra - ok
08:23:39.0718 3544 Update - ok
08:23:39.0718 3544 upnphost - ok
08:23:39.0718 3544 UPS - ok
08:23:39.0718 3544 usbccgp - ok
08:23:39.0718 3544 usbehci - ok
08:23:39.0734 3544 usbhub - ok
08:23:39.0734 3544 usbprint - ok
08:23:39.0734 3544 USBSTOR - ok
08:23:39.0734 3544 usbuhci - ok
08:23:39.0734 3544 VgaSave - ok
08:23:39.0734 3544 viaagp - ok
08:23:39.0734 3544 ViaIde - ok
08:23:39.0734 3544 VolSnap - ok
08:23:39.0734 3544 VSS - ok
08:23:39.0750 3544 w32time - ok
08:23:39.0750 3544 Wanarp - ok
08:23:39.0750 3544 WDICA - ok
08:23:39.0750 3544 wdmaud - ok
08:23:39.0750 3544 WebClient - ok
08:23:39.0750 3544 WinMagic SecureDoc Service - ok
08:23:39.0765 3544 winmgmt - ok
08:23:39.0765 3544 WmdmPmSN - ok
08:23:39.0765 3544 Wmi - ok
08:23:39.0765 3544 WmiApSrv - ok
08:23:39.0765 3544 WMPNetworkSvc - ok
08:23:39.0765 3544 WPFFontCache_v0400 - ok
08:23:39.0781 3544 wscsvc - ok
08:23:39.0781 3544 WSearch - ok
08:23:39.0781 3544 wuauserv - ok
08:23:39.0781 3544 WudfPf - ok
08:23:39.0781 3544 WudfRd - ok
08:23:39.0781 3544 WudfSvc - ok
08:23:39.0781 3544 WZCSVC - ok
08:23:39.0781 3544 xmlprov - ok
08:23:39.0781 3544 ================ Scan global ===============================
08:23:39.0796 3544 [Global] - ok
08:23:39.0796 3544 ================ Scan MBR ==================================
08:23:39.0812 3544 [ E1ED835465E42A176B4910C2CCA1E9A4 ] \Device\Harddisk0\DR0
08:23:39.0812 3544 Suspicious mbr (Forged): \Device\Harddisk0\DR0
08:23:40.0046 3544 \Device\Harddisk0\DR0 - ok
08:23:40.0046 3544 ================ Scan VBR ==================================
08:23:40.0062 3544 [ E22F4FDC9CF7A873F47DD876419BD773 ] \Device\Harddisk0\DR0\Partition1
08:23:40.0062 3544 \Device\Harddisk0\DR0\Partition1 - ok
08:23:40.0062 3544 ============================================================
08:23:40.0062 3544 Scan finished
08:23:40.0062 3544 ============================================================
08:23:40.0062 8140 Detected object count: 0
08:23:40.0062 8140 Actual detected object count: 0
08:25:49.0968 12016 Deinitialize success


Then I ran AdwCleaner again:

# AdwCleaner v2.305 - Logfile created 07/19/2013 at 08:32:13
# Updated 11/07/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Dawn - GINA1
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Dawn\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\END
Folder Found : C:\Documents and Settings\Dawn\Application Data\DSite
Folder Found : C:\Documents and Settings\Gina Dorr\Application Data\adawaretb
Folder Found : C:\Documents and Settings\Gina Dorr\Application Data\blekko
Folder Found : C:\Program Files\Common Files\AVG Secure Search
Folder Found : C:\Program Files\SaveValet

***** [Registry] *****

Key Found : HKCU\Software\Crossrider
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Found : HKCU\Software\SocialBit
Key Found : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Google Chrome v28.0.1500.72

File : C:\Documents and Settings\Gina Dorr\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : C:\Documents and Settings\Dawn\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2076 octets] - [18/07/2013 14:02:12]
AdwCleaner[R2].txt - [2136 octets] - [19/07/2013 08:27:36]
AdwCleaner[R3].txt - [2196 octets] - [19/07/2013 08:29:31]
AdwCleaner[R4].txt - [2256 octets] - [19/07/2013 08:30:56]
AdwCleaner[R5].txt - [2187 octets] - [19/07/2013 08:32:13]

########## EOF - C:\AdwCleaner[R5].txt - [2247 octets] ##########


and after hitting delete and rebooting the computer (Please note that Symantec stopped something I think) Here is the S1 report:

# AdwCleaner v2.305 - Logfile created 07/19/2013 at 08:32:34
# Updated 11/07/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Dawn - GINA1
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Dawn\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\END
Folder Deleted : C:\Documents and Settings\Dawn\Application Data\DSite
Folder Deleted : C:\Documents and Settings\Gina Dorr\Application Data\adawaretb
Folder Deleted : C:\Documents and Settings\Gina Dorr\Application Data\blekko
Folder Deleted : C:\Program Files\Common Files\AVG Secure Search
Folder Deleted : C:\Program Files\SaveValet

***** [Registry] *****

Key Deleted : HKCU\Software\Crossrider
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Deleted : HKCU\Software\SocialBit
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Google Chrome v28.0.1500.72

File : C:\Documents and Settings\Gina Dorr\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : C:\Documents and Settings\Dawn\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2076 octets] - [18/07/2013 14:02:12]
AdwCleaner[R2].txt - [2136 octets] - [19/07/2013 08:27:36]
AdwCleaner[R3].txt - [2196 octets] - [19/07/2013 08:29:31]
AdwCleaner[R4].txt - [2256 octets] - [19/07/2013 08:30:56]
AdwCleaner[R5].txt - [2316 octets] - [19/07/2013 08:32:13]
AdwCleaner[S1].txt - [2275 octets] - [19/07/2013 08:32:34]

########## EOF - C:\AdwCleaner[S1].txt - [2335 octets] ##########

Then I copied what you requested and ran OTL. Here is log:

OTL logfile created on: 7/19/2013 8:42:41 AM - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Dawn\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.24 Gb Total Physical Memory | 2.64 Gb Available Physical Memory | 81.55% Memory free
6.32 Gb Paging File | 5.87 Gb Available in Paging File | 92.86% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.71 Gb Total Space | 318.52 Gb Free Space | 68.39% Space Free | Partition Type: NTFS
Drive S: | 465.72 Gb Total Space | 431.55 Gb Free Space | 92.66% Space Free | Partition Type: NTFS

Computer Name: GINA1 | User Name: Dawn | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/07/19 08:40:33 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dawn\Desktop\OTL (1).exe
PRC - [2013/04/05 03:53:30 | 000,121,600 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\IPROSetMonitor.exe
PRC - [2013/01/11 17:16:44 | 000,530,488 | ---- | M] (Gillware Data Services, LLC) -- C:\Program Files\Gillware Remote Backup\ArchiveService.exe
PRC - [2013/01/02 12:21:37 | 000,161,664 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2010/08/05 20:11:44 | 001,885,488 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Smc.exe
PRC - [2010/08/05 20:05:52 | 001,459,568 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\SmcGui.exe
PRC - [2010/07/01 18:17:24 | 001,832,072 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2010/05/06 18:21:14 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2009/11/27 17:05:30 | 000,641,024 | ---- | M] (WinMagic Inc.) -- C:\Program Files\WinMagic\SecureDoc-NT\SDService.exe
PRC - [2008/10/04 14:58:04 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/11 18:50:16 | 000,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe


========== Modules (No Company Name) ==========

MOD - [2013/01/11 17:16:44 | 000,057,400 | ---- | M] () -- C:\Program Files\Gillware Remote Backup\zlib_gw.dll
MOD - [2013/01/11 17:16:34 | 000,031,800 | ---- | M] () -- C:\Program Files\Gillware Remote Backup\ArchiveTypesPS.dll
MOD - [2009/11/27 17:05:12 | 000,018,432 | ---- | M] () -- C:\WINDOWS\system32\SDXML.dll
MOD - [2009/11/27 17:05:02 | 000,527,360 | ---- | M] () -- C:\WINDOWS\system32\sdck.dll


========== Services (SafeList) ==========

SRV - [2013/07/11 14:46:38 | 000,257,416 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/04/05 03:53:30 | 000,121,600 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\WINDOWS\system32\IPROSetMonitor.exe -- (Intel®
SRV - [2013/01/11 17:16:44 | 000,530,488 | ---- | M] (Gillware Data Services, LLC) [Auto | Running] -- C:\Program Files\Gillware Remote Backup\ArchiveService.exe -- (ArchiveService)
SRV - [2013/01/02 12:21:37 | 000,161,664 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2011/10/31 09:55:49 | 000,013,160 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\615\g2aservice.exe -- (GoToAssist)
SRV - [2010/08/05 20:11:44 | 001,885,488 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Smc.exe -- (SmcService)
SRV - [2010/07/01 18:17:24 | 001,832,072 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2010/07/01 17:24:02 | 000,357,704 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec AntiVirus\SNAC.EXE -- (SNAC)
SRV - [2010/05/06 18:21:14 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2010/05/06 18:21:14 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2010/02/17 11:53:18 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2009/11/27 17:05:30 | 000,641,024 | ---- | M] (WinMagic Inc.) [Auto | Running] -- C:\Program Files\WinMagic\SecureDoc-NT\SDService.exe -- (WinMagic SecureDoc Service)
SRV - [2008/10/04 14:58:04 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_DellSupportCenter)
SRV - [2008/01/11 18:50:16 | 000,030,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\SBREdrv.sys -- (SBRE)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [File_System | Boot | Stopped] -- system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\GINADO~1\LOCALS~1\Temp\_B0E3.tmp\FoxAwdWINFLASH.sys -- (FoxAwdWINFLASH)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2013/06/17 03:00:00 | 001,611,992 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20130718.033\NAVEX15.SYS -- (NAVEX15)
DRV - [2013/06/17 03:00:00 | 000,093,272 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20130718.033\NAVENG.SYS -- (NAVENG)
DRV - [2013/04/05 05:11:04 | 000,031,048 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iqvw32.sys -- (NAL)
DRV - [2012/08/15 03:00:00 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/08/10 03:00:00 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2011/06/02 10:08:34 | 000,011,336 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\SystemRequirementsLab\cpudrv.sys -- (cpudrv)
DRV - [2011/02/21 10:09:38 | 000,125,488 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/03/08 13:59:14 | 000,320,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2010/03/08 13:59:14 | 000,283,184 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP)
DRV - [2010/03/08 13:59:14 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2009/12/18 16:42:12 | 000,421,424 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2009/11/18 16:07:12 | 000,179,200 | ---- | M] (WinMagic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SDDisk2K.sys -- (SDDisk2K)
DRV - [2009/09/28 11:53:00 | 000,020,224 | ---- | M] (WinMagic, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\PinFile.sys -- (PinFile)
DRV - [2009/09/25 15:57:24 | 000,117,120 | ---- | M] (WinMagic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SDDToki.sys -- (SDDToki)
DRV - [2009/09/25 15:57:24 | 000,075,520 | ---- | M] (WinMagic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SDDVD.sys -- (SDDVD)
DRV - [2009/09/03 17:03:48 | 000,188,080 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\symtdi.sys -- (SYMTDI)
DRV - [2009/09/03 17:03:48 | 000,026,416 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\symredrv.sys -- (SYMREDRV)
DRV - [2009/03/05 14:03:34 | 000,016,512 | ---- | M] (WinMagic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SDUPC.sys -- (SDUPC)
DRV - [2007/07/16 20:48:54 | 004,403,712 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1081208
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1081208
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1081208
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1081208
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1081208
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1081208
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-21-866049194-2568044671-1873219407-1011\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1081208
IE - HKU\S-1-5-21-866049194-2568044671-1873219407-1011\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co...html?channel=us
IE - HKU\S-1-5-21-866049194-2568044671-1873219407-1011\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co...html?channel=us
IE - HKU\S-1-5-21-866049194-2568044671-1873219407-1011\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
IE - HKU\S-1-5-21-866049194-2568044671-1873219407-1011\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-866049194-2568044671-1873219407-1011\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-21-866049194-2568044671-1873219407-1011\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKU\S-1-5-21-866049194-2568044671-1873219407-1011\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKU\S-1-5-21-866049194-2568044671-1873219407-1011\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}sugkey={google:suggestAPIKeyParameter},
CHR - homepage: http://www.excite.com/
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\28.0.1500.72\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\28.0.1500.72\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\28.0.1500.72\gcswf32.dll
CHR - plugin: Wajam (Enabled) = C:\Documents and Settings\Dawn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp\1.24_0\plugins/PriamNPAPI.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 7.0.0.147 (Enabled) = C:\Program Files\Java\jre7\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 7 (Enabled) = C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Documents and Settings\Dawn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\
CHR - Extension: Google Search = C:\Documents and Settings\Dawn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\
CHR - Extension: Gmail = C:\Documents and Settings\Dawn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2004/08/04 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKU\S-1-5-21-866049194-2568044671-1873219407-1011\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-866049194-2568044671-1873219407-1011\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {123FE8C9-0BDC-4946-A854-DDBA7398CF64} https://www.fts.newy...ftwebupdate.cab (Reg Error: Key error.)
O16 - DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} Reg Error: Key error. (ERPageAddin Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0)
O16 - DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F4D662B4-C5C2-4337-8824-C04913A6029F}: DhcpNameServer = 10.0.0.1
O18 - Protocol\Handler\sds {79E0F14C-9C52-4218-89A7-7C4B0563D121} - C:\Program Files\SHARP\Sharpdesk\ExplorerExtensions.dll (SHARP CORPORATION)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (SDocGina.dll) - C:\WINDOWS\System32\SDocGina.dll (Winmagic Inc.)
O20 - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files\Citrix\GoToAssist\615\G2AWinLogon.dll) - C:\Program Files\Citrix\GoToAssist\615\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\dell.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\dell.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 18:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{a0ca232a-9564-11e2-a5b9-00219b06268b}\Shell - "" = AutoRun
O33 - MountPoints2\{a0ca232a-9564-11e2-a5b9-00219b06268b}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a0ca232a-9564-11e2-a5b9-00219b06268b}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2013/07/19 08:40:32 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dawn\Desktop\OTL (1).exe
[2013/07/19 08:21:52 | 002,237,968 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Dawn\Desktop\tdsskiller.exe
[2013/07/19 03:00:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MRT
[2013/07/18 14:04:08 | 004,745,728 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Dawn\Desktop\aswMBR.exe
[2013/07/18 13:51:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dawn\Desktop\RK_Quarantine
[2013/07/18 11:01:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome
[2013/07/18 08:36:07 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Dawn\Recent
[2013/07/17 13:43:29 | 000,000,000 | ---D | C] -- C:\Program Files\SystemRequirementsLab
[2013/07/17 13:43:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dawn\Application Data\SystemRequirementsLab
[2013/07/17 11:32:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dawn\Local Settings\Application Data\Deployment
[2013/07/17 11:32:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\QuickTime
[2013/07/17 11:31:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2013/07/17 11:30:45 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2013/07/17 08:10:18 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2013/07/16 13:16:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dawn\My Documents\temp

========== Files - Modified Within 30 Days ==========

[2013/07/19 08:40:33 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dawn\Desktop\OTL (1).exe
[2013/07/19 08:35:32 | 000,001,864 | ---- | M] () -- C:\Documents and Settings\Dawn\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2013/07/19 08:35:30 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/07/19 08:35:29 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/07/19 08:35:12 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/07/19 08:35:09 | 3478,274,048 | -HS- | M] () -- C:\hiberfil.sys
[2013/07/19 08:21:58 | 002,237,968 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Dawn\Desktop\tdsskiller.exe
[2013/07/19 08:05:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/07/19 07:34:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/07/19 02:00:00 | 000,000,390 | ---- | M] () -- C:\WINDOWS\tasks\Gillware Remote Backup - DefaultCritical.job
[2013/07/18 18:30:00 | 000,000,382 | ---- | M] () -- C:\WINDOWS\tasks\Gillware Remote Backup - DefaultHigh.job
[2013/07/18 18:15:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\Gillware Remote Backup - DefaultMedium.job
[2013/07/18 15:13:00 | 000,000,308 | ---- | M] () -- C:\WINDOWS\tasks\Gillware Remote Backup - Remote Backup Updater.job
[2013/07/18 15:04:02 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\Gillware Remote Backup - Upload Event Log.job
[2013/07/18 14:05:42 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Dawn\Desktop\MBR.dat
[2013/07/18 14:04:22 | 004,745,728 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Dawn\Desktop\aswMBR.exe
[2013/07/18 14:01:42 | 000,662,345 | ---- | M] () -- C:\Documents and Settings\Dawn\Desktop\adwcleaner.exe
[2013/07/18 13:51:01 | 000,915,968 | ---- | M] () -- C:\Documents and Settings\Dawn\Desktop\RogueKiller (1).exe
[2013/07/18 11:01:15 | 000,001,846 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2013/07/18 10:50:53 | 000,005,032 | ---- | M] () -- C:\WINDOWS\wcds.ini
[2013/07/18 10:35:44 | 000,000,105 | ---- | M] () -- C:\prefs.js
[2013/07/18 10:28:56 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2013/07/18 08:29:02 | 000,000,817 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/07/17 14:55:00 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2013/07/17 08:10:40 | 000,001,637 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2013/07/16 18:49:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2013/07/16 18:45:03 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\Gillware Remote Backup - DefaultLow.job
[2013/07/16 07:24:28 | 000,040,448 | ---- | M] () -- C:\Documents and Settings\Dawn\ganukdyxypyx.exe
[2013/07/15 23:04:03 | 000,000,272 | ---- | M] () -- C:\WINDOWS\tasks\Gillware Remote Backup - Audit.job
[2013/07/12 09:28:24 | 000,002,483 | ---- | M] () -- C:\Documents and Settings\Dawn\Desktop\Microsoft Office PowerPoint 2007.lnk
[2013/07/11 16:15:44 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\TempWmicBatchFile.bat
[2013/07/11 14:46:33 | 000,692,104 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013/07/11 14:46:32 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2013/07/11 07:54:37 | 000,269,392 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/07/10 16:55:05 | 000,599,624 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/07/10 16:55:05 | 000,121,790 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/07/10 14:57:02 | 000,000,833 | ---- | M] () -- C:\Documents and Settings\Dawn\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2013/07/10 14:57:02 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Dawn\Desktop\Windows Media Player.lnk

========== Files Created - No Company Name ==========

[2013/07/18 14:05:42 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Dawn\Desktop\MBR.dat
[2013/07/18 14:01:40 | 000,662,345 | ---- | C] () -- C:\Documents and Settings\Dawn\Desktop\adwcleaner.exe
[2013/07/18 13:51:00 | 000,915,968 | ---- | C] () -- C:\Documents and Settings\Dawn\Desktop\RogueKiller (1).exe
[2013/07/18 11:01:15 | 000,001,846 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2013/07/18 11:00:16 | 000,000,882 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/07/18 11:00:15 | 000,000,878 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/07/18 10:35:44 | 000,000,105 | ---- | C] () -- C:\prefs.js
[2013/07/17 13:46:34 | 000,001,904 | ---- | C] () -- C:\WINDOWS\System32\SetupBD.din
[2013/07/17 08:10:40 | 000,001,637 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2013/07/16 07:24:54 | 000,040,448 | ---- | C] () -- C:\Documents and Settings\Dawn\ganukdyxypyx.exe
[2013/07/10 14:57:02 | 000,000,833 | ---- | C] () -- C:\Documents and Settings\Dawn\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2013/04/03 12:52:36 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\Dawn\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2013/03/27 08:01:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\BackupServiceFormView.INI
[2013/03/25 08:59:52 | 000,000,120 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2012/10/10 12:17:07 | 000,000,027 | ---- | C] () -- C:\WINDOWS\FTSL.INI
[2012/02/15 19:05:04 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/09/22 16:28:01 | 000,000,049 | ---- | C] () -- C:\WINDOWS\entpack.ini
[2011/09/15 12:52:11 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/02/06 11:56:26 | 000,000,278 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc

========== ZeroAccess Check ==========

[2004/08/11 18:21:56 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 19:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 07:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/13 19:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2009/01/21 15:10:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\New York Life
[2013/06/04 12:13:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG SafeGuard toolbar
[2009/03/10 17:00:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2013/06/04 12:12:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2012/07/11 07:57:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GFI Software
[2009/01/21 15:10:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\New York Life
[2008/12/07 22:58:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC-Doctor
[2008/12/07 22:58:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCDr
[2013/02/13 13:39:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RICOH
[2010/01/14 12:24:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sharp
[2010/01/14 12:29:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sharpdesk
[2008/12/07 22:58:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2008/12/07 22:55:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall
[2010/09/21 12:04:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2013/06/04 12:13:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dawn\Application Data\AVG SafeGuard toolbar
[2013/07/16 07:58:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dawn\Application Data\Enpiqu
[2009/01/21 15:10:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dawn\Application Data\New York Life
[2013/07/17 13:43:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dawn\Application Data\SystemRequirementsLab
[2013/04/01 11:16:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dawn\Application Data\Windows Search
[2009/01/21 15:10:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\New York Life
[2012/07/06 07:59:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gina Dorr\Application Data\Ad-Aware Antivirus
[2011/12/08 11:27:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gina Dorr\Application Data\Catalina Marketing Corp
[2009/02/17 14:57:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gina Dorr\Application Data\Centra
[2009/07/31 11:31:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gina Dorr\Application Data\eRoom
[2009/01/21 15:10:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gina Dorr\Application Data\New York Life
[2010/10/08 09:56:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gina Dorr\Application Data\Saba
[2009/01/22 16:18:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gina Dorr\Application Data\Sharpdesk
[2009/01/21 13:08:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gina Dorr\Application Data\Windows Desktop Search
[2009/01/21 13:09:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gina Dorr\Application Data\Windows Search
[2012/06/04 09:14:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Ad-Aware Antivirus
[2009/01/21 15:10:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\New York Life
[2009/01/21 15:10:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\New York Life

========== Purity Check ==========



========== Custom Scans ==========

========== Base Services ==========
SRV - [2008/04/13 19:12:12 | 000,044,544 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\alg.exe -- (ALG)
SRV - [2008/04/13 19:12:11 | 000,006,656 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wuauserv.dll -- (wuauserv)
SRV - [2008/04/13 19:12:03 | 000,409,088 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\qmgr.dll -- (BITS)
SRV - [2012/07/06 08:58:51 | 000,078,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\browser.dll -- (Browser)
SRV - [2008/04/13 19:11:51 | 000,062,464 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\cryptsvc.dll -- (CryptSvc)
SRV - [2008/04/13 19:11:51 | 000,126,976 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dhcpcsvc.dll -- (Dhcp)
SRV - [2009/04/20 12:17:26 | 000,045,568 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dnsrslvr.dll -- (Dnscache)
SRV - [2009/02/06 06:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\services.exe -- (Eventlog)
SRV - [2008/04/13 19:11:52 | 000,033,792 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\eapsvc.dll -- (EapHost)
SRV - [2009/07/27 18:17:41 | 000,135,168 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\shsvcs.dll -- (FastUserSwitchingCompatibility)
SRV - [2008/04/13 19:12:08 | 000,015,872 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\w3ssl.dll -- (HTTPFilter)
SRV - [2008/04/13 19:11:54 | 000,021,504 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\hidserv.dll -- (HidServ)
SRV - [2008/04/13 19:12:22 | 000,150,528 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\imapi.exe -- (ImapiService)
SRV - [2008/04/13 19:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (PolicyAgent)
SRV - [2008/04/13 19:11:52 | 000,023,552 | ---- | M] (Microsoft Corp.) [Auto | Running] -- C:\WINDOWS\system32\dmserver.dll -- (dmserver)
SRV - [2008/04/13 19:12:17 | 000,224,768 | ---- | M] (Microsoft Corp., Veritas Software) [On_Demand | Stopped] -- C:\WINDOWS\System32\dmadmin.exe -- (dmadmin)
SRV - [2008/04/13 19:12:17 | 000,005,120 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\dllhost.exe -- (SwPrv)
SRV - [2008/04/13 19:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\lsass.exe -- (Netlogon)
SRV - [2008/04/13 19:12:01 | 000,198,144 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\netman.dll -- (Netman)
SRV - [2008/06/20 11:02:47 | 000,245,248 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\mswsock.dll -- (Nla)
SRV - [2009/02/06 06:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\services.exe -- (PlugPlay)
SRV - [2010/08/17 08:17:06 | 000,058,880 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\spoolsv.exe -- (Spooler)
SRV - [2008/04/13 19:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (ProtectedStorage)
SRV - [2008/04/13 19:12:03 | 000,088,576 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rasauto.dll -- (RasAuto)
SRV - [2008/04/13 19:12:03 | 000,186,368 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\rasmans.dll -- (RasMan)
SRV - [2009/02/09 07:10:48 | 000,401,408 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\rpcss.dll -- (RpcSs)
SRV - [2008/04/13 19:12:02 | 000,435,200 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ntmssvc.dll -- (NtmsSvc)
SRV - [2008/04/13 19:12:05 | 000,018,944 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\seclogon.dll -- (seclogon)
SRV - [2008/04/13 19:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (SamSs)
SRV - [2008/04/13 19:12:10 | 000,080,896 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wscsvc.dll -- (wscsvc)
SRV - [2010/08/27 00:57:43 | 000,099,840 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\srvsvc.dll -- (lanmanserver)
SRV - [2009/07/27 18:17:41 | 000,135,168 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\shsvcs.dll -- (ShellHWDetection)
SRV - [2008/04/13 19:12:07 | 000,171,008 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\srsvc.dll -- (srservice)
SRV - [2008/04/13 19:12:05 | 000,192,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\schedsvc.dll -- (Schedule)
SRV - [2008/04/13 19:11:56 | 000,013,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lmhsvc.dll -- (LmHosts)
SRV - [2008/04/13 19:12:07 | 000,249,856 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\tapisrv.dll -- (TapiSrv)
SRV - [2008/04/13 19:12:07 | 000,295,424 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\termsrv.dll -- (TermService)
SRV - [2009/07/27 18:17:41 | 000,135,168 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\shsvcs.dll -- (Themes)
SRV - [2008/04/13 19:12:38 | 000,289,792 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\vssvc.exe -- (VSS)
SRV - [2008/04/13 19:11:50 | 000,042,496 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\audiosrv.dll -- (AudioSrv)
SRV - [2008/04/13 19:11:55 | 000,331,264 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ipnathlp.dll -- (SharedAccess)
SRV - [2008/04/13 19:12:08 | 000,333,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\wiaservc.dll -- (stisvc)
SRV - [2008/04/13 19:12:28 | 000,078,848 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\System32\msiexec.exe -- (MSIServer)
SRV - [2008/04/13 19:12:09 | 000,144,896 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wbem\wmisvc.dll -- (winmgmt)
SRV - [2009/02/09 07:10:48 | 000,617,472 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\advapi32.dll -- (Wmi)
SRV - [2008/04/13 19:11:52 | 000,132,096 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\dot3svc.dll -- (Dot3svc)
SRV - [2008/04/13 19:12:11 | 000,483,840 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wzcsvc.dll -- (WZCSVC)
SRV - [2009/06/10 01:14:49 | 000,132,096 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wkssvc.dll -- (lanmanworkstation)

< %SYSTEMDRIVE%\*.exe >
[1999/06/25 10:55:30 | 000,149,504 | ---- | M] () -- C:\UNWISE.EXE
[2009/07/17 12:15:13 | 004,523,520 | ---- | M] () -- C:\WDSync_v7_1_020.exe

< MD5 for: EXPLORER.EXE >
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2007/06/13 06:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\i386\explorer.exe
[2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
[2004/08/04 01:56:50 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\SoftwareDistribution\Download\2bc0b3c55e0c166e04844934d1c7c342\backup\explorer.exe

< MD5 for: REGEDIT.EXE >
[2008/04/13 19:12:32 | 000,146,432 | ---- | M] (Microsoft Corporation) MD5=058710B720282CA82B909912D3EF28DB -- C:\WINDOWS\regedit.exe
[2008/04/13 19:12:32 | 000,146,432 | ---- | M] (Microsoft Corporation) MD5=058710B720282CA82B909912D3EF28DB -- C:\WINDOWS\regedit.exe
[2008/04/13 19:12:32 | 000,146,432 | ---- | M] (Microsoft Corporation) MD5=058710B720282CA82B909912D3EF28DB -- C:\WINDOWS\ServicePackFiles\i386\regedit.exe
[2008/04/13 19:12:32 | 000,146,432 | ---- | M] (Microsoft Corporation) MD5=058710B720282CA82B909912D3EF28DB -- C:\WINDOWS\ServicePackFiles\i386\regedit.exe
[2004/08/04 06:00:00 | 000,146,432 | ---- | M] (Microsoft Corporation) MD5=783AFC80383C176B22DBF8333343992D -- C:\i386\REGEDIT.EXE
[2004/08/04 06:00:00 | 000,146,432 | ---- | M] (Microsoft Corporation) MD5=783AFC80383C176B22DBF8333343992D -- C:\i386\REGEDIT.EXE
[2004/08/04 06:00:00 | 000,146,432 | ---- | M] (Microsoft Corporation) MD5=783AFC80383C176B22DBF8333343992D -- C:\WINDOWS\$NtServicePackUninstall$\regedit.exe
[2004/08/04 06:00:00 | 000,146,432 | ---- | M] (Microsoft Corporation) MD5=783AFC80383C176B22DBF8333343992D -- C:\WINDOWS\$NtServicePackUninstall$\regedit.exe
[2004/08/04 06:00:00 | 000,146,432 | ---- | M] (Microsoft Corporation) MD5=783AFC80383C176B22DBF8333343992D -- C:\WINDOWS\SoftwareDistribution\Download\2bc0b3c55e0c166e04844934d1c7c342\backup\regedit.exe
[2004/08/04 06:00:00 | 000,146,432 | ---- | M] (Microsoft Corporation) MD5=783AFC80383C176B22DBF8333343992D -- C:\WINDOWS\SoftwareDistribution\Download\2bc0b3c55e0c166e04844934d1c7c342\backup\regedit.exe

< MD5 for: SERVICES >
[2004/08/04 06:00:00 | 000,007,116 | ---- | M] () MD5=95826940E657FE0567A8EC0F2A6AD11A -- C:\i386\services
[2004/08/04 06:00:00 | 000,007,116 | ---- | M] () MD5=95826940E657FE0567A8EC0F2A6AD11A -- C:\WINDOWS\system32\drivers\etc\services

< MD5 for: SERVICES.CFG >
[2013/05/10 02:57:30 | 000,558,879 | ---- | M] () MD5=3679F8D3253DC110D1D8F2AE115EE00C -- C:\Program Files\Adobe\Reader 10.0\Reader\Services\Services.cfg
[2011/06/06 12:55:30 | 000,584,045 | R--- | M] () MD5=B82DD53FA8C260DDD7FDC42182DB816E -- C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\services.cfg

< MD5 for: SERVICES.CSS >
[2011/09/16 19:47:38 | 000,000,093 | ---- | M] () MD5=F15FB82C578490B209442B8C1D5076CC -- C:\Documents and Settings\All Users\Application Data\Intuit\Quicken\Inet\Common\Localweb\Services\Services.css
[2011/09/16 19:47:38 | 000,000,093 | ---- | M] () MD5=F15FB82C578490B209442B8C1D5076CC -- C:\Documents and Settings\Dawn May 2012 Restore\Documents and Settings\All Users\Application Data\Intuit\Quicken\Inet\Common\Localweb\Services\Services.css

< MD5 for: SERVICES.EXE >
[2009/02/06 06:06:24 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=020CEAAEDC8EB655B6506B8C70D53BB6 -- C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe
[2008/04/13 19:12:34 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINDOWS\ServicePackFiles\i386\services.exe
[2009/02/06 05:22:21 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=4712531AB7A01B7EE059853CA17D39BD -- C:\WINDOWS\$NtServicePackUninstall$\services.exe
[2009/02/06 06:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\$hf_mig$\KB956572\SP3GDR\services.exe
[2009/02/06 06:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\dllcache\services.exe
[2009/02/06 06:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\services.exe
[2004/08/04 06:00:00 | 000,108,032 | ---- | M] (Microsoft Corporation) MD5=C6CE6EEC82F187615D1002BB3BB50ED4 -- C:\i386\services.exe
[2004/08/04 06:00:00 | 000,108,032 | ---- | M] (Microsoft Corporation) MD5=C6CE6EEC82F187615D1002BB3BB50ED4 -- C:\WINDOWS\SoftwareDistribution\Download\2bc0b3c55e0c166e04844934d1c7c342\backup\services.exe

< MD5 for: SERVICES.INI >
[2011/09/16 19:47:38 | 000,000,012 | ---- | M] () MD5=810C4D394B59FF7116A0CD6052286C41 -- C:\Documents and Settings\All Users\Application Data\Intuit\Quicken\Inet\Common\Localweb\Services\Services.ini
[2011/09/16 19:47:38 | 000,000,012 | ---- | M] () MD5=810C4D394B59FF7116A0CD6052286C41 -- C:\Documents and Settings\Dawn May 2012 Restore\Documents and Settings\All Users\Application Data\Intuit\Quicken\Inet\Common\Localweb\Services\Services.ini

< MD5 for: SERVICES.LNK >
[2009/04/02 18:15:46 | 000,001,602 | ---- | M] () MD5=53C6322711BF72BA10A1FAD83567C3AF -- C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Services.lnk
[2004/08/11 18:15:06 | 000,001,506 | ---- | M] () MD5=C04255E822F6017251E30CE1481EB38E -- C:\Documents and Settings\Dawn May 2012 Restore\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Services.lnk

< MD5 for: SERVICES.MOCHIADS.COM.SOL >
[2012/01/13 14:29:04 | 000,000,351 | ---- | M] () MD5=4DF5734FFC8C89FB609F70719934A943 -- C:\Documents and Settings\Dawn May 2012 Restore\My Documents\Application Data\Macromedia\Flash Player\#SharedObjects\7HY3SE2W\mochiads.com\services.mochiads.com.sol

< MD5 for: SERVICES.MSC >
[2004/08/04 06:00:00 | 000,033,464 | ---- | M] () MD5=E8089AA2A6F7FEE89B38C1F2D77BA6C6 -- C:\i386\services.msc
[2004/08/04 06:00:00 | 000,033,464 | ---- | M] () MD5=E8089AA2A6F7FEE89B38C1F2D77BA6C6 -- C:\WINDOWS\system32\services.msc

< MD5 for: SVCHOST.EXE >
[2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe
[2004/08/04 06:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\i386\svchost.exe
[2004/08/04 06:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
[2004/08/04 06:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\SoftwareDistribution\Download\2bc0b3c55e0c166e04844934d1c7c342\backup\svchost.exe
[2013/04/04 14:50:32 | 000,218,184 | ---- | M] () MD5=B4C6E3889BB310CA7E974A04EC6E46AC -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe

< MD5 for: USERINIT.EXE >
[2004/08/04 06:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\i386\userinit.exe
[2004/08/04 06:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2004/08/04 06:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\SoftwareDistribution\Download\2bc0b3c55e0c166e04844934d1c7c342\backup\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2011/11/15 13:28:33 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2004/08/04 06:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\i386\winlogon.exe
[2004/08/04 06:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2004/08/04 06:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\SoftwareDistribution\Download\2bc0b3c55e0c166e04844934d1c7c342\backup\winlogon.exe
[2013/04/04 14:50:32 | 000,218,184 | ---- | M] () MD5=B4C6E3889BB310CA7E974A04EC6E46AC -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< MD5 for: WINSOCK.DLL >
[2004/08/04 06:00:00 | 000,002,864 | ---- | M] (Microsoft Corporation) MD5=68485C5EF0E2EFCEBF21BBB1042B823B -- C:\i386\winsock.dll
[2004/08/04 06:00:00 | 000,002,864 | ---- | M] (Microsoft Corporation) MD5=68485C5EF0E2EFCEBF21BBB1042B823B -- C:\WINDOWS\system32\winsock.dll

< dir "%systemdrive%\*" /S /A:L /C >
Volume in drive C has no label.
Volume Serial Number is A42C-9027
Directory of C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices
07/10/2013 04:48 PM <JUNCTION> 2.0.0.0__b03f5f7f11d50a3a
0 File(s) 0 bytes
Directory of C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote
07/10/2013 04:48 PM <JUNCTION> 2.0.0.0__b03f5f7f11d50a3a
0 File(s) 0 bytes
Directory of C:\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices
07/10/2013 04:55 PM <JUNCTION> v4.0_4.0.0.0__b03f5f7f11d50a3a
0 File(s) 0 bytes
Directory of C:\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler
01/12/2013 04:21 AM <JUNCTION> v4.0_4.0.0.0__31bf3856ad364e35
0 File(s) 0 bytes
Total Files Listed:
0 File(s) 0 bytes
4 Dir(s) 341,965,529,088 bytes free

========== Drive Information ==========

Physical Drives
---------------

Drive: \\\\.\\PHYSICALDRIVE0 - Fixed\thard disk media
Interface type: IDE
Media Type: Fixed\thard disk media
Model: ST3500620AS
Partitions: 2
Status: OK
Status Info: 0

Partitions
---------------

DeviceID: Disk #0, Partition #0
PartitionType: Unknown
Bootable: False
BootPartition: False
PrimaryPartition: True
Size: 47.00MB
Starting Offset: 32256
Hidden sectors: 0


DeviceID: Disk #0, Partition #1
PartitionType: Installable File System
Bootable: True
BootPartition: True
PrimaryPartition: True
Size: 466.00GB
Starting Offset: 49351680
Hidden sectors: 0


< type c:\diskreport.txt /c >
Microsoft DiskPart version 5.1.3565
Copyright © 1999-2003 Microsoft Corporation.
On computer: GINA1
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
Volume 0 D DVD-ROM 0 B
Volume 1 C NTFS Partition 466 GB Healthy System

< End of report >

I think I did everything you asked...and it appears to be running better. I connected it to the internet yesterday and the provider sent me an email this morning telling me it appeared to be running fine - no spam being sent.

Let me know if there is anything else you want me to do.

Thanks!
Roxie

[godawgs]

Hello Roxie,

You sent the Scan log and ShortcutsHJFix log from RogueKiller, but not the Removal log. That log will have this in the log header:

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Dawn [Admin rights]
Mode : Removal -- Date : 07/19/2013 08:19:32

And the file name on the desktop will be RKreport[0]_D_07192013_081939.txt

TDSSKiller didn't find anything definitive but it along with aswMBR and RogueKiller are seeing a suspicious MBR so let's check that out further.


Step-1.

Download MBAR to your desktop

• Unzip the MBAR folder to your desktop
• Open the Folder and double click MBAR
  
• At the first screen select Next
  
  
• Update the tool by clicking the Update button
  
  
• On completion of the Update press Next
• Then press the Scan button ensuring that the boxes as shown are ticked
  
  
• On completion of the scan click Exit
  
  
• Two logs will be generated within the MBAR folder could you post both MBAR log and System log

Run ComboFix
***Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.***

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications before downloading ComboFix. This is usually done via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

Download ComboFix from one of the following locations:

Link 1
Link 2

• Double click on ComboFix.exe & follow the prompts.
• Accept the disclaimer and allow to update if it asks
• Also allow the installation of the recovery console (XP only)
  
  
  
  
  
• When finished, it shall produce a log for you.
• Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
3. If you recieve an error "Illegal operation attempted on a registry key that has been marked for deletion". Please restart the computer. That will cure it.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use. ComboFix Should Not be used unless requested by a forum helper
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
Don't forget to reenable your Anti-Virus


Step-3.

Things For Your Next Post:
Please post the logs in the order requested. Do Not attach the logs unless I request it.
1. The RKreport[0]_D_07192013_081939.txt log
2. The two logs from MBAR
3. The ComboFix.txt log

[Racingal60]

I hope this is the right one:

RogueKiller V8.6.3 [Jul 17 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.co...es/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Dawn [Admin rights]
Mode : Remove -- Date : 07/19/2013 08:19:39
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : ganukdyxypyx (C:\Documents and Settings\Dawn\ganukdyxypyx.exe [-]) -> DELETED
[RUN][SUSP PATH] HKUS\S-1-5-21-866049194-2568044671-1873219407-1011\[...]\Run : ganukdyxypyx (C:\Documents and Settings\Dawn\ganukdyxypyx.exe [-]) -> [0x2] The system cannot find the file specified.
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[BROK VAL] HKCR\[...]\command : () -> CREATED ("%1" %*)

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V1][SUSP PATH] At1.job : C:\DOCUME~1\Dawn\APPLIC~1\DSite\UPDATE~1\UPDATE~1.EXE - /Check [x] -> DELETED

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[12] : NtAlertResumeThread @ 0x805D4C0C -> HOOKED (Unknown @ 0x8AFF9B30)
[Address] SSDT[13] : NtAlertThread @ 0x805D4BBC -> HOOKED (Unknown @ 0x8A81EE08)
[Address] SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AEE -> HOOKED (Unknown @ 0x8A8242D8)
[Address] SSDT[31] : NtConnectPort @ 0x805A4604 -> HOOKED (Unknown @ 0x8B0C99A8)
[Address] SSDT[43] : NtCreateMutant @ 0x80617822 -> HOOKED (Unknown @ 0x8A620178)
[Address] SSDT[53] : NtCreateThread @ 0x805D1068 -> HOOKED (Unknown @ 0x8AD99FB0)
[Address] SSDT[83] : NtFreeVirtualMemory @ 0x805B2FE6 -> HOOKED (Unknown @ 0x8A82FB60)
[Address] SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9362 -> HOOKED (Unknown @ 0x8B0D6788)
[Address] SSDT[91] : NtImpersonateThread @ 0x805D7890 -> HOOKED (Unknown @ 0x8ADDF8B0)
[Address] SSDT[108] : NtMapViewOfSection @ 0x805B206E -> HOOKED (Unknown @ 0x8A605278)
[Address] SSDT[114] : NtOpenEvent @ 0x8060F1E0 -> HOOKED (Unknown @ 0x8B182CF0)
[Address] SSDT[123] : NtOpenProcessToken @ 0x805EE030 -> HOOKED (Unknown @ 0x8ADB20A8)
[Address] SSDT[129] : NtOpenThreadToken @ 0x805EE04E -> HOOKED (Unknown @ 0x8A6811E0)
[Address] SSDT[206] : NtResumeThread @ 0x805D4A48 -> HOOKED (Unknown @ 0x8ADEB500)
[Address] SSDT[213] : NtSetContextThread @ 0x805D2C4A -> HOOKED (Unknown @ 0x8AFFFBB0)
[Address] SSDT[228] : NtSetInformationProcess @ 0x805CDED0 -> HOOKED (Unknown @ 0x8AAC6328)
[Address] SSDT[229] : NtSetInformationThread @ 0x805CC154 -> HOOKED (Unknown @ 0x8A678280)
[Address] SSDT[253] : NtSuspendProcess @ 0x805D4B10 -> HOOKED (Unknown @ 0x8A82EBD8)
[Address] SSDT[254] : NtSuspendThread @ 0x805D4982 -> HOOKED (Unknown @ 0x8B09DD90)
[Address] SSDT[257] : NtTerminateProcess @ 0x805D2308 -> HOOKED (Unknown @ 0x8B0D2050)
[Address] SSDT[258] : NtTerminateThread @ 0x805D2502 -> HOOKED (Unknown @ 0x8B06BA18)
[Address] SSDT[267] : NtUnmapViewOfSection @ 0x805B2E7C -> HOOKED (Unknown @ 0x8ADFF0A8)
[Address] SSDT[277] : NtWriteVirtualMemory @ 0x805B4400 -> HOOKED (Unknown @ 0x8A8972D8)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3500620AS +++++

[Racingal60]

You don't want me to "Clean Up" correct? Just exit after running the MalwareBytes Anti-Root Kit and then post the log right?

[Racingal60]

MBAR Log:

Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org

Database version: v2013.07.19.09

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Dawn :: GINA1 [administrator]

7/19/2013 2:24:14 PM
mbar-log-2013-07-19 (14-24-14).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 282236
Time elapsed: 30 minute(s), 24 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\CROSSRIDER (Adware.GamePlayLab) -> No action taken.

Registry Values Detected: 2
HKCU\SOFTWARE\CROSSRIDER|215AppVerifier (Adware.GamePlayLab) -> Data: 10b353c30fde4622c91fe03c56a19c82 -> No action taken.
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Regedit32 (Trojan.Agent) -> Data: C:\WINDOWS\system32\regedit.exe -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
c:\documents and settings\dawn\ganukdyxypyx.exe (Trojan.Agent.ED) -> No action taken.

Physical Sectors Detected: 0
(No malicious items detected)

(end)


System Log:

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1004

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.394000 GHz
Memory total: 3478200320, free: 2713812992

Downloaded database version: v2013.07.19.09
Downloaded database version: v2013.07.15.01
Initializing...
------------ Kernel report ------------
07/19/2013 14:24:06
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
SDUPC.sys
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
PartMgr.sys
SDDToki.sys
VolSnap.sys
atapi.sys
iaStor.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
PinFile.sys
sr.sys
SDDisk2K.sys
SDDVD.sys
PxHelp20.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
Mup.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\igxpmp32.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\e1e5132.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\RtkHDAud.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\System32\Drivers\i2omgmt.SYS
\SystemRoot\System32\Drivers\SRTSP.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\usbprint.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20130718.033\NAVEX15.SYS
\??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20130718.033\NAVENG.SYS
\SystemRoot\System32\Drivers\SRTSPX.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\System32\Drivers\SYMTDI.SYS
\SystemRoot\system32\DRIVERS\ipnat.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\igxpgd32.dll
\SystemRoot\System32\igxprd32.dll
\SystemRoot\System32\igxpdv32.DLL
\SystemRoot\System32\igxpdx32.DLL
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\mrxdav.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\System32\Drivers\HTTP.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8b169ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\
Lower Device Object: 0xffffffff8b17ad98
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8b169ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8b16d9b8, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8b179be0, DeviceName: Unknown, DriverName: \Driver\SDDisk2K\
DevicePointer: 0xffffffff8b169ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8b16ff18, DeviceName: \Device\00000070\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8b17ad98, DeviceName: \Device\Ide\IdeDeviceP0T0L0-3\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: Unknown, DriverName: \Driver\SDDisk2K\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
Failed to get NTFS Boot Sector
SectorSize = 40093, ClusterSize = 37047, MFTRecordSize = 0, MFTIndexSize = 0 bytes
Can't access volume using primary device, the volume might be encrypted.
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Alternate device has been used.
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
Failed to get NTFS Boot Sector
SectorSize = 40093, ClusterSize = 37047, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
Failed to get NTFS Boot Sector
SectorSize = 40093, ClusterSize = 37047, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Can't access volume using primary device, the volume might be encrypted.
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Alternate device has been used.
Scanning drivers directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
Failed to get NTFS Boot Sector
SectorSize = 40093, ClusterSize = 37047, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
Failed to get NTFS Boot Sector
SectorSize = 40093, ClusterSize = 37047, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Can't access volume using primary device, the volume might be encrypted.
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Alternate device has been used.
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 41AB2316

Partition information:

Partition 0 type is Other (0xde)
Partition is NOT ACTIVE.
Partition starts at LBA: 63 Numsec = 96327

Partition 1 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 96390 Numsec = 976671675
Partition file system is NTFS
Partition is bootable

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-976753168-976773168)...
Done!
Infected: c:\documents and settings\dawn\ganukdyxypyx.exe --> [Trojan.Agent.ED]
Infected: HKCU\SOFTWARE\CROSSRIDER|215AppVerifier --> [Adware.GamePlayLab]
Infected: HKCU\SOFTWARE\CROSSRIDER --> [Adware.GamePlayLab]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Regedit32 --> [Trojan.Agent]
Scan finished
=======================================


Removal queue found; removal started
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_0_i.mbam...
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\bootstrap_0_1_96390_i.mbam...
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_0_r.mbam...
Removal finished


ComboFix Log:

ComboFix 13-07-18.04 - Dawn 07/19/2013 15:18:01.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3317.2665 [GMT -5:00]
Running from: c:\documents and settings\Dawn\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Gina Dorr\GoToAssistDownloadHelper.exe
c:\documents and settings\Gina Dorr\WINDOWS
C:\prefs.js
c:\windows\system\regsvr.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-06-19 to 2013-07-19 )))))))))))))))))))))))))))))))
.
.
2013-07-19 19:24 . 2013-07-19 19:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-07-19 19:23 . 2013-07-19 19:23 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-07-19 19:11 . 2013-07-19 19:11 -------- d-----w- c:\documents and settings\Dawn\Local Settings\Application Data\CRE
2013-07-19 19:11 . 2013-07-19 19:11 -------- d-----w- c:\program files\Conduit
2013-07-19 19:11 . 2013-07-19 19:17 -------- d-----w- c:\documents and settings\Dawn\Local Settings\Application Data\Conduit
2013-07-19 19:11 . 2013-07-19 19:11 -------- d-----w- c:\documents and settings\Dawn\Application Data\SwvUpdater
2013-07-19 08:00 . 2013-07-19 08:03 -------- d-----w- c:\windows\system32\MRT
2013-07-17 18:43 . 2013-07-17 18:43 -------- d-----w- c:\program files\SystemRequirementsLab
2013-07-17 18:43 . 2013-07-17 18:43 -------- d-----w- c:\documents and settings\Dawn\Application Data\SystemRequirementsLab
2013-07-17 16:32 . 2013-07-18 16:00 -------- d-----w- c:\documents and settings\Dawn\Local Settings\Application Data\Deployment
2013-07-17 16:31 . 2013-07-17 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2013-07-17 13:11 . 2013-07-17 13:11 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2013-07-17 13:11 . 2013-07-17 13:10 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2013-07-17 13:11 . 2013-07-17 13:10 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2013-07-17 13:11 . 2013-07-17 13:10 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2013-07-17 13:11 . 2013-07-17 13:10 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2013-07-17 13:10 . 2013-07-17 16:32 -------- d-----w- c:\program files\QuickTime
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-19 19:13 . 2013-04-22 16:13 0 ----a-w- c:\windows\system32\TempWmicBatchFile.bat
2013-07-11 19:46 . 2012-05-08 18:27 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-11 19:46 . 2011-06-16 13:56 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-08 04:55 . 2004-08-11 23:00 385024 ------w- c:\windows\system32\html.iec
2013-06-07 21:56 . 2004-08-11 23:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-06-07 21:56 . 2004-08-11 23:00 43520 ------w- c:\windows\system32\licmgr10.dll
2013-06-07 21:56 . 2004-08-11 23:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-06-04 07:23 . 2004-08-11 23:00 562688 ----a-w- c:\windows\system32\qedit.dll
2013-06-04 01:40 . 2004-08-11 23:00 1876736 ----a-w- c:\windows\system32\win32k.sys
2013-05-09 05:28 . 2006-10-19 03:47 1543680 ------w- c:\windows\system32\wmvdecod.dll
2013-05-03 01:30 . 2004-08-11 23:00 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38 . 2004-08-04 04:59 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-05-01 08:59 . 2013-05-01 08:59 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2013-05-01 08:59 . 2013-05-01 08:59 69632 ----a-w- c:\windows\system32\QuickTime.qts
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ArchiveArchived]
@="{214386AD-2590-496E-BEE0-F32E5861FA41}"
[HKEY_CLASSES_ROOT\CLSID\{214386AD-2590-496E-BEE0-F32E5861FA41}]
2013-01-11 22:16 62520 ----a-w- c:\program files\Gillware Remote Backup\Overlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ArchiveNeedsArchive]
@="{AAD7958E-F0B2-495f-94A5-0F9D4D8EA409}"
[HKEY_CLASSES_ROOT\CLSID\{AAD7958E-F0B2-495f-94A5-0F9D4D8EA409}]
2013-01-11 22:16 62520 ----a-w- c:\program files\Gillware Remote Backup\Overlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ArchiveNotArchived]
@="{EDACD936-4476-4ec3-A56E-780CE485877A}"
[HKEY_CLASSES_ROOT\CLSID\{EDACD936-4476-4ec3-A56E-780CE485877A}]
2013-01-11 22:16 62520 ----a-w- c:\program files\Gillware Remote Backup\Overlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\WMAllKey]
@="{5028CECA-A6C3-4D9C-BA25-6C04D8C3ED80}"
[HKEY_CLASSES_ROOT\CLSID\{5028CECA-A6C3-4D9C-BA25-6C04D8C3ED80}]
2009-11-27 22:05 292352 ----a-w- c:\program files\WinMagic\SecureDoc-NT\SDContext.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\WMNoKey]
@="{2659CB3D-3D6E-42CE-AD9D-FE41C3617CC1}"
[HKEY_CLASSES_ROOT\CLSID\{2659CB3D-3D6E-42CE-AD9D-FE41C3617CC1}]
2009-11-27 22:05 292352 ----a-w- c:\program files\WinMagic\SecureDoc-NT\SDContext.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\WMNotTransformed]
@="{01DBDE7E-2D13-4495-BE04-12AA56CC2751}"
[HKEY_CLASSES_ROOT\CLSID\{01DBDE7E-2D13-4495-BE04-12AA56CC2751}]
2009-11-27 22:05 292352 ----a-w- c:\program files\WinMagic\SecureDoc-NT\SDContext.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\WMPartialKey]
@="{5133E633-CFED-4043-9971-38936512E6D4}"
[HKEY_CLASSES_ROOT\CLSID\{5133E633-CFED-4043-9971-38936512E6D4}]
2009-11-27 22:05 292352 ----a-w- c:\program files\WinMagic\SecureDoc-NT\SDContext.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"A0"="c:\documents and settings\Dawn\Desktop\mbar\mbar.exe" [2013-06-01 769096]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-03-30 20:33 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^OKI LPR Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\OKI LPR Utility.lnk
backup=c:\windows\pss\OKI LPR Utility.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06 958576 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2007-07-17 01:48 69632 ----a-w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-04-22 02:43 59720 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2010-05-06 23:21 115560 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell DataSafe Online]
2008-11-03 15:54 1745648 ----a-w- c:\program files\Dell DataSafe Online\DataSafeOnline.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
2009-06-03 19:46 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FtpServer.exe]
2008-05-26 09:28 704512 ----a-w- c:\program files\SHARP\Sharpdesk\FTPServer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-04-17 00:51 162584 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPUsageTracking]
2008-02-11 19:48 36864 ----a-w- c:\program files\HP\HP UT\bin\hppusg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-04-17 00:51 142104 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexTray]
2008-05-27 21:56 106496 ----a-w- c:\program files\SHARP\Sharpdesk\IndexTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-04-17 00:51 138008 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2013-05-01 08:59 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-07-17 01:48 16132608 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SharpTray]
2008-05-27 22:19 32768 ----a-w- c:\program files\SHARP\Sharpdesk\SharpTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartSecurDoc]
2009-11-27 22:05 2149888 ----a-w- c:\program files\WinMagic\SecureDoc-NT\SDPin.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-05-04 19:59 252136 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TypeRegChecker]
2008-05-27 21:58 57344 ----a-w- c:\program files\SHARP\Sharpdesk\TypeRegChecker.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sybase\\SQL Anywhere 9\\win32\\dbeng9.exe"=
"c:\\Program Files\\SHARP\\Sharpdesk\\FTPServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Symantec AntiVirus\\Smc.exe"=
"c:\\Program Files\\Symantec AntiVirus\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\WinMagic\\SecureDoc-NT\\SDPin.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4363:UDP"= 4363:UDP:UDP 4363
"5711:TCP"= 5711:TCP:TCP 5711
.
R0 PinFile;PinFile;c:\windows\system32\drivers\PinFile.sys [9/28/2009 11:53 AM 20224]
R0 SDDisk2K;SDDisk2K;c:\windows\system32\drivers\SDDisk2K.sys [11/18/2009 4:07 PM 179200]
R0 SDDToki;SDDToki;c:\windows\system32\drivers\SDDToki.sys [9/25/2009 3:57 PM 117120]
R0 SDDVD;SDDVD;c:\windows\system32\drivers\SDDVD.sys [9/25/2009 3:57 PM 75520]
R0 SDUPC;SDUPC;c:\windows\system32\drivers\SDUPC.sys [3/5/2009 2:03 PM 16512]
R2 ArchiveService;Gillware Remote Backup;c:\program files\Gillware Remote Backup\ArchiveService.exe [1/11/2013 5:16 PM 530488]
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [4/5/2013 3:53 AM 121600]
R2 WinMagic SecureDoc Service;WinMagic SecureDoc Service;c:\program files\WinMagic\SecureDoc-NT\SDService.exe [11/27/2009 5:05 PM 641024]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/8/2013 8:48 AM 106656]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [7/19/2013 2:23 PM 35144]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [6/2/2011 10:08 AM 11336]
S3 FoxAwdWINFLASH;FoxAwdWINFLASH;\??\c:\docume~1\GINADO~1\LOCALS~1\Temp\_B0E3.tmp\FoxAwdWINFLASH.sys --> c:\docume~1\GINADO~1\LOCALS~1\Temp\_B0E3.tmp\FoxAwdWINFLASH.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMCHAMELEON
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-07-18 16:00 1173456 ----a-w- c:\program files\Google\Chrome\Application\28.0.1500.72\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-08 19:46]
.
2013-07-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2013-07-16 c:\windows\Tasks\Gillware Remote Backup - Audit.job
- c:\program files\Gillware Remote Backup\Scan.exe [2013-01-11 22:16]
.
2013-07-19 c:\windows\Tasks\Gillware Remote Backup - DefaultCritical.job
- c:\program files\Gillware Remote Backup\Scan.exe [2013-01-11 22:16]
.
2013-07-18 c:\windows\Tasks\Gillware Remote Backup - DefaultHigh.job
- c:\program files\Gillware Remote Backup\Scan.exe [2013-01-11 22:16]
.
2013-07-16 c:\windows\Tasks\Gillware Remote Backup - DefaultLow.job
- c:\program files\Gillware Remote Backup\Scan.exe [2013-01-11 22:16]
.
2013-07-18 c:\windows\Tasks\Gillware Remote Backup - DefaultMedium.job
- c:\program files\Gillware Remote Backup\Scan.exe [2013-01-11 22:16]
.
2013-07-19 c:\windows\Tasks\Gillware Remote Backup - Remote Backup Updater.job
- c:\program files\Gillware Remote Backup\Updater.exe [2013-01-11 22:16]
.
2013-07-19 c:\windows\Tasks\Gillware Remote Backup - Upload Event Log.job
- c:\program files\Gillware Remote Backup\Scan.exe [2013-01-11 22:16]
.
2013-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-07-18 16:00]
.
2013-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-07-18 16:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&CUI=UN12583309372988829&UM=2&ctid=CT3289847
mSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.0.0.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {123FE8C9-0BDC-4946-A854-DDBA7398CF64} - hxxps://www.fts.newyorklife.com/ftWebUpdate/installs/ftwebupdate.cab
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-Symantec Antvirus
MSConfigStartUp-Ad-Aware Browsing Protection - c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe
MSConfigStartUp-ganukdyxypyx - c:\documents and settings\Dawn\ganukdyxypyx.exe
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-Regedit32 - c:\windows\system32\regedit.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-19 15:22
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3500620AS rev.DE12 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
sectors 976773166 (+255): user != kernel
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\SDocGina.dll
c:\windows\system32\sddisk.dll
c:\windows\system32\Sdd.dll
c:\windows\system32\SDXML.dll
c:\windows\system32\SDToki.dll
c:\windows\system32\sdck.dll
c:\windows\system32\SDDllRes.dll
c:\program files\Citrix\GoToAssist\615\G2AWinLogon.dll
.
Completion time: 2013-07-19 15:24:39
ComboFix-quarantined-files.txt 2013-07-19 20:24
.
Pre-Run: 342,653,599,744 bytes free
Post-Run: 343,147,843,584 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 75BFA02B306F6E720DF9C05DAC86BE07
E1ED835465E42A176B4910C2CCA1E9A4


I should also mention that somehow I also now have something called Whitesmokenow running as a search engine or something everytime I open Google Chrome.

Let me know if you need anything else. Thanks!

Roxie

Edited by Racingal60, 19 July 2013 - 02:30 PM.

[godawgs]

Hello,

Let me know if you need anything else. Thanks!

Yes,we still have a good bit of work to do.
It looks like you had Ad-Aware Antivirus installed at some point but uninstalled it. But the Ad-Aware toolbar is still on the system so we need to uninstall it.

Step-1.

Uninstall a program

• Please click the Start button, then click Control Panel, then click Add/Remove Programs. The list of installed programs will populate.
• Right click the following program and click Change/Remove
  
  • Ad-Aware Browsing Protection
• Once the program is uninstalled close the Add/Remove Programs screen and then close the Control Panel.
• Reboot the computer.
  
  Delete the program's folders
  
• Using Windows Explorer (to get there right-click your Start button and click "Explore"), please delete the following folders(s) (if present):
  
  C:\Documents and Settings\Gina Dorr\Application Data\Ad-Aware Antivirus
  C:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection
• Close Windows Expolorer.

Step-2.

Run MalwareBytes Anti-Rootkit

• Double click the MBAR.exe
• At the first screen click the Next button.
• Update the program database if required.
• On the Scan System screen click the Scan button.
• Upon completion of the scan you will be presented with the Cleanup: screen. Click the Cleanup button.
• Wait while the system shuts down and the cleanup process is performed.
• Please post the new MBAR log and System log in your next reply.

Step-3.

AdwCleaner by Xplode

Download AdwCleaner from here to your desktop.
Close all open windows and browsers.

• XP users, double click the adwcleaner.exe file to run AdwCleaner. (Vista and 7 users)right click The adwcleaner.exe, click Run as administrator and accept the UAC prompt to run AdwCleaner.
  
  
• Click the Search button and wait for the scan to finish.
• Once done it may ask to reboot, allow this.
• On reboot a log will be produced please copy/paste that in your next reply. This report is also saved to C:\AdwCleaner[R1].txt

Step-4.

Things For Your Next Post:
Please post the logs in the order requested. Do Not attach the logs unless I request it.
1. Let me know how the uninstall went.
2. The new MBAR log file
3. The new System log file
4. The AdwCleaner[R6].txt log

[Racingal60]

Please note, I am out of town this weekend. I will run these things first thing Monday morning! Thank you for your help so far.
Roxie

[godawgs]

[Racingal60]

OK - Got the stuff done that you wanted me too.

1) Uninstall - there was nothing in the Control Panel/Add Remove Programs - so I went to the two locations you asked me to go and deleted the files - I rebooted after that. Hope that was ok.
2) MBAR scan below:
Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org

Database version: v2013.07.22.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Dawn :: GINA1 [administrator]

7/22/2013 8:18:30 AM
mbar-log-2013-07-22 (08-18-30).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 281565
Time elapsed: 32 minute(s), 25 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\CROSSRIDER (Adware.GamePlayLab) -> Delete on reboot.

Registry Values Detected: 1
HKCU\SOFTWARE\CROSSRIDER|215AppVerifier (Adware.GamePlayLab) -> Data: 10b353c30fde4622c91fe03c56a19c82 -> Delete on reboot.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

SYSTEM LOG:

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1004

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.394000 GHz
Memory total: 3478200320, free: 2713812992

Downloaded database version: v2013.07.19.09
Downloaded database version: v2013.07.15.01
Initializing...
------------ Kernel report ------------
07/19/2013 14:24:06
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
SDUPC.sys
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
PartMgr.sys
SDDToki.sys
VolSnap.sys
atapi.sys
iaStor.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
PinFile.sys
sr.sys
SDDisk2K.sys
SDDVD.sys
PxHelp20.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
Mup.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\igxpmp32.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\e1e5132.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\RtkHDAud.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\System32\Drivers\i2omgmt.SYS
\SystemRoot\System32\Drivers\SRTSP.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\usbprint.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20130718.033\NAVEX15.SYS
\??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20130718.033\NAVENG.SYS
\SystemRoot\System32\Drivers\SRTSPX.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\System32\Drivers\SYMTDI.SYS
\SystemRoot\system32\DRIVERS\ipnat.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\igxpgd32.dll
\SystemRoot\System32\igxprd32.dll
\SystemRoot\System32\igxpdv32.DLL
\SystemRoot\System32\igxpdx32.DLL
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\mrxdav.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\System32\Drivers\HTTP.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8b169ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\
Lower Device Object: 0xffffffff8b17ad98
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8b169ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8b16d9b8, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8b179be0, DeviceName: Unknown, DriverName: \Driver\SDDisk2K\
DevicePointer: 0xffffffff8b169ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8b16ff18, DeviceName: \Device\00000070\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8b17ad98, DeviceName: \Device\Ide\IdeDeviceP0T0L0-3\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: Unknown, DriverName: \Driver\SDDisk2K\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
Failed to get NTFS Boot Sector
SectorSize = 40093, ClusterSize = 37047, MFTRecordSize = 0, MFTIndexSize = 0 bytes
Can't access volume using primary device, the volume might be encrypted.
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Alternate device has been used.
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
Failed to get NTFS Boot Sector
SectorSize = 40093, ClusterSize = 37047, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
Failed to get NTFS Boot Sector
SectorSize = 40093, ClusterSize = 37047, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Can't access volume using primary device, the volume might be encrypted.
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Alternate device has been used.
Scanning drivers directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
Failed to get NTFS Boot Sector
SectorSize = 40093, ClusterSize = 37047, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
Failed to get NTFS Boot Sector
SectorSize = 40093, ClusterSize = 37047, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Can't access volume using primary device, the volume might be encrypted.
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Alternate device has been used.
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 41AB2316

Partition information:

Partition 0 type is Other (0xde)
Partition is NOT ACTIVE.
Partition starts at LBA: 63 Numsec = 96327

Partition 1 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 96390 Numsec = 976671675
Partition file system is NTFS
Partition is bootable

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-976753168-976773168)...
Done!
Infected: c:\documents and settings\dawn\ganukdyxypyx.exe --> [Trojan.Agent.ED]
Infected: HKCU\SOFTWARE\CROSSRIDER|215AppVerifier --> [Adware.GamePlayLab]
Infected: HKCU\SOFTWARE\CROSSRIDER --> [Adware.GamePlayLab]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Regedit32 --> [Trojan.Agent]
Scan finished
=======================================


Removal queue found; removal started
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_0_i.mbam...
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\bootstrap_0_1_96390_i.mbam...
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_0_r.mbam...
Removal finished
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1004

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.394000 GHz
Memory total: 3478200320, free: 2880462848

=======================================
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1004

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.394000 GHz
Memory total: 3478200320, free: 2728624128

Downloaded database version: v2013.07.22.04
Initializing...
------------ Kernel report ------------
07/22/2013 08:18:22
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
SDUPC.sys
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
PartMgr.sys
SDDToki.sys
VolSnap.sys
atapi.sys
iaStor.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
PinFile.sys
sr.sys
SDDisk2K.sys
SDDVD.sys
PxHelp20.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
Mup.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\igxpmp32.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\e1e5132.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\RtkHDAud.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\System32\Drivers\i2omgmt.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\Drivers\SRTSP.SYS
\SystemRoot\system32\DRIVERS\usbprint.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20130718.033\NAVEX15.SYS
\??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20130718.033\NAVENG.SYS
\SystemRoot\System32\Drivers\SRTSPX.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\System32\Drivers\SYMTDI.SYS
\SystemRoot\system32\DRIVERS\ipnat.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\ws2ifsl.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\igxpgd32.dll
\SystemRoot\System32\igxprd32.dll
\SystemRoot\System32\igxpdv32.DLL
\SystemRoot\System32\igxpdx32.DLL
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\mrxdav.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\System32\Drivers\HTTP.sys
\SystemRoot\system32\drivers\kmixer.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8b15dab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\
Lower Device Object: 0xffffffff8b15ed98
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8b15dab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8b161778, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8b15cbe0, DeviceName: Unknown, DriverName: \Driver\SDDisk2K\
DevicePointer: 0xffffffff8b15dab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8b1e6f18, DeviceName: \Device\00000071\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8b15ed98, DeviceName: \Device\Ide\IdeDeviceP0T0L0-3\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: Unknown, DriverName: \Driver\SDDisk2K\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
Failed to get NTFS Boot Sector
SectorSize = 40093, ClusterSize = 37047, MFTRecordSize = 0, MFTIndexSize = 0 bytes
Can't access volume using primary device, the volume might be encrypted.
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Alternate device has been used.
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
Failed to get NTFS Boot Sector
SectorSize = 40093, ClusterSize = 37047, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
Failed to get NTFS Boot Sector
SectorSize = 40093, ClusterSize = 37047, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Can't access volume using primary device, the volume might be encrypted.
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Alternate device has been used.
Scanning drivers directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
Failed to get NTFS Boot Sector
SectorSize = 40093, ClusterSize = 37047, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
Failed to get NTFS Boot Sector
SectorSize = 40093, ClusterSize = 37047, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Can't access volume using primary device, the volume might be encrypted.
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Alternate device has been used.
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 41AB2316

Partition information:

Partition 0 type is Other (0xde)
Partition is NOT ACTIVE.
Partition starts at LBA: 63 Numsec = 96327

Partition 1 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 96390 Numsec = 976671675
Partition file system is NTFS
Partition is bootable

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-976753168-976773168)...
Done!
Infected: HKCU\SOFTWARE\CROSSRIDER|215AppVerifier --> [Adware.GamePlayLab]
Infected: HKCU\SOFTWARE\CROSSRIDER --> [Adware.GamePlayLab]
Scan finished
Creating System Restore point...
Cleaning up...
Removal successful. No system shutdown is required.
=======================================


Removal queue found; removal started
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_0_i.mbam...
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\bootstrap_0_1_96390_i.mbam...
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_0_r.mbam...
Removal finished


AdwCleaner[r6].txt log

# AdwCleaner v2.306 - Logfile created 07/22/2013 at 08:56:42
# Updated 19/07/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Dawn - GINA1
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Dawn\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Documents and Settings\Dawn\Application Data\SwvUpdater
Folder Found : C:\Documents and Settings\Dawn\Local Settings\Application Data\Conduit
Folder Found : C:\Program Files\Conduit

***** [Registry] *****

Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\ConduitSearchScopes
Key Found : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3289847
Key Found : HKLM\Software\Conduit

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.conduit.com?SearchSource=10&CUI=UN12583309372988829&UM=2&ctid=CT3289847

-\\ Google Chrome v28.0.1500.72

File : C:\Documents and Settings\Gina Dorr\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : C:\Documents and Settings\Dawn\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

Found [l.2848] : urls_to_restore_on_startup = [ "hxxp://www.excite.com/", "hxxp://mysearch.avg.com/?cid={E220B0DC-9F9B-4115-9B9D-FB0592523D8A}&mid=23624ecec34847d3867dd168dde2cf78-12425ce089ada86587062861d0f235ac49ad37dc&lang=en&ds=co011&pr=sa&d=2013-06-04 12:13:33&v=15.2.0.5&pid=safeguard&sg=1&sap=hp", "hxxp://search.conduit.com/?ctid=CT3289847&SearchSource=48&CUI=UN29136240211324521&UM=2" ]

*************************

AdwCleaner[R1].txt - [2076 octets] - [18/07/2013 14:02:12]
AdwCleaner[R2].txt - [2136 octets] - [19/07/2013 08:27:36]
AdwCleaner[R3].txt - [2196 octets] - [19/07/2013 08:29:31]
AdwCleaner[R4].txt - [2256 octets] - [19/07/2013 08:30:56]
AdwCleaner[R5].txt - [2316 octets] - [19/07/2013 08:32:13]
AdwCleaner[R6].txt - [2180 octets] - [22/07/2013 08:56:42]
AdwCleaner[S1].txt - [2404 octets] - [19/07/2013 08:32:34]

########## EOF - C:\AdwCleaner[R6].txt - [2300 octets] ##########

I will mention that I still have the "whitesmokenew" tool bar/tab that opens each time I open up Google Chrome.

Also, when I rebooted I get a window that pops up and takes me the the cmd on my c: drive - looks like an old DOS window. (Nevermind - just rebooted and it was not there this time.)

I look forward to hearing from you soon and I'm sorry about the delay.

Roxie

Edited by Racingal60, 22 July 2013 - 08:10 AM.

[godawgs]

I will mention that I still have the "whitesmokenew" tool bar/tab that opens each time I open up Google Chrome.

Acknowledged. But first I want to see if the MalwareBytes Anit-Rootkit tool removed the rootkit. This seems to be a variant that is relatively new. Once we have dealt with it we will continue the process of removing the toolbars and browser hijackers.


Step-1.

Please delete your copy of aswMBR.exe from the desktop and the MBR.dat file. We are gona download a fresh copy and have it update the scan engines and then rescan the system.


Step-2.

Run aswMBR

• Download aswMBR.exe to your desktop.
• Right click the aswMBR.exe file and click Run as Administrator to run it. If you get a UAC window, allow the file to run.
• If it asks you if you want to download the latest virus definitions, click Yes
  
• Click the "Scan" button to start the scan
  
  
• On completion of the scan click save log. Save it to your desktop and post in your next reply.
  

NOTE: When you run aswMBR, if it is shutdown automatically, then it is most likely the infection detecting that aswMBR is running and terminating it. In this situation you should rename the executable (aswMBR.exe) to iexplore.exe and try it again.


Step-3.

Things For Your Next Post:
Please post the logs in the order requested. Do Not attach the logs unless I request it.
1. The aswMBR log