
mdm.exe virus

Dear all,
lately, I started to receive several notifications a day about detected virus mdm.exe (see attached) from Symantec AntiVirus v 10.1.8.8000.
It happens every day usually. I ran HijackThis and have a log (attached).
Any help would be greatly appreciated!
Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:26:02 PM, on 6/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
D:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Symantec AntiVirus\DefWatch.exe
c:\program files\ge security supra\syncservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\GE Security Supra\ProxyDaemon.exe
C:\SSL\stunnel-4.10.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\DOCUME~1\Papa\LOCALS~1\APPLIC~1\MICROS~1\cmstp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\PROGRA~1\SYMANT~1\VPTray.exe
D:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\GE Security Supra\SyncInfoApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\winlogon.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\dllhst3g.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - d:\Program Files\IEPro\iepro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SetDefPrt] d:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKLM\..\Policies\Explorer\Run: [CmSTP] C:\DOCUME~1\Papa\LOCALS~1\APPLIC~1\MICROS~1\cmstp.exe /waitservice
O4 - HKLM\..\Policies\Explorer\Run: [Spool] C:\WINDOWS\spoolsv.exe /waitservice
O4 - HKLM\..\Policies\Explorer\Run: [rsvp] C:\DOCUME~1\Papa\LOCALS~1\APPLIC~1\MICROS~1\rsvp.exe /waitservice
O4 - HKLM\..\Policies\Explorer\Run: [DllHst] C:\DOCUME~1\Papa\LOCALS~1\Temp\dllhst3g.exe /waitservice
O4 - HKLM\..\Policies\Explorer\Run: [MqtgSVC] C:\DOCUME~1\Papa\APPLIC~1\mqtgsvc.exe /waitservice
O4 - HKLM\..\Policies\Explorer\Run: [SessMgr] C:\WINDOWS\sessmgr.exe /waitservice
O4 - HKLM\..\Policies\Explorer\Run: [MstInit] C:\WINDOWS\mstinit.exe /waitservice
O4 - HKLM\..\Policies\Explorer\Run: [ClipSrv] C:\WINDOWS\System32\drivers\clipsrv.exe /waitservice
O4 - HKLM\..\Policies\Explorer\Run: [Mstsc] C:\DOCUME~1\Papa\LOCALS~1\APPLIC~1\mstsc.exe /waitservice
O4 - HKLM\..\Policies\Explorer\Run: [IEudinit] C:\DOCUME~1\Papa\LOCALS~1\APPLIC~1\ieudinit.exe /waitservice
O4 - HKLM\..\Policies\Explorer\Run: [Logman] C:\DOCUME~1\Papa\LOCALS~1\APPLIC~1\MICROS~1\logman.exe /waitservice
O4 - HKLM\..\Policies\Explorer\Run: [Esent Utl] C:\WINDOWS\esentutl.exe /waitservice
O4 - HKLM\..\Policies\Explorer\Run: [ComRepl] C:\WINDOWS\System\comrepl.exe /waitservice
O4 - HKLM\..\Policies\Explorer\Run: [Cisvc] C:\WINDOWS\System\cisvc.exe /waitservice
O4 - HKCU\..\Policies\Explorer\Run: [ClipSrv] C:\DOCUME~1\Papa\LOCALS~1\APPLIC~1\clipsrv.exe /waitservice
O4 - HKCU\..\Policies\Explorer\Run: [Cisvc] C:\WINDOWS\System\cisvc.exe /waitservice
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1220945662-1532298954-839522115-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Anna')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [Spool] C:\DOCUME~1\Papa\APPLIC~1\spoolsv.exe /waitservice (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [Spool] C:\DOCUME~1\Papa\APPLIC~1\spoolsv.exe /waitservice (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: DisplayKEY eSYNC Info.lnk = C:\Program Files\GE Security Supra\SyncInfoApp.exe
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - d:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - d:\Program Files\IEPro\iepro.dll
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - d:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - d:\Program Files\IEPro\iepro.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DkeySync - GE Security Supra - c:\program files\ge security supra\syncservice.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - D:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - D:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 11571 bytes
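A triage script for the O4 lines in the log above, written as an added example for this thread (it is not part of HijackThis, RSIT or the helper's instructions): it parses HijackThis O4 registry entries and flags those that load from Policies\Explorer\Run, run from a user-profile temp/app-data folder, or reuse a Windows system binary name outside System32; a second function groups RSIT registry-dump entries (the format posted further down in the thread) that share one file date and byte size. The sample lines are copied from the posted logs; the system-binary name list and the scoring rules are this example's own assumptions.

```python
"""Triage of HijackThis O4 lines and RSIT registry-dump entries (added example
for this thread, not code from HijackThis, RSIT or the helper; sample lines are
copied from the logs above, the scoring rules are this example's own heuristics)."""
import re
from collections import defaultdict

# O4 line: "O4 - <hive>\..\<key>: [<value name>] <command> (User '<name>')"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[^\\]+(?:\\[^\\]+)?)\\\.\.\\(?P<key>[^:]+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$")
# First token of the command: a quoted path, or everything up to the first .exe
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)(?=\s|$)', re.IGNORECASE)
# RSIT registry dump: "<value>"=<path> [<yyyy-mm-dd> <size>]
RSIT_RE = re.compile(r'^"[^"]*"=(?P<path>.*?) \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')

# Folders under the user profile that legitimate autostarts rarely run from
USER_PROFILE_MARKERS = ("\\locals~1\\", "\\applic~1\\", "\\local settings\\",
                        "\\application data\\", "\\temp\\")
# Names of genuine Windows XP binaries reused by the log's persistence entries;
# the real copies live under %SystemRoot%\System32 (comrepl.exe in System32\com).
SYSTEM_BINARY_NAMES = {
    "spoolsv.exe", "cmstp.exe", "rsvp.exe", "dllhst3g.exe", "mqtgsvc.exe",
    "sessmgr.exe", "mstinit.exe", "clipsrv.exe", "mstsc.exe", "ieudinit.exe",
    "logman.exe", "esentutl.exe", "comrepl.exe", "cisvc.exe"}

def parse_o4(line):
    """Split a HijackThis O4 registry line into hive/key/name/exe/args, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None  # Global Startup shortcuts and non-O4 lines are skipped
    e = EXE_RE.match(m.group("cmd"))
    if not e:
        return None
    return {"hive": m.group("hive"), "key": m.group("key"), "name": m.group("name"),
            "exe": e.group(1) or e.group(2), "args": m.group("cmd")[e.end():].strip()}

def reasons_for(entry):
    """Return the list of indicators that make one autostart entry suspicious."""
    low = entry["exe"].lower()
    folder, _, base = low.rpartition("\\")
    out = []
    if entry["key"].lower() == "policies\\explorer\\run":
        out.append("loaded from Policies\\Explorer\\Run, a Group Policy key installers rarely use")
    if any(marker in low for marker in USER_PROFILE_MARKERS):
        out.append("executable stored in a user-profile temp/app-data folder")
    if base in SYSTEM_BINARY_NAMES and not (
            folder.endswith("\\system32") or folder.endswith("\\system32\\com")):
        out.append(f"{base} is a Windows system binary name but runs from {folder or '(bare name)'}")
    return out

def triage(hjt_lines):
    """Parse every O4 line and keep only those with at least one indicator."""
    flagged = []
    for line in hjt_lines:
        entry = parse_o4(line)
        if entry and (reasons := reasons_for(entry)):
            flagged.append({**entry, "reasons": reasons})
    return flagged

def identical_file_clusters(rsit_lines, min_members=3):
    """Group RSIT dump entries by (date, size): many 'different' programs sharing
    one timestamp and byte count were written by a single dropper."""
    groups = defaultdict(list)
    for line in rsit_lines:
        m = RSIT_RE.match(line.strip())
        if m:
            groups[(m.group("date"), int(m.group("size")))].append(m.group("path"))
    return {k: v for k, v in groups.items() if len(v) >= min_members}

# Sample input copied from the posted logs (a mix of benign and flagged entries)
SAMPLE_HJT = [
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Policies\Explorer\Run: [CmSTP] C:\DOCUME~1\Papa\LOCALS~1\APPLIC~1\MICROS~1\cmstp.exe /waitservice",
    r"O4 - HKLM\..\Policies\Explorer\Run: [Spool] C:\WINDOWS\spoolsv.exe /waitservice",
    r"O4 - HKLM\..\Policies\Explorer\Run: [ClipSrv] C:\WINDOWS\System32\drivers\clipsrv.exe /waitservice",
    r"O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [Spool] C:\DOCUME~1\Papa\APPLIC~1\spoolsv.exe /waitservice (User 'SYSTEM')",
    r"O4 - Global Startup: DisplayKEY eSYNC Info.lnk = C:\Program Files\GE Security Supra\SyncInfoApp.exe",
]
SAMPLE_RSIT = [
    r'"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2008-06-24 53096]',
    r'"nwiz"=nwiz.exe /install []',
    r'"CmSTP"=C:\DOCUME~1\Papa\LOCALS~1\APPLIC~1\MICROS~1\cmstp.exe [2009-05-08 61440]',
    r'"Spool"=C:\WINDOWS\spoolsv.exe [2009-05-08 61440]',
    r'"DllHst"=C:\DOCUME~1\Papa\LOCALS~1\Temp\dllhst3g.exe [2009-05-08 61440]',
    r'"Cisvc"=C:\WINDOWS\System\cisvc.exe [2009-05-08 61440]',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_HJT):
        print(f"[{hit['hive']}\\{hit['key']}] {hit['name']} -> {hit['exe']} {hit['args']}")
        for reason in hit["reasons"]:
            print("    -", reason)
    for (date, size), paths in identical_file_clusters(SAMPLE_RSIT).items():
        print(f"{len(paths)} autostart files share date {date} and size {size} bytes:")
        for p in paths:
            print("    ", p)
```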

Comments

  • edited June 2009
    Please note that all instructions given are customised for this computer only,
    the tools used may cause damage if used on a computer with different infections.

    If you think you have similar problems, please post a log in the HJT forum and wait for help.


    Hello and welcome to the forums

    My name is Katana and I will be helping you to remove any infection(s) that you may have.

    Please observe these rules while we work:
    1. Please Read All Instructions Carefully
    2. If you don't understand something, stop and ask! Don't keep going on.
    3. Please do not run any other tools or scans whilst I am helping you
    4. Failure to reply within 5 days will result in the topic being closed.
    5. Please continue to respond until I give you the "All Clear"
      (Just because you can't see a problem doesn't mean it isn't there)

    If you can do those few things, everything should go smoothly.

    Please note, your security programs may give warnings for some of the tools I will ask you to use.
    Be assured, any links I give are safe.




    You appear to have a well-known infection.
    Is your antivirus software up to date?

    Download and Run RSIT
    • Please download Random's System Information Tool by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open:
      • log.txt will be opened maximized.
      • info.txt will be opened minimized.
    • Please post the contents of both log.txt and info.txt.
  • edited June 2009
    Katana,
    Thank you very much for your kind help!
    I am attaching 2 log files for your review.
    Thanks!

    Logfile of random's system information tool 1.06 (written by random/random)
    Run by Papa at 2009-06-22 22:04:46
    Microsoft Windows XP Professional Service Pack 3
    System drive C: has 29 GB (72%) free of 40 GB
    Total RAM: 3326 MB (75% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:04:47 PM, on 6/22/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16850)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    D:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    D:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
    D:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Symantec AntiVirus\DefWatch.exe
    c:\program files\ge security supra\syncservice.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    D:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\GE Security Supra\ProxyDaemon.exe
    C:\SSL\stunnel-4.10.exe
    C:\WINDOWS\Explorer.EXE
    D:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
    C:\DOCUME~1\Papa\LOCALS~1\APPLIC~1\MICROS~1\cmstp.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    D:\PROGRA~1\SYMANT~1\VPTray.exe
    D:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Brother\ControlCenter2\brctrcen.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files\GE Security Supra\SyncInfoApp.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
    C:\WINDOWS\system32\wuauclt.exe
    F:\Documents\Papa\RSIT.exe
    D:\Program Files\Trend Micro\HijackThis\Papa.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    F3 - REG:win.ini: load=C:\WINDOWS\dllhst3g.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
    O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - d:\Program Files\IEPro\iepro.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SetDefPrt] d:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
    O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
    O4 - HKLM\..\Policies\Explorer\Run: [CmSTP] C:\DOCUME~1\Papa\LOCALS~1\APPLIC~1\MICROS~1\cmstp.exe /waitservice
    O4 - HKLM\..\Policies\Explorer\Run: [Spool] C:\WINDOWS\spoolsv.exe /waitservice
    O4 - HKLM\..\Policies\Explorer\Run: [rsvp] C:\DOCUME~1\Papa\LOCALS~1\APPLIC~1\MICROS~1\rsvp.exe /waitservice
    O4 - HKLM\..\Policies\Explorer\Run: [DllHst] C:\DOCUME~1\Papa\LOCALS~1\Temp\dllhst3g.exe /waitservice
    O4 - HKLM\..\Policies\Explorer\Run: [MqtgSVC] C:\DOCUME~1\Papa\APPLIC~1\mqtgsvc.exe /waitservice
    O4 - HKLM\..\Policies\Explorer\Run: [SessMgr] C:\WINDOWS\sessmgr.exe /waitservice
    O4 - HKLM\..\Policies\Explorer\Run: [MstInit] C:\WINDOWS\mstinit.exe /waitservice
    O4 - HKLM\..\Policies\Explorer\Run: [ClipSrv] C:\WINDOWS\System32\drivers\clipsrv.exe /waitservice
    O4 - HKLM\..\Policies\Explorer\Run: [Mstsc] C:\DOCUME~1\Papa\LOCALS~1\APPLIC~1\mstsc.exe /waitservice
    O4 - HKLM\..\Policies\Explorer\Run: [IEudinit] C:\DOCUME~1\Papa\LOCALS~1\APPLIC~1\ieudinit.exe /waitservice
    O4 - HKLM\..\Policies\Explorer\Run: [Logman] C:\DOCUME~1\Papa\LOCALS~1\APPLIC~1\MICROS~1\logman.exe /waitservice
    O4 - HKLM\..\Policies\Explorer\Run: [Esent Utl] C:\WINDOWS\esentutl.exe /waitservice
    O4 - HKLM\..\Policies\Explorer\Run: [ComRepl] C:\WINDOWS\System\comrepl.exe /waitservice
    O4 - HKLM\..\Policies\Explorer\Run: [Cisvc] C:\WINDOWS\System\cisvc.exe /waitservice
    O4 - HKCU\..\Policies\Explorer\Run: [ClipSrv] C:\DOCUME~1\Papa\LOCALS~1\APPLIC~1\clipsrv.exe /waitservice
    O4 - HKCU\..\Policies\Explorer\Run: [Cisvc] C:\WINDOWS\System\cisvc.exe /waitservice
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-1220945662-1532298954-839522115-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Anna')
    O4 - HKUS\S-1-5-21-1220945662-1532298954-839522115-1006\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Rachel')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [Spool] C:\DOCUME~1\Papa\APPLIC~1\spoolsv.exe /waitservice (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [Spool] C:\DOCUME~1\Papa\APPLIC~1\spoolsv.exe /waitservice (User 'Default user')
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
    O4 - Global Startup: DisplayKEY eSYNC Info.lnk = C:\Program Files\GE Security Supra\SyncInfoApp.exe
    O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - d:\Program Files\IEPro\iepro.dll
    O9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - d:\Program Files\IEPro\iepro.dll
    O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - d:\Program Files\IEPro\iepro.dll
    O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - d:\Program Files\IEPro\iepro.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: DkeySync - GE Security Supra - c:\program files\ge security supra\syncservice.exe
    O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - D:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
    O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - D:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 12039 bytes

    ======Scheduled tasks folder======

    C:\WINDOWS\tasks\MP Scheduled Scan.job
    C:\WINDOWS\tasks\SyncToy 2.job

    ======Registry dump======

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00011268-E188-40DF-A514-835FCD78B1BF}]
    IE7Pro BHO - d:\Program Files\IEPro\iepro.dll [2009-02-04 752744]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
    Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
    Adobe PDF Conversion Toolbar Helper - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006-10-22 321120]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006-10-22 321120]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2009-03-27 13684736]
    "nwiz"=nwiz.exe /install []
    "NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2009-03-27 86016]
    "ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2008-06-24 53096]
    "vptray"=D:\PROGRA~1\SYMANT~1\VPTray.exe [2008-09-30 125368]
    "Windows Defender"=D:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]
    "IntelliPoint"=C:\Program Files\Microsoft IntelliPoint\ipoint.exe [2009-01-07 1468296]
    "AdobeCS4ServiceManager"=C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe [2008-08-14 611712]
    "NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe [2007-03-01 153136]
    "SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2006-11-17 577536]
    "SetDefPrt"=d:\Program Files\Brother\Brmfl04g\BrStDvPt.exe [2004-11-11 49152]
    "ControlCenter2.0"=C:\Program Files\Brother\ControlCenter2\brctrcen.exe [2005-01-07 864256]
    ""= []

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    "CmSTP"=C:\DOCUME~1\Papa\LOCALS~1\APPLIC~1\MICROS~1\cmstp.exe [2009-05-08 61440]
    "Spool"=C:\WINDOWS\spoolsv.exe [2009-05-08 61440]
    "rsvp"=C:\DOCUME~1\Papa\LOCALS~1\APPLIC~1\MICROS~1\rsvp.exe [2009-05-08 61440]
    "DllHst"=C:\DOCUME~1\Papa\LOCALS~1\Temp\dllhst3g.exe [2009-05-08 61440]
    "MqtgSVC"=C:\DOCUME~1\Papa\APPLIC~1\mqtgsvc.exe [2009-05-08 61440]
    "SessMgr"=C:\WINDOWS\sessmgr.exe [2009-05-08 61440]
    "MstInit"=C:\WINDOWS\mstinit.exe [2009-05-08 61440]
    "ClipSrv"=C:\WINDOWS\System32\drivers\clipsrv.exe [2009-05-08 61440]
    "Mstsc"=C:\DOCUME~1\Papa\LOCALS~1\APPLIC~1\mstsc.exe [2009-05-08 61440]
    "IEudinit"=C:\DOCUME~1\Papa\LOCALS~1\APPLIC~1\ieudinit.exe [2009-05-08 61440]
    "Logman"=C:\DOCUME~1\Papa\LOCALS~1\APPLIC~1\MICROS~1\logman.exe [2009-05-08 61440]
    "Esent Utl"=C:\WINDOWS\esentutl.exe [2009-05-08 61440]
    "ComRepl"=C:\WINDOWS\System\comrepl.exe [2009-05-08 61440]
    "Cisvc"=C:\WINDOWS\System\cisvc.exe [2009-05-08 61440]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe [2007-08-03 202024]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    "ClipSrv"=C:\DOCUME~1\Papa\LOCALS~1\APPLIC~1\clipsrv.exe [2009-05-08 61440]
    "Cisvc"=C:\WINDOWS\System\cisvc.exe [2009-05-08 61440]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe
    Adobe Acrobat Synchronizer.lnk - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
    DisplayKEY eSYNC Info.lnk - C:\Program Files\GE Security Supra\SyncInfoApp.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ckpNotify]
    C:\WINDOWS\system32\ckpNotify.dll [2007-05-24 24665]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
    C:\WINDOWS\system32\NavLogon.dll [2008-09-30 43448]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=D:\PROGRA~1\WINDOW~1\MpShHook.dll [2006-11-03 83224]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1
    "DisableTaskMgr"=0

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=145
    "NoFolderOptions"=0

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "HonorAutoRunSetting"=

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "d:\Program Files\IEPro\MiniDM.exe"="d:\Program Files\IEPro\MiniDM.exe:*:Enabled:MiniDM"
    "D:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="D:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
    "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe"="C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4"
    "D:\Program Files\eMule\emule.exe"="D:\Program Files\eMule\emule.exe:*:Enabled:eMule"
    "D:\Program Files\Acronis\TrueImageEchoEnterpriseServer\TrueImage.exe"="D:\Program Files\Acronis\TrueImageEchoEnterpriseServer\TrueImage.exe:*:Enabled:Acronis True Image"
    "C:\DOCUME~1\Papa\LOCALS~1\Temp\~temp\mlp03\mdm.exe"="C:\DOCUME~1\Papa\LOCALS~1\Temp\~temp\mlp03\mdm.exe:*:Enabled:UpdateWizzard"
    "C:\DOCUME~1\Papa\LOCALS~1\Temp\~temp\mlp08\mdm.exe"="C:\DOCUME~1\Papa\LOCALS~1\Temp\~temp\mlp08\mdm.exe:*:Enabled:UpdateWizzard"
    "C:\DOCUME~1\Papa\LOCALS~1\Temp\~temp\mlp09\mdm.exe"="C:\DOCUME~1\Papa\LOCALS~1\Temp\~temp\mlp09\mdm.exe:*:Enabled:UpdateWizzard"
    "C:\DOCUME~1\Papa\LOCALS~1\Temp\~temp\mlp10\mdm.exe"="C:\DOCUME~1\Papa\LOCALS~1\Temp\~temp\mlp10\mdm.exe:*:Enabled:UpdateWizzard"
    "C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp10\mdm.exe"="C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp10\mdm.exe:*:Disabled:mdm"
    "D:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe"="D:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe:*:Enabled:VPN-1 SecuRemote/SecureClient service"
    "D:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe"="D:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe:*:Enabled:VPN-1 SecuRemote/SecureClient application"
    "D:\Program Files\CheckPoint\SecuRemote\bin\scc.exe"="D:\Program Files\CheckPoint\SecuRemote\bin\scc.exe:*:Enabled:VPN-1 SecuRemote/SecureClient command line"
    "D:\Program Files\CheckPoint\SecuRemote\bin\SR_SDS.exe"="D:\Program Files\CheckPoint\SecuRemote\bin\SR_SDS.exe:*:Enabled:VPN-1 SecuRemote/SecureClient SDS agent"
    "D:\Program Files\CheckPoint\SecuRemote\bin\SR_Diagnostics.exe"="D:\Program Files\CheckPoint\SecuRemote\bin\SR_Diagnostics.exe:*:Enabled:VPN-1 SecuRemote/SecureClient diagnostics"
    "C:\DOCUME~1\Papa\LOCALS~1\Temp\~temp\mlp11\mdm.exe"="C:\DOCUME~1\Papa\LOCALS~1\Temp\~temp\mlp11\mdm.exe:*:Enabled:UpdateWizzard"
    "C:\DOCUME~1\Papa\LOCALS~1\Temp\~temp\mlp12\mdm.exe"="C:\DOCUME~1\Papa\LOCALS~1\Temp\~temp\mlp12\mdm.exe:*:Enabled:UpdateWizzard"
    "C:\DOCUME~1\Papa\LOCALS~1\Temp\~temp\mlp13\mdm.exe"="C:\DOCUME~1\Papa\LOCALS~1\Temp\~temp\mlp13\mdm.exe:*:Enabled:UpdateWizzard"
    "C:\DOCUME~1\Papa\LOCALS~1\Temp\~temp\mlp16\mdm.exe"="C:\DOCUME~1\Papa\LOCALS~1\Temp\~temp\mlp16\mdm.exe:*:Enabled:UpdateWizzard"
    "C:\DOCUME~1\Papa\LOCALS~1\Temp\~temp\mlp18\mdm.exe"="C:\DOCUME~1\Papa\LOCALS~1\Temp\~temp\mlp18\mdm.exe:*:Enabled:UpdateWizzard"
    "C:\DOCUME~1\Papa\LOCALS~1\Temp\~temp\mlp19\mdm.exe"="C:\DOCUME~1\Papa\LOCALS~1\Temp\~temp\mlp19\mdm.exe:*:Enabled:UpdateWizzard"
    "C:\DOCUME~1\Papa\LOCALS~1\Temp\~temp\mlp20\mdm.exe"="C:\DOCUME~1\Papa\LOCALS~1\Temp\~temp\mlp20\mdm.exe:*:Enabled:UpdateWizzard"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "D:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe"="D:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe:*:Enabled:VPN-1 SecuRemote/SecureClient service"
    "D:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe"="D:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe:*:Enabled:VPN-1 SecuRemote/SecureClient application"
    "D:\Program Files\CheckPoint\SecuRemote\bin\scc.exe"="D:\Program Files\CheckPoint\SecuRemote\bin\scc.exe:*:Enabled:VPN-1 SecuRemote/SecureClient command line"
    "D:\Program Files\CheckPoint\SecuRemote\bin\SR_SDS.exe"="D:\Program Files\CheckPoint\SecuRemote\bin\SR_SDS.exe:*:Enabled:VPN-1 SecuRemote/SecureClient SDS agent"
    "D:\Program Files\CheckPoint\SecuRemote\bin\SR_Diagnostics.exe"="D:\Program Files\CheckPoint\SecuRemote\bin\SR_Diagnostics.exe:*:Enabled:VPN-1 SecuRemote/SecureClient diagnostics"

    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
    R1 FW1;SecuRemote Miniport; C:\WINDOWS\system32\DRIVERS\fw.sys [2007-05-24 2234800]
    R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
    R1 SAVRT;SAVRT; \??\D:\Program Files\Symantec AntiVirus\savrt.sys []
    R1 SAVRTPEL;SAVRTPEL; \??\D:\Program Files\Symantec AntiVirus\Savrtpel.sys []
    R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
    R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2008-08-20 188808]
    R2 adfs;adfs; C:\WINDOWS\system32\drivers\adfs.sys [2008-08-14 74720]
    R2 CP_OMDRV;Check Point Office Mode Module; C:\WINDOWS\System32\drivers\omdrv.sys [2007-05-24 36368]
    R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2008-04-13 88320]
    R2 NwlnkNb;NWLink NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2004-08-04 63232]
    R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [2004-08-04 55936]
    R2 VNASC;Check Point Virtual Network Adapter - SecureClient; C:\WINDOWS\system32\DRIVERS\vnasc.sys [2007-05-24 110032]
    R2 VPN-1;VPN-1 Module; C:\WINDOWS\System32\drivers\vpn.sys [2007-05-24 673456]
    R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2004-06-29 1268204]
    R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2006-12-29 4026112]
    R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
    R3 BrScnUsb;Brother USB Still Image driver; C:\WINDOWS\System32\Drivers\BrScnUsb.sys [2004-10-15 15295]
    R3 BrSerIf;Brother MFC Serial Port Interface WDM Driver; C:\WINDOWS\System32\Drivers\BrSerIf.sys [2006-01-18 53248]
    R3 BrUsbSer;Brother MFC USB Serial WDM Driver; C:\WINDOWS\System32\Drivers\BrUsbSer.sys [2006-01-19 11904]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
    R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
    R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
    R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090619.004\naveng.sys []
    R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090619.004\navex15.sys []
    R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
    R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2009-03-27 6280416]
    R3 Point32;Microsoft IntelliPoint Filter Driver; C:\WINDOWS\system32\DRIVERS\point32.sys [2009-01-07 27784]
    R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
    R3 slabbus;DisplayKEY USB Cradle driver (WDM); C:\WINDOWS\system32\DRIVERS\slabbus.sys [2006-09-07 55312]
    R3 slabser;CP210x USB to UART Bridge Controller Drivers; C:\WINDOWS\system32\DRIVERS\slabser.sys [2006-09-07 89808]
    R3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
    R3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2008-08-20 23944]
    R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
    R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
    R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
    R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
    R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
    R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
    S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
    S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
    S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2008-06-24 191848]
    R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2008-06-24 169320]
    R2 DefWatch;Symantec AntiVirus Definition Watcher; D:\Program Files\Symantec AntiVirus\DefWatch.exe [2008-09-30 31160]
    R2 DkeySync;DkeySync; c:\program files\ge security supra\syncservice.exe [2006-09-07 53248]
    R2 EPSON_PM_RPCV4_01;EPSON V3 Service4(01); C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE [2007-01-11 113664]
    R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [2006-10-26 335872]
    R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2009-03-27 163908]
    R2 SPBBCSvc;Symantec SPBBCSvc; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe [2007-07-26 1181016]
    R2 SR_Service;Check Point VPN-1 Securemote service; D:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe [2007-05-24 106586]
    R2 SR_Watchdog;Check Point VPN-1 Securemote watchdog; D:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe [2007-05-24 36955]
    R2 Symantec AntiVirus;Symantec AntiVirus; D:\Program Files\Symantec AntiVirus\Rtvscan.exe [2008-09-30 1956792]
    R2 WinDefend;Windows Defender; D:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
    R3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe [2007-08-03 382248]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
    S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-05-02 655624]
    S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2007-09-12 2999664]
    S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
    S3 SavRoam;SAVRoam; D:\Program Files\Symantec AntiVirus\SavRoam.exe [2008-09-30 116664]
    S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2008-08-20 214408]
    S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
    S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

    EOF
  • edited June 2009
    Information

    IMPORTANT
    I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

    eMule
    I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

    Also available here.

    My recommendation is you go to Control Panel > Add/Remove Programs and uninstall any P2P programs
    Please note: you must NOT use any P2P whilst we are cleaning your machine.




    Step 1

    Malwarebytes' Anti-Malware

    Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If requested, please reboot
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt




    Step 2


    Download and Run ComboFix (by sUBs)
    Please visit this webpage for instructions for downloading and running ComboFix:

    Bleeping Computer ComboFix Tutorial

    • You must download it to and run it from your Desktop
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply
    • Re-enable all the programs that were disabled during the running of ComboFix.



    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper




    Logs/Information to Post in Reply
    Please post the following logs/Information in your reply
    • MalwareBytes Log
    • Combofix Log
    • How are things running now?
  • edited June 2009
    Katana,
    please review the Malwarebytes log:
    Malwarebytes' Anti-Malware 1.38
    Database version: 2327
    Windows 5.1.2600 Service Pack 3
    6/23/2009 11:23:59 PM
    mbam-log-2009-06-23 (23-23-53).txt
    Scan type: Full Scan (C:\|)
    Objects scanned: 162242
    Time elapsed: 18 minute(s), 9 second(s)
    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 13
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 18
    Memory Processes Infected:
    C:\WINDOWS\spoolsv.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IEudinit (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\CmSTP (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MstInit (Trojan.Agent) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cisvc (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cisvc (Trojan.Agent) -> No action taken.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cisvc (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\comrepl (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rsvp (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\esent utl (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mqtgsvc (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\spool (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\logman (Trojan.Agent) -> No action taken.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\spool (Heuristics.Reserved.Word.Exploit) -> No action taken.
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    C:\Documents and Settings\Papa\Local Settings\Application Data\ieudinit.exe (Trojan.Agent) -> No action taken.
    C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\cmstp.exe (Trojan.Agent) -> No action taken.
    C:\WINDOWS\mstinit.exe (Trojan.Agent) -> No action taken.
    c:\documents and settings\Papa\Local Settings\Application Data\Microsoft\sessmgr.exe (Trojan.Agent) -> No action taken.
    c:\documents and settings\Papa\Local Settings\Application Data\Microsoft\spoolsv.exe (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system32\drivers\spoolsv.exe (Backdoor.Bot) -> No action taken.
    C:\WINDOWS\system\cisvc.exe (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system\comrepl.exe (Trojan.Agent) -> No action taken.
    C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\rsvp.exe (Trojan.Agent) -> No action taken.
    C:\WINDOWS\esentutl.exe (Trojan.Agent) -> No action taken.
    c:\documents and settings\Anna\Application Data\Microsoft\spoolsv.exe (Trojan.Agent) -> No action taken.
    C:\WINDOWS\mqtgsvc.exe (Trojan.Agent) -> No action taken.
    C:\Documents and Settings\Papa\Application Data\mqtgsvc.exe (Trojan.Agent) -> No action taken.
    C:\WINDOWS\spoolsv.exe (Trojan.Agent) -> No action taken.
    C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\logman.exe (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system\spoolsv.exe (Trojan.Agent) -> No action taken.
    c:\documents and settings\Papa\Local Settings\Application Data\spoolsv.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.
    c:\documents and settings\Papa\Application Data\spoolsv.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

    The rest I can try to do tomorrow...
    Thanks a lot!
  • edited June 2009
    -> No action taken

    Did you allow MBAM to remove these?
  • edited June 2009
    Not yet. I'll do it today and let you know.
  • edited June 2009
    Just removed Malwarebytes findings:
    Malwarebytes' Anti-Malware 1.38
    Database version: 2327
    Windows 5.1.2600 Service Pack 3
    6/24/2009 10:38:34 PM
    mbam-log-2009-06-24 (22-38-34).txt
    Scan type: Full Scan (C:\|)
    Objects scanned: 162973
    Time elapsed: 22 minute(s), 38 second(s)
    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 13
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 18
    Memory Processes Infected:
    C:\WINDOWS\spoolsv.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IEudinit (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\CmSTP (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MstInit (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cisvc (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cisvc (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cisvc (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\comrepl (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rsvp (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\esent utl (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mqtgsvc (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\spool (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\logman (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\spool (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    C:\Documents and Settings\Papa\Local Settings\Application Data\ieudinit.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\cmstp.exe (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\mstinit.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\Papa\Local Settings\Application Data\Microsoft\sessmgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\Papa\Local Settings\Application Data\Microsoft\spoolsv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\spoolsv.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system\cisvc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system\comrepl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\rsvp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\esentutl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\Anna\Application Data\Microsoft\spoolsv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\mqtgsvc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Papa\Application Data\mqtgsvc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\spoolsv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\logman.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system\spoolsv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\Papa\Local Settings\Application Data\spoolsv.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
    c:\documents and settings\Papa\Application Data\spoolsv.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
  • edited June 2009
    Do you have the Combofix log?
  • edited June 2009
    Here you go:
    ComboFix 09-06-24.05 - Papa 06/25/2009 6:24.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2650 [GMT -4:00]
    Running from: c:\documents and settings\Papa\Desktop\ComboFix.exe
    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\documents and settings\Leah\Local Settings\Application Data\clipsrv.exe
    c:\documents and settings\Papa\Application Data\Microsoft\ieudinit.exe
    c:\documents and settings\Papa\Local Settings\Application Data\clipsrv.exe
    c:\documents and settings\Papa\Local Settings\Application Data\mstinit.exe
    c:\documents and settings\Papa\Local Settings\Application Data\mstsc.exe
    c:\documents and settings\Papa\Local Settings\Application Data\sessmgr.exe
    c:\documents and settings\Rachel\Application Data\Microsoft\cmstp.exe
    c:\windows\dllhst3g.exe
    c:\windows\ieudinit.exe
    c:\windows\system\dllhst3g.exe
    c:\windows\system\logman.exe
    c:\windows\system\mqtgsvc.exe
    c:\windows\system32\drivers\clipsrv.exe
    H:\Autorun.inf
    .
    ((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-06-25 )))))))))))))))))))))))))))))))
    .
    2009-06-24 02:35 . 2009-06-24 02:35 d-----w- c:\documents and settings\Papa\Application Data\Malwarebytes
    2009-06-24 02:35 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-06-24 02:35 . 2009-06-24 02:35 d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-06-24 02:35 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-06-23 02:04 . 2009-06-23 02:04 d-----w- C:\rsit
    2009-06-21 15:54 . 2009-06-21 15:54 d-----w- c:\documents and settings\Rachel\Local Settings\Application Data\Microsoft Help
    2009-06-13 19:29 . 2009-06-13 19:29 d-----w- c:\documents and settings\Papa\Application Data\Nero
    2009-06-12 02:32 . 2009-06-12 02:32 d-----w- c:\documents and settings\Papa\Application Data\Apple Computer
    2009-06-12 02:30 . 2009-06-12 02:30 d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2009-06-12 02:30 . 2009-06-12 02:30 d-----w- c:\documents and settings\Papa\Local Settings\Application Data\Apple
    2009-06-12 02:30 . 2009-06-12 02:30 d-----w- c:\program files\Apple Software Update
    2009-06-12 02:30 . 2009-06-12 02:30 d-----w- c:\documents and settings\All Users\Application Data\Apple
    2009-06-12 02:29 . 2009-06-12 02:29 d-----w- c:\documents and settings\Papa\Local Settings\Application Data\Apple Computer
    2009-06-12 02:04 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2009-06-12 02:04 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
    2009-06-06 02:55 . 2009-06-06 02:55 d-----w- c:\program files\Microsoft Sync Framework
    2009-06-03 10:19 . 2009-06-03 10:19 2904064 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\18154-181625.dll
    2009-06-02 22:29 . 2009-06-02 22:29 d-----r- c:\documents and settings\Rachel\Application Data\Brother
    2009-06-02 14:33 . 2009-05-09 00:20 61440 ----a-w- c:\windows\sessmgr.exe
    2009-05-31 21:29 . 2009-05-31 22:28 d-----w- c:\documents and settings\Anna\Local Settings\Application Data\Microsoft Help
    2009-05-27 23:05 . 2009-05-27 23:05 d-----w- c:\documents and settings\Rachel\Local Settings\Application Data\Mozilla
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-06-25 02:43 . 2009-05-15 18:06 d-----w- c:\program files\GE Security Supra
    2009-06-15 10:20 . 2009-05-02 14:41 d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-06-12 02:23 . 2009-05-02 14:27 d-----w- c:\documents and settings\Papa\Application Data\IEPro
    2009-06-03 10:19 . 2009-05-12 02:34 242976 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
    2009-05-15 18:07 . 2009-05-15 18:07 159744 ----a-w- c:\windows\system32\libssl32.dll
    2009-05-15 18:07 . 2009-05-15 18:07 d-----w- c:\program files\SiLabs
    2009-05-15 11:51 . 2009-05-15 11:51 d-----w- c:\documents and settings\Papa\Application Data\ICAClient
    2009-05-15 11:50 . 2009-05-15 11:50 d-----w- c:\program files\Citrix
    2009-05-15 11:39 . 2009-05-15 11:39 d-----w- c:\program files\CheckPoint
    2009-05-15 11:32 . 2009-05-15 11:32 d-----w- c:\program files\Windows Media Connect 2
    2009-05-15 02:16 . 2009-05-03 16:55 71192 ----a-w- c:\documents and settings\Leah\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-13 01:12 . 2009-05-02 22:25 71192 ----a-w- c:\documents and settings\Anna\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-13 00:43 . 2009-05-02 19:03 71192 ----a-w- c:\documents and settings\Rachel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-12 02:34 . 2009-05-12 02:34 3616768 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\181311-181414.dll
    2009-05-12 02:34 . 2009-05-12 02:34 1536000 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\181414-18154.dll
    2009-05-12 02:34 . 2009-05-12 02:34 1007616 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\181129-181212.dll
    2009-05-12 02:34 . 2009-05-12 02:34 811008 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\181212-181311.dll
    2009-05-12 02:34 . 2009-05-12 02:34 223584 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\patchw32.dll
    2009-05-12 02:34 . 2009-05-12 02:34 997 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\rebase.cmd
    2009-05-12 02:34 . 2009-05-02 13:20 71192 ----a-w- c:\documents and settings\Papa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-12 02:33 . 2009-05-12 02:33 d-----w- c:\program files\Common Files\AnswerWorks 5.0
    2009-05-12 02:33 . 2009-05-04 01:42 d--h--w- c:\program files\InstallShield Installation Information
    2009-05-12 02:32 . 2009-05-12 02:32 d-----w- c:\documents and settings\Papa\Application Data\Intuit
    2009-05-12 02:32 . 2009-05-12 02:32 d-----w- c:\program files\Common Files\Intuit
    2009-05-12 02:30 . 2009-05-12 02:30 d-----w- c:\documents and settings\All Users\Application Data\Intuit
    2009-05-10 23:26 . 2009-05-10 23:26 d-----w- c:\documents and settings\Rachel\Application Data\MiniDm
    2009-05-07 23:22 . 2009-05-02 15:53 57 ----a-w- c:\documents and settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_cat.bat
    2009-05-07 23:17 . 2009-05-02 15:54 65 ----a-w- c:\windows\system32\BD7820N.dat
    2009-05-07 23:16 . 2009-05-07 23:16 d-----w- c:\program files\Brother
    2009-05-07 23:16 . 2009-05-04 01:41 d-----w- c:\program files\Common Files\InstallShield
    2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
    2009-05-07 12:17 . 2009-05-03 11:11 d-----w- c:\program files\Microsoft Silverlight
    2009-05-07 02:12 . 2009-05-07 02:12 d-----w- c:\program files\MSXML 4.0
    2009-05-04 02:10 . 2009-05-04 02:10 d-----w- c:\program files\Qimage
    2009-05-04 02:02 . 2009-05-04 02:02 d-----w- c:\documents and settings\Papa\Application Data\ACD Systems
    2009-05-04 02:02 . 2009-05-04 02:01 d-----w- c:\program files\Common Files\ACD Systems
    2009-05-04 02:02 . 2009-05-04 02:02 d-----w- c:\documents and settings\All Users\Application Data\ACD Systems
    2009-05-04 01:42 . 2009-05-04 01:42 d-----w- c:\program files\Realtek AC97
    2009-05-03 18:11 . 2009-05-03 17:35 d-----w- c:\documents and settings\Leah\Application Data\MiniDm
    2009-05-03 16:59 . 2009-05-03 16:59 d-----w- c:\documents and settings\Leah\Application Data\IEPro
    2009-05-03 13:31 . 2009-05-03 13:31 10134 ----a-r- c:\documents and settings\Papa\Application Data\Microsoft\Installer\{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}\ARPPRODUCTICON.exe
    2009-05-03 13:31 . 2009-05-03 13:31 d-----w- c:\program files\HP
    2009-05-03 11:15 . 2009-05-02 22:26 d-----w- c:\documents and settings\Anna\Application Data\IEPro
    2009-05-03 11:12 . 2009-05-02 22:27 d-----w- c:\documents and settings\Anna\Application Data\MiniDm
    2009-05-03 11:11 . 2009-05-03 11:11 d-----w- c:\program files\Microsoft
    2009-05-03 11:11 . 2009-05-03 11:10 d-----w- c:\program files\Windows Live
    2009-05-03 11:10 . 2009-05-03 11:10 d-----w- c:\program files\Windows Live SkyDrive
    2009-05-03 11:08 . 2009-05-03 11:08 d-----w- c:\program files\Common Files\Windows Live
    2009-05-03 10:19 . 2009-05-03 10:19 0 ----a-w- c:\windows\nsreg.dat
    2009-05-02 19:14 . 2009-05-02 19:14
    d
    w- c:\documents and settings\Rachel\Application Data\IEPro
    2009-05-02 17:47 . 2009-05-02 17:47
    d
    w- c:\program files\Common Files\Nero
    2009-05-02 17:47 . 2009-05-02 17:47
    d
    w- c:\documents and settings\All Users\Application Data\Nero
    2009-05-02 17:05 . 2009-05-02 17:05
    d
    w- c:\documents and settings\Papa\Application Data\InstallShield
    2009-05-02 17:01 . 2009-05-02 17:01
    d
    w- c:\documents and settings\All Users\Application Data\EPSON
    2009-05-02 17:00 . 2009-05-02 17:00
    d
    w- c:\program files\EPSON
    2009-05-02 16:49 . 2009-05-02 16:49
    d
    w- c:\documents and settings\All Users\Application Data\DVD Shrink
    2009-05-02 16:48 . 2009-05-02 16:48 1915520 ----a-w- c:\documents and settings\Papa\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
    2009-05-02 16:44 . 2009-05-02 15:27
    d
    w- c:\program files\Common Files\Adobe
    2009-05-02 16:35 . 2009-05-02 16:36 9464
    w- c:\windows\system32\drivers\cdralw2k.sys
    2009-05-02 16:35 . 2009-05-02 16:36 9336
    w- c:\windows\system32\drivers\cdr4_xp.sys
    2009-05-02 16:35 . 2009-05-02 16:36 43528
    w- c:\windows\system32\drivers\PxHelp20.sys
    2009-05-02 16:35 . 2009-05-02 16:36 129784
    w- c:\windows\system32\pxafs.dll
    2009-05-02 16:35 . 2009-05-02 16:36 118520
    w- c:\windows\system32\pxinsi64.exe
    2009-05-02 16:35 . 2009-05-02 16:36 116472
    w- c:\windows\system32\pxcpyi64.exe
    2009-05-02 15:53 . 2009-05-02 15:53
    d
    w- c:\documents and settings\All Users\Application Data\Brother
    2009-05-02 15:51 . 2009-05-02 15:51
    d
    w- c:\documents and settings\All Users\Application Data\FLEXnet
    2009-05-02 15:43 . 2009-05-02 15:43
    d
    w- c:\program files\Adobe Media Player
    2009-05-02 15:41 . 2009-05-02 15:41
    d
    w- c:\program files\Common Files\Adobe AIR
    2009-05-02 15:38 . 2009-05-02 15:38
    d
    w- c:\program files\Common Files\Macrovision Shared
    2009-05-02 15:33 . 2009-05-02 15:33
    d
    w- c:\program files\Microsoft IntelliPoint
    2009-05-02 15:22 . 2009-05-02 15:22 454688 ----a-w- c:\windows\system32\drivers\timntr.sys
    2009-05-02 15:22 . 2009-05-02 15:22 43008 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
    2009-05-02 15:22 . 2009-05-02 15:22 132352 ----a-w- c:\windows\system32\drivers\snapman.sys
    2009-05-02 14:56 . 2009-05-02 14:45
    d
    w- c:\program files\Microsoft Works
    2009-05-02 14:35 . 2009-05-02 14:33
    d
    w- c:\documents and settings\Papa\Application Data\MiniDm
    2009-05-02 14:31 . 2009-05-02 14:30
    d
    w- c:\program files\Common Files\Symantec Shared
    2009-05-02 14:30 . 2009-05-02 14:30
    d
    w- c:\program files\Symantec
    2009-05-02 14:30 . 2009-05-02 14:30 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2009-05-02 14:30 . 2009-05-02 14:30 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
    2009-05-02 14:30 . 2009-05-02 14:30 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2009-05-02 14:30 . 2009-05-02 14:30 10671 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
    2009-05-02 14:30 . 2009-05-02 14:30
    d
    w- c:\documents and settings\All Users\Application Data\Symantec
    2009-05-02 13:58 . 2009-05-02 12:40 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2009-05-02 12:41 . 2009-05-02 12:41
    d
    w- c:\program files\microsoft frontpage
    2009-05-02 12:38 . 2009-05-02 12:38 21640 ----a-w- c:\windows\system32\emptyregdb.dat
    2009-04-29 04:56 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
    2009-04-29 04:55 . 2004-08-04 12:00 78336
    w- c:\windows\system32\ieencode.dll
    2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
    2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
    2009-03-27 12:14 . 2009-05-02 13:20 453152 ----a-w- c:\windows\system32\NVUNINST.EXE
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-24 53096]
    "vptray"="d:\progra~1\SYMANT~1\VPTray.exe" [2008-09-30 125368]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
    "NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
    "SetDefPrt"="d:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
    "ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
    "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]
    "SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-11-17 577536]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "SessMgr"="c:\windows\sessmgr.exe" [2009-05-09 61440]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2009-5-11 295606]
    Adobe Acrobat Synchronizer.lnk - d:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
    DisplayKEY eSYNC Info.lnk - c:\program files\GE Security Supra\SyncInfoApp.exe [2009-5-15 102400]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
    2007-05-24 14:13 24665 ----a-w- c:\windows\system32\ckpNotify.dll
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "d:\\Program Files\\IEPro\\MiniDM.exe"=
    "d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
    "d:\\Program Files\\eMule\\emule.exe"=
    "d:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
    "d:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
    "d:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
    "d:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
    "d:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP"= 5353:TCP:Adobe CSI CS4
    R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [5/24/2007 10:13 AM 2234800]
    R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [5/24/2007 10:13 AM 36368]
    R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [5/24/2007 10:13 AM 110032]
    R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [5/24/2007 10:13 AM 673456]
    R2 WinDefend;Windows Defender;d:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/8/2009 8:03 PM 101936]
    S3 SavRoam;SAVRoam;d:\program files\Symantec AntiVirus\SavRoam.exe [9/30/2008 5:41 PM 116664]
    .
    Contents of the 'Scheduled Tasks' folder
    2009-06-25 c:\windows\Tasks\MP Scheduled Scan.job
    - d:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
    2009-06-25 c:\windows\Tasks\SyncToy 2.job
    - d:\program files\SyncToy 2.0\SyncToyCmd.exe [2008-08-12 18:07]
    .
    - - - - ORPHANS REMOVED - - - -
    HKLM-Explorer_Run-ClipSrv - c:\windows\System32\drivers\clipsrv.exe
    HKLM-Explorer_Run-Mstsc - c:\docume~1\Papa\LOCALS~1\APPLIC~1\mstsc.exe
    HKCU-Explorer_Run-ClipSrv - c:\docume~1\Papa\LOCALS~1\APPLIC~1\clipsrv.exe
    HKU-Default-Explorer_Run-IEudinit - c:\docume~1\Papa\APPLIC~1\MICROS~1\ieudinit.exe

    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.yahoo.com/
    IE: Append to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    FF - ProfilePath -
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-06-25 06:27
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    Completion time: 2009-06-25 6:28
    ComboFix-quarantined-files.txt 2009-06-25 10:28
    Pre-Run: 30,010,101,760 bytes free
    Post-Run: 30,472,835,072 bytes free
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
    [operating systems]
    e:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    243 --- E O F --- 2009-06-15 10:20
  • edited June 2009
    Step 1

    Submit a File For Analysis
    We need to have the file below scanned by uploading it to Virus Total

    Please visit Virustotal
    Copy/paste the following file path into the window
    c:\windows\sessmgr.exe
    Click Submit/Send File
    Please post back, to let me know the results.

    If Virustotal is too busy please try Jotti



    Step 2

    Kaspersky Online Scanner.
    Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
    NOTE:- This scan is best done from IE (Internet Explorer)

    NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
    Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

    Read the Requirements and limitations before you click Accept.
    Once the database has downloaded, click My Computer in the left pane
    Now go and put the kettle on!
    When the scan has completed, click Save Report As...
    Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



    Logs/Information to Post in Reply
    Please post the following logs/Information in your reply
    • Virus Total Results
    • Kaspersky Log
    • How are things running now?
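    The Kaspersky Online Scanner report requested in Step 2 lists one detection per line in the form `<path> Infected: <threat name> <count>`. The script below is an added example, not part of the thread, that parses such a report, separates hits that sit in another product's quarantine folder (already-contained copies, not running code) from hits on the live file system, and totals the live hits per directory so the reviewer sees where active files are. The sample report and the `C:\WINDOWS` and Temp entries are constructed; the quarantine-folder marker list is a hypothetical choice for this example.

```python
"""Triage a Kaspersky Online Scanner 7.0 report (added example; sample data is constructed)."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import Dict, List, NamedTuple

# One detection per line in the report body:
#   <full path> Infected: <threat name> <count>   (or "Suspicious:" for heuristic hits)
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<verdict>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)

# Path fragments that mark files already isolated by another product. Hypothetical
# list for this example: Symantec's Quarantine folder appears in the thread, the
# others are common places where old copies of malware get parked, not live code.
CONTAINED_MARKERS = ("\\quarantine\\", "\\system volume information\\", "\\recycler\\")


class Detection(NamedTuple):
    path: str
    verdict: str
    threat: str
    count: int


def parse_report(text: str) -> List[Detection]:
    """Extract every detection line; header, statistics and blank lines are skipped."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["verdict"], m["threat"], int(m["count"])))
    return found


def is_contained(path: str) -> bool:
    """True when the file sits in a quarantine-style folder rather than on the live system."""
    lowered = path.lower()
    return any(marker in lowered for marker in CONTAINED_MARKERS)


def triage(text: str) -> Dict[str, object]:
    """Separate already-contained hits from live ones and total the live hits per directory.

    A long list of hits inside another scanner's Quarantine folder is leftover material
    to purge, not an active infection; hits outside such folders are what need attention.
    """
    detections = parse_report(text)
    contained = [d for d in detections if is_contained(d.path)]
    live = [d for d in detections if not is_contained(d.path)]
    per_dir: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for d in live:
        per_dir[str(PureWindowsPath(d.path).parent)][d.threat] += d.count
    return {
        "contained": contained,
        "live": live,
        "live_by_dir": {folder: dict(threats) for folder, threats in per_dir.items()},
    }


# Constructed sample in the report's layout; the Quarantine paths mirror the thread's
# log, the C:\WINDOWS and Temp entries are invented for illustration.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01300000.VBN Infected: Trojan-Downloader.Win32.Calac.dfo 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09700000\4B7D59AC.VBN Infected: Backdoor.Win32.Agent.ahwi 1
C:\WINDOWS\CONSTRUCTED-sample.exe Infected: Backdoor.Win32.Agent.ahwi 1
C:\WINDOWS\CONSTRUCTED-other.dll Suspicious: Backdoor.Win32.Agent.ahwi 2
C:\Documents and Settings\Papa\Local Settings\Temp\CONSTRUCTED.tmp Infected: Trojan-Downloader.Win32.Elly.l 1
Scan statistics:
Infected objects: 4
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"{len(result['contained'])} hit(s) already inside quarantine folders")
    print(f"{len(result['live'])} live hit(s) by directory:")
    for folder, threats in result["live_by_dir"].items():
        print(f"  {folder}: {threats}")
```

    Feed it the saved .txt report instead of `SAMPLE_REPORT` to get the same split for a real scan.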
  • edited June 2009
    Katana,
    I submitted the file to Virustotal, but I really do not know how to get the results back...
    Here is the log from Kaspersky:
    KASPERSKY ONLINE SCANNER 7.0 REPORT
    Friday, June 26, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Program database last update: Friday, June 26, 2009 01:22:45
    Records in database: 2389637
    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes
    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    V:\
    W:\
    X:\
    Y:\
    Z:\
    Scan statistics:
    Files scanned: 229052
    Threat name: 21
    Infected objects: 169
    Suspicious objects: 0
    Duration of the scan: 05:25:33

    File name / Threat name / Threats count
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01300000.VBN Infected: Trojan-Downloader.Win32.Calac.dfo 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01300003.VBN Infected: Rootkit.Win32.Agent.ajn 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01300004.VBN Infected: Rootkit.Win32.Agent.ajn 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09700000\4B7D59AC.VBN Infected: Backdoor.Win32.Agent.ahwi 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09700001\4B7E47A6.VBN Infected: Backdoor.Win32.Agent.ahwi 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09700002\4B7EAAC1.VBN Infected: Backdoor.Win32.Agent.ahwi 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09700003\4B7EAE12.VBN Infected: Backdoor.Win32.Agent.ahwi 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09700004\4B7EB183.VBN Infected: Backdoor.Win32.Agent.ahwi 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09700005\4B7EBB60.VBN Infected: Backdoor.Win32.Agent.ahwi 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09700006\4B7EC1EE.VBN Infected: Backdoor.Win32.Agent.ahwi 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09700007\4B7EDC40.VBN Infected: Backdoor.Win32.Agent.ahwi 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09700008\4B7EE99E.VBN Infected: Backdoor.Win32.Agent.ahwi 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09700009\4B7F1E17.VBN Infected: Backdoor.Win32.Agent.ahwi 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0970000A\4B7F24AC.VBN Infected: Backdoor.Win32.Agent.ahwi 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0970000B\4B7F3544.VBN Infected: Backdoor.Win32.Agent.ahwi 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0970000C\4B7F4C22.VBN Infected: Backdoor.Win32.Agent.ahwi 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0970000D\4B7191E4.VBN Infected: Trojan-Mailfinder.Win32.Blen.il 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0970000E\4B7191F0.VBN Infected: Trojan-Downloader.Win32.Elly.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0970000F\4B7191FA.VBN Infected: Trojan-Downloader.Win32.Elly.m 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09700010\4B719209.VBN Infected: Trojan-Mailfinder.Win32.Blen.io 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09700011\4B71921A.VBN Infected: Trojan-Mailfinder.Win32.Blen.ir 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09700012\4B71922A.VBN Infected: Trojan-Mailfinder.Win32.Blen.iw 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09700013\4B71923C.VBN Infected: Trojan-Mailfinder.Win32.Blen.ie 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09700014\4B719250.VBN Infected: Trojan-Mailfinder.Win32.Blen.in 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09700015\4B719262.VBN Infected: Trojan-Mailfinder.Win32.Blen.ie 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09700016\4B719272.VBN Infected: Trojan-Mailfinder.Win32.Blen.il 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09700017\4B719280.VBN Infected: Trojan-Downloader.Win32.Elly.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09700018\4B71928D.VBN Infected: Trojan-Downloader.Win32.Elly.m 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09700019\4B71929E.VBN Infected: Trojan-Mailfinder.Win32.Blen.ip 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0970001A\4B7192AE.VBN Infected: Trojan-Mailfinder.Win32.Blen.ir 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0970001B\4B7192BE.VBN Infected: Trojan-Mailfinder.Win32.Blen.iw 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0970001C\4B7192CD.VBN Infected: Trojan-Mailfinder.Win32.Blen.ie 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0970001D\4B7192DC.VBN Infected: Trojan-Mailfinder.Win32.Blen.in 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0970001E\4B7192E7.VBN Infected: Trojan-Downloader.Win32.Elly.m 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0970001F\4B7192F6.VBN Infected: Trojan-Mailfinder.Win32.Blen.is 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09700020\4B719304.VBN Infected: Trojan-Mailfinder.Win32.Blen.ip 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09700021\4B719313.VBN Infected: Trojan-Mailfinder.Win32.Blen.iw 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09700022\4B719323.VBN Infected: Trojan-Mailfinder.Win32.Blen.ie 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09700023\4B719332.VBN Infected: Trojan-Mailfinder.Win32.Blen.il 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09700024\4B719340.VBN Infected: Trojan-Mailfinder.Win32.Blen.in 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C3C0000\4E3D07C5.VBN Infected: Backdoor.Win32.Agent.ahkd 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C3C0001\4E3DC60F.VBN Infected: Backdoor.Win32.Agent.ahkd 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C3C0002\4E3DD34A.VBN Infected: Backdoor.Win32.Agent.ahkd 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C3C0003\4E3DD7AE.VBN Infected: Backdoor.Win32.Agent.ahkd 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C3C0004\4E3E165C.VBN Infected: Backdoor.Win32.Agent.ahkd 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C3C0005\4E3E2032.VBN Infected: Backdoor.Win32.Agent.ahkd 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C3C0006\4E3E26C6.VBN Infected: Backdoor.Win32.Agent.ahkd 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C3C0007\4E3E6E9E.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C3C0008\4E3EADD7.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C3C0009\4E3ED1E5.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C3C000A\4E3EF8F8.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C3C000B\4E3F1DE3.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C3C000C\4E3F3B8E.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C3C000D\4E3F48F2.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C3C000E\4E3F5BE0.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C3C000F\4E3F8009.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C3C0010\4E3FAB6B.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C3C0011\4E3FC5E1.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C3C0012\4E3C1E2A.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C3C0013\4E3C328C.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C3C0014\4E3C3C83.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C3C0015\4E3C5D1E.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C3C0016\4E3C6405.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C3C0017\4E3C8108.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C3C0018\4E3C81AA.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740000\4E754882.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740001\4E75488C.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740002\4E754950.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740003\4E75672A.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740004\4E756733.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740005\4E757374.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740006\4E758EBD.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740007\4E75920E.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740008\4E759F3B.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740009\4E75E049.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C74000A\4E75E7B4.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C74000B\4E75EE48.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C74000C\4E75F410.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C74000D\4E75F4E1.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C74000E\4E75F82B.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C74000F\4E75FEC5.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740010\4E760146.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740011\4E760561.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740012\4E760BF4.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740013\4E760E7E.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740014\4E760F52.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740015\4E761291.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740016\4E76192D.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740017\4E761942.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740018\4E76339E.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740019\4E76512D.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C74001A\4E7657DF.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C74001B\4E76651F.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C74001C\4E766854.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C74001D\4E76724E.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C74001E\4E76AA58.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C74001F\4E76ADA2.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740020\4E76DB59.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740021\4E7734E2.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740022\4E777061.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740023\4E7776EB.VBN Infected: Backdoor.Win32.Agent.ahgj 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740024\4E77C424.VBN Infected: Backdoor.Win32.Agent.ahkd 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740025\4E744F53.VBN Infected: Backdoor.Win32.Agent.ahkd 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740026\4E74536D.VBN Infected: Backdoor.Win32.Agent.ahkd 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740027\4E745D49.VBN Infected: Backdoor.Win32.Agent.ahkd 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740028\4E746092.VBN Infected: Backdoor.Win32.Agent.ahkd 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740029\4E746D55.VBN Infected: Backdoor.Win32.Agent.ahkd 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C74002A\4E748B7A.VBN Infected: Backdoor.Win32.Agent.ahkd 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA40000\4EB57B5A.VBN Infected: Backdoor.Win32.Agent.ahva 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA40001\4EB59B32.VBN Infected: Backdoor.Win32.Agent.ahva 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA40002\4EB5A1C4.VBN Infected: Backdoor.Win32.Agent.ahva 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA40003\4EB5ABAF.VBN Infected: Backdoor.Win32.Agent.ahva 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA40004\4EB5ACCD.VBN Infected: Backdoor.Win32.Agent.ahva 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA40005\4EB5AEFF.VBN Infected: Backdoor.Win32.Agent.ahva 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA40006\4EB5B76F.VBN Infected: Backdoor.Win32.Agent.ahva 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA40007\4EB5C986.VBN Infected: Backdoor.Win32.Agent.ahva 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA40008\4EB5CA5E.VBN Infected: Backdoor.Win32.Agent.ahva 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA40009\4EB5D891.VBN Infected: Backdoor.Win32.Agent.ahva 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA4000A\4EB5E4AB.VBN Infected: Backdoor.Win32.Agent.ahva 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA4000B\4EB60059.VBN Infected: Backdoor.Win32.Agent.ahva 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA4000C\4EB6178F.VBN Infected: Backdoor.Win32.Agent.ahtc 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA4000D\4EB61C58.VBN Infected: Backdoor.Win32.Agent.ahtc 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80000\4EF9191A.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80001\4EF992FD.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80002\4EF9A166.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80003\4EF9A6C8.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80004\4EF9AC55.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80005\4EF9BBE8.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80006\4EF9BDD5.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80007\4EF9D30C.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80008\4EF9D823.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80009\4EF9FAB9.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF8000A\4EFA5525.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF8000B\4EFAD3CE.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF8000C\4EFAE117.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF8000D\4EFAFF86.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF8000E\4EFB2075.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF8000F\4EFB29FC.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80010\4EFB4133.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80011\4EFB763D.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80012\4EFB9A22.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80013\4EFC1A92.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80014\4EFC32DE.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80015\4EFC3836.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80016\4EFCA008.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80017\4EFCA832.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80018\4EFCBBF5.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80019\4EFCBDBF.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF8001A\4EFCBF3D.VBN Infected: Backdoor.Win32.Agent.ahoe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF8001C\4EFCFA76.VBN Infected: Backdoor.Win32.Agent.ahpp 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF8001D\4EFD00FD.VBN Infected: Backdoor.Win32.Agent.ahpp 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF8001E\4EFD21E4.VBN Infected: Backdoor.Win32.Agent.ahpp 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF8001F\4EFD9EEC.VBN Infected: Backdoor.Win32.Agent.ahpp 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80020\4EFDE0C3.VBN Infected: Backdoor.Win32.Agent.ahpp 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80021\4EFDF136.VBN Infected: Backdoor.Win32.Agent.ahpp 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80022\4EFDF7CD.VBN Infected: Backdoor.Win32.Agent.ahpp 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80024\4EFE0B8A.VBN Infected: Backdoor.Win32.Agent.ahpp 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80025\4EFE0BE2.VBN Infected: Backdoor.Win32.Agent.ahpp 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80026\4EFE2294.VBN Infected: Backdoor.Win32.Agent.ahpp 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80027\4EFE67B4.VBN Infected: Backdoor.Win32.Agent.ahrd 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80028\4EFE89A6.VBN Infected: Backdoor.Win32.Agent.ahrd 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80029\4EFE8CF7.VBN Infected: Backdoor.Win32.Agent.ahrd 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF8002A\4EFE96E0.VBN Infected: Backdoor.Win32.Agent.ahrd 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF8002B\4EFEB49C.VBN Infected: Backdoor.Win32.Agent.ahrd 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF8002C\4EFF08FB.VBN Infected: Backdoor.Win32.Agent.ahrd 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF8002D\4EFF57F4.VBN Infected: Backdoor.Win32.Agent.ahrd 1
    E:\20090429_000000_MainToM\E\Documents\Papa\LimeWire\downloads\glamorous indie rock and roll.mp3 Infected: Trojan-Downloader.WMA.GetCodec.n 1
    F:\Documents\Papa\LimeWire\downloads\glamorous indie rock and roll.mp3 Infected: Trojan-Downloader.WMA.GetCodec.n 1
    H:\Backup\Documents\Papa\LimeWire\downloads\glamorous indie rock and roll.mp3 Infected: Trojan-Downloader.WMA.GetCodec.n 1
    The selected area was scanned.

    Meanwhile, I continue to have notifications from Symantec about mdm.exe Trojan...
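Reading the report above by path rather than by detection name makes the situation clearer: almost every hit is a .VBN file inside Symantec's own Quarantine folder (those are contained copies that the second scanner keeps re-detecting), while only the three .mp3 copies on E:, F: and H: are live files. The Python script below is an added example, not part of this thread and not code from Kaspersky or Symantec; it parses lines in the same "path Infected: name count" layout, separates quarantine hits from live ones and totals them per detection name. The sample lines are constructed after the report format above, and treating any path component named Quarantine as a quarantine store is an assumption about that layout.

```python
"""Triage a scanner report in the 'path Infected: name count' layout.

Added example, not from the thread and not Kaspersky or Symantec code.
It separates hits that sit inside an antivirus quarantine store (already
contained copies that a second scanner keeps re-detecting) from hits on
live files that still need removal, and totals them per detection name.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the report format in the thread.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C74000D\4E75F4E1.VBN Infected: Backdoor.Win32.Agent.ahgj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740024\4E77C424.VBN Infected: Backdoor.Win32.Agent.ahkd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80029\4EFE8CF7.VBN Infected: Backdoor.Win32.Agent.ahrd 1
F:\Documents\Papa\LimeWire\downloads\glamorous indie rock and roll.mp3 Infected: Trojan-Downloader.WMA.GetCodec.n 1
H:\Backup\Documents\Papa\LimeWire\downloads\glamorous indie rock and roll.mp3 Infected: Trojan-Downloader.WMA.GetCodec.n 1
The selected area was scanned.
"""

# One hit: a path (may contain spaces), 'Infected:', a detection name, a count.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<count>\d+)$")

# Assumption: a path component named 'Quarantine' marks an AV quarantine store
# (Symantec keeps quarantined items as encoded .VBN files under that folder).
QUARANTINE_MARKERS = ("\\quarantine\\",)


def parse_report(text):
    """Return [(path, detection, count)] for every 'Infected:' line."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((m["path"], m["name"], int(m["count"])))
    return hits


def is_quarantined(path):
    """True when the path lies inside a quarantine store."""
    low = path.lower()
    return any(marker in low for marker in QUARANTINE_MARKERS)


def triage(text):
    """Split hits into contained (quarantine) totals and live file paths."""
    contained = Counter()
    live = defaultdict(list)
    for path, name, count in parse_report(text):
        if is_quarantined(path):
            contained[name] += count
        else:
            live[name].append(path)
    return {"contained": dict(contained), "live": dict(live)}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("Contained in quarantine (purge the quarantine to stop re-detections):")
    for name, n in sorted(result["contained"].items()):
        print(f"  {n:3d}  {name}")
    print("Live files still on disk (these need removal):")
    for name, paths in sorted(result["live"].items()):
        for path in paths:
            print(f"  {name}  {path}")
```

Run against the full report the split is the same: every Backdoor.Win32.Agent hit is a quarantine copy, and the only live detections are the three copies of the same .mp3, which is why the follow-up script targets exactly those files.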
  • edited June 2009
    Information
    I submitted file to Virustotal, but I really do not know how to get the results back.
    Don't worry, I'll grab a copy and check it




    Step 1

    Custom CFScript
    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
      http://icrontic.com/forum/showthread.php?p=693514#post693514
      Suspect::[4]
      c:\windows\sessmgr.exe
      File::
      c:\windows\sessmgr.exe
      E:\20090429_000000_MainToM\E\Documents\Papa\LimeWire\downloads\glamorous indie rock and roll.mp3
      F:\Documents\Papa\LimeWire\downloads\glamorous indie rock and roll.mp3
      H:\Backup\Documents\Papa\LimeWire\downloads\glamorous indie rock and roll.mp3
      Registry::
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
      "SessMgr"=-
      ADS::
      
    • Save this as CFScript.txt and place it on your desktop.


      [screenshot: CFScriptb.gif]


    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • **Note**
      When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
      • Ensure you are connected to the internet and click OK on the message box.

    • Copy and paste the contents of the log in your next reply.


    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.




    Logs/Information to Post in Reply
    Please post the following logs/Information in your reply
    • Combofix Log
    • Where does Symantec say it is finding the file now?
    • A fresh HJT log
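The Registry:: block in the script above removes the SessMgr value from HKLM\...\Policies\Explorer\Run, an autostart key that legitimate software rarely uses and that is easy to overlook next to the ordinary Run keys. The Python script below is an added example, not part of this thread and not ComboFix code: it reads a REGEDIT4-style export of autostart keys (the layout that ComboFix's "Reg Loading Points" section and a plain reg export both produce) and flags for review any entry that starts from a Policies\Explorer\Run key, from a user profile, directly from the Windows root, or by a bare file name. The sample export is constructed; its entry names and paths are modelled on this thread, and the "Updater" value is invented for illustration.

```python
r"""Flag autostart entries worth a closer look in a REGEDIT4-style export.

Added example, not from the thread and not ComboFix code. Input layout:
[KEY] headers followed by "Name"="value" lines, optionally carrying the
ComboFix-style ' - resolved\path [date size]' suffix. The rules are a
triage aid, not a verdict: an entry is flagged when it starts from a
Policies\Explorer\Run key, from a user profile, directly from the Windows
root, or by a bare file name that the loader resolves through the PATH.
"""
import re

# Constructed sample modelled on the thread's logs; "Updater" is invented.
SAMPLE_EXPORT = r"""
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-24 53096]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-11-17 577536]
"nwiz"="nwiz.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"SessMgr"="c:\windows\sessmgr.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="c:\documents and settings\Rachel\Application Data\Microsoft\cmstp.exe"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"'   # "Name"="value"
    r"(?: - (?P<resolved>[^\[]+?))?"           # optional ComboFix-resolved path
    r"(?: \[(?P<meta>[^\]]*)\])?$"             # optional [date size]
)


def parse_export(text):
    """Yield (key, name, image) tuples; image is the resolved path if present."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        k = KEY_RE.match(line)
        if k:
            key = k["key"]
            continue
        v = VALUE_RE.match(line)
        if v and key is not None:
            image = (v["resolved"] or v["value"]).strip()
            yield key, v["name"], image


def review_reasons(key, image):
    """Return the reasons an entry deserves review (empty list = nothing odd)."""
    reasons = []
    k, img = key.lower(), image.lower()
    if "\\policies\\explorer\\run" in k:
        reasons.append("Policies\\Explorer\\Run autostart, rarely used by legitimate software")
    if "\\" not in img:
        reasons.append("bare file name, resolved through the search path")
    else:
        folder = img.rsplit("\\", 1)[0]
        if "\\documents and settings\\" in img or "\\users\\" in img:
            reasons.append("runs from a user profile, a user-writable location")
        elif folder in ("c:\\windows", "c:\\winnt"):
            reasons.append("executable sits directly in the Windows root")
    return reasons


def triage_export(text):
    """Return [(key, name, image, reasons)] for every entry in the export."""
    return [(key, name, image, review_reasons(key, image))
            for key, name, image in parse_export(text)]


def flagged(text):
    """Only the entries with at least one reason, keyed by value name."""
    return {name: reasons for _, name, _, reasons in triage_export(text) if reasons}


if __name__ == "__main__":
    for key, name, image, reasons in triage_export(SAMPLE_EXPORT):
        tag = "REVIEW" if reasons else "ok    "
        print(f"{tag} {name:12s} {image}")
        for reason in reasons:
            print(f"         - {reason}")
```

A flag is a prompt to check the file's signature, size and date against a known-good copy, not a removal decision: the Windows-root rule, for instance, also catches legitimate audio-driver launchers such as soundman.exe, while the Policies\Explorer\Run rule and the user-profile rule are the ones that single out the two paths this thread actually dealt with.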
  • edited June 2009
    I'll do it either tonight or tomorrow morning.
    Thanks!
  • edited June 2009
    Katana,
    Here is the log from ComboFix:

    ComboFix 09-06-26.02 - Papa 06/26/2009 22:00.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2688 [GMT -4:00]
    Running from: c:\documents and settings\Papa\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Papa\Desktop\CFScript.txt
    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    FILE ::
    "c:\windows\sessmgr.exe"
    "e:\20090429_000000_maintom\E\Documents\Papa\LimeWire\downloads\glamorous indie rock and roll.mp3"
    "f:\documents\Papa\LimeWire\downloads\glamorous indie rock and roll.mp3"
    "h:\backup\Documents\Papa\LimeWire\downloads\glamorous indie rock and roll.mp3"
    file zipped: c:\windows\Suspect_sessmgr.exe.vir
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\documents and settings\Rachel\Application Data\Microsoft\cmstp.exe
    c:\windows\sessmgr.exe
    e:\20090429_000000_maintom\E\Documents\Papa\LimeWire\downloads\glamorous indie rock and roll.mp3
    f:\documents\Papa\LimeWire\downloads\glamorous indie rock and roll.mp3
    h:\backup\Documents\Papa\LimeWire\downloads\glamorous indie rock and roll.mp3
    .
    ((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-06-27 )))))))))))))))))))))))))))))))
    .
    2009-06-26 00:09 . 2009-06-26 00:09 -------- d-----w- c:\windows\Sun
    2009-06-26 00:09 . 2009-06-26 00:08 410984 ----a-w- c:\windows\system32\deploytk.dll
    2009-06-26 00:08 . 2009-06-26 00:08 152576 ----a-w- c:\documents and settings\Papa\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
    2009-06-25 10:28 . 2009-06-25 10:28 -------- dc----w- c:\windows\system32\dllcache\cache
    2009-06-24 02:35 . 2009-06-24 02:35 -------- d-----w- c:\documents and settings\Papa\Application Data\Malwarebytes
    2009-06-24 02:35 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-06-24 02:35 . 2009-06-24 02:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-06-24 02:35 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-06-23 02:04 . 2009-06-23 02:04 -------- d-----w- C:\rsit
    2009-06-21 15:54 . 2009-06-21 15:54 -------- d-----w- c:\documents and settings\Rachel\Local Settings\Application Data\Microsoft Help
    2009-06-13 19:29 . 2009-06-13 19:29 -------- d-----w- c:\documents and settings\Papa\Application Data\Nero
    2009-06-12 02:32 . 2009-06-12 02:32 -------- d-----w- c:\documents and settings\Papa\Application Data\Apple Computer
    2009-06-12 02:30 . 2009-06-12 02:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2009-06-12 02:30 . 2009-06-12 02:30 -------- d-----w- c:\documents and settings\Papa\Local Settings\Application Data\Apple
    2009-06-12 02:30 . 2009-06-12 02:30 -------- d-----w- c:\program files\Apple Software Update
    2009-06-12 02:30 . 2009-06-12 02:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2009-06-12 02:29 . 2009-06-12 02:29 -------- d-----w- c:\documents and settings\Papa\Local Settings\Application Data\Apple Computer
    2009-06-12 02:04 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2009-06-12 02:04 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
    2009-06-06 02:55 . 2009-06-06 02:55 -------- d-----w- c:\program files\Microsoft Sync Framework
    2009-06-03 10:19 . 2009-06-03 10:19 2904064 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\18154-181625.dll
    2009-06-02 22:29 . 2009-06-02 22:29 -------- d-----r- c:\documents and settings\Rachel\Application Data\Brother
    2009-05-31 21:29 . 2009-05-31 22:28 -------- d-----w- c:\documents and settings\Anna\Local Settings\Application Data\Microsoft Help
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-06-26 11:08 . 2009-05-02 15:27 -------- d-----w- c:\program files\Common Files\Adobe
    2009-06-25 02:43 . 2009-05-15 18:06 -------- d-----w- c:\program files\GE Security Supra
    2009-06-15 10:20 . 2009-05-02 14:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-06-12 02:23 . 2009-05-02 14:27 -------- d-----w- c:\documents and settings\Papa\Application Data\IEPro
    2009-06-03 10:19 . 2009-05-12 02:34 242976 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
    2009-05-15 18:07 . 2009-05-15 18:07 159744 ----a-w- c:\windows\system32\libssl32.dll
    2009-05-15 18:07 . 2009-05-15 18:07 -------- d-----w- c:\program files\SiLabs
    2009-05-15 11:51 . 2009-05-15 11:51 -------- d-----w- c:\documents and settings\Papa\Application Data\ICAClient
    2009-05-15 11:50 . 2009-05-15 11:50 -------- d-----w- c:\program files\Citrix
    2009-05-15 11:39 . 2009-05-15 11:39 -------- d-----w- c:\program files\CheckPoint
    2009-05-15 11:32 . 2009-05-15 11:32 -------- d-----w- c:\program files\Windows Media Connect 2
    2009-05-15 02:16 . 2009-05-03 16:55 71192 ----a-w- c:\documents and settings\Leah\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-13 01:12 . 2009-05-02 22:25 71192 ----a-w- c:\documents and settings\Anna\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-13 00:43 . 2009-05-02 19:03 71192 ----a-w- c:\documents and settings\Rachel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-12 02:34 . 2009-05-12 02:34 3616768 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\181311-181414.dll
    2009-05-12 02:34 . 2009-05-12 02:34 1536000 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\181414-18154.dll
    2009-05-12 02:34 . 2009-05-12 02:34 1007616 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\181129-181212.dll
    2009-05-12 02:34 . 2009-05-12 02:34 811008 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\181212-181311.dll
    2009-05-12 02:34 . 2009-05-12 02:34 223584 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\patchw32.dll
    2009-05-12 02:34 . 2009-05-12 02:34 997 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\rebase.cmd
    2009-05-12 02:34 . 2009-05-02 13:20 71192 ----a-w- c:\documents and settings\Papa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-12 02:33 . 2009-05-12 02:33 -------- d-----w- c:\program files\Common Files\AnswerWorks 5.0
    2009-05-12 02:33 . 2009-05-04 01:42 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-05-12 02:32 . 2009-05-12 02:32 -------- d-----w- c:\documents and settings\Papa\Application Data\Intuit
    2009-05-12 02:32 . 2009-05-12 02:32 -------- d-----w- c:\program files\Common Files\Intuit
    2009-05-12 02:30 . 2009-05-12 02:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
    2009-05-10 23:26 . 2009-05-10 23:26 -------- d-----w- c:\documents and settings\Rachel\Application Data\MiniDm
    2009-05-07 23:22 . 2009-05-02 15:53 57 ----a-w- c:\documents and settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_cat.bat
    2009-05-07 23:17 . 2009-05-02 15:54 65 ----a-w- c:\windows\system32\BD7820N.dat
    2009-05-07 23:16 . 2009-05-07 23:16 -------- d-----w- c:\program files\Brother
    2009-05-07 23:16 . 2009-05-04 01:41 -------- d-----w- c:\program files\Common Files\InstallShield
    2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
    2009-05-07 12:17 . 2009-05-03 11:11 -------- d-----w- c:\program files\Microsoft Silverlight
    2009-05-07 02:12 . 2009-05-07 02:12 -------- d-----w- c:\program files\MSXML 4.0
    2009-05-04 02:10 . 2009-05-04 02:10 -------- d-----w- c:\program files\Qimage
    2009-05-04 02:02 . 2009-05-04 02:02 -------- d-----w- c:\documents and settings\Papa\Application Data\ACD Systems
    2009-05-04 02:02 . 2009-05-04 02:01 -------- d-----w- c:\program files\Common Files\ACD Systems
    2009-05-04 02:02 . 2009-05-04 02:02 -------- d-----w- c:\documents and settings\All Users\Application Data\ACD Systems
    2009-05-04 01:42 . 2009-05-04 01:42 -------- d-----w- c:\program files\Realtek AC97
    2009-05-03 18:11 . 2009-05-03 17:35 -------- d-----w- c:\documents and settings\Leah\Application Data\MiniDm
    2009-05-03 16:59 . 2009-05-03 16:59 -------- d-----w- c:\documents and settings\Leah\Application Data\IEPro
    2009-05-03 13:31 . 2009-05-03 13:31 10134 ----a-r- c:\documents and settings\Papa\Application Data\Microsoft\Installer\{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}\ARPPRODUCTICON.exe
    2009-05-03 13:31 . 2009-05-03 13:31 -------- d-----w- c:\program files\HP
    2009-05-03 11:15 . 2009-05-02 22:26 -------- d-----w- c:\documents and settings\Anna\Application Data\IEPro
    2009-05-03 11:12 . 2009-05-02 22:27 -------- d-----w- c:\documents and settings\Anna\Application Data\MiniDm
    2009-05-03 11:11 . 2009-05-03 11:11 -------- d-----w- c:\program files\Microsoft
    2009-05-03 11:11 . 2009-05-03 11:10 -------- d-----w- c:\program files\Windows Live
    2009-05-03 11:10 . 2009-05-03 11:10 -------- d-----w- c:\program files\Windows Live SkyDrive
    2009-05-03 11:08 . 2009-05-03 11:08 -------- d-----w- c:\program files\Common Files\Windows Live
    2009-05-03 10:19 . 2009-05-03 10:19 0 ----a-w- c:\windows\nsreg.dat
    2009-05-02 19:14 . 2009-05-02 19:14 -------- d-----w- c:\documents and settings\Rachel\Application Data\IEPro
    2009-05-02 17:47 . 2009-05-02 17:47 -------- d-----w- c:\program files\Common Files\Nero
    2009-05-02 17:47 . 2009-05-02 17:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
    2009-05-02 17:05 . 2009-05-02 17:05 -------- d-----w- c:\documents and settings\Papa\Application Data\InstallShield
    2009-05-02 17:01 . 2009-05-02 17:01 -------- d-----w- c:\documents and settings\All Users\Application Data\EPSON
    2009-05-02 17:00 . 2009-05-02 17:00 -------- d-----w- c:\program files\EPSON
    2009-05-02 16:49 . 2009-05-02 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
    2009-05-02 16:48 . 2009-05-02 16:48 1915520 ----a-w- c:\documents and settings\Papa\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
    2009-05-02 16:35 . 2009-05-02 16:36 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
    2009-05-02 16:35 . 2009-05-02 16:36 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
    2009-05-02 16:35 . 2009-05-02 16:36 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
    2009-05-02 16:35 . 2009-05-02 16:36 129784 ------w- c:\windows\system32\pxafs.dll
    2009-05-02 16:35 . 2009-05-02 16:36 118520 ------w- c:\windows\system32\pxinsi64.exe
    2009-05-02 16:35 . 2009-05-02 16:36 116472 ------w- c:\windows\system32\pxcpyi64.exe
    2009-05-02 15:53 . 2009-05-02 15:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother
    2009-05-02 15:51 . 2009-05-02 15:51 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
    2009-05-02 15:43 . 2009-05-02 15:43 -------- d-----w- c:\program files\Adobe Media Player
    2009-05-02 15:41 . 2009-05-02 15:41 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2009-05-02 15:38 . 2009-05-02 15:38 -------- d-----w- c:\program files\Common Files\Macrovision Shared
    2009-05-02 15:33 . 2009-05-02 15:33 -------- d-----w- c:\program files\Microsoft IntelliPoint
    2009-05-02 15:22 . 2009-05-02 15:22 454688 ----a-w- c:\windows\system32\drivers\timntr.sys
    2009-05-02 15:22 . 2009-05-02 15:22 43008 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
    2009-05-02 15:22 . 2009-05-02 15:22 132352 ----a-w- c:\windows\system32\drivers\snapman.sys
    2009-05-02 14:56 . 2009-05-02 14:45 -------- d-----w- c:\program files\Microsoft Works
    2009-05-02 14:35 . 2009-05-02 14:33 -------- d-----w- c:\documents and settings\Papa\Application Data\MiniDm
    2009-05-02 14:31 . 2009-05-02 14:30 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2009-05-02 14:30 . 2009-05-02 14:30 -------- d-----w- c:\program files\Symantec
    2009-05-02 14:30 . 2009-05-02 14:30 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2009-05-02 14:30 . 2009-05-02 14:30 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
    2009-05-02 14:30 . 2009-05-02 14:30 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2009-05-02 14:30 . 2009-05-02 14:30 10671 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
    2009-05-02 14:30 . 2009-05-02 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2009-05-02 13:58 . 2009-05-02 12:40 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2009-05-02 12:41 . 2009-05-02 12:41 -------- d-----w- c:\program files\microsoft frontpage
    2009-05-02 12:38 . 2009-05-02 12:38 21640 ----a-w- c:\windows\system32\emptyregdb.dat
    2009-04-29 04:56 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
    2009-04-29 04:55 . 2004-08-04 12:00 78336 ------w- c:\windows\system32\ieencode.dll
    2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
    2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
    .
    ((((((((((((((((((((((((((((( SnapShot@2009-06-25_10.28.00 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-06-25 10:28 . 2008-10-16 18:09 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
    + 2009-06-25 10:28 . 2008-04-14 00:12 82432 c:\windows\system32\dllcache\cache\ws2_32.dll
    + 2009-06-25 10:28 . 2008-04-14 00:12 26112 c:\windows\system32\dllcache\cache\userinit.exe
    + 2009-06-25 10:28 . 2008-04-14 00:12 14336 c:\windows\system32\dllcache\cache\svchost.exe
    + 2009-06-25 10:28 . 2008-04-14 00:12 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
    + 2009-06-25 10:28 . 2008-04-14 00:12 17408 c:\windows\system32\dllcache\cache\powrprof.dll
    + 2009-06-25 10:28 . 2008-04-14 00:12 13312 c:\windows\system32\dllcache\cache\lsass.exe
    + 2009-06-25 10:28 . 2008-04-13 18:39 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
    + 2009-06-25 10:28 . 2008-04-13 18:53 36608 c:\windows\system32\dllcache\cache\ip6fw.sys
    + 2009-06-25 10:28 . 2008-04-14 00:12 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
    + 2009-06-26 00:09 . 2009-06-26 00:08 148888 c:\windows\system32\javaws.exe
    + 2009-06-26 00:09 . 2009-06-26 00:08 144792 c:\windows\system32\javaw.exe
    + 2009-06-26 00:09 . 2009-06-26 00:08 144792 c:\windows\system32\java.exe
    + 2009-06-25 10:28 . 2008-04-14 00:12 507904 c:\windows\system32\dllcache\cache\winlogon.exe
    + 2009-06-25 10:28 . 2009-04-29 04:56 827392 c:\windows\system32\dllcache\cache\wininet.dll
    + 2009-06-25 10:28 . 2008-04-14 00:12 578560 c:\windows\system32\dllcache\cache\user32.dll
    + 2009-06-25 10:28 . 2008-04-14 00:12 295424 c:\windows\system32\dllcache\cache\termsrv.dll
    + 2009-06-25 10:28 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\cache\tcpip.sys
    + 2009-06-25 10:28 . 2009-02-06 11:11 110592 c:\windows\system32\dllcache\cache\services.exe
    + 2009-06-25 10:28 . 2008-04-13 19:20 182656 c:\windows\system32\dllcache\cache\ndis.sys
    + 2009-06-25 10:28 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\cache\kernel32.dll
    + 2009-06-25 10:28 . 2008-04-14 00:11 110080 c:\windows\system32\dllcache\cache\imm32.dll
    + 2009-06-25 10:28 . 2008-04-14 00:11 167936 c:\windows\system32\dllcache\cache\appmgmts.dll
    + 2009-06-25 10:28 . 2008-04-14 00:12 1614848 c:\windows\system32\dllcache\cache\sfcfiles.dll
    + 2009-06-25 10:28 . 2009-02-06 11:08 2189056 c:\windows\system32\dllcache\cache\ntoskrnl.exe
    + 2009-06-25 10:28 . 2009-02-07 23:02 2066048 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
    + 2009-06-25 10:28 . 2008-04-14 00:12 1033728 c:\windows\system32\dllcache\cache\explorer.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-24 53096]
    "vptray"="d:\progra~1\SYMANT~1\VPTray.exe" [2008-09-30 125368]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
    "NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
    "SetDefPrt"="d:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
    "ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
    "SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-06-26 148888]
    "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]
    "SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-11-17 577536]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2009-5-11 295606]
    Adobe Acrobat Synchronizer.lnk - d:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
    DisplayKEY eSYNC Info.lnk - c:\program files\GE Security Supra\SyncInfoApp.exe [2009-5-15 102400]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
    2007-05-24 14:13 24665 ----a-w- c:\windows\system32\ckpNotify.dll
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "d:\\Program Files\\IEPro\\MiniDM.exe"=
    "d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "d:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
    "d:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
    "d:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
    "d:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
    "d:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=
    R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [5/24/2007 10:13 AM 2234800]
    R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [5/24/2007 10:13 AM 36368]
    R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [5/24/2007 10:13 AM 110032]
    R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [5/24/2007 10:13 AM 673456]
    R2 WinDefend;Windows Defender;d:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/8/2009 8:03 PM 101936]
    S3 SavRoam;SAVRoam;d:\program files\Symantec AntiVirus\SavRoam.exe [9/30/2008 5:41 PM 116664]
    .
    Contents of the 'Scheduled Tasks' folder
    2009-06-26 c:\windows\Tasks\MP Scheduled Scan.job
    - d:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
    2009-06-26 c:\windows\Tasks\SyncToy 2.job
    - d:\program files\SyncToy 2.0\SyncToyCmd.exe [2008-08-12 18:07]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.yahoo.com/
    IE: Append to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Papa\Application Data\Mozilla\Firefox\Profiles\w1zusv1v.default\
    FF - plugin: d:\program files\Adobe\Acrobat 8.0\Acrobat\browser\nppdf32.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\npicaN.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin2.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin3.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin4.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin5.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin6.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin7.dll
    FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-06-26 22:02
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    Completion time: 2009-06-27 22:03
    ComboFix-quarantined-files.txt 2009-06-27 02:03
    ComboFix2.txt 2009-06-25 10:28
    Pre-Run: 30,509,608,960 bytes free
    Post-Run: 30,650,208,256 bytes free
    265 --- E O F --- 2009-06-15 10:20
    Upload was successful

    *************************************************************
    This is where Symantec is finding the issues:
    C:\Documents and Settings\Anna\Local Settings\temp\~temp\mlp28\
    C:\Documents and Settings\Rachel\Local Settings\temp\~temp\mlp28\
    C:\Documents and Settings\Anna\Local Settings\temp\~temp\mlp28\
    C:\Documents and Settings\Anna\Local Settings\temp\~temp\mlp28\
    C:\Documents and Settings\Anna\Local Settings\temp\~temp\mlp28\
    C:\Documents and Settings\Anna\Local Settings\temp\~temp\mlp28\
    C:\Documents and Settings\Anna\Local Settings\temp\~temp\mlp28\
    C:\Documents and Settings\Anna\Local Settings\temp\~temp\mlp28\
    C:\Documents and Settings\Anna\Local Settings\temp\~temp\mlp28\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\hmunmlcn98\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\hmunmlcn96\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\hmunmlcn95\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\hmunmlcln11\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\hmunmlcln06\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\hmunmlcln02\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\hmrg13\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\hmunmlcn98\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\hmunmlcn95\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\hmunmlcln11\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\hmunmlcln07\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\hmunmlcln06\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\hmrg13\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\hmrg12\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\hmunmlcn96\
    C:\Documents and Settings\Leah\Local Settings\Temp\~temp\hmunmlcn95\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\hmunmlcn98\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\hmunmlcn95\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\hmunmlcln11\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\hmunmlcln07\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\hmunmlcln04\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\hmrg13\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\hmrg12\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\hmunmlcn96\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp27\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp26\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp26\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp26\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp26\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp26\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp26\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp26\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp26\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\mlp26\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp25\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp24\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp24\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp24\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp24\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp24\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp24\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp24\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp24\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp24\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp24\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp24\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp24\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp24\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp23\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp23\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp23\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp23\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp23\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp23\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp23\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp23\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp23\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp23\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp22\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp21\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp21\
    C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp21\

    ***************************************************************
    Fresh HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:45:21 PM, on 6/26/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16850)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    D:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    D:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
    D:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Symantec AntiVirus\DefWatch.exe
    c:\program files\ge security supra\syncservice.exe
    C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    D:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\GE Security Supra\ProxyDaemon.exe
    C:\SSL\stunnel-4.10.exe
    D:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    D:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Brother\ControlCenter2\brctrcen.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files\GE Security Supra\SyncInfoApp.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    D:\Program Files\Microsoft Office\Office12\EXCEL.EXE
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\wuauclt.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - d:\Program Files\IEPro\iepro.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SetDefPrt] d:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
    O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
    O4 - HKUS\S-1-5-21-1220945662-1532298954-839522115-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Anna')
    O4 - HKUS\S-1-5-21-1220945662-1532298954-839522115-1004\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" (User 'Anna')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
    O4 - Global Startup: DisplayKEY eSYNC Info.lnk = C:\Program Files\GE Security Supra\SyncInfoApp.exe
    O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - d:\Program Files\IEPro\iepro.dll
    O9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - d:\Program Files\IEPro\iepro.dll
    O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - d:\Program Files\IEPro\iepro.dll
    O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - d:\Program Files\IEPro\iepro.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: DkeySync - GE Security Supra - c:\program files\ge security supra\syncservice.exe
    O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - D:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
    O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - D:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
    --
    End of file - 9848 bytes
    *************************************************************
    Thanks!
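Reading the two posts above by hand comes down to two questions: are the Symantec hits all sitting in per-user temp folders (which is what makes "old detections" plausible), and does anything in the HijackThis O4/O23 lines start from a place normal software does not live in? The helper below is an added example for this thread; it is not code from the thread, from HijackThis, or from Symantec. The sample input is a constructed subset of the lines posted above, and the location buckets ("standard", "appdata", "user-temp", "unusual-root", "unqualified") are my own triage heuristic, not anything the tools define.

```python
import re
from collections import Counter

# Constructed sample: six of the Symantec detection locations quoted in the thread.
DETECTIONS = r"""
C:\Documents and Settings\Anna\Local Settings\temp\~temp\mlp28\
C:\Documents and Settings\Rachel\Local Settings\Temp\~temp\hmunmlcn98\
C:\Documents and Settings\Papa\Local Settings\Temp\~temp\hmrg13\
C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp27\
C:\Documents and Settings\Anna\Local Settings\Temp\~temp\mlp27\
C:\Documents and Settings\Papa\Local Settings\Temp\~temp\mlp22\
"""

# Constructed sample: a handful of O4/O23 lines taken from the HijackThis log above.
HJT_LINES = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

USER_RE = re.compile(r"^[a-z]:\\documents and settings\\([^\\]+)\\", re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")


def classify(path):
    """Bucket an image path by where on disk it lives (my heuristic, not a HijackThis category)."""
    p = path.lower()
    if not re.match(r"^[a-z]:\\", p):
        # Bare file name: resolved through the search path, so the log alone cannot say where it lives.
        return "unqualified"
    if "\\local settings\\temp\\" in p or "\\local settings\\temporary internet files\\" in p:
        return "user-temp"
    if "\\documents and settings\\" in p and "\\application data\\" in p:
        return "appdata"
    if re.match(r"^[a-z]:\\(windows|program files)\\", p):
        return "standard"
    return "unusual-root"


def image_from_command(cmd):
    """Pull the executable or DLL path out of an O4 command line."""
    cmd = cmd.strip()
    host = re.match(r"^rundll32(?:\.exe)?\s+", cmd, re.I)
    if host:
        cmd = cmd[host.end():]  # rundll32 is only the host; the DLL it loads is the interesting image
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    # Unquoted: stop after the first module extension so paths with spaces survive,
    # and drop a trailing ",EntryPoint" or " /switch".
    m = re.match(r"^(.+?\.(?:exe|dll|sys|cpl))(?:[\s,].*)?$", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def parse_hjt(text):
    """Turn O4 (Run key) and O23 (service) lines into records with a location bucket."""
    entries = []
    for line in text.strip().splitlines():
        m = O4_RE.match(line)
        if m:
            image = image_from_command(m["cmd"])
            entries.append({"kind": "O4", "name": m["name"], "vendor": None,
                            "image": image, "location": classify(image)})
            continue
        m = O23_RE.match(line)
        if m:
            entries.append({"kind": "O23", "name": m["name"], "vendor": m["vendor"],
                            "image": m["path"], "location": classify(m["path"])})
    return entries


def flag(entries):
    """Names whose image is not under Windows or Program Files; these are the ones a human looks at."""
    return [e["name"] for e in entries if e["location"] != "standard"]


def summarize_detections(text):
    """Collapse a wall of detection paths into who and where, which decides whether they are live or stale."""
    paths = [p.strip() for p in text.strip().splitlines() if p.strip()]
    users = Counter()
    folders = set()
    for p in paths:
        m = USER_RE.match(p)
        users[m.group(1) if m else "?"] += 1
        folders.add(p.rstrip("\\").rsplit("\\", 1)[-1])
    return {
        "count": len(paths),
        "users": users,
        "folders": sorted(folders),
        "all_user_temp": all(classify(p) == "user-temp" for p in paths),
    }


if __name__ == "__main__":
    s = summarize_detections(DETECTIONS)
    print(f"{s['count']} detections, all in per-user temp: {s['all_user_temp']}")
    for user, n in s["users"].most_common():
        print(f"  {user}: {n}")
    print("autostarts needing a look:", flag(parse_hjt(HJT_LINES)))
```

Two things the output teaches that the raw paste does not: every detection is under `Local Settings\Temp`, so the helper's "old detections" reading is consistent with the data, and the only non-standard autostarts are two bare file names (`nwiz.exe`, `SOUNDMAN.EXE`, whose real location the log cannot tell you) and the EPSON service under `All Users\Application Data`, where the vendor field is the cue to verify rather than delete. A heuristic like this sorts the list; it never replaces checking the file itself.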
  • edited June 2009
    Information
    This is where Symantec is finding the issues:
    I suspect that those are old detections; I doubt that the file is still there.




    Step 1


    OTMoveIt
    Please download OTM by OldTimer and save it to your desktop
    • Double-click OTM.exe to run it.
    • Copy the lines in the codebox below. (Make sure you include :Processes)
    :Processes
    :Reg
    :Files
    C:\Documents and Settings\Anna\Local Settings\temp\*.* /s
    C:\Documents and Settings\Rachel\Local Settings\temp\*.* /s
    C:\Documents and Settings\Papa\Local Settings\Temp\*.* /s
    C:\Documents and Settings\Leah\Local Settings\Temp\*.* /s
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs\*.*
    :Commands
    [Purity]
    [EmptyTemp]
    
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.

    • Close ALL open windows (especially Internet Explorer!)
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.
    • Close OTM


    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




    Step 2

    Please post the following logs/Information
    • OTMoveIt Log





    Step 3

    Uninstall Combofix
    • This will clear your System Volume Information restore points and remove all the infected files that were quarantined
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.




    Uninstall OTMoveIt (OTM.exe)
    • Open OTMoveIt Click Cleanup,
    • When a box pops up click YES.




    Step 4

    Please run a full scan with Norton

    Does it still find the problem?
  • edited June 2009
    I am sorry. I forgot to save the log OTMoveIt and uninstalled it...
    Should I repeat all the steps?
    I will run Symantec now for overnight scan
  • edited June 2009
    Should I repeat all the steps?
    No need,
    just let me know how the Norton scan goes
  • edited June 2009
    Risk | Action | Count | Filename | Risk Type | Original Location | Computer | User | Status | Current Location | Primary Action | Secondary Action | Logged By | Action Description | Date
    ?????? | Left alone | 1 | Dh32.zip | Compressed file | H:\RECYCLER\S-1-5-21-1220945662-1532298954-839522115-1003\ | ALPHA | ALPHA\Papa | No infected items | H:\RECYCLER\S-1-5-21-1220945662-1532298954-839522115-1003\ | Leave alone (log only) | Leave alone (log only) | Manual scan | The file was left unchanged. | 6/28/2009 0:35
    W32.IRCBot | Cleaned by deletion | 1 | .Keymaker/keygen.exe | File; Compressed file | H:\RECYCLER\S-1-5-21-1220945662-1532298954-839522115-1003\Dh32.zip | ALPHA | ALPHA\Papa | Infected | H:\RECYCLER\S-1-5-21-1220945662-1532298954-839522115-1003\Dh32.zip | Clean security risk | Quarantine | Manual scan | | 6/28/2009 0:35
    ?????? | Left alone | 1 | keygen.zip | Compressed file | F:\Download\Software\Acronis\ | ALPHA | ALPHA\Papa | No infected items | F:\Download\Software\Acronis\ | Leave alone (log only) | Leave alone (log only) | Manual scan | The file was left unchanged. | 6/28/2009 0:35
    W32.IRCBot | Cleaned by deletion | 1 | .Keymaker/keygen.exe | File; Compressed file | F:\Download\Software\Acronis\keygen.zip | ALPHA | ALPHA\Papa | Infected | F:\Download\Software\Acronis\keygen.zip | Clean security risk | Quarantine | Manual scan | | 6/28/2009 0:35
    ******************************************************************
    This is no risk, I do not use Acronis anymore... It is an installation keygen anyway...
  • edited June 2009
    1) This is no risk,
    2) I do not use Acronis anymore...
    3) It is an installation keygen anyway...

    1) That's a matter of opinion.
    If you ever used this file, then you need to reformat your computer
    W32.IRCBot is a back door Trojan horse that connects to an IRC server and awaits commands from a remote attacker,
    including spreading through network shares, spam email messages, IRC channels and to other computers.
    It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to any other data present...

    2) Then you should uninstall it

    3) Cracks, Keygens and Warez

    In doing the crack, the 'cracker' has broken the 'End User Licence Agreement' (EULA) of the product.
    The distribution and use of cracked copies is illegal in almost every developed country.
    They are also one of the biggest causes of infection.

    This applies to Cracks, Keygens and Warez

    In the future I strongly suggest you stay away from using cracks and/or Keygens.





    The following is some info to help you stay safe and clean.


    You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
    ( Vista users must ensure that any programs are Vista compatible BEFORE installing )

    Online Scanners
    I would recommend a scan at one or more of the following sites at least once a month.

    http://www.pandasecurity.com/activescan
    http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

    !!! Make sure that all your programs are updated !!!
    Secunia Software Inspector does all the work for you, .... see HERE for details

    AntiSpyware
    AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    Most of the programs in this list have a free (for Home Users ) and paid versions,
    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
    • Spybot - Search & Destroy <<< A must have program
    • It includes host protection and registry protection
    • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites

    • MalwareBytes Anti-malware <<< A New and effective program
    • a-squared Free <<< A good "realtime" or "on demand" scanner
    • superantispyware <<< A good "realtime" or "on demand" scanner



    Prevention
      These programs don't detect malware, they help stop it getting on your machine in the first place. Each does a different job, so you can have more than one.
    • Winpatrol
      • An excellent startup manager and then some !!
      • Notifies you if programs are added to startup
      • Allows delayed startup
      • A must have addition
    • SpywareBlaster 4.0
      • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
    • SpywareGuard 2.2
      • SpywareGuard provides real-time protection against spyware.
      • Not required if you have other "realtime" antispyware or Winpatrol
    • ZonedOut
      • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
    • MVPS HOSTS
      • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
      • For information on how to download and install, please read this tutorial by WinHelp2002.
      • Not required if you are using other host file protections


    Internet Browsers
      Microsoft has worked hard to make IE7 a more secure browser; unfortunately, whilst it is still the leading browser of choice it will always be under attack from the bad guys. Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.

    If you are still using IE6 then either update, or get one of the following.
    • FireFox
      • With many addons available that make customization easy this is a very popular choice
      • NoScript and AdBlockPlus addons are essential
    • Opera
      • Another popular alternative
    • Netscape
      • Another popular alternative
      • Also has Addons available



    Cleaning Temporary Internet Files and Tracking Cookies
      Temporary Internet Files are mainly the files that are downloaded when you open a web page. Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware. It is a good idea to empty the Temporary Internet Files folder on a regular basis.
      Tracking Cookies are files that websites use to monitor which sites you visit and how often. A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
      CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords.
      Both of these can be cleaned manually, but a quicker option is to use a program:
    • ATF Cleaner
      • Free and very simple to use
    • CCleaner
      • Free and very flexible, you can chose which cookies to keep


    Also PLEASE read this article.....So How Did I Get Infected In The First Place

    The last and most important thing I can tell you is UPDATE.
    If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
    Malware changes on a day to day basis. You should update every week at the very least.


    If you could post back one more time to let me know everything is OK, then I can have this thread archived.
  • edited June 2009
    Katana,
    Thank you very much for your help!
    Unfortunately, the mdm.exe virus is still there...
    How about this solution:
    http://forum.bullguard.com/forum/10/Trojan-Horse-in-cwindowsmdmexe_43478.html ?
  • edited June 2009
    Sorry, forget it. I just read it with more attention. I do not think it is a cure.
  • edited June 2009
    Unfortunately, the mdm.exe virus is still there...

    It doesn't show in your last log?

    What program is finding it, and where?
  • edited June 2009
    This virus was never found during scans.
    But Auto-protect from Symantec AntiVirus v 10.1.8.8000 Corporate finds them a couple of times a day. In the same folders as described in one of my posts above...
    This morning it was 3 notifications from C:\Documents and Settings\Anna\Local Settings\temp\~temp\mlp28\ folder.
  • edited June 2009
    Download and Run SystemLook

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      :dir
      C:\Documents and Settings\Anna\Local Settings\temp\~temp /s
      :comment
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
  • edited June 2009
    SystemLook v1.0 by jpshortstuff (22.05.09)
    Log created at 22:10 on 29/06/2009 by Papa (Administrator - Elevation successful)
    ========== dir ==========
    C:\Documents and Settings\Anna\Local Settings\temp\~temp - Parameters: "/s"
    ---Files---
    None found.
    C:\Documents and Settings\Anna\Local Settings\temp\~temp\gb43c04 d--hs- [16:47 28/06/2009]
    spoolsv.exe --a--- 219136 bytes [16:47 28/06/2009] [16:47 28/06/2009]
    C:\Documents and Settings\Anna\Local Settings\temp\~temp\gb45c04 d--hs- [16:47 28/06/2009]
    spoolsv.exe --a--- 221184 bytes [16:47 28/06/2009] [16:47 28/06/2009]
    C:\Documents and Settings\Anna\Local Settings\temp\~temp\gb50c03 d--hs- [16:47 28/06/2009]
    spoolsv.exe --a--- 221184 bytes [16:47 28/06/2009] [16:47 28/06/2009]
    C:\Documents and Settings\Anna\Local Settings\temp\~temp\gb52c02 d--hs- [19:11 29/06/2009]
    spoolsv.exe --a--- 221184 bytes [19:11 29/06/2009] [19:11 29/06/2009]
    C:\Documents and Settings\Anna\Local Settings\temp\~temp\gb56c01 d--hs- [16:47 28/06/2009]
    spoolsv.exe --a--- 221184 bytes [16:47 28/06/2009] [16:47 28/06/2009]
    C:\Documents and Settings\Anna\Local Settings\temp\~temp\gb57c01 d--hs- [17:32 29/06/2009]
    spoolsv.exe --a--- 221184 bytes [17:32 29/06/2009] [17:32 29/06/2009]
    C:\Documents and Settings\Anna\Local Settings\temp\~temp\mlp28 d--hs- [21:42 27/06/2009]
    C:\Documents and Settings\Anna\Local Settings\temp\~temp\mlp29 d--hs- [12:21 29/06/2009]
    -=End Of File=-
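Added example, not code from the thread or from SystemLook's author: a small Python parser for the SystemLook ':dir' listing posted above that flags the two patterns the helper is checking for, a file carrying the name of a Windows system binary (spoolsv.exe, cisvc.exe, ...) outside the Windows directory, and any executable inside a hidden+system folder under a user's temp directory. The sample log is constructed from the posted lines plus added control entries (an update.exe in mlp28, "d-----" attribute strings, a system32 copy of spoolsv.exe with an invented size), and treating every path under \Windows\ as legitimate is a deliberate simplification.

```python
"""Triage a SystemLook ':dir' listing for executables that look out of place.

Two defender-side checks drawn from this thread:
  1. a file carrying the name of a Windows system binary (spoolsv.exe,
     cisvc.exe, ...) that does not live under the Windows directory;
  2. any .exe inside a hidden+system ('h' and 's' attribute flags) folder
     beneath a user's temp directory.
"""
import re
from dataclasses import dataclass

# Directory entry: "<path> <attrs> [<HH:MM DD/MM/YYYY>]" (attrs start with 'd').
DIR_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?) (?P<attrs>d[-a-z]{5}) \[(?P<ts>[^\]]+)\]$")
# File entry under the current directory (or a full path from a :filefind block):
# "<name> <attrs> <size> bytes [<created>] [<modified>]".
FILE_RE = re.compile(
    r"^(?P<name>\S+) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\]$"
)

# Names the helper searched for with :filefind; all are legitimate Windows
# binaries whose real copies live under the Windows directory.
SYSTEM_BINARY_NAMES = {
    "spoolsv.exe", "ieudinit.exe", "cmstp.exe", "mstinit.exe", "sessmgr.exe",
    "cisvc.exe", "comrepl.exe", "rsvp.exe", "esentutl.exe",
}


@dataclass
class Finding:
    path: str
    size: int
    reason: str


def iter_files(log_text):
    """Yield (full_path, file_attrs, size, parent_dir_attrs) for each file line."""
    cur_dir, cur_attrs = None, ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = DIR_RE.match(line)
        if m:                       # remember the directory the next files belong to
            cur_dir, cur_attrs = m.group("path"), m.group("attrs")
            continue
        m = FILE_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        if ":\\" in name:           # :filefind style line carrying a full path
            yield name, m.group("attrs"), int(m.group("size")), ""
        elif cur_dir is not None:
            yield cur_dir + "\\" + name, m.group("attrs"), int(m.group("size")), cur_attrs


def analyze(log_text):
    """Return the list of suspicious files found in a SystemLook log."""
    findings = []
    for path, _attrs, size, dir_attrs in iter_files(log_text):
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        # Simplification (assumption): anything under \Windows\ is treated as a
        # legitimate location (system32, dllcache and ServicePackFiles all live there).
        if name in SYSTEM_BINARY_NAMES and "\\windows\\" not in low:
            findings.append(Finding(path, size, "system binary name outside the Windows directory"))
        elif name.endswith(".exe") and "\\temp\\" in low and "h" in dir_attrs and "s" in dir_attrs:
            findings.append(Finding(path, size, "executable in hidden+system folder under temp"))
    return findings


# Constructed sample: the first entries are copied from the log posted above; the
# mlp28\update.exe file, the "d-----" attribute strings and the system32 copy of
# spoolsv.exe (with an invented size) were added as controls.
SAMPLE_LOG = r"""
SystemLook v1.0 by jpshortstuff (22.05.09)
========== dir ==========
C:\Documents and Settings\Anna\Local Settings\temp\~temp - Parameters: "/s"
---Files---
None found.
C:\Documents and Settings\Anna\Local Settings\temp\~temp\gb43c04 d--hs- [16:47 28/06/2009]
spoolsv.exe --a--- 219136 bytes [16:47 28/06/2009] [16:47 28/06/2009]
C:\Documents and Settings\Anna\Local Settings\temp\~temp\gb52c02 d--hs- [19:11 29/06/2009]
spoolsv.exe --a--- 221184 bytes [19:11 29/06/2009] [19:11 29/06/2009]
C:\Documents and Settings\Anna\Local Settings\temp\~temp\mlp28 d--hs- [21:42 27/06/2009]
update.exe --a--- 40960 bytes [21:42 27/06/2009] [21:42 27/06/2009]
C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft d----- [22:25 02/05/2009]
cisvc.exe --a--- 61440 bytes [23:37 05/06/2009] [00:20 09/05/2009]
C:\WINDOWS\system32 d----- [12:00 01/05/2009]
spoolsv.exe --a--- 57856 bytes [12:00 01/05/2009] [12:00 01/05/2009]
-=End Of File=-
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.reason}: {f.path} ({f.size} bytes)")
```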
  • edited June 2009
    Step 1

    Submit a File For Analysis
    We need to have the files below Scanned by Uploading them/it to Virus Total

    Please visit Virustotal
    Copy/paste the following file path into the window
    C:\Documents and Settings\Anna\Local Settings\temp\~temp\gb57c01\spoolsv.exe
    Click Submit/Send File
    Please post back, to let me know the results.

    If Virustotal is too busy please try Jotti



    Step 2

    Eset Online AntiVirus

    Note: You can use either Internet Explorer or Mozilla FireFox for this scan.
    (You may need to disable your resident Anti-Virus.)

    Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

    • Please go here then click on: EOLS1.gif
      Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
      All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
    • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
    • When prompted allow the Add-On/Active X to install.
    • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
    • Now click on Advanced Settings and select the following:

      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology

      • Now click on: EOLS3.gif
      • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
      • When completed the Online Scan will begin automatically.
      • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
      • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
      • Now click on: EOLS4.gif
      • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
      • Copy and paste that log as a reply to this topic.



      Note: Do not forget to re-enable your Anti-Virus application after running the above scan!



      Logs/Information to Post in Reply
      Please post the following logs/Information in your reply
      Some of the logs I request will be quite large, You may need to split them over a couple of replies.
      • Virus Total results
      • Nod32 Log
    • edited July 2009
      I sent file to VirusTotal. Please pick it up there.
      Here is the log from ESET:
      ESETSmartInstaller@High as CAB hook log:
      OnlineScanner.ocx - registred OK
      # version=6
      # iexplore.exe=7.00.6000.16850 (vista_gdr.090423-0018)
      # OnlineScanner.ocx=1.0.0.5863
      # api_version=3.0.2
      # EOSSerial=7c06a49d9ed93d4bab01d51a935d775f
      # end=finished
      # remove_checked=false
      # archives_checked=true
      # unwanted_checked=true
      # unsafe_checked=true
      # antistealth_checked=true
      # utc_time=2009-07-01 04:11:26
      # local_time=2009-07-01 12:11:26 (-0500, Eastern Daylight Time)
      # country="United States"
      # lang=1033
      # osver=5.1.2600 NT Service Pack 3
      # compatibility_mode=3585 63 50 0 0
      # compatibility_mode=5889 63 259 1 128908950437202280
      # scanned=73530
      # found=1
      # cleaned=0
      # scan_time=2223
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\cisvc.exe probably a variant of Win32/Genetik trojan 00000000000000000000000000000000
    • edited July 2009
      Run SystemLook

      • Double-click SystemLook.exe to run it.
      • Copy the content of the following codebox into the main textfield:
        :dir
        C:\Documents and Settings\Anna\Local Settings\Application Data /s /n*.exe*
        c:\documents and settings\Rachel\Local Settings\Application Data /s /n*.exe*
        C:\Documents and Settings\Papa\Local Settings\Application Data /s /n*.exe*
        c:\documents and settings\Leah\Local Settings\Application Data /s /n*.exe*
        C:\Documents and Settings\Anna\Application Data /s /n*.exe*
        C:\Documents and Settings\Rachel\Application Data /s /n*.exe*
        C:\Documents and Settings\Papa\Application Data /s /n*.exe*
        C:\Documents and Settings\Leah\Application Data /s /n*.exe*
        C:\Documents and Settings\Anna\Local Settings\temp /s
        C:\Documents and Settings\Rachel\Local Settings\temp /s
        C:\Documents and Settings\Papa\Local Settings\Temp /s
        C:\Documents and Settings\Leah\Local Settings\Temp /s
        C:\WINDOWS\System /s
        :filefind
        spoolsv.exe
        ieudinit.exe
        cmstp.exe
        mstinit.exe
        sessmgr.exe
        cisvc.exe
        comrepl.exe
        rsvp.exe
        esentutl.exe
        :comment
        
      • Click the Look button to start the scan.
      • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
      Note: The log can also be found on your Desktop entitled SystemLook.txt
    • edited July 2009
      Part 1
      **************************************************************
      SystemLook v1.0 by jpshortstuff (22.05.09)
      Log created at 20:10 on 01/07/2009 by Papa (Administrator - Elevation successful)
      ========== dir ==========
      C:\Documents and Settings\Anna\Local Settings\Application Data - Parameters: "/s /n*.exe*"
      ---Files---
      None found.
      C:\Documents and Settings\Anna\Local Settings\Application Data\Adobe d [22:26 02/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Adobe\Acrobat d [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Adobe\Acrobat\8.0 d [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Adobe\Acrobat\8.0\Cache d [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Adobe\Acrobat\8.0\Cache\Search80 d [16:13 27/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Adobe\Color d [22:26 02/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Ahead d [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Ahead\Nero Home d [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Ahead\Nero Home\idx d [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\ApplicationHistory d [01:25 16/05/2009]
      SyncInfoApp.exe.df6d11f9.ini.inuse --a--- 0 bytes [01:25 16/05/2009] [02:08 01/07/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft d [22:25 02/05/2009]
      cisvc.exe --a--- 61440 bytes [23:37 05/06/2009] [00:20 09/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\CD Burning d [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Credentials d---s- [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1220945662-1532298954-839522115-1004 d---s- [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Feeds d [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Feeds\Microsoft Feeds~ d [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Feeds Cache d--hs- [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Feeds Cache\77ZQ5SMY d--hs- [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Feeds Cache\93Z22R9N d--hs- [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Feeds Cache\T0PT74D9 d--hs- [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Feeds Cache\V6X2JUWK d--hs- [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\FORMS d [13:05 25/06/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Internet Explorer d [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Media Player d [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Media Player\Transcoded Files Cache d [19:17 26/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Messenger d [11:13 03/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Office d [22:27 02/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Office\12.0 d [22:30 02/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Office\ONetConfig d [21:29 31/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Outlook d [13:05 25/06/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Portable Devices d [01:25 16/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Silverlight d [21:20 31/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows d [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Contacts d [11:13 03/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Contacts\{96628549-6f8d-462b-9578-c3208802183d} d [11:13 03/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Contacts\{96628549-6f8d-462b-9578-c3208802183d}\DBStore dr-hs- [11:13 03/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Contacts\{96628549-6f8d-462b-9578-c3208802183d}\DBStore\Backup dr-hs- [11:18 03/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Contacts\{96628549-6f8d-462b-9578-c3208802183d}\DBStore\Backup\new d [19:33 30/06/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Contacts\{96628549-6f8d-462b-9578-c3208802183d}\DBStore\LogFiles dr-hs- [11:13 03/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Mail d [11:13 03/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Mail\Backup d [11:13 03/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Mail\Backup\new d [00:21 01/07/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Mail\Calendars d [11:13 03/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Mail\Calendars\DBStore dr-hs- [11:13 03/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Mail\Calendars\DBStore\Backup dr-hs- [11:18 03/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Mail\Calendars\DBStore\Backup\new d [16:22 30/06/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Mail\Calendars\DBStore\LogFiles dr-hs- [11:13 03/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Mail\Microsoft Communities d [11:13 03/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Mail\Optonline ( b9b d [11:17 03/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Mail\Optonline ( b9b\Deleted Items d [11:17 03/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Mail\Optonline ( b9b\Drafts d [11:17 03/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Mail\Optonline ( b9b\Inbox d [11:17 03/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Mail\Optonline ( b9b\Junk E-mail d [11:17 03/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Mail\Optonline ( b9b\Sent Items d [11:17 03/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Mail\Outbox d [11:13 03/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Mail\Proof d [15:01 10/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Mail\Sentinel d [11:13 03/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Mail\Storage Folders d [11:13 03/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Mail\Storage Folders\Deleted Items d [11:13 03/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Mail\Storage Folders\Drafts d [11:13 03/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Mail\Storage Folders\Sent Items d [11:13 03/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Mail\Your Feeds d [11:13 03/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Mail\Your Feeds\Deleted Items d [11:13 03/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Mail\Your Feeds\Microsoft Feeds d [11:13 03/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Mail\Your Feeds\Microsoft Feeds\Microsoft a 823 d [11:13 03/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Live Mail\Your Feeds\Microsoft Feeds\Microsoft a 8be d [11:13 03/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Media d [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Media\10.0 d [22:32 02/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Windows Media\9.0 d [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft Help d [21:29 31/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Mozilla d [14:44 10/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Mozilla\Firefox d [14:44 10/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Mozilla\Firefox\Profiles d [14:44 10/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Symantec d [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Symantec\Symantec AntiVirus Corporate Edition d [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5 d [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Local Settings\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs d [22:25 02/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data - Parameters: "/s /n*.exe*"
      ---Files---
      None found.
      c:\documents and settings\Rachel\Local Settings\Application Data\Adobe d [19:03 02/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Adobe\Acrobat d [22:29 02/06/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Adobe\Acrobat\8.0 d [22:29 02/06/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Adobe\Acrobat\8.0\Cache d [22:29 02/06/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Adobe\Color d [19:03 02/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Ahead d [19:03 02/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Ahead\Nero Home d [19:03 02/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Ahead\Nero Home\idx d [19:03 02/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\ApplicationHistory d [21:49 15/05/2009]
      SyncInfoApp.exe.df6d11f9.ini.inuse --a--- 0 bytes [21:49 15/05/2009] [17:28 26/06/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Microsoft d [19:03 02/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Microsoft\CD Burning d [19:03 02/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Microsoft\Credentials d---s- [19:03 02/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1220945662-1532298954-839522115-1006 d---s- [19:03 02/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Microsoft\Feeds d [19:03 02/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Microsoft\Feeds\Microsoft Feeds~ d [19:03 02/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Microsoft\Feeds Cache d--hs- [19:03 02/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Microsoft\Feeds Cache\08UVTT3H d--hs- [19:03 02/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Microsoft\Feeds Cache\99I4D8KS d--hs- [19:03 02/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Microsoft\Feeds Cache\GM7C8QOP d--hs- [19:03 02/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Microsoft\Feeds Cache\TWNT5BW0 d--hs- [19:03 02/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Microsoft\FORMS d [19:48 06/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Microsoft\Internet Explorer d [19:03 02/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Microsoft\Media Player d [19:03 02/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Microsoft\Movie Maker d [17:59 10/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Microsoft\Office d [19:48 06/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Microsoft\Office\12.0 d [19:48 06/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Microsoft\Office\ONetConfig d [15:54 21/06/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Microsoft\Outlook d [19:48 06/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Microsoft\Portable Devices d [21:49 15/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Microsoft\Windows d [19:03 02/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Microsoft\Windows Media d [19:03 02/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Microsoft\Windows Media\10.0 d [19:10 02/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Microsoft\Windows Media\11.0 d [23:08 28/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Microsoft\Windows Media\9.0 d [19:03 02/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Microsoft Help d [15:54 21/06/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Mozilla d [23:05 27/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Mozilla\Firefox d
      [23:05 27/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Mozilla\Firefox\Profiles d
      [23:05 27/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Symantec d
      [19:03 02/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Symantec\Symantec AntiVirus Corporate Edition d
      [19:03 02/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5 d
      [19:03 02/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs d
      [19:03 02/05/2009]
      c:\documents and settings\Rachel\Local Settings\Application Data\WMTools Downloaded Files d
      [17:59 10/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data - Parameters: "/s /n*.exe*"
      ---Files---
      None found.
      C:\Documents and Settings\Papa\Local Settings\Application Data\ACD Systems d
      [02:02 04/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\ACD Systems\Catalogs d
      [02:02 04/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\ACD Systems\Catalogs\25Pro d
      [02:02 04/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\ACD Systems\Catalogs\25Pro\Default d
      [02:02 04/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\ACD Systems\data d
      [02:02 04/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\ACD Systems\ICMCache d
      [02:02 04/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\ACD Systems\SavedSearches d
      [02:02 04/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Adobe d
      [15:41 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Adobe\Acrobat d
      [16:46 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Adobe\Acrobat\8.0 d
      [16:46 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Adobe\Acrobat\8.0\Cache d
      [16:47 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Adobe\Acrobat\8.0\Cache\Search80 d
      [01:49 06/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Adobe\Acrobat\8.0\Updater d
      [16:46 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Adobe\Color d
      [15:52 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Adobe\ESD d
      [13:22 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Adobe\Updater5 d
      [13:21 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Adobe\Updater5\Data d
      [01:48 06/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Adobe\Updater5\Install d
      [13:21 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Adobe\Updater5\Install\acrobat8pro-EFG d
      [01:48 06/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Adobe\Updater5\Install\AdobeUpdater d
      [01:48 06/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Adobe\Updater5\Install\AdobeUpdater\acrobat8pro-EFG d
      [01:48 06/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Adobe\Updater5\Install\AdobeUpdater\AdobeUpdater d
      [01:48 06/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Adobe\Updater6 d
      [15:52 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Adobe\Updater6\Install d
      [15:52 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Ahead d
      [17:48 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Ahead\Nero Home d
      [17:48 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Ahead\Nero Home\idx d
      [17:49 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Apple d
      [02:30 12/06/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Apple\Apple Software Update d
      [02:30 12/06/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Apple Computer d
      [02:29 12/06/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Apple Computer\QuickTime d
      [02:29 12/06/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Apple Computer\QuickTime\downloads d
      [19:58 27/06/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Apple Computer\QuickTime\downloads\04 d
      [19:58 27/06/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Apple Computer\QuickTime\downloads\04\09 d
      [19:58 27/06/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Apple Computer\QuickTime\downloads\04\13 d
      [19:58 27/06/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\ApplicationHistory d
      [18:07 15/05/2009]
      InstallUtil.exe.89c0d2f9.ini --a--- 2089 bytes [18:26 15/05/2009] [18:26 15/05/2009]
      ngen.exe.2c05686e.ini --a--- 2872 bytes [13:50 16/05/2009] [13:51 16/05/2009]
      PortDiscover.exe.74694571.ini --a--- 2289 bytes [18:26 15/05/2009] [18:26 15/05/2009]
      ProxyDetector.exe.f2fa055.ini --a--- 790 bytes [18:07 15/05/2009] [18:07 15/05/2009]
      SyncInfoApp.exe.df6d11f9.ini --a--- 1366 bytes [18:36 15/05/2009] [18:36 15/05/2009]
      SyncInfoApp.exe.df6d11f9.ini.inuse --a--- 0 bytes [18:36 15/05/2009] [00:04 02/07/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Downloaded Installations d
      [15:13 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Downloaded Installations\{05649068-F4B1-4FDF-AAC4-2E6813EDFD5C} d
      [15:13 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Downloaded Installations\{F6555645-B047-4AB4-BA3D-FDCECAD739AB} d
      [02:00 04/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Identities d
      [23:55 17/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Identities\{0B057171-3AC7-4F0A-9311-2941E358F8C6} d
      [23:55 17/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Identities\{0B057171-3AC7-4F0A-9311-2941E358F8C6}\Microsoft d
      [23:55 17/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Identities\{0B057171-3AC7-4F0A-9311-2941E358F8C6}\Microsoft\Outlook Express d
      [23:55 17/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft d
      [13:11 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\CD Burning d
      [13:11 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Credentials d---s- [13:11 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1220945662-1532298954-839522115-1003 d---s- [13:11 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Feeds d
      [13:42 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Feeds\Microsoft Feeds~ d
      [13:42 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Feeds Cache d--hs- [13:42 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Feeds Cache\9856L5KI d--hs- [13:42 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Feeds Cache\AQF1CSHM d--hs- [13:42 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Feeds Cache\BBZ5QB4X d--hs- [13:42 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Feeds Cache\U1SALJFP d--hs- [13:42 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\FORMS d
      [13:03 15/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\HelpCtr d
      [03:07 29/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Internet Explorer d
      [13:12 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Media Player d
      [13:11 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Media Player\Art Cache d--h-- [11:33 15/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Media Player\Art Cache\LocalMLS d
      [11:33 15/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Media Player\Transcoded Files Cache d
      [11:33 15/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Messenger d
      [11:12 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Office d
      [14:51 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Office\12.0 d
      [14:51 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Outlook d
      [13:03 15/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Portable Devices d
      [11:35 15/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Silverlight d
      [11:29 15/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\SkyDrive d
      [10:26 02/06/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\SkyDrive\RichUpload d
      [10:26 02/06/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\SyncToy d
      [02:56 06/06/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\SyncToy\2.0 d
      [02:56 06/06/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows d
      [13:11 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Defender d
      [14:35 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker d
      [14:35 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Live d
      [11:11 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Live\SqmApi d
      [11:11 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Live Contacts d
      [11:12 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Live Contacts\{48afacb0-3f68-47e0-b6f5-cd619c97241d} d
      [11:12 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Live Contacts\{48afacb0-3f68-47e0-b6f5-cd619c97241d}\DBStore dr-hs- [11:12 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Live Contacts\{48afacb0-3f68-47e0-b6f5-cd619c97241d}\DBStore\Backup dr-hs- [11:28 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Live Contacts\{48afacb0-3f68-47e0-b6f5-cd619c97241d}\DBStore\Backup\new d
      [11:28 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Live Contacts\{48afacb0-3f68-47e0-b6f5-cd619c97241d}\DBStore\LogFiles dr-hs- [11:12 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Live Mail d
      [11:11 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Live Mail\Backup d
      [11:12 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Live Mail\Backup\new d
      [11:12 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Live Mail\Calendars d
      [11:11 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Live Mail\Calendars\DBStore dr-hs- [11:11 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Live Mail\Calendars\DBStore\Backup dr-hs- [11:28 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Live Mail\Calendars\DBStore\Backup\new d
      [11:28 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Live Mail\Calendars\DBStore\LogFiles dr-hs- [11:11 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Live Mail\Microsoft Communities d
      [11:12 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Live Mail\Outbox d
      [11:12 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Live Mail\Sentinel d
      [11:12 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Live Mail\Storage Folders d
      [11:12 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Live Mail\Storage Folders\Deleted Items d
      [11:12 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Live Mail\Storage Folders\Drafts d
      [11:12 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Live Mail\Storage Folders\Sent Items d
      [11:12 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Live Mail\Your Feeds d
      [11:12 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Live Mail\Your Feeds\Deleted Items d
      [11:12 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Live Mail\Your Feeds\Microsoft Feeds d
      [11:12 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Live Mail\Your Feeds\Microsoft Feeds\Microsoft a 823 d
      [11:12 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Live Mail\Your Feeds\Microsoft Feeds\Microsoft a 8be d
      [11:12 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Media d
      [13:11 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Media\10.0 d
      [17:46 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Media\11.0 d
      [11:31 15/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Windows Media\9.0 d
      [13:11 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft Help d
      [14:41 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Mozilla d
      [10:19 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Mozilla\Firefox d
      [10:19 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Mozilla\Firefox\Profiles d
      [10:19 03/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Mozilla\Firefox\Profiles\w1zusv1v.default d
      [02:29 29/06/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Mozilla\Firefox\Profiles\w1zusv1v.default\Cache d
      [00:09 02/07/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Mozilla\Firefox\Profiles\w1zusv1v.default\OfflineCache d
      [02:30 29/06/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Symantec d
      [14:31 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Symantec\Symantec AntiVirus Corporate Edition d
      [14:31 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5 d
      [14:31 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs d
      [14:31 02/05/2009]
      C:\Documents and Settings\Papa\Local Settings\Application Data\Zenfolio d
      [02:18 30/06/2009]
      c:\documents and settings\Leah\Local Settings\Application Data - Parameters: "/s /n*.exe*"
      ---Files---
      None found.
    • edited July 2009
      Part 2
      **********************************************************
      c:\documents and settings\Leah\Local Settings\Application Data\Adobe d
      [16:55 03/05/2009]
      c:\documents and settings\Leah\Local Settings\Application Data\Adobe\Color d
      [16:55 03/05/2009]
      c:\documents and settings\Leah\Local Settings\Application Data\Ahead d
      [16:55 03/05/2009]
      c:\documents and settings\Leah\Local Settings\Application Data\Ahead\Nero Home d
      [16:55 03/05/2009]
      c:\documents and settings\Leah\Local Settings\Application Data\Ahead\Nero Home\idx d
      [16:55 03/05/2009]
      c:\documents and settings\Leah\Local Settings\Application Data\ApplicationHistory d
      [16:36 16/05/2009]
      SyncInfoApp.exe.df6d11f9.ini.inuse --a--- 0 bytes [16:36 16/05/2009] [21:38 29/05/2009]
      c:\documents and settings\Leah\Local Settings\Application Data\Microsoft d
      [16:55 03/05/2009]
      c:\documents and settings\Leah\Local Settings\Application Data\Microsoft\CD Burning d
      [16:55 03/05/2009]
      c:\documents and settings\Leah\Local Settings\Application Data\Microsoft\Credentials d---s- [16:55 03/05/2009]
      c:\documents and settings\Leah\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1220945662-1532298954-839522115-1005 d---s- [16:55 03/05/2009]
      c:\documents and settings\Leah\Local Settings\Application Data\Microsoft\Feeds d
      [16:55 03/05/2009]
      c:\documents and settings\Leah\Local Settings\Application Data\Microsoft\Feeds\Microsoft Feeds~ d
      [16:55 03/05/2009]
      c:\documents and settings\Leah\Local Settings\Application Data\Microsoft\Feeds Cache d--hs- [16:55 03/05/2009]
      c:\documents and settings\Leah\Local Settings\Application Data\Microsoft\Feeds Cache\5P5IX7JH d--hs- [16:55 03/05/2009]
      c:\documents and settings\Leah\Local Settings\Application Data\Microsoft\Feeds Cache\9OKGITG3 d--hs- [16:55 03/05/2009]
      c:\documents and settings\Leah\Local Settings\Application Data\Microsoft\Feeds Cache\CXC7G5EP d--hs- [16:55 03/05/2009]
      c:\documents and settings\Leah\Local Settings\Application Data\Microsoft\Feeds Cache\GSJJPBT2 d--hs- [16:55 03/05/2009]
      c:\documents and settings\Leah\Local Settings\Application Data\Microsoft\Internet Explorer d
      [16:55 03/05/2009]
      c:\documents and settings\Leah\Local Settings\Application Data\Microsoft\Media Player d
      [16:55 03/05/2009]
      c:\documents and settings\Leah\Local Settings\Application Data\Microsoft\Office d
      [17:36 03/05/2009]
      c:\documents and settings\Leah\Local Settings\Application Data\Microsoft\Office\12.0 d
      [17:36 03/05/2009]
      c:\documents and settings\Leah\Local Settings\Application Data\Microsoft\Portable Devices d
      [16:36 16/05/2009]
      c:\documents and settings\Leah\Local Settings\Application Data\Microsoft\Windows d
      [16:55 03/05/2009]
      c:\documents and settings\Leah\Local Settings\Application Data\Microsoft\Windows Media d
      [16:55 03/05/2009]
      c:\documents and settings\Leah\Local Settings\Application Data\Microsoft\Windows Media\10.0 d
      [17:38 03/05/2009]
      c:\documents and settings\Leah\Local Settings\Application Data\Microsoft\Windows Media\9.0 d
      [16:55 03/05/2009]
      c:\documents and settings\Leah\Local Settings\Application Data\Mozilla d
      [16:59 03/05/2009]
      c:\documents and settings\Leah\Local Settings\Application Data\Mozilla\Firefox d
      [16:59 03/05/2009]
      c:\documents and settings\Leah\Local Settings\Application Data\Mozilla\Firefox\Profiles d
      [16:59 03/05/2009]
      c:\documents and settings\Leah\Local Settings\Application Data\Symantec d
      [16:55 03/05/2009]
      c:\documents and settings\Leah\Local Settings\Application Data\Symantec\Symantec AntiVirus Corporate Edition d
      [16:55 03/05/2009]
      c:\documents and settings\Leah\Local Settings\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5 d
      [16:55 03/05/2009]
      c:\documents and settings\Leah\Local Settings\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs d
      [16:55 03/05/2009]
      C:\Documents and Settings\Anna\Application Data - Parameters: "/s /n*.exe*"
      ---Files---
      None found.
      C:\Documents and Settings\Anna\Application Data\Adobe d
      [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Acrobat d
      [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Acrobat\8.0 d
      [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Acrobat\8.0\Collab d
      [00:31 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Acrobat\8.0\JavaScripts d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Acrobat\8.0\organizer70 d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Acrobat\8.0\Preferences d
      [00:31 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Acrobat\8.0\Synchronizer d
      [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Acrobat\8.0\Synchronizer\metadata d
      [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Acrobat\Distiller 8 d
      [22:26 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Acrobat\Distiller 8\Cache d
      [22:26 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Adobe PDF d
      [22:26 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Adobe PDF\Distiller d
      [22:26 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Adobe PDF\Distiller\Data d
      [22:26 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Adobe PDF\Distiller\Startup d
      [22:26 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Adobe PDF\Settings d
      [22:26 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\CS4ServiceManager d
      [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Flash Player d
      [22:26 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Flash Player\AssetCache d
      [22:26 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Flash Player\AssetCache\5P3KEBTA d
      [22:26 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brt d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brz d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\bul d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\can d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\cfr d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\ctl d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\cze d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\dan d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\dut d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\est d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\fin d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\frn d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\gre d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\grm d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\hrv d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\hun d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\itl d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\lav d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\lit d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\nrw d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\nyn d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\pol d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\prt d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\rum d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\rus d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\sgr d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\slo d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\slv d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\spn d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\swd d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\tur d
      [00:32 15/05/2009]
      C:\Documents and Settings\Anna\Application Data\Identities d
      [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Identities\{64352BA8-71B2-42AA-812B-1E93AB7F8073} d
      [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\IEPro d
      [22:26 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\IEPro\adblock d
      [22:26 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\IEPro\autoform d
      [22:26 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\IEPro\textsaver d
      [22:26 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia d
      [22:26 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player d
      [22:26 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects d
      [22:26 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y d
      [22:26 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\abcnews.go.com d
      [01:24 27/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\bankofamerica.com d
      [02:03 27/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\bankofamerica.com\sas d
      [02:03 27/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\bankofamerica.com\sas\sas-docs d
      [02:03 27/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\bankofamerica.com\sas\sas-docs\html d
      [02:03 27/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\bankofamerica.com\sas\sas-docs\html\pmfso.swf d
      [02:03 27/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\bin.clearspring.com d
      [23:15 04/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\cdn1.eyewonder.com d
      [19:57 09/06/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\common.scrippsnetworks.com d
      [21:55 23/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\d.yimg.com d
      [12:09 03/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\d.yimg.com\ht d
      [00:56 12/06/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\d.yimg.com\ht\yep d
      [00:56 12/06/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\d.yimg.com\ht\yep\vyc_player.swf d
      [00:56 12/06/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\d.yimg.com\ks d
      [01:48 20/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\d.yimg.com\ks\gmy d
      [14:20 29/06/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\d.yimg.com\ks\gmy\AdPlugin.swf d
      [14:20 29/06/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\d.yimg.com\ks\ytv d
      [13:24 20/06/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\d.yimg.com\ks\ytv\AdPlugin.swf d
      [13:24 20/06/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\d.yimg.com\ks\ytv-dint d
      [01:48 20/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\d.yimg.com\ks\ytv-dint\AdPlugin.swf d
      [01:48 20/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\d.yimg.com\static.video.yahoo.com d
      [23:38 04/06/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\d.yimg.com\static.video.yahoo.com\yep d
      [23:38 04/06/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\d.yimg.com\static.video.yahoo.com\yep\vyc_player.swf d
      [23:38 04/06/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\e.blip.tv d
      [22:44 27/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\flash.quantserve.com d
      [01:24 27/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\interclick.com d
      [17:01 25/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\l.yimg.com d
      [12:12 03/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\l.yimg.com\a d
      [15:29 08/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\l.yimg.com\a\a d
      [15:29 08/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\l.yimg.com\a\a\1- d
      [15:29 08/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\l.yimg.com\a\a\1-\java d
      [15:29 08/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\l.yimg.com\a\a\1-\java\promotions d
      [15:29 08/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\l.yimg.com\a\a\1-\java\promotions\bankofamerica d
      [11:43 18/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\l.yimg.com\a\a\1-\java\promotions\bankofamerica\090518 d
      [11:43 18/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\l.yimg.com\a\a\1-\java\promotions\bankofamerica\090518\c d
      [11:43 18/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\l.yimg.com\a\a\1-\java\promotions\discovery d
      [22:09 05/06/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\l.yimg.com\a\a\1-\java\promotions\discovery\090606 d
      [22:09 05/06/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\l.yimg.com\a\a\1-\java\promotions\discovery\090606\d d
      [22:09 05/06/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\l.yimg.com\a\a\1-\java\promotions\discovery\090606\d\e1.swf d
      [22:09 05/06/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\l.yimg.com\a\a\1-\java\promotions\ford d
      [21:57 14/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\l.yimg.com\a\a\1-\java\promotions\ford\090514 d
      [21:57 14/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\l.yimg.com\a\a\1-\java\promotions\paramount d
      [15:29 08/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\l.yimg.com\a\a\1-\java\promotions\paramount\090508 d
      [15:29 08/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\l.yimg.com\a\a\1-\java\promotions\paramount\090508\i d
      [15:29 08/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\l.yimg.com\m d
      [22:48 27/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\l.yimg.com\m\ver d
      [22:48 27/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\l.yimg.com\m\ver\271.3 d
      [22:48 27/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\l.yimg.com\m\ver\271.3\embed-2009-03-26-1329 d
      [22:48 27/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\l.yimg.com\m\ver\271.3\embed-2009-03-26-1329\swf d
      [22:48 27/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\l.yimg.com\m\ver\271.3\embed-2009-03-26-1329\swf\yup_embed_module.swf d
      [22:48 27/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\load.tubemogul.com d
      [22:44 27/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\m1.2mdn.net d
      [02:12 25/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\mail.google.com d
      [22:26 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\publish.vx.roo.com d
      [00:59 08/06/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\s.ytimg.com d
      [20:00 06/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\static.twitter.com d
      [03:11 05/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\static.twitter.com\flash d
      [03:11 05/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\static.twitter.com\flash\widgets d
      [03:11 05/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\static.twitter.com\flash\widgets\profile d
      [03:11 05/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\static.twitter.com\flash\widgets\profile\TwitterWidget.swf d
      [03:11 05/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\swf.neopets.com d
      [16:57 25/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\swf.neopets.com\flash_enabled_check.swf d
      [16:57 25/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\theonion.com d
      [14:02 12/06/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\tlc.discovery.com d
      [16:22 29/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\tlc.discovery.com\shared d
      [16:22 29/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\tlc.discovery.com\shared\swf d
      [16:22 29/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\tlc.discovery.com\shared\swf\video-players d
      [16:22 29/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\tlc.discovery.com\shared\swf\video-players\monetized d
      [16:22 29/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\tlc.discovery.com\shared\swf\video-players\monetized\video-asset-page-player.swf d
      [16:22 29/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\tlc.discovery.com\shared\swf\video-players\monetized\video-asset-page-player.swf\#VIDEO d
      [16:22 29/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\www.applevacations.com d
      [01:06 11/06/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\www.applevacations.com\static d
      [01:06 11/06/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\www.applevacations.com\static\promotions d
      [01:06 11/06/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\www.applevacations.com\static\promotions\lastminute d
      [01:06 11/06/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\www.applevacations.com\static\promotions\lastminute\index.swf d
      [01:06 11/06/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\www.hulu.com d
      [13:54 19/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\www.hulu.com\playerembed.swf d
      [13:54 19/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\www.theonion.com d
      [14:02 12/06/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\#SharedObjects\UN64CM5Y\www.weather.com d
      [23:58 10/06/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\macromedia.com d
      [22:26 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\macromedia.com\support d
      [22:26 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer d
      [22:26 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys d
      [22:26 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#abcnews.go.com d
      [01:24 27/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bankofamerica.com d
      [02:03 27/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com d
      [23:15 04/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#cdn1.eyewonder.com d
      [19:57 09/06/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#common.scrippsnetworks.com d
      [21:55 23/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#d.yimg.com d
      [12:09 03/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#e.blip.tv d
      [22:44 27/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#flash.quantserve.com d
      [01:24 27/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com d
      [17:01 25/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#l.yimg.com d
      [12:12 03/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#load.tubemogul.com d
      [22:44 27/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#m1.2mdn.net d
      [02:12 25/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#mail.google.com d
      [22:26 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#publish.vx.roo.com d
      [00:59 08/06/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#s.ytimg.com d
      [20:00 06/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.twitter.com d
      [03:11 05/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#swf.neopets.com d
      [16:57 25/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#theonion.com d
      [14:02 12/06/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#tlc.discovery.com d
      [16:22 29/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.applevacations.com d
      [01:06 11/06/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.hulu.com d
      [13:54 19/05/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.theonion.com d
      [14:02 12/06/2009]
      C:\Documents and Settings\Anna\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.weather.com d
      [23:58 10/06/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft d---s- [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\AddIns d
      [22:27 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\Address Book d
      [11:13 03/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\Clip Organizer d
      [02:37 08/06/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\CLR Security Config d
      [01:25 16/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\CLR Security Config\v1.1.4322 d
      [01:25 16/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\CLView d
      [21:29 31/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\CLView\1033 d
      [21:29 31/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\Credentials d---s- [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\Credentials\S-1-5-21-1220945662-1532298954-839522115-1004 d---s- [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\CryptnetUrlCache d---s- [11:13 03/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\CryptnetUrlCache\Content d---s- [11:13 03/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\CryptnetUrlCache\MetaData d---s- [11:13 03/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\Document Building Blocks d
      [22:27 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\Document Building Blocks\1033 d
      [22:27 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\Internet Explorer d
      [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\Internet Explorer\Quick Launch dr---- [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\Internet Explorer\UserData d--hs- [18:02 26/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\Internet Explorer\UserData\0EXL0717 d--hs- [18:02 26/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\Internet Explorer\UserData\1Q45Q7ZM d--hs- [18:02 26/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\Internet Explorer\UserData\45RDDEA1 d--hs- [18:02 26/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\Internet Explorer\UserData\IX7Q98X3 d--hs- [18:02 26/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\Media Player d
      [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\Microsoft IntelliPoint d
      [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\Microsoft IntelliPoint\SQM d
      [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\Office d
      [22:27 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\Office\Recent d---s- [22:30 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\PowerPoint d
      [03:04 08/06/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\Proof d
      [22:27 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\Protect d---s- [22:26 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\Protect\S-1-5-21-1220945662-1532298954-839522115-1004 d---s- [22:26 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\SystemCertificates d---s- [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\SystemCertificates\My d---s- [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\SystemCertificates\My\Certificates d---s- [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\SystemCertificates\My\CRLs d---s- [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\SystemCertificates\My\CTLs d---s- [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\Templates d
      [22:27 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\Templates\Document Themes d
      [17:44 14/06/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\Templates\Document Themes\Theme Colors d
      [17:44 14/06/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\Templates\Document Themes\Theme Effects d
      [17:44 14/06/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\Templates\Document Themes\Theme Fonts d
      [17:44 14/06/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\Templates\SmartArt Graphics d
      [13:44 11/06/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\UProof d
      [22:27 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\Windows d
      [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\Windows\Themes d
      [22:25 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\Word d
      [22:27 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Microsoft\Word\STARTUP d
      [22:27 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\MiniDm d
      [22:27 02/05/2009]
      C:\Documents and Settings\Anna\Application Data\Mozilla d
      [14:44 10/05/2009]
      C:\Documents and Settings\Anna\Application Data\Mozilla\Extensions d
      [14:44 10/05/2009]
      C:\Documents and Settings\Anna\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} d
      [14:44 10/05/2009]
      C:\Documents and Settings\Anna\Application Data\Mozilla\Firefox d
      [14:44 10/05/2009]
      C:\Documents and Settings\Anna\Application Data\Mozilla\Firefox\Crash Reports d
      [14:44 10/05/2009]
      C:\Documents and Settings\Anna\Application Data\Mozilla\Firefox\Profiles d
      [14:44 10/05/2009]
      C:\Documents and Settings\Anna\Application Data\Mozilla\Firefox\Profiles\p5hkx75p.default d
      [14:44 10/05/2009]
      C:\Documents and Settings\Anna\Application Data\Mozilla\Firefox\Profiles\p5hkx75p.default\bookmarkbackups d
      [14:44 10/05/2009]
      C:\Documents and Settings\Anna\Application Data\Mozilla\Firefox\Profiles\p5hkx75p.default\chrome d
      [14:44 10/05/2009]
      C:\Documents and Settings\Anna\Application Data\Mozilla\Firefox\Profiles\p5hkx75p.default\extensions d
      [14:44 10/05/2009]
      C:\Documents and Settings\Anna\Application Data\Mozilla\Firefox\Profiles\p5hkx75p.default\minidumps d
      [14:44 10/05/2009]
      C:\Documents and Settings\Anna\Application Data\WinRAR d
      [21:22 31/05/2009]
      C:\Documents and Settings\Rachel\Application Data - Parameters: "/s /n*.exe*"
      ---Files---
      None found.
      C:\Documents and Settings\Rachel\Application Data\Adobe d
      [19:03 02/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Acrobat d
      [19:03 02/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Acrobat\8.0 d
      [19:03 02/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Acrobat\8.0\Collab d
      [22:28 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Acrobat\8.0\JavaScripts d
      [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Acrobat\8.0\Preferences d
      [22:28 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Acrobat\8.0\Synchronizer d
      [19:03 02/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Acrobat\8.0\Synchronizer\metadata d
      [19:03 02/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Acrobat\Distiller 8 d
      [19:03 02/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Acrobat\Distiller 8\Cache d
      [19:03 02/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Adobe PDF d
      [19:03 02/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Adobe PDF\Distiller d
      [19:03 02/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Adobe PDF\Distiller\Data d
      [19:03 02/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Adobe PDF\Distiller\Startup d
      [19:03 02/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Adobe PDF\Settings d
      [19:03 02/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\CS4ServiceManager d
      [19:03 02/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Flash Player d
      [19:14 02/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Flash Player\AssetCache d
      [19:14 02/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Flash Player\AssetCache\A847MLHV d
      [19:14 02/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics d
      [22:28 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries d
      [22:28 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary d
      [22:28 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all d
      [22:28 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brt d
      [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brz d
      [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\bul d
      [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\can d
      [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\cfr d
      [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\ctl d
      [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\cze d
      [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\dan d
      [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\dut d
      [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng d
      [22:28 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\est d
      [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\fin d
      [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\frn d
      [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\gre d
      [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\grm d
      [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\hrv d
      [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\hun d
      [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\itl d
      [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\lav d
      [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\lit d
      [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\nrw d
      [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\nyn d
      [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\pol d
      [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\prt d
      [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\rum d
      [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\rus d
      [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\sgr d
      [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\slo d
      [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\slv d
      [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\spn d [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\swd d [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\tur d [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Shockwave Player 11 d [23:20 15/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Shockwave Player 11\DswMedia d [23:20 15/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Shockwave Player 11\Prefs d [23:20 15/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Shockwave Player 11\Prefs\PXFN6PFV d [23:20 15/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Shockwave Player 11\xtras d [23:20 15/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Shockwave Player 11\xtras\download d [23:20 15/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Shockwave Player 11\xtras\download\AdobeSystemsIncorporated d [23:20 15/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Shockwave Player 11\xtras\download\AdobeSystemsIncorporated\DirectSound d [23:20 15/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Shockwave Player 11\xtras\download\AdobeSystemsIncorporated\FlashAsset d [23:20 15/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Shockwave Player 11\xtras\download\AdobeSystemsIncorporated\FontAsset d [23:20 15/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Shockwave Player 11\xtras\download\AdobeSystemsIncorporated\FontXtra d [23:20 15/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Shockwave Player 11\xtras\download\AdobeSystemsIncorporated\MacroMix d [23:20 15/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Shockwave Player 11\xtras\download\AdobeSystemsIncorporated\MixServices d [23:22 15/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Shockwave Player 11\xtras\download\AdobeSystemsIncorporated\Shockwave3dAsset d [23:22 15/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Shockwave Player 11\xtras\download\AdobeSystemsIncorporated\SoundControl d [23:20 15/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Shockwave Player 11\xtras\download\AdobeSystemsIncorporated\SWA d [23:20 15/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Shockwave Player 11\xtras\download\AdobeSystemsIncorporated\TextAsset d [23:20 15/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Shockwave Player 11\xtras\download\AdobeSystemsIncorporated\TextXtra d [23:20 15/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Shockwave Player 11\xtras\download\MacromediaInc d [23:22 15/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Adobe\Shockwave Player 11\xtras\download\MacromediaInc\Havok d [23:22 15/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Brother dr---- [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Brother\PrtDrv dr---- [22:29 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Identities d [19:03 02/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Identities\{B99E5BA4-12C1-468B-B169-B35254D15E54} d [19:03 02/05/2009]
      C:\Documents and Settings\Rachel\Application Data\IEPro d [19:14 02/05/2009]
      C:\Documents and Settings\Rachel\Application Data\IEPro\adblock d [19:14 02/05/2009]
      C:\Documents and Settings\Rachel\Application Data\IEPro\autoform d [19:14 02/05/2009]
      C:\Documents and Settings\Rachel\Application Data\IEPro\textsaver d [19:14 02/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Macromedia d [19:14 02/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Macromedia\Flash Player d [19:14 02/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Macromedia\Flash Player\#SharedObjects d [19:14 02/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Macromedia\Flash Player\#SharedObjects\3H5KRCPS d [19:14 02/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Macromedia\Flash Player\#SharedObjects\3H5KRCPS\abcnews.go.com d [00:15 20/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Macromedia\Flash Player\#SharedObjects\3H5KRCPS\assets.bunchball.com d [19:48 06/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Macromedia\Flash Player\#SharedObjects\3H5KRCPS\bin.clearspring.com d [22:10 09/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Macromedia\Flash Player\#SharedObjects\3H5KRCPS\cdn.gigya.com d [23:06 20/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Macromedia\Flash Player\#SharedObjects\3H5KRCPS\cdn.visiblemeasures.com d [23:10 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Macromedia\Flash Player\#SharedObjects\3H5KRCPS\cdn.visiblemeasures.com\swf d [23:10 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Macromedia\Flash Player\#SharedObjects\3H5KRCPS\cdn.visiblemeasures.com\swf\as2 d [23:10 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Macromedia\Flash Player\#SharedObjects\3H5KRCPS\cdn.visiblemeasures.com\swf\as2\AS2SOHandler.swf d [23:10 02/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Macromedia\Flash Player\#SharedObjects\3H5KRCPS\core.mochibot.com d [20:22 29/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Macromedia\Flash Player\#SharedObjects\3H5KRCPS\core.videoegg.com d [23:22 13/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Macromedia\Flash Player\#SharedObjects\3H5KRCPS\core.videoegg.com\#com d [23:22 13/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Macromedia\Flash Player\#SharedObjects\3H5KRCPS\core.videoegg.com\#com\videoegg d [23:22 13/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Macromedia\Flash Player\#SharedObjects\3H5KRCPS\core.videoegg.com\#ve d [23:22 13/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Macromedia\Flash Player\#SharedObjects\3H5KRCPS\d.scribd.com d [23:15 13/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Macromedia\Flash Player\#SharedObjects\3H5KRCPS\d.scribd.com\ScribdViewer.swf d [23:15 13/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Macromedia\Flash Player\#SharedObjects\3H5KRCPS\d.yimg.com d [11:50 07/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Macromedia\Flash Player\#SharedObjects\3H5KRCPS\d.yimg.com\ht d [00:52 10/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Macromedia\Flash Player\#SharedObjects\3H5KRCPS\d.yimg.com\ht\yep d [00:52 10/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Macromedia\Flash Player\#SharedObjects\3H5KRCPS\d.yimg.com\ht\yep\vyc_player.swf d [00:52 10/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Macromedia\Flash Player\#SharedObjects\3H5KRCPS\d.yimg.com\ks d [11:50 07/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Macromedia\Flash Player\#SharedObjects\3H5KRCPS\d.yimg.com\ks\ytv d [11:50 07/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Macromedia\Flash Player\#SharedObjects\3H5KRCPS\d.yimg.com\ks\ytv\AdPlugin.swf d [11:50 07/05/2009]
      C:\Documents and Settings\Rachel\Application Data\Macromedia\Flash Player\#SharedObjects\3H5KRCPS\d.yimg.com\ks\ytv-dint d [23:08 17/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Macromedia\Flash Player\#SharedObjects\3H5KRCPS\d.yimg.com\ks\ytv-dint\AdPlugin.swf d [23:08 17/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Macromedia\Flash Player\#SharedObjects\3H5KRCPS\d2vu12l4y8nfmr.cloudfront.net d [00:24 23/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Macromedia\Flash Player\#SharedObjects\3H5KRCPS\flash.quantserve.com d [19:20 06/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Macromedia\Flash Player\#SharedObjects\3H5KRCPS\forbes.com d [12:05 04/06/2009]
      C:\Documents and Settings\Rachel\Application Data\Macromedia\Flash Player\#SharedObjects\3H5KRCPS\forbes.com\media d [12:05 04/06/2009]