
BloodHound.Explot.196


  • This topic is locked
8 replies to this topic

#1 RTJohn

RTJohn

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:16 AM

Posted 24 March 2009 - 02:03 PM

One of our machines is constantly saying that it has found BloodHound.Explot.196. It has also alerted to a Trojan on a few occasions. It says successfully quarantined, but it just keeps constantly finding new ones. The computer seems to be running OK otherwise. MalWareBytes ran a full scan - took 42 hours - but found nothing.

Thank You!!!


Log file:


DDS (Ver_09-03-16.01) - NTFSx86
Run by melissa at 11:57:52.83 on Tue 03/24/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2047.804 [GMT -7:00]

AV: Symantec AntiVirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Symantec AntiVirus\DWHWIZRD.EXE
C:\Program Files\Symantec AntiVirus\SavUI.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Intuit\QuickBooks 2007\qbw32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\PROGRA~1\Intuit\QUICKB~2\QBDBMgr.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
\\server\clientapps\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://realtytech.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\windows\system32\ActiveToolBand.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Acer Assist Launcher] c:\program files\acer assist\launcher.exe
mRun: [Acer Empowering Technology Monitor] c:\windows\system32\SysMonitor.exe
mRun: [Acer Product Registration] "c:\program files\acer registration\ACE1.exe" /startup
mRun: [eFax 4.3] "c:\program files\efax messenger 4.3\J2GDllCmd.exe" /R
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\efax43~1.lnk - c:\program files\efax messenger 4.3\J2GTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\melissa\appdata\roaming\mozilla\firefox\profiles\jf2ovawk.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");

============= SERVICES / DRIVERS ===============

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-3-8 101936]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2008-11-18 7808]

=============== Created Last 30 ================

2009-03-19 11:33 <DIR> --d----- c:\users\melissa\appdata\roaming\Malwarebytes
2009-03-19 11:33 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-19 11:33 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-19 11:33 <DIR> --d----- c:\programdata\Malwarebytes
2009-03-19 11:33 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-19 11:33 <DIR> --d----- c:\progra~2\Malwarebytes
2009-03-19 11:19 161,792 a------- c:\windows\SWREG.exe
2009-03-19 11:19 98,816 a------- c:\windows\sed.exe
2009-03-19 11:19 <DIR> --d----- C:\ComboFix
2009-03-19 10:30 97,800 a------- c:\windows\system32\infocardapi.dll
2009-03-19 10:30 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-03-19 10:30 622,080 a------- c:\windows\system32\icardagt.exe
2009-03-19 10:30 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-03-19 10:30 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-03-19 10:30 11,264 a------- c:\windows\system32\icardres.dll
2009-03-19 10:30 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-03-19 10:30 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-03-19 10:15 96,760 a------- c:\windows\system32\dfshim.dll
2009-03-19 10:15 282,112 a------- c:\windows\system32\mscoree.dll
2009-03-19 10:14 41,984 a------- c:\windows\system32\netfxperf.dll
2009-03-19 10:14 158,720 a------- c:\windows\system32\mscorier.dll
2009-03-19 10:14 83,968 a------- c:\windows\system32\mscories.dll
2009-03-10 22:49 7,680 a------- c:\windows\system32\spwmp.dll
2009-03-10 22:49 4,096 a------- c:\windows\system32\msdxm.ocx
2009-03-10 22:49 4,096 a------- c:\windows\system32\dxmasf.dll
2009-03-10 22:49 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-03-10 22:48 268,288 a------- c:\windows\system32\schannel.dll
2009-03-10 22:48 2,033,152 a------- c:\windows\system32\win32k.sys

==================== Find3M ====================

2009-02-17 18:35 86,016 a------- c:\windows\inf\infstrng.dat
2009-02-17 18:35 86,016 a------- c:\windows\inf\infstor.dat
2009-02-17 18:35 51,200 a------- c:\windows\inf\infpub.dat
2009-01-14 23:11 827,392 a------- c:\windows\system32\wininet.dll
2009-01-07 12:28 453,152 a------- c:\windows\system32\nvuninst.exe
2008-12-08 15:08 61,224 a------- c:\users\melissa\GoToAssistDownloadHelper.exe
2008-06-24 13:17 174 a--sh--- c:\program files\desktop.ini
2008-06-24 13:04 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 05:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 11:58:29.38 ===============



#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,994 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:02:16 PM

Posted 03 April 2009 - 01:41 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. You can find information on A/V control HERE

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 RTJohn

RTJohn
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:16 AM

Posted 08 April 2009 - 03:01 PM

Here are the contents of the new DDS scan:



DDS (Ver_09-03-16.01) - NTFSx86
Run by melissa at 12:55:56.63 on Wed 04/08/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2047.871 [GMT -7:00]

AV: Symantec AntiVirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\System32\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Symantec AntiVirus\DWHWIZRD.EXE
C:\Program Files\Symantec AntiVirus\SavUI.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\melissa\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://realtytech.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\windows\system32\ActiveToolBand.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Acer Assist Launcher] c:\program files\acer assist\launcher.exe
mRun: [Acer Empowering Technology Monitor] c:\windows\system32\SysMonitor.exe
mRun: [Acer Product Registration] "c:\program files\acer registration\ACE1.exe" /startup
mRun: [eFax 4.3] "c:\program files\efax messenger 4.3\J2GDllCmd.exe" /R
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\efax43~1.lnk - c:\program files\efax messenger 4.3\J2GTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\melissa\appdata\roaming\mozilla\firefox\profiles\jf2ovawk.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo

============= SERVICES / DRIVERS ===============

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-3-8 101936]

=============== Created Last 30 ================

2009-03-31 09:59 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-03-31 09:59 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-31 09:59 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-03-31 09:56 <DIR> --d----- c:\program files\Secunia
2009-03-19 11:33 <DIR> --d----- c:\users\melissa\appdata\roaming\Malwarebytes
2009-03-19 11:33 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-19 11:33 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-19 11:33 <DIR> --d----- c:\programdata\Malwarebytes
2009-03-19 11:33 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-19 11:33 <DIR> --d----- c:\progra~2\Malwarebytes
2009-03-19 11:19 161,792 a------- c:\windows\SWREG.exe
2009-03-19 11:19 98,816 a------- c:\windows\sed.exe
2009-03-19 11:19 <DIR> --d----- C:\ComboFix
2009-03-19 10:30 97,800 a------- c:\windows\system32\infocardapi.dll
2009-03-19 10:30 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-03-19 10:30 622,080 a------- c:\windows\system32\icardagt.exe
2009-03-19 10:30 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-03-19 10:30 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-03-19 10:30 11,264 a------- c:\windows\system32\icardres.dll
2009-03-19 10:30 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-03-19 10:30 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-03-19 10:15 96,760 a------- c:\windows\system32\dfshim.dll
2009-03-19 10:15 282,112 a------- c:\windows\system32\mscoree.dll
2009-03-19 10:14 41,984 a------- c:\windows\system32\netfxperf.dll
2009-03-19 10:14 158,720 a------- c:\windows\system32\mscorier.dll
2009-03-19 10:14 83,968 a------- c:\windows\system32\mscories.dll
2009-03-10 22:49 7,680 a------- c:\windows\system32\spwmp.dll
2009-03-10 22:49 4,096 a------- c:\windows\system32\msdxm.ocx
2009-03-10 22:49 4,096 a------- c:\windows\system32\dxmasf.dll
2009-03-10 22:49 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-03-10 22:48 268,288 a------- c:\windows\system32\schannel.dll
2009-03-10 22:48 2,033,152 a------- c:\windows\system32\win32k.sys

==================== Find3M ====================

2009-03-24 04:03 7,808 a------- c:\windows\system32\drivers\psi_mf.sys
2009-02-17 18:35 86,016 a------- c:\windows\inf\infstrng.dat
2009-02-17 18:35 86,016 a------- c:\windows\inf\infstor.dat
2009-02-17 18:35 51,200 a------- c:\windows\inf\infpub.dat
2009-01-14 23:11 827,392 a------- c:\windows\system32\wininet.dll
2008-12-08 15:08 61,224 a------- c:\users\melissa\GoToAssistDownloadHelper.exe
2008-06-24 13:17 174 a--sh--- c:\program files\desktop.ini
2008-06-24 13:04 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 05:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 12:56:49.61 ===============

#4 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:07:16 PM

Posted 09 April 2009 - 06:45 AM

Hello, RTJohn

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


I'm not seeing anything malicious in your log.

Let's try a rootkit and online scan.

Gmer

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.

ESET Online Scan

Please go to Eset website to perform an online scan. Please use Internet Explorer as it uses ActiveX.
  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Uncheck (untick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply.


In your next reply, please post:
  • Gmer log
  • ESET log

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

#5 Jat90

Posted 13 April 2009 - 06:10 AM

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please send me a message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic.
- Jat90 -

#6 Jat90

Posted 13 April 2009 - 10:07 AM

Reopened at user request.
- Jat90 -

#7 RTJohn

Posted 13 April 2009 - 10:11 AM

I was able to run Gmer (after one attempt that resulted in a blue screen). But when I tried to run the online scan I would get an error saying insufficient rights or need admin privileges or something similar. I was logged in as an admin and actually tried with a separate admin account with the same result. So here is the Gmer log:


GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-13 07:39:50
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

SSDT 86BCDC40 ZwAlertResumeThread
SSDT 86BCDD20 ZwAlertThread
SSDT 86BC3578 ZwAllocateVirtualMemory
SSDT 86B03A98 ZwConnectPort
SSDT 86BCD9A0 ZwCreateMutant
SSDT 86B962A0 ZwCreateThread
SSDT 86BCC120 ZwFreeVirtualMemory
SSDT 86BCDA80 ZwImpersonateAnonymousToken
SSDT 86BCDB60 ZwImpersonateThread
SSDT 86BC56B8 ZwMapViewOfSection
SSDT 86BCD8C0 ZwOpenEvent
SSDT 86BA65A0 ZwOpenProcessToken
SSDT 86BC6D88 ZwOpenThreadToken
SSDT 86BE8C38 ZwResumeThread
SSDT 86BC6CC8 ZwSetContextThread
SSDT 86BC5580 ZwSetInformationProcess
SSDT 86BC6C08 ZwSetInformationThread
SSDT 86BCD7E0 ZwSuspendProcess
SSDT 86BC64B8 ZwSuspendThread
SSDT 86BA6248 ZwTerminateProcess
SSDT 86BC6578 ZwTerminateThread
SSDT 86BC5640 ZwUnmapViewOfSection
SSDT 86BC34A8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 350 81EF4914 8 Bytes [40, DC, BC, 86, 20, DD, BC, ...] {INC EAX; FDIVR QWORD [ESI+EAX*4-0x794322e0]}
.text ntkrnlpa.exe!KeSetTimerEx + 364 81EF4928 4 Bytes [78, 35, BC, 86]
.text ntkrnlpa.exe!KeSetTimerEx + 3F4 81EF49B8 4 Bytes [98, 3A, B0, 86]
.text ntkrnlpa.exe!KeSetTimerEx + 428 81EF49EC 4 Bytes [A0, D9, BC, 86]
.text ntkrnlpa.exe!KeSetTimerEx + 454 81EF4A18 4 Bytes [A0, 62, B9, 86]
.text ...

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[5644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [741D7BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[5644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [742198C5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[5644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [741DD3C8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[5644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [741CF527] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[5644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [741D7599] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[5644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [741CE43D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[5644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [7420B33D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[5644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [741DD68A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[5644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [741D012E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[5644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [741D0095] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[5644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [741C71F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[5644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7425D802] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[5644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [741F75E1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[5644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [741CDAE1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[5644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [741C668F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[5644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [741C66BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[5644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [741D1E45] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR

---- Files - GMER 1.0.15 ----

File C:\Windows\CSC\v2.0.6 0 bytes
File C:\Windows\CSC\v2.0.6\namespace 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\don 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\don\$RECYCLE.BIN 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\don\Adobe 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\don\desktop.ini 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\don\Elegance Music.docx 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\don\Elegance Music.pdf 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\don\My Documents 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\don\My Documents\$RECYCLE.BIN 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\don\My Documents\$RECYCLE.BIN\desktop.ini 129 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\don\My Documents\desktop.ini 402 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\don\My Documents\My Music 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\don\My Documents\My Music\$RECYCLE.BIN 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\don\My Documents\My Music\$RECYCLE.BIN\desktop.ini 129 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\don\My Documents\My Music\desktop.ini 668 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\don\My Documents\My Music\Sample Music.lnk 571 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\don\My Documents\My Pictures 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\don\My Documents\My Pictures\$RECYCLE.BIN 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\don\My Documents\My Pictures\$RECYCLE.BIN\desktop.ini 129 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\don\My Documents\My Pictures\desktop.ini 674 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\don\My Documents\My Pictures\Sample Pictures.lnk 593 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\don\My Documents\My Received Files 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\don\My Documents\My Sharing Folders.lnk 356 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\don\My Documents\My Videos 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\don\My Documents\My Videos\$RECYCLE.BIN 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\don\My Documents\My Videos\$RECYCLE.BIN\desktop.ini 129 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\don\My Documents\My Videos\desktop.ini 670 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\don\My Documents\My Videos\Sample Videos.lnk 579 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\don\Thumbs.db 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\don\Updater5 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\My Data Sources 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\Adobe 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\AdobeStockPhotos 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\C21 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\chicago_affiliate_benefits.jpg 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\Chicago_terms_conditions.jpg 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\Copy of Default.rdp 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\Default.rdp 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\IDX-A123_stuff 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\leadmailbox integration guide 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\My Computer.lnk 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\My Documents 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\My Documents\$RECYCLE.BIN 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\My Documents\$RECYCLE.BIN\desktop.ini 129 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\My Documents\desktop.ini 552 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\My Documents\My Music 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\My Documents\My Music\$RECYCLE.BIN 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\My Documents\My Music\$RECYCLE.BIN\desktop.ini 129 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\My Documents\My Music\desktop.ini 808 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\My Documents\My Music\Sample Music.lnk 631 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\My Documents\My Pictures 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\My Documents\My Pictures\$RECYCLE.BIN 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\My Documents\My Pictures\$RECYCLE.BIN\desktop.ini 129 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\My Documents\My Pictures\desktop.ini 820 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\My Documents\My Pictures\Sample Pictures.lnk 665 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\My Documents\My Pictures.lnk 459 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\My Documents\My Videos 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\My Documents\My Videos\$RECYCLE.BIN 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\My Documents\My Videos\$RECYCLE.BIN\desktop.ini 129 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\My Documents\My Videos\desktop.ini 664 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\My Documents\My Videos\Sample Videos.lnk 583 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\My Music 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\My Pictures 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\My Received Files 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\My Sharing Folders.lnk 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\My Stationery 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\My Videos 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\My Virtual Machines 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\My Widgets 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\newpass.txt 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\Outlook PST 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\phone_buttons.ntl 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\RECYCLER 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\salesforce_input_10_18_06 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\Sandicor.com features.xls 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\sites_changed.xlsx 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\socal_logins.txt 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\Version Cue 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\john\Websites 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\My Music 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\AdobeStockPhotos 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\Agent123 Help Center Revisions 14How to edit a Manual Custom Page.doc 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\Book1.csv 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\Default.rdp 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\desktop.ini 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\Dowkey-2009contract.pdf 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\eFax Messenger 4.3 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\fox 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\images 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\MasterPasswords.xlsx 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\My Documents 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\My Documents\$RECYCLE.BIN 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\My Documents\$RECYCLE.BIN\desktop.ini 129 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\My Documents\desktop.ini 402 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\My Documents\My Music 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\My Documents\My Music\$RECYCLE.BIN 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\My Documents\My Music\$RECYCLE.BIN\desktop.ini 129 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\My Documents\My Music\desktop.ini 668 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\My Documents\My Music\Sample Music.lnk 571 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\My Documents\My Pictures 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\My Documents\My Pictures\$RECYCLE.BIN 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\My Documents\My Pictures\$RECYCLE.BIN\desktop.ini 129 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\My Documents\My Pictures\desktop.ini 674 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\My Documents\My Pictures\Sample Pictures.lnk 593 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\My Documents\My Videos 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\My Documents\My Videos\$RECYCLE.BIN 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\My Documents\My Videos\$RECYCLE.BIN\desktop.ini 129 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\My Documents\My Videos\desktop.ini 670 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\My Documents\My Videos\Sample Videos.lnk 579 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\My Fragments 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\My Pictures 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\My Received Files 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\My Sharing Folders.lnk 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\My Videos 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\Outlook PST 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\RECYCLER 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\Thumbs.db 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\Updater5 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\Version Cue 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\justin\websites 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\$RECYCLE.BIN 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\$RECYCLE.BIN\desktop.ini 129 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\AdobeStockPhotos 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\AdobeStockPhotos\Downloaded Comps 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\AdobeStockPhotos\Previous Searches 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\AdobeStockPhotos\Purchased Images 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\desktop.ini 402 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\Fax 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\Fax\Drafts 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\Fax\Drafts\desktop.ini 81 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\Fax\Inbox 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\Fax\Inbox\desktop.ini 81 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\Fax\Inbox\WelcomeFax.tif 89534 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\Fax\Personal CoverPages 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\Fax\Personal CoverPages\desktop.ini 83 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Data Sources 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Data Sources\+Connect to New Data Source.odc 190 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Data Sources\+New SQL Server Connection.odc 196 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Data Sources\DATACONN.HTC 28734 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Data Sources\DESKTOP.INI 70 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Data Sources\FOLDER.ICO 4710 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\desktop.ini 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\My Pictures 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\My Pictures\Desktop.ini 107 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\My Pictures\Sample Pictures.lnk 587 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\Process Credit Cards in QuickBooks.url 206 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Collection Letters 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Collection Letters\Formal collection for job.doc 23040 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Collection Letters\Formal collection.doc 23040 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Collection Letters\Friendly collection for job.doc 38400 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Collection Letters\Friendly collection.doc 58368 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Collection Letters\Harsh collection for job.doc 58368 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Collection Letters\Harsh collection.doc 61952 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Customer Letters 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Customer Letters\Accept credit app.doc 38912 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Customer Letters\Blank customer letter.doc 37888 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Customer Letters\Bounced check.doc 39936 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Customer Letters\Contract transmittal.doc 38400 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Customer Letters\Customer apology.doc 39424 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Customer Letters\Customer birthday.doc 54272 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Customer Letters\Deny credit app.doc 38400 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Customer Letters\Fax to customer.doc 26112 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Customer Letters\Inactive customer.doc 38912 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Customer Letters\Thanks for business (product).doc 40960 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Customer Letters\Thanks for business (service).doc 47616 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Employee Letters 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Employee Letters\Blank employee letter.doc 42496 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Employee Letters\Employee birthday.doc 55808 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Employee Letters\Memo.doc 51200 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Employee Letters\Sick time.doc 37888 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Employee Letters\Vacation accrued.doc 34816 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Estimate Letters 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Estimate Letters\Estimate Cover Letter.doc 24576 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Estimate Letters\Estimate Letter with Details.doc 25088 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Estimate Letters\Window Envelope Estimate Cover Letter.doc 25088 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Estimate Letters\Window Envelope Estimate Letter with Details.doc 25600 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Invoice Letters 0 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Invoice Letters\Cover Letter.doc 21504 bytes
File C:\Windows\CSC\v2.0.6\namespace\server\Users\melissa\My Documents\My Documents\QuickBooks\QB\QuickBooks Letter Templates\Invoice Letters\Invoice Letter with Details.doc 22016 bytes

---- EOF - GMER 1.0.15 ----

#8 Jat90

Posted 13 April 2009 - 10:16 AM

Hello,

Gmer found no rootkit(s)

I cannot see any malware in your logs. Though, let's see if MBAM finds anything.

MalwareBytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a USB stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (e.g. Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Let's try a different scan:

Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#9 Jat90

Posted 17 April 2009 - 05:11 AM

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please send me a message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.
