# Desktop.ini (Trojan) found



## remo26

I was infected about 2 weeks ago with a virus that was redirecting me when I selected links in my Google searches and giving me fake Security Center popups. At the time, I had only Adaware installed which reported finding something like a "win32agent." I then installed other AV programs (Malwarebytes' Anti-Malware and Vipre). Neither of them could completely remove the virus.

After finding and removing low-level threats and cookies, I would still get the same redirect and popup symptoms. Vipre would regularly report that Desktop.ini (Trojan) was detected trying to open a file. When I rebooted after a while, I would see it deleting multiple copies of the desktop.ini (maybe 20 or more copies).

I then did more searching and found lists saying that the file C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini needs to be deleted. After not being able to find the GAC_MSIL folder in Windows with hidden folders showing, I ran CMD.exe to view the path in DOS. I was able to see the file, its size is 28,160kb. When I tried to delete it, I got "access is denied."

Now I understand that I won't be able to solve this alone. I need someone to talk/walk me through the steps. I am concerned about the compromise of my passwords. All my PWs are managed through Roboform. Do I need to have all of them changed at this stage? Currently, I am still running Vipre. Here are the details of the Desktop.ini event that Vipre detects. Thanks in advance for the help.

*Active Protection Event Details*

- Event Type: 2 -- Notify
- Timeout: 0(s)
- Monitor Source: 2003 -- On File Access
- Message ID: {6BF0D082-977C-4880-B8AE-2324CC6347A8}
- Monitor Type: 2 -- File
- Recommend System Scan: Yes
- AP SDK Version: 5.0.5074
- Threat Definitions Version: 11197
- Event Actor Enum: 2 -- Object
- Event Date/Time: 2011-12-04T09:15:46

*Application Information*

- File Path: C:\WINDOWS\system32\cidaemon.exe
- Process ID: 1484
- File Size: 8192(B)
- CRC85C37C243FF460000
- Application Rating: 1 -- Known Good
- Added To Always Allow List: No
- Company: Microsoft Corporation
- File Version: 5.1.2600.0 (xpclient.010817-1148)
- Product Name: Microsoft® Windows® Operating System
- Product Version: 5.1.2600.0
- Description: Indexing Service filter daemon
- Copyright: © Microsoft Corporation. All rights reserved.

*Attempted to modify the following file*

- File Path: C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini
- MD5: 8674d6f9f88c8ae1ee0525f64aae4eb1
- CRC8BC71F542C0CC0000
- Application Rating: 2 -- Known Bad
- Threat ID: 4150696

*Action Taken*

- User Name: \\NT AUTHORITY\SYSTEM
- Action: 2 -- Blocked
- Reason: 2 -- VIPRE Known


----------
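
A triage check for the situation described in the post above, as an added example that is not part of the original thread: it walks a folder tree and reports files named Desktop.ini or Desktop_.ini that do not look like the small text file Windows uses for folder customization. The function names, the 64 KiB ceiling and the sample files are assumptions constructed for the illustration.

```python
import os
import tempfile

# File names taken from this thread: Vipre flagged "Desktop.ini",
# ComboFix removed "Desktop_.ini".
WATCHED_NAMES = {"desktop.ini", "desktop_.ini"}
# Assumption: a folder-customization INI is a small text file;
# 64 KiB is a generous ceiling for one.
MAX_PLAUSIBLE_SIZE = 64 * 1024


def decode_head(head):
    """Decode the first bytes as text, or return None if they look binary."""
    if head.startswith(b"\xff\xfe"):      # UTF-16LE byte order mark
        return head[2:].decode("utf-16-le", errors="replace")
    if b"\x00" in head:                   # NUL bytes do not occur in an ANSI INI file
        return None
    return head.decode("cp1252", errors="replace")


def has_ini_section(text):
    """True if any line is an INI section header such as [.ShellClassInfo]."""
    for line in text.splitlines():
        line = line.strip()
        if len(line) > 2 and line.startswith("[") and line.endswith("]"):
            return True
    return False


def classify(path):
    """Return the reasons a file does not look like a folder-customization INI."""
    try:
        size = os.path.getsize(path)
        with open(path, "rb") as fh:
            head = fh.read(4096)
    except OSError:
        # Covers "access is denied", as the poster saw when touching the file.
        return ["unreadable"]
    if size == 0:
        return []
    reasons = []
    if size > MAX_PLAUSIBLE_SIZE:
        reasons.append("oversized")
    if head[:2] == b"MZ":                 # DOS/PE executable signature
        reasons.append("pe-header")
    text = decode_head(head)
    if text is None:
        reasons.append("binary")
    elif not has_ini_section(text):
        reasons.append("no-ini-section")
    return reasons


def scan(root):
    """Map relative path -> reasons for every watched file that looks wrong."""
    findings = {}
    # os.walk skips directories it cannot list; run elevated for full coverage.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in WATCHED_NAMES:
                continue
            full = os.path.join(dirpath, name)
            reasons = classify(full)
            if reasons:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = reasons
    return findings


def build_sample_tree(root):
    """Write constructed sample files (harmless bytes, not real malware)."""
    samples = {
        "Documents/Desktop.ini": b"[.ShellClassInfo]\r\nInfoTip=My files\r\n",
        "Music/desktop.ini": b"\xff\xfe" + "[.ShellClassInfo]\r\n".encode("utf-16-le"),
        "assembly/GAC_MSIL/Desktop.ini": b"MZ" + b"\x00" * (70 * 1024),
        "Startup/Desktop_.ini": bytes(range(256)) * 4,
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reasons in sorted(scan(tmp).items()):
            print(rel, "->", ", ".join(reasons))
```

A hit only means the file is not a plain folder-customization INI; it is a prompt to collect the file's hash and a scanner verdict, not a verdict on its own.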



## chemist

Hello and Welcome to TSF. 

Please *Subscribe to this Thread* to get immediate notification of replies as soon as they are posted. To do this click *Thread Tools*, then click *Subscribe to this Thread*. Make sure it is set to *Instant notification by email*, then click *Add Subscription*.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

We want all our members to perform the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum

After running through *all* the steps, you shall have a proper set of logs. Please post/attach the logs in your next reply. 

*If you have trouble with one of the steps*, simply move on to the next one, and make note of it in your reply. 

------------------------------------------------------


----------



## remo26

I am still having problems with Google search results being redirected and fake Windows Alert popups. I have uninstalled Vipre, and am only running Anti-Malware now.

Here is my DDS.txt logfile. Attached is the zipped Archive.txt logfile. There was no Ark.txt generated. I don't have a Windows install disk, and my CD drive is not working.

.
DDS (Ver_2011-08-26.01) - NTFSx86 
Internet Explorer: 8.0.6001.18702
Run by DORIS B at 22:05:27 on 2011-12-06
Microsoft Windows XP Home Edition 5.1.2600.2.1256.981.1033.18.2038.1409 [GMT 2:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Google\ggviewer81-3.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\DORIS B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Documents and Settings\DORIS B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\DORIS B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\cidaemon.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.jpost.com/
uSearch Page = hxxp://www.bing.com/?pc=AVBR
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5060919
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
mURLSearchHooks: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Patent Pal Toolbar: {dc5f4a1e-b7c0-4e15-acb3-8b33c30aec45} - c:\program files\patent_pal\prxtbPate.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: LexisNexis(R) PatentOptimizer(TM): {2710a98a-079e-4091-91a2-a00f45d4ba09} - c:\program files\lexisnexis\patentoptimizer\LNPatOpt.dll
TB: Patent Pal Toolbar: {dc5f4a1e-b7c0-4e15-acb3-8b33c30aec45} - c:\program files\patent_pal\prxtbPate.dll
TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\doris b\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [PE2CKFNT SE] c:\program files\ulead systems\ulead photo express 2 se\ChkFont.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [pdfFactory Dispatcher v3] "c:\windows\system32\spool\drivers\w32x86\3\fppdis3a.exe" /source=HKLM
mRun: [Ad-Aware Browsing Protection] "c:\documents and settings\all users\application data\ad-aware browsing protection\adawarebp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SBRegRebootCleaner] "c:\program files\gfi software\vipre\SBRC.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\documents and settings\doris b\start menu\programs\startup\Desktop_.ini
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
LSP: mswsock.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {395E58B9-090C-461A-8F27-087D1C72794A} - hxxps://useast-v1.nefsis.com/LoaderIE2.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {A64DBFEB-F36F-4E47-8A2A-39308CFABEB9} - hxxps://www.anywhereconference.com/plugins/IE/ANWShare.cab?2,7,0,0
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://micropat.webex.com/client/T26L/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{48CD4F05-EB02-4338-8D71-413DBBA266B0} : DhcpNameServer = 192.168.1.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\doris b\application data\mozilla\firefox\profiles\snikj93v.default\
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 51939
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - plugin: c:\documents and settings\doris b\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: d:\mozilla plugins\npitunes.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files\siber systems\ai roboform\Firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-11-9 64512]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2011-12-5 101720]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-10 366152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-10 22216]
S2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\pct-safe\firebird\bin\fbguard.exe -s --> c:\pct-safe\firebird\bin\fbguard.exe -s [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-29 135664]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-11-3 2152152]
S3 bsusbser;Basecom USB Device for Legacy Serial Communication;c:\windows\system32\drivers\bsusbser.sys [2011-3-3 99456]
S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\pct-safe\firebird\bin\fbserver.exe -s -g --> c:\pct-safe\firebird\bin\fbserver.exe -s -g [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-29 135664]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-11-3 15232]
S3 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-11 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
.
=============== Created Last 30 ================
.
2011-12-05 16:13:49 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-12-05 07:05:29 -------- d-----w- c:\documents and settings\doris b\application data\MSNInstaller
2011-12-03 18:18:49 -------- d-----w- c:\program files\common files\PC Tools
2011-12-03 18:18:48 -------- d-----w- c:\program files\PC Tools Security
2011-12-03 18:15:38 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-11-27 11:42:25 257536 ----a-w- c:\windows\BiImg.dll
2011-11-27 11:42:25 221184 ----a-w- c:\windows\TIFF32.DLL
2011-11-27 11:42:25 110592 ----a-w- c:\windows\JPEG32.DLL
2011-11-27 11:42:13 53248 ----a-w- c:\windows\system32\BiMAppNT.exe
2011-11-27 11:42:11 73728 ----a-w- c:\windows\system32\BiMResNT.dll
2011-11-27 11:42:11 143360 ----a-w- c:\windows\system32\BiMRmvNT.dll
2011-11-27 11:42:10 262144 ----a-w- c:\windows\system32\BiMMonNT.dll
2011-11-27 11:41:55 -------- d-----w- c:\program files\Net2Phone CommCenter
2011-11-21 12:25:15 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-11-10 12:47:47 -------- d-----w- c:\documents and settings\all users\application data\GFI Software
2011-11-10 12:41:51 -------- d-----w- c:\program files\GFI Software
2011-11-10 12:41:47 -------- d-----w- c:\documents and settings\doris b\application data\GFI Software
2011-11-10 09:29:15 -------- d-----w- c:\documents and settings\doris b\application data\Malwarebytes
2011-11-10 09:26:24 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-11-10 09:25:54 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-10 09:25:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-09 11:00:56 -------- d-----w- c:\documents and settings\doris b\local settings\application data\adaware
2011-11-09 11:00:22 -------- d-----w- c:\documents and settings\doris b\application data\adawaretb
2011-11-09 11:00:19 -------- d-----w- c:\program files\adawaretb
2011-11-09 10:59:43 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-11-08 13:34:03 -------- d-----w- c:\documents and settings\all users\application data\Ad-Aware Browsing Protection
2011-11-08 13:33:59 -------- d-----w- c:\program files\Toolbar Cleaner
2011-11-07 12:21:06 -------- d-sh--w- c:\documents and settings\doris b\local settings\application data\0f407991
.
==================== Find3M ====================
.
2011-11-22 08:52:14 24576 ----a-w- c:\windows\system32\userinit.exe
2011-11-21 09:25:03 24576 ----a-w- c:\windows\system32\custsave.exe
2011-11-20 21:40:46 97792 ----a-w- c:\windows\system32\msiexec.exe
2011-11-10 12:39:54 1204224 ----a-w- c:\windows\system32\BCMWLTRY.EXE
2011-11-08 04:55:35 20992 ----a-w- c:\windows\system32\WLTRYSVC.EXE
.
============= FINISH: 22:15:25.60 ===============


----------



## chemist

Hello remo26. 



> There was no Ark.txt generated


Did you download and run gmer? You won't get a gmer log unless you run it. 

I need to see a gmer log in order to help you. 

Download *GMER Rootkit Scanner* from *here* (http://www.gmer.net/download.php) and Save it to your Desktop. 

Double-click gmer.exe to run it. If asked to allow gmer.sys driver to load, please consent. 
First, gmer will run a short, initial scan. 
If it gives you a warning about rootkit activity and asks if you want to run scan...click on *NO*. 


 



In the right panel, you will see several boxes that have been checked. Ensure the following are *UNCHECKED* ...

- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)

Then click the Scan button & wait for it to finish. 
Once done click on the *[Save..]* button, and in the File name area, type in *"Gmer.txt"* or it will save as a .log file which cannot be uploaded to your post. 

Save it where you can easily find it, such as your desktop, and attach it to your next reply.

**Caution**

_Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries._

------------------------------------------------------


----------



## remo26

Before I received your last message, I ran Anti-Malware overnight. It said it found a lot of trojans and rootkits. I had it perform the recommended actions. I didn't know about false positives like you wrote later. I have attached the MBAM logfile. I then ran Gmer, and have attached the log file as a txt file.


----------



## chemist

Hello again, remo26. One or more of the identified infections is a backdoor trojan/rootkit.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known *clean* computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please refer to *Microsoft's Online Safety* article for tips on creating a strong password. 

Do not change passwords or do any transactions from the infected computer until it has been cleaned.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. 

Please stay with me until given the 'all clear' even if symptoms seemingly abate. 

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper. 

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution. 

Emergency Backup Procedure - Tech Support Forum

------------------------------------------------------

It appears that you have two antivirus programs installed and running, Ad-Watch and Authentium/Radialpoint. While this may seem like better protection, they can actually conflict with one another and cause system instability or even system hangs. Please choose one to keep and uninstall the other via Add or Remove Programs in your Control Panel. 

If you want to keep Ad-Watch, uninstall both Authentium AntiVirus SDK - 2 and Radialpoint Security Services. 

------------------------------------------------------

Please download *ComboFix* and Save it to your Desktop. 

**Note: It is important that it is saved directly to your desktop**

*First, we need to install the Windows Recovery Console.*

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode, if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. Also, ComboFix will not address certain types of malware unless the RC is installed. It is a simple procedure that will only take a few moments of your time.

Download the file from this Microsoft page:

Download: Windows XP Home Edition with Service Pack 2 Utility: Setup Disks for Floppy Boot Install - Microsoft Download Center - Download Details

Save it as it is originally named to your Desktop. 

Now close all open windows and programs, including all antivirus and antispyware programs. Get help here










Then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Recovery Console.

As part of installing the Recovery Console, ComboFix will begin to run. Your desktop may disappear. This is normal. It will return. 

ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:










Please continue as follows:


- Close/disable all antivirus and antispyware programs so they do not interfere with the running of ComboFix. Get help here
- Please click *Yes* to continue scanning for malware.
- Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
- When the tool is finished, it will produce a log for you.

Please post that log, *C:\ComboFix.txt*, in your next reply. 

Please re-enable your antivirus before posting the ComboFix.txt log. 

------------------------------------------------------


----------



## remo26

I had no idea that there was security SW other than Adaware and MBAM. I had disabled Adwatch. I don't know where to find Authentium AntiVirus SDK - 2 and Radialpoint Security Services. I will wait until you confirm this before I proceed. Currently, I only see MBAM in my system tray. Let me know if I should exit it also before running the scans. About the PWs, I have many PWs which are in Roboform for entering. Do I need to change all of these now? There are probably 50-100.


----------



## chemist

You need to uninstall Authentium and Radialpoint in the Add or Remove Programs section of your Control Panel. You should disable all antivirus and antispyware applications. 

You should at least change passwords related to financial transactions (banks, credit cards, etc.).


----------



## remo26

I could find any programs with names related to Authentium and Radialpoint in the Add or Remove Programs section of your Control Panel.


----------



## chemist

Proceed with the instructions for running ComboFix.


----------



## remo26

Okay, here is my log file from the ComboFix scan.


ComboFix 11-12-06.02 - DORIS B 12/07/2011 20:59:20.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1256.981.1033.18.2038.1536 [GMT 2:00]
Running from: c:\documents and settings\DORIS B\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\DORIS B\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200906-1.6334.zip.dir\en\for-spa-without-container\htdocs\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200906-1.6334.zip.dir\en\for-spa-without-container\images\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200906-3.41.zip.dir\all\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200906-3.41.zip.dir\all\images\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200906-3.41.zip.dir\all\scripts\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200906-3.41.zip.dir\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200906-3.41.zip.dir\en\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200906-3.41.zip.dir\en\for-spa-with-container\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200906-3.41.zip.dir\en\for-spa-with-container\htdocs\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200906-3.41.zip.dir\en\for-spa-with-container\images\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200906-3.41.zip.dir\en\for-spa-without-container\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200906-3.41.zip.dir\en\for-spa-without-container\htdocs\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200906-3.41.zip.dir\en\for-spa-without-container\images\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200907-3.41.zip.dir\all\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200907-3.41.zip.dir\all\images\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200907-3.41.zip.dir\all\scripts\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200907-3.41.zip.dir\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200907-3.41.zip.dir\en\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200907-3.41.zip.dir\en\for-spa-with-container\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200907-3.41.zip.dir\en\for-spa-with-container\htdocs\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200907-3.41.zip.dir\en\for-spa-with-container\images\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200907-3.41.zip.dir\en\for-spa-without-container\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200907-3.41.zip.dir\en\for-spa-without-container\htdocs\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200907-3.41.zip.dir\en\for-spa-without-container\images\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200907-4.41.zip.dir\all\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200907-4.41.zip.dir\all\images\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200907-4.41.zip.dir\all\scripts\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200907-4.41.zip.dir\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200907-4.41.zip.dir\en\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200907-4.41.zip.dir\en\for-spa-with-container\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200907-4.41.zip.dir\en\for-spa-with-container\htdocs\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200907-4.41.zip.dir\en\for-spa-with-container\images\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200907-4.41.zip.dir\en\for-spa-without-container\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200907-4.41.zip.dir\en\for-spa-without-container\htdocs\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200907-4.41.zip.dir\en\for-spa-without-container\images\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-1.18467.zip.dir\all\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-1.18467.zip.dir\all\images\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-1.18467.zip.dir\all\scripts\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-1.18467.zip.dir\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-1.18467.zip.dir\en\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-1.18467.zip.dir\en\for-spa-with-container\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-1.18467.zip.dir\en\for-spa-with-container\htdocs\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-1.18467.zip.dir\en\for-spa-with-container\images\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-1.18467.zip.dir\en\for-spa-without-container\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-1.18467.zip.dir\en\for-spa-without-container\htdocs\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-1.18467.zip.dir\en\for-spa-without-container\images\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-2.41.zip.dir\all\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-2.41.zip.dir\all\images\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-2.41.zip.dir\all\scripts\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-2.41.zip.dir\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-2.41.zip.dir\en\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-2.41.zip.dir\en\for-spa-with-container\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-2.41.zip.dir\en\for-spa-with-container\htdocs\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-2.41.zip.dir\en\for-spa-with-container\images\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-2.41.zip.dir\en\for-spa-without-container\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-2.41.zip.dir\en\for-spa-without-container\htdocs\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-2.41.zip.dir\en\for-spa-without-container\images\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-4.41.zip.dir\all\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-4.41.zip.dir\all\images\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-4.41.zip.dir\all\scripts\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-4.41.zip.dir\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-4.41.zip.dir\en\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-4.41.zip.dir\en\for-spa-with-container\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-4.41.zip.dir\en\for-spa-with-container\htdocs\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-4.41.zip.dir\en\for-spa-with-container\images\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-4.41.zip.dir\en\for-spa-without-container\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-4.41.zip.dir\en\for-spa-without-container\htdocs\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-4.41.zip.dir\en\for-spa-without-container\images\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-5.41.zip.dir\all\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-5.41.zip.dir\all\images\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-5.41.zip.dir\all\scripts\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-5.41.zip.dir\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-5.41.zip.dir\en\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-5.41.zip.dir\en\for-spa-with-container\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-5.41.zip.dir\en\for-spa-with-container\htdocs\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-5.41.zip.dir\en\for-spa-with-container\images\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-5.41.zip.dir\en\for-spa-without-container\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-5.41.zip.dir\en\for-spa-without-container\htdocs\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\VerizonSASTip-200909-5.41.zip.dir\en\for-spa-without-container\images\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-06.26500.zip.dir\all\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-06.26500.zip.dir\all\scripts\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-06.26500.zip.dir\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-06.26500.zip.dir\en\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-06.26500.zip.dir\en\for-spa-with-container\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-06.26500.zip.dir\en\for-spa-with-container\htdocs\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-06.26500.zip.dir\en\for-spa-with-container\images\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-06.26500.zip.dir\en\for-spa-without-container\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-06.26500.zip.dir\en\for-spa-without-container\htdocs\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-06.26500.zip.dir\en\for-spa-without-container\images\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-07.41.zip.dir\all\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-07.41.zip.dir\all\scripts\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-07.41.zip.dir\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-07.41.zip.dir\en\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-07.41.zip.dir\en\for-spa-with-container\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-07.41.zip.dir\en\for-spa-with-container\htdocs\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-07.41.zip.dir\en\for-spa-with-container\images\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-07.41.zip.dir\en\for-spa-without-container\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-07.41.zip.dir\en\for-spa-without-container\htdocs\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-07.41.zip.dir\en\for-spa-without-container\images\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-09.41.zip.dir\all\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-09.41.zip.dir\all\scripts\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-09.41.zip.dir\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-09.41.zip.dir\en\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-09.41.zip.dir\en\for-spa-with-container\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-09.41.zip.dir\en\for-spa-with-container\htdocs\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-09.41.zip.dir\en\for-spa-with-container\images\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-09.41.zip.dir\en\for-spa-without-container\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-09.41.zip.dir\en\for-spa-without-container\htdocs\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-09.41.zip.dir\en\for-spa-without-container\images\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-10.41.zip.dir\all\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-10.41.zip.dir\all\scripts\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-10.41.zip.dir\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-10.41.zip.dir\en\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-10.41.zip.dir\en\for-spa-with-container\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-10.41.zip.dir\en\for-spa-with-container\htdocs\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-10.41.zip.dir\en\for-spa-with-container\images\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-10.41.zip.dir\en\for-spa-without-container\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-10.41.zip.dir\en\for-spa-without-container\htdocs\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2009-10.41.zip.dir\en\for-spa-without-container\images\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Verizon\VSP\SoftwareDetectionScripts\109.tmp\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Yahoo!\Companion\Buttons\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Yahoo!\Companion\Desktop_.ini
c:\documents and settings\DORIS B\Application Data\Yahoo!\Desktop_.ini
c:\documents and settings\DORIS B\Cookies\Desktop_.ini
c:\documents and settings\DORIS B\Desktop\Desktop_.ini
c:\documents and settings\DORIS B\Desktop\Shared FPIP\4'1 Daniel\Desktop_.ini
c:\documents and settings\DORIS B\Desktop\Shared FPIP\5'1 Tross\Desktop_.ini
c:\documents and settings\DORIS B\Desktop\Shared FPIP\6 Parann-Nissany\Desktop_.ini
c:\documents and settings\DORIS B\Desktop\Shared FPIP\Desktop_.ini
c:\documents and settings\DORIS B\g2mdlhlpx.exe
c:\documents and settings\DORIS B\Local Settings\Temporary Internet Files\Desktop_.ini
c:\documents and settings\DORIS B\Recent\Desktop_.ini
c:\documents and settings\DORIS B\WINDOWS
c:\windows\$NtUninstallKB35118$\1445633370
c:\windows\$NtUninstallKB35118$\255883665\@
c:\windows\$NtUninstallKB35118$\255883665\L\odetmngk
c:\windows\$NtUninstallKB35118$\255883665\loader.tlb
c:\windows\$NtUninstallKB35118$\255883665\U\@00000001
c:\windows\$NtUninstallKB35118$\255883665\U\@000000c0
c:\windows\$NtUninstallKB35118$\255883665\U\@000000cb
c:\windows\$NtUninstallKB35118$\255883665\U\@000000cf
c:\windows\$NtUninstallKB35118$\255883665\U\@80000000
c:\windows\$NtUninstallKB35118$\255883665\U\@800000c0
c:\windows\$NtUninstallKB35118$\255883665\U\@800000cb
c:\windows\$NtUninstallKB35118$\255883665\U\@800000cf
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\EventSystem.log
c:\windows\iun6002.exe
c:\windows\system32\ 
c:\windows\system32\AutoRun.inf
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\$NtUninstallKB35118$ . . . . Failed to delete
.
Infected copy of c:\windows\system32\msiexec.exe was found and disinfected 
Restored copy from - c:\windows\$NtUninstallKB942288-v3$\msiexec.exe 
.
Infected copy of c:\program files\Lavasoft\Ad-Aware\AAWService.exe was found and disinfected 
Restored copy from - c:\system volume information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1207\A0197678.exe 
.
Infected copy of c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe was found and disinfected 
Restored copy from - c:\system volume information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1208\A0197721.exe 
.
Infected copy of c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe was found and disinfected 
Restored copy from - c:\system volume information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1208\A0197722.exe 
.
Infected copy of c:\program files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe was found and disinfected 
Restored copy from - c:\system volume information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1208\A0197723.exe 
.
Infected copy of c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe was found and disinfected 
Restored copy from - c:\system volume information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1196\A0197090.exe 
.
Infected copy of c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE was found and disinfected 
Restored copy from - c:\system volume information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1208\A0197724.EXE 
.
Infected copy of c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe was found and disinfected 
Restored copy from - c:\system volume information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1208\A0197725.exe 
.
Infected copy of c:\program files\Xobni\XobniService.exe was found and disinfected 
Restored copy from - c:\system volume information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1208\A0197823.exe 
.
.
((((((((((((((((((((((((( Files Created from 2011-11-07 to 2011-12-07 )))))))))))))))))))))))))))))))
.
.
2011-12-05 16:13 . 2011-11-10 15:36 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-12-05 07:05 . 2011-12-05 07:05 -------- d-----w- c:\documents and settings\DORIS B\Application Data\MSNInstaller
2011-12-03 18:18 . 2011-12-04 04:57 -------- d-----w- c:\program files\Common Files\PC Tools
2011-12-03 18:18 . 2011-12-04 04:57 -------- d-----w- c:\program files\PC Tools Security
2011-12-03 18:15 . 2011-12-04 04:54 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-11-28 08:16 . 2011-11-28 08:16 -------- d-----w- c:\documents and settings\DORIS B\Application Data\Template
2011-11-27 11:42 . 2002-05-10 14:30 110592 ----a-w- c:\windows\JPEG32.DLL
2011-11-27 11:42 . 2002-05-10 14:27 221184 ----a-w- c:\windows\TIFF32.DLL
2011-11-27 11:42 . 2001-09-28 11:44 257536 ----a-w- c:\windows\BiImg.dll
2011-11-27 11:42 . 2003-04-23 13:14 53248 ----a-w- c:\windows\system32\BiMAppNT.exe
2011-11-27 11:42 . 2003-04-23 15:16 73728 ----a-w- c:\windows\system32\BiMResNT.dll
2011-11-27 11:42 . 2003-04-09 13:42 143360 ----a-w- c:\windows\system32\BiMRmvNT.dll
2011-11-27 11:42 . 2003-04-23 13:14 262144 ----a-w- c:\windows\system32\BiMMonNT.dll
2011-11-27 11:41 . 2011-12-02 10:56 -------- d-----w- c:\program files\Net2Phone CommCenter
2011-11-21 12:25 . 2011-11-09 11:36 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-11-10 12:47 . 2011-11-10 12:47 -------- d-----w- c:\documents and settings\All Users\Application Data\GFI Software
2011-11-10 12:41 . 2011-11-10 12:41 -------- d-----w- c:\program files\GFI Software
2011-11-10 12:41 . 2011-11-10 12:41 -------- d-----w- c:\documents and settings\DORIS B\Application Data\GFI Software
2011-11-10 09:29 . 2011-11-10 09:29 -------- d-----w- c:\documents and settings\DORIS B\Application Data\Malwarebytes
2011-11-10 09:26 . 2011-11-10 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-10 09:25 . 2011-08-31 15:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-10 09:25 . 2011-12-07 19:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-09 11:00 . 2011-11-09 11:00 -------- d-----w- c:\documents and settings\DORIS B\Local Settings\Application Data\adaware
2011-11-09 11:00 . 2011-11-14 07:10 -------- d-----w- c:\documents and settings\DORIS B\Application Data\adawaretb
2011-11-09 11:00 . 2011-11-09 12:23 -------- d-----w- c:\program files\adawaretb
2011-11-09 10:59 . 2011-11-03 10:06 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-11-08 13:34 . 2011-12-07 20:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection
2011-11-08 13:33 . 2011-11-08 13:33 -------- d-----w- c:\program files\Toolbar Cleaner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-22 08:52 . 2004-08-10 17:51 24576 ----a-w- c:\windows\system32\userinit.exe
2011-11-21 09:25 . 2008-05-04 15:19 24576 ----a-w- c:\windows\system32\custsave.exe
2011-11-10 12:39 . 2006-09-19 19:06 1204224 ----a-w- c:\windows\system32\BCMWLTRY.EXE
2011-11-08 04:55 . 2006-09-19 19:06 20992 ----a-w- c:\windows\system32\WLTRYSVC.EXE
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
2011-10-21 09:10 87440 ----a-w- c:\program files\adawaretb\adawareDx.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{dc5f4a1e-b7c0-4e15-acb3-8b33c30aec45}]
2011-05-09 09:49 176936 ----a-w- c:\program files\Patent_Pal\prxtbPate.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{dc5f4a1e-b7c0-4e15-acb3-8b33c30aec45}"= "c:\program files\Patent_Pal\prxtbPate.dll" [2011-05-09 176936]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2011-10-21 87440]
.
[HKEY_CLASSES_ROOT\clsid\{dc5f4a1e-b7c0-4e15-acb3-8b33c30aec45}]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{DC5F4A1E-B7C0-4E15-ACB3-8B33C30AEC45}"= "c:\program files\Patent_Pal\prxtbPate.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{dc5f4a1e-b7c0-4e15-acb3-8b33c30aec45}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-15 39408]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2011-02-13 160328]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"PE2CKFNT SE"="c:\program files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [1998-07-03 25088]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"pdfFactory Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2006-08-24 503808]
"Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2011-11-10 198032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 443968]
.
c:\documents and settings\DORIS B\Start Menu\Programs\Startup\
Desktop_.ini [2009-11-23 10]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0SBBD.exe /d \Device\HarddiskVolume2\Program Files\GFI Software\VIPRE\Definitions
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\KompoZer\\KompoZer 0.8a4\\kompozer.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\gnucash\\bin\\gnucash.exe"=
"c:\\Program Files\\gnucash\\bin\\gconfd-2.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Avant Browser\\ybrowser.exe"=
"c:\\Program Files\\Avant Browser\\avant.exe"=
"c:\\Program Files\\Avant Browser\\adownloader.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jaucheck.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Google\\ggviewer81-3.exe"=
"c:\\Documents and Settings\\DORIS B\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Google\\ggverscheck81-3.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\All Users\\Application Data\\Ad-Aware Browsing Protection\\adawarebp.exe"=
"c:\\Program Files\\adawaretb\\dtUser.exe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/9/2011 12:59 PM 64512]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [12/5/2011 6:13 PM 101720]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/7/2011 9:51 PM 2152152]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/10/2011 11:26 AM 366152]
R2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [8/20/2009 11:34 PM 46824]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/10/2011 11:25 AM 22216]
S2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\pct-safe\Firebird\Bin\fbguard.exe -s --> c:\pct-safe\Firebird\Bin\fbguard.exe -s [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/29/2010 8:00 AM 135664]
S3 bsusbser;Basecom USB Device for Legacy Serial Communication;c:\windows\system32\drivers\bsusbser.sys [3/3/2011 10:14 PM 99456]
S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\pct-safe\Firebird\Bin\fbserver.exe -s -g --> c:\pct-safe\Firebird\Bin\fbserver.exe -s -g [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/29/2010 8:00 AM 135664]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [11/3/2011 12:06 PM 15232]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/11/2008 2:28 AM 47128]
S3 Radialpoint Security Services;Radialpoint Security Services;c:\windows\system32\dllhost.exe [8/10/2004 7:50 PM 5120]
S3 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/11/2008 2:28 AM 369688]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 8:49 AM 242712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-11-03 11:36]
.
2011-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-29 17:15]
.
2011-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-29 17:15]
.
2011-12-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2328895702-2467398078-4090025293-1013Core.job
- c:\documents and settings\DORIS B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 02:28]
.
2011-12-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2328895702-2467398078-4090025293-1013UA.job
- c:\documents and settings\DORIS B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 02:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.jpost.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
TCP: DhcpNameServer = 192.168.1.1
DPF: {395E58B9-090C-461A-8F27-087D1C72794A} - hxxps://useast-v1.nefsis.com/LoaderIE2.cab
DPF: {A64DBFEB-F36F-4E47-8A2A-39308CFABEB9} - hxxps://www.anywhereconference.com/plugins/IE/ANWShare.cab?2,7,0,0
FF - ProfilePath - c:\documents and settings\DORIS B\Application Data\Mozilla\Firefox\Profiles\snikj93v.default\
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 51939
FF - prefs.js: network.proxy.type - 1
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files\Siber Systems\AI RoboForm\Firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-SBRegRebootCleaner - c:\program files\GFI Software\VIPRE\SBRC.exe
Notify-WgaLogon - (no file)
SafeBoot-SolutoService
AddRemove-Cool's_Codec_pack_4.12 - c:\windows\iun6002.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-12-07 22:10
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(9744)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.dll
c:\progra~1\Google\GGTASK~1.DLL
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\System32\snmp.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\Google\ggviewer81-3.exe
c:\windows\stsystra.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\logitech\quickcam\lu\lulnchr.exe
c:\program files\common files\logitech\lu\lulnchr.exe
c:\program files\common files\logitech\lu\LogitechUpdate.exe
.
**************************************************************************
.
Completion time: 2011-12-07 22:24:10 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-07 20:24
.
Pre-Run: 2,210,344,960 bytes free
Post-Run: 7,168,188,416 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 9BF612306972D480C62F8E8FDEFDC963


----------



## chemist

Hello again, remo26. Please tell us how your system is behaving. 

------------------------------------------------------

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open *Notepad* and copy/paste all the text in the codebox below into Notepad: 



Code:

```
File::
c:\documents and settings\DORIS B\Start Menu\Programs\Startup\Desktop_.ini

Firefox::
FF - ProfilePath - c:\documents and settings\DORIS B\Application Data\Mozilla\Firefox\Profiles\snikj93v.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 51939
FF - prefs.js: network.proxy.type - 1

Folder::
c:\windows\$NtUninstallKB35118$

DDS::
uInternet Connection Wizard,ShellNext = iexplore

ClearJavaCache::

Driver::
Radialpoint Security Services
```

Save this Notepad file as *CFScript.txt* to your Desktop and then close the file.

Referring to the picture above, drag CFScript onto ComboFix.

If you are prompted to update ComboFix and have an internet connection, please choose *Yes*.

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, *C:\ComboFix.txt*, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log. 

------------------------------------------------------


----------
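The `Firefox::` block in the CFScript above lists three proxy entries from the log's Supplementary Scan: a manual proxy (`network.proxy.type` 1) pointing the browser at a listener on the local machine. As an added example (not part of the original post and not ComboFix code), this Python check reads either ComboFix-style `FF - prefs.js:` lines or a real `prefs.js` and reports manual proxies bound to loopback; the function names and the sample `prefs.js` text are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: lines in the format of the ComboFix log posted in this thread.
SAMPLE_LOG = """\
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 51939
FF - prefs.js: network.proxy.type - 1
"""

# Constructed sample: the same settings in Firefox's own prefs.js syntax.
SAMPLE_PREFS_JS = """\
user_pref("browser.startup.homepage", "http://www.example.com/");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 51939);
user_pref("network.proxy.type", 1);
"""

LOG_LINE = re.compile(r'^FF - prefs\.js:\s+(\S+)\s+-\s+(.*?)\s*$')
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

# Host preferences that Firefox consults only when the proxy mode is manual.
PROXY_HOST_KEYS = ("network.proxy.http", "network.proxy.ssl", "network.proxy.socks")
MANUAL_PROXY = 1  # network.proxy.type: 0 direct, 1 manual, 2 PAC URL, 4 auto-detect


def parse_prefs(text):
    """Return {pref_name: value_as_string} from log lines or prefs.js lines."""
    prefs = {}
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
            continue
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip('"')
    return prefs


def is_loopback(host):
    """True for localhost and for any literal loopback address (127.0.0.0/8, ::1)."""
    host = host.strip().lower()
    if host in ("localhost", "localhost."):
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False  # an ordinary hostname, not a literal address


def check_proxy(prefs):
    """Return [(pref_name, host, port)] for manual proxies that point at loopback."""
    raw_mode = prefs.get("network.proxy.type")
    if raw_mode is None:
        return []  # pref not set in this profile, so no manual proxy is configured here
    try:
        mode = int(raw_mode)
    except ValueError:
        return []  # malformed value; nothing reliable to report
    if mode != MANUAL_PROXY:
        return []  # host entries are ignored unless the mode is manual
    findings = []
    for key in PROXY_HOST_KEYS:
        host = prefs.get(key, "")
        if host and is_loopback(host):
            findings.append((key, host, prefs.get(key + "_port", "?")))
    return findings


if __name__ == "__main__":
    for name, text in (("log", SAMPLE_LOG), ("prefs.js", SAMPLE_PREFS_JS)):
        for key, host, port in check_proxy(parse_prefs(text)):
            # A loopback proxy is a lead, not a verdict: local filtering tools
            # also use one. Identify the process listening on the port.
            print("%s: %s -> %s:%s (manual proxy on loopback)" % (name, key, host, port))
```

A hit only says that browser traffic is routed through something on the same machine; the next step is to find out which process owns that port.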



## remo26

My system seems to be responding faster, Google links aren't redirected, and the fake Security Alerts have not popped up.

While running ComboFix there was a window that said an error had occurred with a file, and it asked to terminate or debug. I chose terminate.

Here is the ComboFix log file.


ComboFix 11-12-06.02 - DORIS B 12/08/2011 8:06.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1256.981.1033.18.2038.1294 [GMT 2:00]
Running from: c:\documents and settings\DORIS B\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\DORIS B\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
FILE ::
"c:\documents and settings\DORIS B\Start Menu\Programs\Startup\Desktop_.ini"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\DORIS B\Start Menu\Programs\Startup\Desktop_.ini
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\$NtUninstallKB35118$ . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_Radialpoint Security Services
.
.
((((((((((((((((((((((((( Files Created from 2011-11-08 to 2011-12-08 )))))))))))))))))))))))))))))))
.
.
2011-12-05 16:13 . 2011-11-10 15:36 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-12-05 07:05 . 2011-12-05 07:05 -------- d-----w- c:\documents and settings\DORIS B\Application Data\MSNInstaller
2011-12-03 18:18 . 2011-12-04 04:57 -------- d-----w- c:\program files\Common Files\PC Tools
2011-12-03 18:18 . 2011-12-04 04:57 -------- d-----w- c:\program files\PC Tools Security
2011-12-03 18:15 . 2011-12-04 04:54 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-11-28 08:16 . 2011-11-28 08:16 -------- d-----w- c:\documents and settings\DORIS B\Application Data\Template
2011-11-27 11:42 . 2002-05-10 14:30 110592 ----a-w- c:\windows\JPEG32.DLL
2011-11-27 11:42 . 2002-05-10 14:27 221184 ----a-w- c:\windows\TIFF32.DLL
2011-11-27 11:42 . 2001-09-28 11:44 257536 ----a-w- c:\windows\BiImg.dll
2011-11-27 11:42 . 2003-04-23 13:14 53248 ----a-w- c:\windows\system32\BiMAppNT.exe
2011-11-27 11:42 . 2003-04-23 15:16 73728 ----a-w- c:\windows\system32\BiMResNT.dll
2011-11-27 11:42 . 2003-04-09 13:42 143360 ----a-w- c:\windows\system32\BiMRmvNT.dll
2011-11-27 11:42 . 2003-04-23 13:14 262144 ----a-w- c:\windows\system32\BiMMonNT.dll
2011-11-27 11:41 . 2011-12-02 10:56 -------- d-----w- c:\program files\Net2Phone CommCenter
2011-11-21 12:25 . 2011-11-09 11:36 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-11-10 12:47 . 2011-11-10 12:47 -------- d-----w- c:\documents and settings\All Users\Application Data\GFI Software
2011-11-10 12:41 . 2011-11-10 12:41 -------- d-----w- c:\program files\GFI Software
2011-11-10 12:41 . 2011-11-10 12:41 -------- d-----w- c:\documents and settings\DORIS B\Application Data\GFI Software
2011-11-10 09:29 . 2011-11-10 09:29 -------- d-----w- c:\documents and settings\DORIS B\Application Data\Malwarebytes
2011-11-10 09:26 . 2011-11-10 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-10 09:25 . 2011-08-31 15:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-10 09:25 . 2011-12-07 19:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-09 11:00 . 2011-11-09 11:00 -------- d-----w- c:\documents and settings\DORIS B\Local Settings\Application Data\adaware
2011-11-09 11:00 . 2011-11-14 07:10 -------- d-----w- c:\documents and settings\DORIS B\Application Data\adawaretb
2011-11-09 11:00 . 2011-11-09 12:23 -------- d-----w- c:\program files\adawaretb
2011-11-09 10:59 . 2011-11-03 10:06 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-11-08 13:34 . 2011-12-08 06:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection
2011-11-08 13:33 . 2011-11-08 13:33 -------- d-----w- c:\program files\Toolbar Cleaner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-22 08:52 . 2004-08-10 17:51 24576 ----a-w- c:\windows\system32\userinit.exe
2011-11-21 09:25 . 2008-05-04 15:19 24576 ----a-w- c:\windows\system32\custsave.exe
2011-11-10 12:39 . 2006-09-19 19:06 1204224 ----a-w- c:\windows\system32\BCMWLTRY.EXE
2011-11-08 04:55 . 2006-09-19 19:06 20992 ----a-w- c:\windows\system32\WLTRYSVC.EXE
.
.
((((((((((((((((((((((((((((( [email protected]_20.11.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-08 06:33 . 2011-12-08 06:33 16384 c:\windows\Temp\Perflib_Perfdata_77c.dat
+ 2011-12-08 06:33 . 2011-12-08 06:33 16384 c:\windows\Temp\Perflib_Perfdata_230.dat
+ 2011-12-08 06:33 . 2011-12-08 06:33 16384 c:\windows\Temp\Perflib_Perfdata_150.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
2011-10-21 09:10 87440 ----a-w- c:\program files\adawaretb\adawareDx.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{dc5f4a1e-b7c0-4e15-acb3-8b33c30aec45}]
2011-05-09 09:49 176936 ----a-w- c:\program files\Patent_Pal\prxtbPate.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{dc5f4a1e-b7c0-4e15-acb3-8b33c30aec45}"= "c:\program files\Patent_Pal\prxtbPate.dll" [2011-05-09 176936]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2011-10-21 87440]
.
[HKEY_CLASSES_ROOT\clsid\{dc5f4a1e-b7c0-4e15-acb3-8b33c30aec45}]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{DC5F4A1E-B7C0-4E15-ACB3-8B33C30AEC45}"= "c:\program files\Patent_Pal\prxtbPate.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{dc5f4a1e-b7c0-4e15-acb3-8b33c30aec45}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-15 39408]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2011-02-13 160328]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"PE2CKFNT SE"="c:\program files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [1998-07-03 25088]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"pdfFactory Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2006-08-24 503808]
"Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2011-11-10 198032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 443968]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0SBBD.exe /d \Device\HarddiskVolume2\Program Files\GFI Software\VIPRE\Definitions
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\KompoZer\\KompoZer 0.8a4\\kompozer.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\gnucash\\bin\\gnucash.exe"=
"c:\\Program Files\\gnucash\\bin\\gconfd-2.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Avant Browser\\ybrowser.exe"=
"c:\\Program Files\\Avant Browser\\avant.exe"=
"c:\\Program Files\\Avant Browser\\adownloader.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jaucheck.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Google\\ggviewer81-3.exe"=
"c:\\Documents and Settings\\DORIS B\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Google\\ggverscheck81-3.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\All Users\\Application Data\\Ad-Aware Browsing Protection\\adawarebp.exe"=
"c:\\Program Files\\adawaretb\\dtUser.exe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/9/2011 12:59 PM 64512]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [12/5/2011 6:13 PM 101720]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/7/2011 9:51 PM 2152152]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/10/2011 11:26 AM 366152]
R2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [8/20/2009 11:34 PM 46824]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/10/2011 11:25 AM 22216]
S2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\pct-safe\Firebird\Bin\fbguard.exe -s --> c:\pct-safe\Firebird\Bin\fbguard.exe -s [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/29/2010 8:00 AM 135664]
S3 bsusbser;Basecom USB Device for Legacy Serial Communication;c:\windows\system32\drivers\bsusbser.sys [3/3/2011 10:14 PM 99456]
S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\pct-safe\Firebird\Bin\fbserver.exe -s -g --> c:\pct-safe\Firebird\Bin\fbserver.exe -s -g [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/29/2010 8:00 AM 135664]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [11/3/2011 12:06 PM 15232]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/11/2008 2:28 AM 47128]
S3 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/11/2008 2:28 AM 369688]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 8:49 AM 242712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-11-03 11:36]
.
2011-12-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-29 17:15]
.
2011-12-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-29 17:15]
.
2011-12-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2328895702-2467398078-4090025293-1013Core.job
- c:\documents and settings\DORIS B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 02:28]
.
2011-12-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2328895702-2467398078-4090025293-1013UA.job
- c:\documents and settings\DORIS B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 02:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.jpost.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
TCP: DhcpNameServer = 192.168.1.1
DPF: {395E58B9-090C-461A-8F27-087D1C72794A} - hxxps://useast-v1.nefsis.com/LoaderIE2.cab
DPF: {A64DBFEB-F36F-4E47-8A2A-39308CFABEB9} - hxxps://www.anywhereconference.com/plugins/IE/ANWShare.cab?2,7,0,0
FF - ProfilePath - c:\documents and settings\DORIS B\Application Data\Mozilla\Firefox\Profiles\snikj93v.default\
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files\Siber Systems\AI RoboForm\Firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-12-08 08:36
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(6176)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.dll
c:\progra~1\Google\GGTASK~1.DLL
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\System32\snmp.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\Google\ggviewer81-3.exe
c:\windows\stsystra.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2011-12-08 08:46:56 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-08 06:46
ComboFix2.txt 2011-12-07 20:24
.
Pre-Run: 7,161,176,064 bytes free
Post-Run: 7,048,658,944 bytes free
.
- - End Of File - - F6958A4BFE5C1B1019BE8E6FDDC4E2B3


----------



## chemist

Hello again, remo26. Boot to Safe Mode and see if you can delete this folder: 



> c:\windows\*$NtUninstallKB35118$*


Let me know. 

Restart your computer. 
After hearing your computer beep once during startup, but before the Windows icon appears, start pressing the F8 key. 
In some systems, this may be the F5 key. 
Instead of Windows loading as normal, a menu should appear. 
Use the up arrow key to highlight *Safe Mode* and press 'Enter'. 
Login on your usual account.
------------------------------------------------------


----------



## remo26

I tried to delete the file in Safe mode, but it said access denied.


----------



## chemist

Hello again, remo26. Please download this *file* and Save it to your Desktop. 

It is important that it is saved directly to your desktop. 

Go Start > Run and copy/paste the following bolded text into the Run box and click OK:

*"%userprofile%\desktop\Inherit.exe" "c:\windows\$NtUninstallKB35118$"*

When the 'Finish' box pops up, click 'OK'. 

Can you delete the folder now? 

------------------------------------------------------


----------



## remo26

After running Inherit, I was still not able to delete the folder (both in normal and safe mode).


----------



## chemist

Hello again, remo26. 

Download *The Avenger2* by Swandog46 from *here*

Unzip/extract it to a folder on your desktop.
Double-click on *avenger.exe* to run *The Avenger*
Click *OK*
Make sure that the box next to *Scan for rootkits* has a tick in it and that the box next to *Automatically disable any rootkits found* does *not* have a tick in it.
Copy/paste the following text in the codebox below into the 'Input script here:' box. 



Code:


Folders to delete:
c:\windows\$NtUninstallKB35118$

Note: The above code was created specifically for this user. If you are not this user, do *NOT* follow these directions as they could damage the workings of your system.

Click *Execute*
Click *Yes*
You will now be asked *First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?*
Click *Yes*
Your PC will now be rebooted.
After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\*avenger.txt* (typically C:\*avenger.txt*).
Please post this log in your next reply.
------------------------------------------------------


----------



## remo26

Here's the Avenger log. It looks like it got it. Thanks a lot for your help. Is there more that we need to do? Is there a reason why these got through my security SW that I can avoid in the future?

//////////////////////////////////////////

Logfile of The Avenger Version 2.0, (c) by Swandog46
Swandog46's Public Anti-Malware Tools
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Folder "c:\windows\$NtUninstallKB35118$" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.


----------



## chemist

Hello again, remo26. Almost done. Unfortunately, no antivirus program is 100% protective. 

Any reason you haven't updated to Service Pack 3? 

Support is ending for some versions of Windows > Windows End of Support Information - Windows Help & How-to

------------------------------------------------------

Launch *Malwarebytes' Anti-Malware*
Under the Update tab, click *Check for Updates*
If an update is found, it will download and install the latest version. 
Once the program has loaded, select *Perform quick scan*, then click *Scan*. 
When the scan is complete, click *OK*, then *Show Results* to view the results. 
Be sure that everything is checked, and click *Remove Selected*. 
When completed, a log will open in Notepad and you may be prompted to Restart your computer. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the *Logs* tab in MBAM. 
Copy/Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click *OK* to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs):

*J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5*

These are all outdated and are security risks while they remain installed. Reboot your computer once all those Java components are removed. 

Going forward, Java will overwrite existing installs, so removing older versions should not be required after this.

In fact, you should be able to update your current Java, *Java(TM) 6 Update 20*, by going to Control Panel (Classic View) and double-clicking on the Java icon (looks like a coffee cup). Click on the Update tab. On the lower right, click on Update Now. An update should begin. Allow the install of the new Java.

Make sure you untick the box next to whatever free program they prompt you to install, unless you want it. 

After the install is complete, go back to your Control Panel (using Classic View) and click the *Java* icon (looks like a coffee cup).
On the General tab, under Temporary Internet Files, click the *Settings* button.
Next, click on the *Delete Files* button.
There are two options in the window to clear the cache - *Leave BOTH Checked*
 *Applications and Applets*
*Trace and Log Files*

Click *OK* on *Delete Temporary Files* Window. 
*Note: This deletes ALL the Downloaded Applications and Applets from the CACHE*
Click *OK* to leave the Temporary Files Window.
Click *OK* to leave the Java Control Panel.

------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan. 

Go *here* and click 'ESET Online Scanner'.

If you are not using Internet Explorer, double-click *esetsmartinstaller_enu.exe* to install it, then click 'Run'. 
Turn off the real-time scanner of any existing antivirus program while performing the online scan.
Tick the box next to *YES, I accept the Terms of Use.*
Click *Start*
If using Internet Explorer, allow the ActiveX control to install when asked.
Make sure that the option *Remove found threats* is *un*ticked and the *Scan Archives* option is ticked.
Click on *Advanced Settings* and ensure these options are ticked:
*Scan for potentially unwanted applications*
*Scan for potentially unsafe applications*
*Enable Anti-Stealth Technology*

Next to 'Current scan targets: _Operating memory, Local drives_', click the Change.. button. 
Tick all the boxes that correspond to your external/inserted drives. 
Click *Start*
Wait for the scan to finish, then click 'Finish'.
Use *Notepad* to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Do *NOT* be alarmed by what you see in the report. Many of the finds have likely been quarantined. 
Copy/paste that log as a reply to this topic.
------------------------------------------------------

*Please post the following in your next reply:

MBAM log
ESET report*


----------



## remo26

I didn't upgrade to Win XP SP3 because I was worried about my copy of Office not being Genuine. I am planning to make the jump to Win8 when it comes out. I don't want to have problems with my current setup.

I ran MBAM. No infected files detected. The log file is posted at the end of the message.

When I tried to remove the old versions of Java, I got a message box saying, "The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance."

BTW, add/remove programs list says I already have Java 6 Update 20 installed.

I will post the results of the ESET scan in my next reply.


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 8351
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702
12/11/2011 10:26:48 AM
mbam-log-2011-12-11 (10-26-48).txt
Scan type: Quick scan
Objects scanned: 183107
Time elapsed: 20 minute(s), 29 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)


----------



## remo26

Here is the ESET report.


[email protected] as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=83afb18ebc42984d85d23c4f22932d7b
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-12-11 03:38:52
# local_time=2011-12-11 05:38:52 (+0200, Jerusalem Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 53097853 53097853 0 0
# compatibility_mode=8192 67108863 100 0 4149 4149 0 0
# scanned=171637
# found=58
# cleaned=0
# scan_time=22437
C:\Qoobox\Quarantine\C\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe.vir Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe.vir Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe.vir Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE.vir Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Program Files\Lavasoft\Ad-Aware\AAWService.exe.vir Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe.vir Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe.vir Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Program Files\Xobni\XobniService.exe.vir Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1173\A0184617.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1173\A0184621.rbf Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1173\A0184773.sys a variant of Win32/Rootkit.Kryptik.EZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1174\A0186792.sys a variant of Win32/Rootkit.Kryptik.EZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1175\A0186804.sys a variant of Win32/Rootkit.Kryptik.EZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1175\A0186816.sys a variant of Win32/Rootkit.Kryptik.EZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1175\A0186828.EXE Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1175\A0186829.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1175\A0186830.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1175\A0186831.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1175\A0186832.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1175\A0186833.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1175\A0186834.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1175\A0186843.sys a variant of Win32/Rootkit.Kryptik.EZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1175\A0186858.EXE Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1175\A0186859.EXE Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1175\A0186860.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1175\A0186861.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1175\A0186865.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1175\A0186867.sys a variant of Win32/Rootkit.Kryptik.EZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1175\A0186912.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1176\A0186991.sys a variant of Win32/Rootkit.Kryptik.EZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1177\A0187093.sys a variant of Win32/Rootkit.Kryptik.EZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1184\A0188093.sys a variant of Win32/Rootkit.Kryptik.EZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1191\A0188844.exe probably a variant of Win32/Adware.BargainBuddy.C application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1191\A0188851.sys a variant of Win32/Rootkit.Kryptik.EZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1191\A0189851.sys a variant of Win32/Rootkit.Kryptik.EZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1194\A0190851.sys a variant of Win32/Rootkit.Kryptik.EZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1194\A0190867.sys a variant of Win32/Rootkit.Kryptik.EZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1195\A0191867.sys a variant of Win32/Rootkit.Kryptik.EZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1195\A0191878.dll probably a variant of Win32/Adware.BargainBuddy.C application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1195\A0191881.dll probably a variant of Win32/Adware.BargainBuddy.C application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1195\A0192867.sys a variant of Win32/Rootkit.Kryptik.EZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1195\A0195868.sys a variant of Win32/Rootkit.Kryptik.EZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1195\A0196868.sys a variant of Win32/Rootkit.Kryptik.EZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1195\A0196870.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1195\A0197056.sys a variant of Win32/Rootkit.Kryptik.EZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1208\A0197702.sys a variant of Win32/Rootkit.Kryptik.EZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1208\A0197817.sys a variant of Win32/Rootkit.Kryptik.EZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1209\A0198521.ini a variant of Win32/Sirefef.CH trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1209\A0198526.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1209\A0198527.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1209\A0198528.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1209\A0198529.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1209\A0198530.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1209\A0198531.EXE Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1209\A0198532.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1209\A0198533.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\system32\drivers\redbook.sys a variant of Win32/Rootkit.Kryptik.EZ trojan (unable to clean) 00000000000000000000000000000000 I
G:\1u0o8bnq.cmd Win32/PSW.OnLineGames.NMY trojan (unable to clean) 00000000000000000000000000000000 I


----------
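Added example, not part of the original thread: a small Python triage of the ESET Online Scanner report posted above, separating findings that sit in ComboFix's Qoobox quarantine or in System Restore points from findings at a live path. The function names and the line pattern are assumptions inferred from the lines in this post; the sample is an excerpt of that log.

```python
import re
from collections import Counter, defaultdict

# Excerpt: seven of the 58 finding lines from the report above, plus two header lines.
SAMPLE_LOG = r"""# found=58
# cleaned=0
C:\Qoobox\Quarantine\C\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe.vir Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Program Files\Xobni\XobniService.exe.vir Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1173\A0184773.sys a variant of Win32/Rootkit.Kryptik.EZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1191\A0188844.exe probably a variant of Win32/Adware.BargainBuddy.C application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1209\A0198521.ini a variant of Win32/Sirefef.CH trojan (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\system32\drivers\redbook.sys a variant of Win32/Rootkit.Kryptik.EZ trojan (unable to clean) 00000000000000000000000000000000 I
G:\1u0o8bnq.cmd Win32/PSW.OnLineGames.NMY trojan (unable to clean) 00000000000000000000000000000000 I
"""

# Assumed layout of one finding line, inferred from the report above:
#   <path> [probably ][a variant of ]<Platform/Name> <kind> (<action>) <32 hex> <flag>
# Paths contain spaces but never "/", so the first token with "/" is the detection name.
FINDING = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<qualifier>(?:probably )?(?:a variant of )?)"
    r"(?P<name>\S+/\S+)\s+"
    r"(?P<kind>\w+)\s+"
    r"\((?P<action>[^)]*)\)\s+"
    r"(?P<digest>[0-9A-Fa-f]{32})\s+\S+$"
)


def locate(path):
    """Classify where a flagged file sits: stored copy or live path."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"        # ComboFix's quarantine folder
    if "\\system volume information\\_restore" in p:
        return "system_restore"    # Windows XP restore-point copies
    return "live"


def parse_findings(text):
    """Return (findings, unparsed); header lines starting with '#' are skipped."""
    findings, unparsed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FINDING.match(line)
        if m is None:
            unparsed.append(line)  # keep for manual review instead of dropping
            continue
        rec = m.groupdict()
        rec["qualifier"] = rec["qualifier"].strip()
        rec["location"] = locate(rec["path"])
        findings.append(rec)
    return findings, unparsed


def triage(findings):
    """Count detection names per location."""
    summary = defaultdict(Counter)
    for f in findings:
        summary[f["location"]][f["name"]] += 1
    return {loc: dict(counts) for loc, counts in summary.items()}


def live_findings(findings):
    """Findings outside quarantine and restore points, in log order."""
    return [(f["path"], f["name"]) for f in findings if f["location"] == "live"]


if __name__ == "__main__":
    found, skipped = parse_findings(SAMPLE_LOG)
    for loc, names in sorted(triage(found).items()):
        print(loc, names)
    for path, name in live_findings(found):
        print("live path:", path, name)
    if skipped:
        print("unparsed lines:", skipped)
```

Applied to all 58 finding lines of the report, the same split is 8 under Qoobox, 48 under System Restore and 2 at live paths (`C:\WINDOWS\system32\drivers\redbook.sys` and `G:\1u0o8bnq.cmd`).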



## chemist

> I didn't upgrade to Win XP SP3 because I was worried about my copy of Office not being Genuine


I'm afraid I can no longer help you, unless you uninstall your non-genuine Office. We don't support users with illegal software.


----------



## remo26

I thought the issue was with my OS which is legal. Anyway, I assume that from your answer I was far from being clean of viruses.


----------



## chemist

We don't support users with illegal software. Referring to the Forum Rules which you should have read at the time of Registering at this forum, TSF does not support *illegal* activity. As such, be advised that any request for assistance in removing malware may go unanswered, or may be discontinued, if the cracked (*illegal*) software is still present on the machine.


----------

