efarch and backdoor.tidserv!inf [Solved] - Geeks to Go Forums

efarch and backdoor.tidserv!inf [Solved]

#1 ph1290

  • Group: Member
  • Posts: 43
  • Joined: 07-July 10

Posted 07 July 2010 - 02:02 PM

Having system issues which seemed to start with the AV Security Suite rogue, which I removed with pctools. I uninstalled pctools. Since then Symantec has been catching zefarch and backdoor.tidserv!inf and has made things a little unstable with freezing up, very slow working, etc. I did run through the cleaning guide and am including my logs.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4288

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

7/7/2010 10:11:53 AM
mbam-log-2010-07-07 (10-11-53).txt

Scan type: Quick scan
Objects scanned: 167296
Time elapsed: 7 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\Natsps.dll (Trojan.Hiloti.Gen) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ypofadotexaqa (Trojan.Hiloti.Gen) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xksbfpcr (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\meqstokm (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xksbfpcr (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\meqstokm (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Natsps.dll (Trojan.Hiloti.Gen) -> Delete on reboot.
C:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.

#2 ph1290

  • Group: Member
  • Posts: 43
  • Joined: 07-July 10

Posted 07 July 2010 - 02:04 PM

Rootkit log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-07 14:53:07
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\harrisap\LOCALS~1\Temp\kxldapog.sys


---- System - GMER 1.0.15 ----

SSDT 8A2FA9F8 ZwAlertResumeThread
SSDT 8A2FABD8 ZwAlertThread
SSDT 8A466FC0 ZwAllocateVirtualMemory
SSDT 8A552558 ZwConnectPort
SSDT 8A2F9B40 ZwCreateMutant
SSDT 8A3B1740 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0x9E9FF350]
SSDT 8A2FA488 ZwFreeVirtualMemory
SSDT 8A50E300 ZwImpersonateAnonymousToken
SSDT 8A2FBAB0 ZwImpersonateThread
SSDT 8A527928 ZwMapViewOfSection
SSDT 8A2FAC40 ZwOpenEvent
SSDT 89DE7220 ZwOpenProcessToken
SSDT 89DFDE70 ZwOpenThreadToken
SSDT 8A3E0668 ZwQueryValueKey
SSDT 89DFDED8 ZwResumeThread
SSDT 89DE8288 ZwSetContextThread
SSDT 8A31BBA8 ZwSetInformationProcess
SSDT 8A3082D8 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0x9E9FF580]
SSDT 8A2F6E70 ZwSuspendProcess
SSDT 89DE6260 ZwSuspendThread
SSDT 8A2FBA48 ZwTerminateProcess
SSDT 8A2FB3F0 ZwTerminateThread
SSDT 8A2FACD0 ZwUnmapViewOfSection
SSDT 8A3245A8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atiide.sys entry point in ".rsrc" section [0xBA672894]
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB497A000, 0x199B48, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[932] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[932] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C5000A
.text C:\WINDOWS\Explorer.EXE[932] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\System32\svchost.exe[1380] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[1380] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1380] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
.text C:\WINDOWS\System32\svchost.exe[1380] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00E3000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device -> \Driver\iastor \Device\Harddisk0\DR0 8A5F7EC5

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\ESQULserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\ESQULserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\ESQULserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\ESQULserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\ESQULserv.sys\modules@ESQULserv
Reg HKLM\SYSTEM\ControlSet001\Services\ESQULserv.sys\modules@ESQULl
Reg HKLM\SYSTEM\ControlSet001\Services\ESQULserv.sys\modules@ESQULclk
Reg HKLM\SYSTEM\ControlSet003\Services\ESQULserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\ESQULserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\ESQULserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\ESQULserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\ESQULserv.sys\modules@ESQULserv
Reg HKLM\SYSTEM\ControlSet003\Services\ESQULserv.sys\modules@ESQULl
Reg HKLM\SYSTEM\ControlSet003\Services\ESQULserv.sys\modules@ESQULclk

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atiide.sys suspicious modification
File C:\WINDOWS\system32\drivers\iastor.sys suspicious modification

---- EOF - GMER 1.0.15 ----

#3 Essexboy

  • Group: GeekU Moderator
  • Posts: 55,545
  • Joined: 31-May 06

Posted 07 July 2010 - 02:15 PM

Hi, let's get to work.

Three programmes to run, which should kill the majority.

Download TDSSKiller and save it to your Desktop.

  • Extract the file and run it.
  • Once completed it will create a log in your C:\ drive
  • Reboot your computer
  • Please post the contents of that log


THEN

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools


  • Double click on ComboFix.exe & follow the prompts.


  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

AND FINALLY

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Check the box that says Scan All Users
  • Under the Custom Scan box paste this in


    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.scr
    %systemroot%\*._sy
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Post both logs

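As an added example, not part of this thread and not code from GMER, TDSSKiller or any other tool mentioned here, the script below triages the two logs the steps above ask for. It pulls the rootkit-relevant lines out of a GMER log (5-byte JMP hooks written into user processes, the disk device object pointing at an unnamed kernel address, and drivers reported as "suspicious modification") and out of a TDSSKiller log (a file whose "Real md5" and "Fake md5" disagree, meaning two read paths returned different bytes for the same file, plus the explicit "infected by TDSS rootkit" line), then reports any file both tools flagged. The regexes are assumptions written against the log formats visible in this thread (GMER 1.0.15, TDSSKiller 2.3.x); the sample input is copied from the logs posted here, and the names `Finding`, `parse_gmer`, `parse_tdsskiller`, `correlate` and `triage` are mine.

```python
"""Triage GMER and TDSSKiller logs for TDSS/TDL3-style rootkit indicators.

Added example for this thread; not code from GMER, TDSSKiller or the forum.
The patterns follow the log formats visible in the posts above (GMER 1.0.15,
TDSSKiller 2.3.x) and are assumptions about those versions only.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# GMER "User code sections": a 5-byte JMP written over an API entry in a
# user process, redirecting it to code outside any loaded module.
RE_GMER_HOOK = re.compile(
    r"^\.text\s+(?P<proc>\S+)\[(?P<pid>\d+)\]\s+(?P<mod>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<n>\d+) Bytes JMP (?P<target>[0-9A-F]{8})$")
# GMER "Files": the driver image on disk does not match what GMER expects.
RE_GMER_FILE = re.compile(r"^File\s+(?P<path>\S+)\s+suspicious modification$")
# GMER "Devices": the disk device object's driver entry points at a bare
# kernel address instead of a named driver image.
RE_GMER_DEV = re.compile(
    r"^Device -> (?P<drv>\\Driver\\\S+)\s+(?P<dev>\S+)\s+(?P<addr>[0-9A-F]{8})$")
# TDSSKiller: two read paths return different bytes for the same file.
RE_TDSS_FORGED = re.compile(
    r"Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: (?P<real>[0-9a-f]{32}), "
    r"Fake md5: (?P<fake>[0-9a-f]{32})")
RE_TDSS_INFECTED = re.compile(r'File "(?P<path>[^"]+)" infected by TDSS rootkit')


@dataclass(frozen=True)
class Finding:
    source: str   # "gmer" or "tdsskiller"
    kind: str     # inline_hook, modified_driver, device_redirect, forged_read, infected_driver
    path: str     # file, device or process the finding is about
    detail: str


def parse_gmer(log: str) -> list[Finding]:
    out: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if m := RE_GMER_HOOK.match(line):
            out.append(Finding("gmer", "inline_hook", f"{m['proc']}[{m['pid']}]",
                               f"{m['mod']}!{m['func']} {m['addr']} -> {m['target']} ({m['n']} bytes)"))
        elif m := RE_GMER_FILE.match(line):
            out.append(Finding("gmer", "modified_driver", m["path"], "suspicious modification"))
        elif m := RE_GMER_DEV.match(line):
            out.append(Finding("gmer", "device_redirect", m["dev"],
                               f"{m['drv']} dispatch at unnamed address {m['addr']}"))
    return out


def parse_tdsskiller(log: str) -> list[Finding]:
    out: list[Finding] = []
    for line in log.splitlines():
        if m := RE_TDSS_FORGED.search(line):
            out.append(Finding("tdsskiller", "forged_read", m["path"],
                               f"real md5 {m['real']} != fake md5 {m['fake']}"))
        if m := RE_TDSS_INFECTED.search(line):
            out.append(Finding("tdsskiller", "infected_driver", m["path"], "infected by TDSS rootkit"))
    return out


def correlate(findings: list[Finding]) -> dict[str, list[Finding]]:
    """Group by case-folded path and keep only paths both tools reported.
    GMER and TDSSKiller reach the disk by different routes, so agreement
    between them is a stronger signal than either alone."""
    by_path: dict[str, list[Finding]] = {}
    for f in findings:
        by_path.setdefault(f.path.lower(), []).append(f)
    return {p: fs for p, fs in by_path.items() if len({f.source for f in fs}) > 1}


def triage(gmer_log: str, tdss_log: str) -> dict:
    findings = parse_gmer(gmer_log) + parse_tdsskiller(tdss_log)
    return {
        "findings": findings,
        "flagged_by_both": sorted(correlate(findings)),
        "hooked_processes": sorted({f.path for f in findings if f.kind == "inline_hook"}),
    }


# Sample input: lines copied from the GMER and TDSSKiller logs posted in this thread.
GMER_SAMPLE = r"""
.text C:\WINDOWS\Explorer.EXE[932] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\System32\svchost.exe[1380] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00E3000A
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
Device -> \Driver\iastor \Device\Harddisk0\DR0 8A5F7EC5
File C:\WINDOWS\system32\drivers\atiide.sys suspicious modification
File C:\WINDOWS\system32\drivers\iastor.sys suspicious modification
"""
TDSS_SAMPLE = r"""
16:38:04:500 2436 atiide (37ba30349e0f7e16951d202a26012143) C:\WINDOWS\system32\Drivers\atiide.sys
16:38:04:500 2436 Suspicious file (Forged): C:\WINDOWS\system32\Drivers\atiide.sys. Real md5: 37ba30349e0f7e16951d202a26012143, Fake md5: 2f2d1266961a242186e12237e18f1d4e
16:38:04:500 2436 File "C:\WINDOWS\system32\Drivers\atiide.sys" infected by TDSS rootkit ... 16:38:04:734 2436 Backup copy not found, trying to cure infected file..
"""

if __name__ == "__main__":
    result = triage(GMER_SAMPLE, TDSS_SAMPLE)
    for f in result["findings"]:
        print(f"[{f.source}] {f.kind:16} {f.path}  {f.detail}")
    print("flagged by both tools:", result["flagged_by_both"])
```

Run against the posted excerpts it lists the two hooked processes, the redirected `\Device\Harddisk0\DR0`, both modified drivers and the forged atiide.sys, and reports atiide.sys as the one file both tools agree on; iastor.sys is flagged by GMER alone, which is why the correlation step is kept separate from the raw findings. Lines that do not match any pattern are ignored, so the Symantec `AttachedDevice` entry produces no finding.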

#4 ph1290

  • Group: Member
  • Posts: 43
  • Joined: 07-July 10

Posted 07 July 2010 - 03:20 PM

TDSS Killer Log

16:38:02:593 2436 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49
16:38:02:593 2436 ================================================================================
16:38:02:593 2436 SystemInfo:

16:38:02:593 2436 OS Version: 5.1.2600 ServicePack: 3.0
16:38:02:593 2436 Product type: Workstation
16:38:02:593 2436 ComputerName: 7-51896
16:38:02:593 2436 UserName: harrisap
16:38:02:593 2436 Windows directory: C:\WINDOWS
16:38:02:593 2436 System windows directory: C:\WINDOWS
16:38:02:593 2436 Processor architecture: Intel x86
16:38:02:593 2436 Number of processors: 2
16:38:02:593 2436 Page size: 0x1000
16:38:02:593 2436 Boot type: Normal boot
16:38:02:593 2436 ================================================================================
16:38:02:781 2436 Initialize success
16:38:02:781 2436
16:38:02:781 2436 Scanning Services ...
16:38:02:843 2436 Raw services enum returned 387 services
16:38:02:859 2436
16:38:02:859 2436 Scanning Drivers ...
16:38:03:859 2436 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
16:38:03:890 2436 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
16:38:03:984 2436 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
16:38:04:062 2436 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
16:38:04:109 2436 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
16:38:04:187 2436 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
16:38:04:234 2436 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
16:38:04:375 2436 ati2mtag (1e980a3848067cc5f5d2212f7f7510d8) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
16:38:04:500 2436 atiide (37ba30349e0f7e16951d202a26012143) C:\WINDOWS\system32\Drivers\atiide.sys
16:38:04:500 2436 Suspicious file (Forged): C:\WINDOWS\system32\Drivers\atiide.sys. Real md5: 37ba30349e0f7e16951d202a26012143, Fake md5: 2f2d1266961a242186e12237e18f1d4e
16:38:04:500 2436 File "C:\WINDOWS\system32\Drivers\atiide.sys" infected by TDSS rootkit ... 16:38:04:734 2436 Backup copy not found, trying to cure infected file..
16:38:04:734 2436 Cure success, using it..
16:38:04:765 2436 will be cured on next reboot
16:38:04:859 2436 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
16:38:04:937 2436 ATSwpWDF (a9f9d1d24441889beb1aa2b917457e23) C:\WINDOWS\system32\Drivers\ATSwpWDF.sys
16:38:04:984 2436 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
16:38:05:031 2436 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
16:38:05:078 2436 BTWUSB (d5af663711660d32ec230c6aaf7b6b83) C:\WINDOWS\system32\Drivers\btwusb.sys
16:38:05:109 2436 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
16:38:05:125 2436 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
16:38:05:171 2436 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
16:38:05:187 2436 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
16:38:05:250 2436 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
16:38:05:328 2436 CnxtHdAudService (74d5c90052e936622e077d94121ec2c9) C:\WINDOWS\system32\drivers\CHDAU32.sys
16:38:05:406 2436 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
16:38:05:453 2436 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
16:38:05:531 2436 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
16:38:05:625 2436 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
16:38:05:640 2436 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
16:38:05:671 2436 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
16:38:05:734 2436 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
16:38:05:796 2436 E1000 (4beb6f44b0dc94af9fb20e97ab7ad47c) C:\WINDOWS\system32\DRIVERS\e1000325.sys
16:38:05:859 2436 e1yexpress (6a738bee58ff3d2f237157082e799de8) C:\WINDOWS\system32\DRIVERS\e1y5132.sys
16:38:05:968 2436 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
16:38:06:000 2436 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
16:38:06:093 2436 f5ipfw (655b4da37044be6f58cd700426b2e242) C:\WINDOWS\system32\drivers\urfltw2k.sys
16:38:06:171 2436 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
16:38:06:187 2436 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
16:38:06:218 2436 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
16:38:06:296 2436 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
16:38:06:312 2436 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
16:38:06:343 2436 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
16:38:06:359 2436 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
16:38:06:375 2436 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
16:38:06:406 2436 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
16:38:06:484 2436 HECI (2df64415a28ce036ac6acec7645a996f) C:\WINDOWS\system32\DRIVERS\HECI.sys
16:38:06:515 2436 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
16:38:06:578 2436 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
16:38:06:625 2436 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
16:38:06:671 2436 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
16:38:06:718 2436 HSFHWAZL (03a51d7d5666df3d4331581b3a3109dc) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
16:38:06:781 2436 HSF_DPV (d92272a376bba4a0ed61f92280d71a10) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
16:38:06:890 2436 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
16:38:06:953 2436 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
16:38:06:984 2436 iastor (baabb0301949774a66b955c65319635a) C:\WINDOWS\system32\Drivers\iaStor.sys
16:38:07:000 2436 IBMPMDRV (6207f110f2530f187bf876012ebec664) C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys
16:38:07:015 2436 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
16:38:07:031 2436 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
16:38:07:062 2436 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
16:38:07:140 2436 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
16:38:07:203 2436 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
16:38:07:218 2436 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
16:38:07:250 2436 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
16:38:07:312 2436 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
16:38:07:328 2436 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
16:38:07:359 2436 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
16:38:07:375 2436 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
16:38:07:390 2436 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
16:38:07:468 2436 klmd23 (316353165feba3d0538eaa9c2f60c5b7) C:\WINDOWS\system32\drivers\klmd.sys
16:38:07:515 2436 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
16:38:07:562 2436 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
16:38:07:640 2436 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
16:38:07:687 2436 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
16:38:07:734 2436 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
16:38:07:781 2436 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
16:38:07:828 2436 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
16:38:07:875 2436 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
16:38:07:906 2436 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
16:38:07:984 2436 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
16:38:08:015 2436 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
16:38:08:062 2436 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
16:38:08:156 2436 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
16:38:08:218 2436 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
16:38:08:250 2436 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
16:38:08:265 2436 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
16:38:08:437 2436 NAVENG (83518e6cc82bdc3c3db0c12d1c9a2275) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100706.004\naveng.sys
16:38:08:515 2436 NAVEX15 (85cf37740fe06c7a2eaa7f6c81f0819c) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100706.004\navex15.sys
16:38:08:609 2436 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
16:38:08:625 2436 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
16:38:08:656 2436 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
16:38:08:671 2436 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
16:38:08:718 2436 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
16:38:08:765 2436 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
16:38:08:812 2436 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
16:38:08:968 2436 NETw5x32 (cfe1981a47a2f7650a1ef8917dc4d1c3) C:\WINDOWS\system32\DRIVERS\NETw5x32.sys
16:38:09:125 2436 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
16:38:09:156 2436 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
16:38:09:203 2436 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
16:38:09:265 2436 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
16:38:09:296 2436 NWADI (0973c0c696780161f4526586d5eac422) C:\WINDOWS\system32\DRIVERS\NWADIenum.sys
16:38:09:359 2436 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
16:38:09:375 2436 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
16:38:09:390 2436 NWUSBCDFIL (1fde5b2d61d97d803594df4b3bc28c4b) C:\WINDOWS\system32\DRIVERS\NwUsbCdFil.sys
16:38:09:453 2436 NWUSBModem (65b471bb7e57c416a1e685ec07d4abfa) C:\WINDOWS\system32\DRIVERS\nwusbmdm.sys
16:38:09:500 2436 NWUSBPort (65b471bb7e57c416a1e685ec07d4abfa) C:\WINDOWS\system32\DRIVERS\nwusbser.sys
16:38:09:531 2436 NWUSBPort2 (65b471bb7e57c416a1e685ec07d4abfa) C:\WINDOWS\system32\DRIVERS\nwusbser2.sys
16:38:09:578 2436 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
16:38:09:625 2436 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
16:38:09:640 2436 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
16:38:09:687 2436 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
16:38:09:734 2436 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
16:38:09:750 2436 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
16:38:09:828 2436 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
16:38:09:953 2436 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
16:38:10:000 2436 prepdrvr (f6c80bd6f2a5c1ccc1c2519f02d99bf2) C:\WINDOWS\system32\CCM\prepdrv.sys
16:38:10:046 2436 psadd (651d3abc1d82d61b6cfb40cb947b3db3) C:\WINDOWS\system32\DRIVERS\psadd.sys
16:38:10:078 2436 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
16:38:10:109 2436 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
16:38:10:171 2436 PxHelp20 (0457e25bb122b854e267cf552dcdc370) C:\WINDOWS\system32\Drivers\PxHelp20.sys
16:38:10:250 2436 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
16:38:10:296 2436 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
16:38:10:328 2436 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
16:38:10:390 2436 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
16:38:10:437 2436 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
16:38:10:468 2436 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
16:38:10:484 2436 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
16:38:10:515 2436 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
16:38:10:546 2436 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
16:38:10:656 2436 SAVRT (12b6e269ef8ac8ea36122544c8a1b6d8) C:\Program Files\Symantec AntiVirus\savrt.sys
16:38:10:656 2436 SAVRTPEL (97e5b6f3f95465e1f59360b59d8ec64e) C:\Program Files\Symantec AntiVirus\Savrtpel.sys
16:38:10:703 2436 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
16:38:10:750 2436 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
16:38:10:796 2436 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
16:38:10:859 2436 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
16:38:11:015 2436 SMSIVZAM5 (1e715247efffdda938c085913045d599) C:\PROGRA~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS
16:38:11:078 2436 SPBBCDrv (60053e9c1fc4f6887c296c19cb825244) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
16:38:11:156 2436 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
16:38:11:203 2436 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
16:38:11:234 2436 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
16:38:11:265 2436 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
16:38:11:296 2436 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
16:38:11:390 2436 SymEvent (49b20b430a4f219173f823536944474a) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
16:38:11:421 2436 SYMREDRV (e919f0922248a826964428f479a3dc24) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
16:38:11:453 2436 SYMTDI (c177d5a655af572c456ec977582b9bc0) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
16:38:11:546 2436 SynTP (820d28f30ac01ce86860a35dcc7bfaab) C:\WINDOWS\system32\DRIVERS\SynTP.sys
16:38:11:593 2436 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
16:38:11:687 2436 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
16:38:11:734 2436 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
16:38:11:765 2436 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
16:38:11:812 2436 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
16:38:11:890 2436 tpm (3724dff72b0f5307cf761cc91c2bb9f7) C:\WINDOWS\system32\DRIVERS\tpm.sys
16:38:11:953 2436 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
16:38:12:000 2436 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
16:38:12:046 2436 urvpndrv (b023b2516339f6a8d054b69f6b996364) C:\WINDOWS\system32\DRIVERS\covpndrv.sys
16:38:12:078 2436 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
16:38:12:093 2436 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
16:38:12:140 2436 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
16:38:12:187 2436 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
16:38:12:250 2436 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
16:38:12:296 2436 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
16:38:12:343 2436 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
16:38:12:375 2436 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
16:38:12:406 2436 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
16:38:12:437 2436 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
16:38:12:484 2436 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
16:38:12:546 2436 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
16:38:12:609 2436 winachsf (ed10a3d367dd5596506022d5e2a3cba0) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
16:38:12:750 2436 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
16:38:12:781 2436 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
16:38:12:828 2436 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
16:38:12:859 2436 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
16:38:12:906 2436 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
16:38:12:906 2436 Reboot required for cure complete..
16:38:13:000 2436 Cure on reboot scheduled successfully
16:38:13:000 2436
16:38:13:000 2436 Completed
16:38:13:000 2436
16:38:13:000 2436 Results:
16:38:13:000 2436 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:38:13:000 2436 File objects infected / cured / cured on reboot: 1 / 0 / 1
16:38:13:000 2436
16:38:13:000 2436 KLMD(ARK) unloaded successfully


*********************
*********************

combofixlog


ComboFix 10-07-06.05 - harrisap 07/07/2010 16:56:06.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3050.2331 [GMT -4:00]
Running from: c:\documents and settings\harrisap\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\icikowomaq.dll
c:\windows\system32\cleanup.exe
c:\windows\winhelp.ini
c:\windows\xpsp1hfm.log

----- BITS: Possible infected sites -----

hxxp://wsus.gabna-ad.local
.
((((((((((((((((((((((((( Files Created from 2010-06-07 to 2010-07-07 )))))))))))))))))))))))))))))))
.

2010-07-07 20:46 . 2010-07-07 20:46 -------- d-----w- c:\documents and settings\harrisap\Local Settings\Application Data\{186FE95C-BF73-4B29-8447-ED6E2D4837EF}
2010-07-07 19:27 . 2010-07-07 19:27 -------- d-----w- c:\documents and settings\harrisap\Local Settings\Application Data\{B4379ACC-5F74-456A-A7EE-ECB02CBD8B7D}
2010-07-07 16:24 . 2010-07-07 16:24 -------- d-----w- c:\documents and settings\harrisap\Local Settings\Application Data\{AE76301C-C986-4B42-8668-AC7A26389266}
2010-07-07 16:15 . 2010-07-07 16:15 -------- d-----w- c:\documents and settings\harrisap\Local Settings\Application Data\{F815F000-7EE3-4952-B739-09F30DAB8CE3}
2010-07-07 15:46 . 2010-07-07 15:46 -------- d-----w- c:\documents and settings\harrisap\Local Settings\Application Data\{8CF5B7FA-F366-49EA-AA98-61AB007901F4}
2010-07-07 15:36 . 2010-07-07 15:36 -------- d-----w- c:\documents and settings\harrisap\Local Settings\Application Data\{3437F035-FDD2-4241-9294-7F0F1BB28DAB}
2010-07-07 15:27 . 2010-07-07 15:27 -------- d-----w- c:\documents and settings\harrisap\Local Settings\Application Data\{588A3060-1F7E-4B99-88A4-3A1C6BA0322E}
2010-07-07 14:02 . 2010-07-07 14:02 -------- d-----w- c:\documents and settings\harrisap\Application Data\Malwarebytes
2010-07-07 14:02 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-07 14:02 . 2010-07-07 14:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-07 14:02 . 2010-07-07 14:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-07 14:02 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-07 13:53 . 2010-07-07 13:53 -------- d-----w- c:\documents and settings\harrisap\Local Settings\Application Data\{8D783363-3AE6-4CDD-B954-3B2301C786C7}
2010-07-07 13:47 . 2010-07-07 13:47 -------- d-----w- c:\documents and settings\harrisap\Local Settings\Application Data\{0A61CEF3-C718-4B50-889F-5D23F129ACCB}
2010-07-07 13:43 . 2010-07-07 13:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\{DE5B9F1B-D5DE-4F59-9D5B-E2CAA777EF01}
2010-07-07 13:42 . 2010-07-07 13:42 -------- d-----w- c:\documents and settings\harrisap\Local Settings\Application Data\{4B5AF1D8-7AA8-4B62-B2F7-6F370DD89CAB}
2010-07-07 11:46 . 2010-07-07 11:46 -------- d-----w- c:\documents and settings\harrisap\Local Settings\Application Data\{95ADF2BD-4B22-46D3-AFE6-4E78ABE2E962}
2010-07-07 11:44 . 2010-07-07 11:44 -------- d-----w- c:\documents and settings\harrisap\Local Settings\Application Data\{6512AF10-2BD9-4242-83CE-3086EA813335}
2010-07-07 11:39 . 2010-07-07 11:39 -------- d-----w- c:\documents and settings\harrisap\Local Settings\Application Data\{CCCB28FC-4068-4917-96E5-3983EF42704B}
2010-07-06 20:32 . 2010-07-06 20:32 -------- d-----w- c:\documents and settings\harrisap\Local Settings\Application Data\{BBD154CF-3450-438A-A1ED-432C3082042C}
2010-07-04 01:29 . 2010-07-04 01:29 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Yahoo
2010-07-03 17:38 . 2010-07-03 17:38 -------- d-----w- c:\program files\ERUNT
2010-07-03 17:28 . 2010-07-03 17:29 -------- d-----w- c:\documents and settings\harrisap\Local Settings\Application Data\{1A8548C6-50F1-463B-9802-225F5F94F67F}
2010-07-03 16:04 . 2010-07-03 16:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\HPAppData
2010-07-03 16:04 . 2010-07-03 16:04 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Yahoo
2010-07-03 16:03 . 2010-07-03 16:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Threat Expert
2010-07-03 16:03 . 2010-07-03 16:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
2010-07-03 16:02 . 2010-07-03 16:02 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\{A19F0325-B322-4DC2-97B2-521B259F25C5}
2010-07-03 13:01 . 2010-07-03 13:01 -------- d-----w- c:\documents and settings\harrisap\Local Settings\Application Data\{9DA59007-FBFE-4153-8AF3-F9C396AC0403}
2010-07-03 12:50 . 2010-07-03 12:50 -------- d-----w- c:\documents and settings\harrisap\Local Settings\Application Data\{2DE55286-1FBD-4B5E-A2FD-A80A0E7026AF}
2010-07-02 18:39 . 2010-07-02 18:39 -------- d-----w- c:\documents and settings\harrisap\Local Settings\Application Data\{656599F9-402B-4ABD-B3DD-B465296C0D22}
2010-07-02 18:36 . 2010-07-02 18:36 -------- d-----w- c:\documents and settings\harrisap\Local Settings\Application Data\{A4423967-0FE1-45A0-A02F-24676A38EC26}
2010-07-02 17:46 . 2010-07-02 17:46 -------- d-----w- c:\documents and settings\harrisap\Local Settings\Application Data\{7F407392-4F54-4B22-B018-7C448707CE31}
2010-07-02 16:22 . 2010-07-07 11:44 0 ----a-w- c:\windows\Pjepezejohera.bin
2010-07-02 16:22 . 2010-07-07 18:56 120 ----a-w- c:\windows\Wbovete.dat
2010-07-02 16:22 . 2010-07-02 16:22 -------- d-----w- c:\documents and settings\harrisap\Local Settings\Application Data\{08B8D53F-FB61-4EC8-8614-ECA2133A48D4}
2010-07-02 16:20 . 2010-07-02 16:31 -------- d-----w- c:\documents and settings\harrisap\Local Settings\Application Data\rkjjhtfvy
2010-07-01 20:25 . 2010-07-01 20:25 -------- d-----w- c:\program files\WebEx
2010-06-27 19:44 . 2010-06-27 19:44 -------- d-----w- c:\documents and settings\harrisap\Local Settings\Application Data\Threat Expert
2010-06-27 19:04 . 2010-07-06 20:23 -------- d-----w- c:\program files\Spyware Doctor
2010-06-27 19:04 . 2010-07-03 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-06-27 00:55 . 2010-06-27 22:23 -------- d-----w- c:\documents and settings\harrisap\Local Settings\Application Data\kybocnbxw
2010-06-12 20:03 . 2010-06-12 20:02 410984 ----a-w- c:\windows\system32\deploytk.dll
2010-06-12 20:02 . 2010-06-13 18:23 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-07 21:01 . 2007-11-15 10:11 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2010-07-07 21:01 . 2007-11-15 19:11 56680 ----a-w- c:\windows\system32\rpcnet.dll
2010-07-07 20:59 . 2007-12-26 14:49 -------- d-----w- c:\program files\Symantec AntiVirus
2010-07-07 20:51 . 2009-06-19 19:54 -------- d-----w- c:\documents and settings\harrisap\Application Data\HPAppData
2010-07-07 20:39 . 2009-05-14 15:37 3456 ----a-w- c:\windows\system32\drivers\atiide.sys
2010-07-07 16:15 . 2007-11-15 16:58 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2010-07-03 17:32 . 2009-07-28 16:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-18 17:41 . 2008-06-02 18:45 -------- d-----w- c:\program files\PROFWS32
2010-06-12 20:02 . 2009-05-13 14:53 -------- d-----w- c:\program files\Java
2010-06-12 20:02 . 2010-06-12 20:02 152576 ----a-w- c:\documents and settings\harrisap\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2010-05-10 02:06 . 2009-07-23 20:39 -------- d-----w- c:\program files\Google
2010-05-04 17:20 . 2004-08-04 05:56 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2004-08-04 05:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2004-08-04 05:56 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2004-08-04 04:17 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-04 05:56 285696 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-11-13 247144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-10-08 125368]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-05-14 1323008]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"pdfFactory Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2009-06-12 606208]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-04-07 1511424]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-06-12 148888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PrintNow.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PrintNow.lnk
backup=c:\windows\pss\PrintNow.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-03 23:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%programfiles%\UltaVnc\winvnc.exe"= %programfiles%\UltaVnc\winvnc.exe:LocalSubNet,192.168.24.0/255.255.255.0,199.231.8.0/255.255.255.0,192.168.151.0/255.255.255.0:enabled:UltraVnc
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqnrs08.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2967:TCP"= 2967:TCP:199.231.8.0/255.255.255.0:Enabled:NAV10.1
"5900:TCP"= 5900:TCP:LocalSubNet,192.168.24.0/255.255.255.0,199.231.8.0/255.255.255.0,192.168.151.0/255.255.255.0:Enabled:UltraVnc-Port
"2967:UDP"= 2967:UDP:199.231.8.0/255.255.255.0:Enabled:NAV9.1
"38293:UDP"= 38293:UDP:199.231.8.0/255.255.255.0:Enabled:NAV9.2
"139:TCP"= 139:TCP:LocalSubNet,199.231.8.0/255.255.255.0,192.168.24.0/255.255.255.0,192.168.151.0/255.255.255.0:Enabled:@xpsp2res.dll,-22004
"445:TCP"= 445:TCP:LocalSubNet,199.231.8.0/255.255.255.0,192.168.24.0/255.255.255.0,192.168.151.0/255.255.255.0:Enabled:@xpsp2res.dll,-22005
"137:UDP"= 137:UDP:LocalSubNet,199.231.8.0/255.255.255.0,192.168.24.0/255.255.255.0,192.168.151.0/255.255.255.0:Enabled:@xpsp2res.dll,-22001
"138:UDP"= 138:UDP:LocalSubNet,199.231.8.0/255.255.255.0,192.168.24.0/255.255.255.0,192.168.151.0/255.255.255.0:Enabled:@xpsp2res.dll,-22002
"3389:TCP"= 3389:TCP:LocalSubnet,192.168.24.0/255.255.255.0,192.168.151.0/255.255.255.0,199.231.8.0/255.255.255.0:Enabled:@xpsp2res.dll,-22009
"2568:TCP"= 2568:TCP:199.231.8.0/255.255.255.0:Enabled:SMS-CliHealth
"2701:TCP"= 2701:TCP:199.231.8.0/255.255.255.0:Enabled:SMS-Ping
"2702:TCP"= 2702:TCP:199.231.8.0/255.255.255.0:Enabled:SMS-RemoteControl
"2703:TCP"= 2703:TCP:199.231.8.0/255.255.255.0:Enabled:SMS-Chat
"2704:TCP"= 2704:TCP:199.231.8.0/255.255.255.0:Enabled:SMS-FileXfr
"9322:TCP"= 9322:TCP:EKDiscovery

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]
"Enabled"= 1 (0x1)
"RemoteAddresses"= *

R0 atiide;ATI SATA Controller IDE mode;c:\windows\system32\drivers\atiide.sys [5/14/2009 11:37 AM 3456]
R2 F5 Networks Component Installer;F5 Networks Component Installer;c:\windows\system32\F5InstallerService.exe [6/4/2008 9:51 AM 262784]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\AiO\Center\KodakSvc.exe [4/17/2009 12:08 PM 32768]
R2 MSSQL$XACTWARE;SQL Server (XACTWARE);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [8/5/2008 5:58 PM 29184016]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/7/2007 9:48 PM 116664]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 7:31 AM 92008]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [5/14/2009 11:41 AM 475520]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [5/14/2009 11:41 AM 243856]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/28/2010 6:45 AM 102448]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [5/14/2009 6:19 PM 33920]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/19/2010 8:59 AM 136176]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKDiscovery.exe [5/4/2009 12:15 PM 279960]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [12/2/2008 12:07 PM 10752]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [7/7/2008 1:23 PM 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [5/9/2008 12:08 PM 174336]
S3 OracleOraHome81ClientCache;OracleOraHome81ClientCache;c:\oracle\ora81\bin\ONRSD.EXE [10/19/2000 12:55 PM 411244]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [3/20/2009 8:03 PM 32408]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-07-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-19 12:59]

2010-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-19 12:59]

2010-06-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2009-07-10 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PCDR5\pcdr5cuiw32.exe [2008-12-12 23:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: adp.com
Trusted Zone: centra.com
Trusted Zone: dhl-usa.com
Trusted Zone: learn.com
Trusted Zone: microsoft.com
Trusted Zone: virtela.net
Trusted Zone: windowsupdate.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {68132570-CED6-11D5-91AE-000039F5040E} - hxxp://www.employeeedge.com/NAVUPDPRJ.CAB
DPF: {E66D35B8-E70D-42A6-B1F5-DB784CB92B15} - file://C:/Program Files/F5 VPN/F5_TMP/urvncx.cab
.
.
------- File Associations -------
.
.txt=
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-CleanUpWindows - c:\windows\system32\cleanup.exe
HKLM-Run-CleanUpUserTemp - c:\windows\system32\cleanup.exe
HKLM-Run-CleanUpCtemp - c:\windows\system32\cleanup.exe
HKLM-Run-Easy Dock - (no file)
HKLM-Run-Smilamikuxi - c:\windows\icikowomaq.dll
SafeBoot-klmdb.sys
MSConfigStartUp-Registry Repair Wizard Scheduler - c:\program files\SmartPCTools\Registry Repair Wizard\RCHelper.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\harrisap\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-07 17:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(992)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3736)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\notes\ntmulti.exe
c:\program files\Visioneer\OneTouch 4.0\OtService.exe
c:\windows\system32\rpcnet.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\windows\system32\msiexec.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2010-07-07 17:09:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-07 21:09

Pre-Run: 102,020,407,296 bytes free
Post-Run: 101,983,793,152 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 61BC8384669EBC0F589DF85D8E70D35A


***************
***************
OTL LOG


OTL logfile created on: 7/7/2010 5:13:35 PM - Run 2
OTL by OldTimer - Version 3.2.7.1 Folder = C:\Documents and Settings\harrisap\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 76.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 95.01 Gb Free Space | 63.74% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: 7-51896
Current User Name: harrisap
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/07/07 15:34:35 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\OTL.exe
PRC - [2009/11/13 07:31:14 | 000,092,008 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
PRC - [2009/11/13 07:31:12 | 000,247,144 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
PRC - [2009/06/08 16:38:17 | 000,056,680 | ---- | M] (Absolute Software Corp.) -- C:\WINDOWS\system32\rpcnet.exe
PRC - [2009/05/14 11:43:12 | 000,118,784 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2009/05/14 11:34:22 | 000,057,344 | ---- | M] () -- C:\WINDOWS\system32\ibmpmsvc.exe
PRC - [2009/04/17 12:08:26 | 000,032,768 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\AiO\Center\KodakSvc.exe
PRC - [2009/04/07 17:27:30 | 001,511,424 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
PRC - [2008/10/20 11:36:40 | 000,028,672 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\System Update\SUService.exe
PRC - [2008/08/05 17:58:52 | 029,184,016 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2008/06/04 09:51:06 | 000,262,784 | ---- | M] (F5 Networks) -- C:\WINDOWS\system32\F5InstallerService.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/04 11:34:20 | 000,487,424 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
PRC - [2008/03/04 11:34:12 | 001,122,304 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
PRC - [2007/12/21 14:30:40 | 000,131,072 | ---- | M] (Visioneer Inc.) -- C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
PRC - [2007/10/07 21:48:40 | 000,125,368 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2007/10/07 21:48:36 | 000,116,664 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe
PRC - [2007/10/07 21:48:32 | 001,822,648 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2007/10/07 21:48:24 | 000,031,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2007/09/26 18:34:46 | 000,644,408 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
PRC - [2007/07/26 20:25:20 | 001,181,016 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
PRC - [2007/05/29 17:33:36 | 000,169,576 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2007/05/29 17:33:26 | 000,192,104 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2007/05/29 17:33:22 | 000,052,840 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2007/02/10 05:29:56 | 000,089,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2005/12/01 08:35:58 | 000,057,393 | ---- | M] (IBM Corp) -- C:\Notes\ntmulti.exe
PRC - [2004/08/04 04:05:00 | 000,570,368 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\CcmExec.exe


========== Modules (SafeList) ==========

MOD - [2010/07/07 15:34:35 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\TFEngine\TFService.exe -- (ThreatFire)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2009/11/13 07:31:14 | 000,092,008 | ---- | M] (TomTom) [Auto | Running] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2009/06/08 16:38:17 | 000,056,680 | ---- | M] (Absolute Software Corp.) [Auto | Running] -- C:\WINDOWS\system32\rpcnet.exe -- (rpcnet) Remote Procedure Call (RPC)
SRV - [2009/05/14 11:34:22 | 000,057,344 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\ibmpmsvc.exe -- (IBMPMSVC)
SRV - [2009/05/04 12:15:26 | 000,279,960 | ---- | M] (Eastman Kodak Company) [Auto | Stopped] -- C:\Program Files\Kodak\AiO\Center\EKDiscovery.exe -- (Kodak AiO Network Discovery Service)
SRV - [2009/04/17 12:08:26 | 000,032,768 | ---- | M] (Eastman Kodak Company) [Auto | Running] -- C:\Program Files\Kodak\AiO\center\KodakSvc.exe -- (KodakSvc)
SRV - [2008/10/20 11:36:40 | 000,028,672 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\System Update\SUService.exe -- (SUService)
SRV - [2008/08/05 17:58:52 | 029,184,016 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$XACTWARE) SQL Server (XACTWARE)
SRV - [2008/06/04 09:51:06 | 000,262,784 | ---- | M] (F5 Networks) [Auto | Running] -- C:\WINDOWS\system32\F5InstallerService.exe -- (F5 Networks Component Installer)
SRV - [2008/03/04 11:34:12 | 001,122,304 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe -- (TVT Scheduler)
SRV - [2007/12/21 14:30:40 | 000,131,072 | ---- | M] (Visioneer Inc.) [Auto | Running] -- C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe -- (OneTouch 4.0 Monitor)
SRV - [2007/10/07 21:48:36 | 000,116,664 | ---- | M] (symantec) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2007/10/07 21:48:32 | 001,822,648 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2007/10/07 21:48:24 | 000,031,160 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2007/09/26 18:34:46 | 000,644,408 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe -- (ThinkVantage Registry Monitor Service)
SRV - [2007/08/28 20:04:25 | 002,999,664 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate)
SRV - [2007/08/27 18:14:00 | 000,214,408 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2007/07/26 20:25:20 | 001,181,016 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2007/05/29 17:33:36 | 000,169,576 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2007/05/29 17:33:26 | 000,192,104 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2007/02/10 09:29:47 | 000,242,544 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2007/02/10 05:29:56 | 000,089,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2005/12/01 08:35:58 | 000,057,393 | ---- | M] (IBM Corp) [Auto | Running] -- C:\Notes\ntmulti.exe -- (Multi-user Cleanup Service)
SRV - [2005/10/14 06:50:19 | 000,045,272 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2004/08/04 04:05:00 | 000,570,368 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)
SRV - [2000/10/19 12:55:50 | 000,411,244 | ---- | M] () [On_Demand | Stopped] -- C:\oracle\ora81\bin\ONRSD.EXE -- (OracleOraHome81ClientCache)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL)
DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\TfSysMon.sys -- (TfSysMon)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\TfNetMon.sys -- (TfNetMon)
DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\TfFsMon.sys -- (TfFsMon)
DRV - File not found [Kernel | On_Demand | Running] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2010/07/07 16:39:50 | 000,003,456 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\atiide.sys -- (atiide)
DRV - [2010/05/27 04:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/05/27 04:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/05/11 04:00:00 | 001,347,504 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100706.004\navex15.sys -- (NAVEX15)
DRV - [2010/05/11 04:00:00 | 000,085,552 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100706.004\naveng.sys -- (NAVENG)
DRV - [2009/10/09 23:15:18 | 000,033,920 | ---- | M] (F5 Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\covpndrv.sys -- (urvpndrv)
DRV - [2009/10/09 23:15:13 | 000,010,752 | ---- | M] (F5 Networks) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\urfltw2k.sys -- (f5ipfw)
DRV - [2009/05/14 11:43:44 | 000,328,728 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\iaStor.sys -- (iastor)
DRV - [2009/05/14 11:43:10 | 000,225,664 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)

#5 Essexboy

  • Group: GeekU Moderator
  • Posts: 55,545
  • Joined: 31-May 06

Posted 07 July 2010 - 03:29 PM

I appear to have lost the bottom half of OTL - could you repost the OTL log please?

#6 ph1290

  • Group: Member
  • Posts: 43
  • Joined: 07-July 10

Posted 07 July 2010 - 03:37 PM

Here you go. I had run an earlier run of OTL before posting. At that time it posted an Extras.txt log. After running TDSSKiller and ComboFix and then running OTL again, I got a new OTL.txt log, but no new Extras.txt log. Do you need to see the old one? Here is the complete OTL.txt log.

OTL logfile created on: 7/7/2010 5:13:35 PM - Run 2
OTL by OldTimer - Version 3.2.7.1 Folder = C:\Documents and Settings\harrisap\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 76.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 95.01 Gb Free Space | 63.74% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: 7-51896
Current User Name: harrisap
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/07/07 15:34:35 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\OTL.exe
PRC - [2009/11/13 07:31:14 | 000,092,008 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
PRC - [2009/11/13 07:31:12 | 000,247,144 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
PRC - [2009/06/08 16:38:17 | 000,056,680 | ---- | M] (Absolute Software Corp.) -- C:\WINDOWS\system32\rpcnet.exe
PRC - [2009/05/14 11:43:12 | 000,118,784 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2009/05/14 11:34:22 | 000,057,344 | ---- | M] () -- C:\WINDOWS\system32\ibmpmsvc.exe
PRC - [2009/04/17 12:08:26 | 000,032,768 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\AiO\Center\KodakSvc.exe
PRC - [2009/04/07 17:27:30 | 001,511,424 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
PRC - [2008/10/20 11:36:40 | 000,028,672 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\System Update\SUService.exe
PRC - [2008/08/05 17:58:52 | 029,184,016 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2008/06/04 09:51:06 | 000,262,784 | ---- | M] (F5 Networks) -- C:\WINDOWS\system32\F5InstallerService.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/04 11:34:20 | 000,487,424 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
PRC - [2008/03/04 11:34:12 | 001,122,304 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
PRC - [2007/12/21 14:30:40 | 000,131,072 | ---- | M] (Visioneer Inc.) -- C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
PRC - [2007/10/07 21:48:40 | 000,125,368 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2007/10/07 21:48:36 | 000,116,664 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe
PRC - [2007/10/07 21:48:32 | 001,822,648 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2007/10/07 21:48:24 | 000,031,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2007/09/26 18:34:46 | 000,644,408 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
PRC - [2007/07/26 20:25:20 | 001,181,016 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
PRC - [2007/05/29 17:33:36 | 000,169,576 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2007/05/29 17:33:26 | 000,192,104 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2007/05/29 17:33:22 | 000,052,840 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2007/02/10 05:29:56 | 000,089,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2005/12/01 08:35:58 | 000,057,393 | ---- | M] (IBM Corp) -- C:\Notes\ntmulti.exe
PRC - [2004/08/04 04:05:00 | 000,570,368 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\CcmExec.exe


========== Modules (SafeList) ==========

MOD - [2010/07/07 15:34:35 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\TFEngine\TFService.exe -- (ThreatFire)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2009/11/13 07:31:14 | 000,092,008 | ---- | M] (TomTom) [Auto | Running] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2009/06/08 16:38:17 | 000,056,680 | ---- | M] (Absolute Software Corp.) [Auto | Running] -- C:\WINDOWS\system32\rpcnet.exe -- (rpcnet) Remote Procedure Call (RPC)
SRV - [2009/05/14 11:34:22 | 000,057,344 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\ibmpmsvc.exe -- (IBMPMSVC)
SRV - [2009/05/04 12:15:26 | 000,279,960 | ---- | M] (Eastman Kodak Company) [Auto | Stopped] -- C:\Program Files\Kodak\AiO\Center\EKDiscovery.exe -- (Kodak AiO Network Discovery Service)
SRV - [2009/04/17 12:08:26 | 000,032,768 | ---- | M] (Eastman Kodak Company) [Auto | Running] -- C:\Program Files\Kodak\AiO\center\KodakSvc.exe -- (KodakSvc)
SRV - [2008/10/20 11:36:40 | 000,028,672 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\System Update\SUService.exe -- (SUService)
SRV - [2008/08/05 17:58:52 | 029,184,016 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$XACTWARE) SQL Server (XACTWARE)
SRV - [2008/06/04 09:51:06 | 000,262,784 | ---- | M] (F5 Networks) [Auto | Running] -- C:\WINDOWS\system32\F5InstallerService.exe -- (F5 Networks Component Installer)
SRV - [2008/03/04 11:34:12 | 001,122,304 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe -- (TVT Scheduler)
SRV - [2007/12/21 14:30:40 | 000,131,072 | ---- | M] (Visioneer Inc.) [Auto | Running] -- C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe -- (OneTouch 4.0 Monitor)
SRV - [2007/10/07 21:48:36 | 000,116,664 | ---- | M] (symantec) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2007/10/07 21:48:32 | 001,822,648 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2007/10/07 21:48:24 | 000,031,160 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2007/09/26 18:34:46 | 000,644,408 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe -- (ThinkVantage Registry Monitor Service)
SRV - [2007/08/28 20:04:25 | 002,999,664 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate)
SRV - [2007/08/27 18:14:00 | 000,214,408 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2007/07/26 20:25:20 | 001,181,016 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2007/05/29 17:33:36 | 000,169,576 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2007/05/29 17:33:26 | 000,192,104 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2007/02/10 09:29:47 | 000,242,544 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2007/02/10 05:29:56 | 000,089,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2005/12/01 08:35:58 | 000,057,393 | ---- | M] (IBM Corp) [Auto | Running] -- C:\Notes\ntmulti.exe -- (Multi-user Cleanup Service)
SRV - [2005/10/14 06:50:19 | 000,045,272 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2004/08/04 04:05:00 | 000,570,368 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)
SRV - [2000/10/19 12:55:50 | 000,411,244 | ---- | M] () [On_Demand | Stopped] -- C:\oracle\ora81\bin\ONRSD.EXE -- (OracleOraHome81ClientCache)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL)
DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\TfSysMon.sys -- (TfSysMon)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\TfNetMon.sys -- (TfNetMon)
DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\TfFsMon.sys -- (TfFsMon)
DRV - File not found [Kernel | On_Demand | Running] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2010/07/07 16:39:50 | 000,003,456 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\atiide.sys -- (atiide)
DRV - [2010/05/27 04:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/05/27 04:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/05/11 04:00:00 | 001,347,504 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100706.004\navex15.sys -- (NAVEX15)
DRV - [2010/05/11 04:00:00 | 000,085,552 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100706.004\naveng.sys -- (NAVENG)
DRV - [2009/10/09 23:15:18 | 000,033,920 | ---- | M] (F5 Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\covpndrv.sys -- (urvpndrv)
DRV - [2009/10/09 23:15:13 | 000,010,752 | ---- | M] (F5 Networks) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\urfltw2k.sys -- (f5ipfw)
DRV - [2009/05/14 11:43:44 | 000,328,728 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\iaStor.sys -- (iastor)
DRV - [2009/05/14 11:43:10 | 000,225,664 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2009/05/14 11:43:09 | 000,985,472 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2009/05/14 11:43:09 | 000,764,416 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CHDAU32.sys -- (CnxtHdAudService)
DRV - [2009/05/14 11:43:09 | 000,210,560 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2009/05/14 11:43:09 | 000,013,824 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tpm.sys -- (tpm)
DRV - [2009/05/14 11:43:08 | 000,731,264 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2009/05/14 11:42:46 | 000,040,832 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel®
DRV - [2009/05/14 11:42:43 | 003,103,232 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2009/05/14 11:41:43 | 003,630,080 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel®
DRV - [2009/05/14 11:41:40 | 000,243,856 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1y5132.sys -- (e1yexpress) Intel®
DRV - [2009/05/14 11:41:37 | 000,047,272 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2009/05/14 11:41:36 | 000,475,520 | ---- | M] (AuthenTec, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ATSwpWDF.sys -- (ATSwpWDF)
DRV - [2009/05/14 11:34:22 | 000,012,944 | ---- | M] (IBM Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ibmpmdrv.sys -- (IBMPMDRV)
DRV - [2009/03/20 20:03:36 | 000,032,408 | ---- | M] (Smith Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Verizon Wireless\VZAccess Manager\SMSIVZAM5.sys -- (SMSIVZAM5)
DRV - [2008/07/07 13:23:56 | 000,020,480 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NwUsbCdFil.sys -- (NWUSBCDFIL)
DRV - [2008/06/02 17:28:50 | 000,222,720 | ---- | M] (Novatel Wireless Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NWADIenum.sys -- (NWADI)
DRV - [2008/05/09 12:08:40 | 000,174,336 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwusbser2.sys -- (NWUSBPort2)
DRV - [2008/05/09 12:08:40 | 000,174,336 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwusbser.sys -- (NWUSBPort)
DRV - [2008/05/09 12:08:40 | 000,174,336 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwusbmdm.sys -- (NWUSBModem)
DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/12/26 10:49:59 | 000,110,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2007/08/27 18:13:36 | 000,189,320 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2007/08/27 18:13:32 | 000,023,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2007/07/26 20:25:18 | 000,400,216 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2007/02/19 01:56:46 | 000,021,376 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)
DRV - [2006/09/06 15:41:20 | 000,337,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2006/09/06 15:41:20 | 000,054,968 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2004/06/27 03:50:00 | 000,013,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\CCM\PrepDrv.sys -- (prepdrvr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577

FF - HKLM\software\mozilla\Firefox\Extensions\\{08B8D53F-FB61-4EC8-8614-ECA2133A48D4}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{08B8D53F-FB61-4EC8-8614-ECA2133A48D4}\ [2010/07/02 12:22:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{7F407392-4F54-4B22-B018-7C448707CE31}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{7F407392-4F54-4B22-B018-7C448707CE31}\ [2010/07/02 13:46:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{A4423967-0FE1-45A0-A02F-24676A38EC26}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{A4423967-0FE1-45A0-A02F-24676A38EC26}\ [2010/07/02 14:36:53 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{656599F9-402B-4ABD-B3DD-B465296C0D22}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{656599F9-402B-4ABD-B3DD-B465296C0D22}\ [2010/07/02 14:39:12 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2DE55286-1FBD-4B5E-A2FD-A80A0E7026AF}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{2DE55286-1FBD-4B5E-A2FD-A80A0E7026AF}\ [2010/07/03 08:50:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{9DA59007-FBFE-4153-8AF3-F9C396AC0403}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{9DA59007-FBFE-4153-8AF3-F9C396AC0403}\ [2010/07/03 09:01:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{A19F0325-B322-4DC2-97B2-521B259F25C5}: C:\Documents and Settings\Administrator\Local Settings\Application Data\{A19F0325-B322-4DC2-97B2-521B259F25C5}\ [2010/07/03 12:02:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{1A8548C6-50F1-463B-9802-225F5F94F67F}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{1A8548C6-50F1-463B-9802-225F5F94F67F}\ [2010/07/03 13:29:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{BBD154CF-3450-438A-A1ED-432C3082042C}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{BBD154CF-3450-438A-A1ED-432C3082042C}\ [2010/07/06 16:32:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{CCCB28FC-4068-4917-96E5-3983EF42704B}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{CCCB28FC-4068-4917-96E5-3983EF42704B}\ [2010/07/07 07:39:00 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{6512AF10-2BD9-4242-83CE-3086EA813335}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{6512AF10-2BD9-4242-83CE-3086EA813335}\ [2010/07/07 07:44:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{95ADF2BD-4B22-46D3-AFE6-4E78ABE2E962}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{95ADF2BD-4B22-46D3-AFE6-4E78ABE2E962}\ [2010/07/07 07:46:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{4B5AF1D8-7AA8-4B62-B2F7-6F370DD89CAB}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{4B5AF1D8-7AA8-4B62-B2F7-6F370DD89CAB}\ [2010/07/07 09:42:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{DE5B9F1B-D5DE-4F59-9D5B-E2CAA777EF01}: C:\Documents and Settings\Administrator\Local Settings\Application Data\{DE5B9F1B-D5DE-4F59-9D5B-E2CAA777EF01}\ [2010/07/07 09:43:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{0A61CEF3-C718-4B50-889F-5D23F129ACCB}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{0A61CEF3-C718-4B50-889F-5D23F129ACCB}\ [2010/07/07 09:47:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{8D783363-3AE6-4CDD-B954-3B2301C786C7}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{8D783363-3AE6-4CDD-B954-3B2301C786C7}\ [2010/07/07 09:53:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{588A3060-1F7E-4B99-88A4-3A1C6BA0322E}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{588A3060-1F7E-4B99-88A4-3A1C6BA0322E}\ [2010/07/07 11:27:14 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3437F035-FDD2-4241-9294-7F0F1BB28DAB}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{3437F035-FDD2-4241-9294-7F0F1BB28DAB}\ [2010/07/07 11:36:41 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{F815F000-7EE3-4952-B739-09F30DAB8CE3}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{F815F000-7EE3-4952-B739-09F30DAB8CE3}\ [2010/07/07 12:15:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{AE76301C-C986-4B42-8668-AC7A26389266}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{AE76301C-C986-4B42-8668-AC7A26389266}\ [2010/07/07 12:24:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{B4379ACC-5F74-456A-A7EE-ECB02CBD8B7D}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{B4379ACC-5F74-456A-A7EE-ECB02CBD8B7D}\ [2010/07/07 15:27:31 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{186FE95C-BF73-4B29-8447-ED6E2D4837EF}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{186FE95C-BF73-4B29-8447-ED6E2D4837EF}\ [2010/07/07 16:46:52 | 000,000,000 | ---D | M]

[2010/04/24 17:44:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\Mozilla\Extensions
[2010/04/24 17:44:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\Mozilla\Extensions\home2@tomtom.com

O1 HOSTS File: ([2010/07/07 17:01:31 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\Hp\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\Hp\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Conime] C:\WINDOWS\system32\conime.exe (Microsoft Corporation)
O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
O4 - HKLM..\Run: [pdfFactory Dispatcher v3] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe (FinePrint Software, LLC)
O4 - HKLM..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014..\Run: [TomTomHOME.exe] C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMBalloonTip = 1
O7 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\Hp\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O15 - HKU\.DEFAULT\..Trusted Domains: adp.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: centra.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: Clientelligent.com ([]* in My Computer)
O15 - HKU\.DEFAULT\..Trusted Domains: dhl-usa.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: employeeedge.com ([]* in My Computer)
O15 - HKU\.DEFAULT\..Trusted Domains: eyeadvisor.com ([]* in My Computer)
O15 - HKU\.DEFAULT\..Trusted Domains: gabrobins.com ([]* in My Computer)
O15 - HKU\.DEFAULT\..Trusted Domains: gabrobinsna.com ([]* in My Computer)
O15 - HKU\.DEFAULT\..Trusted Domains: genesyshcm.com ([]* in My Computer)
O15 - HKU\.DEFAULT\..Trusted Domains: learn.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: mygabr.com ([]* in My Computer)
O15 - HKU\.DEFAULT\..Trusted Domains: virtela.net ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: windowsupdate.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: adp.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: centra.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: Clientelligent.com ([]* in My Computer)
O15 - HKU\S-1-5-18\..Trusted Domains: dhl-usa.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: employeeedge.com ([]* in My Computer)
O15 - HKU\S-1-5-18\..Trusted Domains: eyeadvisor.com ([]* in My Computer)
O15 - HKU\S-1-5-18\..Trusted Domains: gabrobins.com ([]* in My Computer)
O15 - HKU\S-1-5-18\..Trusted Domains: gabrobinsna.com ([]* in My Computer)
O15 - HKU\S-1-5-18\..Trusted Domains: genesyshcm.com ([]* in My Computer)
O15 - HKU\S-1-5-18\..Trusted Domains: learn.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: mygabr.com ([]* in My Computer)
O15 - HKU\S-1-5-18\..Trusted Domains: virtela.net ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: windowsupdate.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: adp.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: centra.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: Clientelligent.com ([]* in My Computer)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: dhl-usa.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: employeeedge.com ([]* in My Computer)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: eyeadvisor.com ([]* in My Computer)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: gabrobins.com ([]* in My Computer)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: gabrobinsna.com ([]* in My Computer)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: genesyshcm.com ([]* in My Computer)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: learn.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: mygabr.com ([]* in My Computer)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: virtela.net ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: windowsupdate.com ([]* in Trusted sites)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.micros...tes/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/pub/shock...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} https://gabrobins1.clnt.virtela.net/vdesk/t...1,2009,1010,313 (F5 Networks VPN Manager)
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} http://www-307.ibm.c...pport/acpir.cab (IASRunner Class)
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} http://uspsy16m.gabr...om/iNotes6W.cab (iNotes6 Class)
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} https://gabrobins1.clnt.virtela.net/vdesk/t...1,2009,1010,310 (F5 Networks Dynamic Application Tunnel Control)
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} https://gabrobins1.clnt.virtela.net/vdesk/t...,2009,1010,0312 (F5 Networks Auto Update)
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} file://C:/Program Files/F5 VPN/F5_TMP/f5InspectionHost.cab (F5 Networks Policy Agent Host Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdat...b?1228492840640 (WUWebControl Class)
O16 - DPF: {68132570-CED6-11D5-91AE-000039F5040E} http://www.employeee...m/NAVUPDPRJ.CAB (NAVUPDPRJ.NAVUPDCTL)
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} https://gabrobins1.clnt.virtela.net/vdesk/t...,2008,0404,2134 (F5 Networks Static Application Tunnel Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1228491044515 (MUWebControl Class)
O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} file://C:/Program Files/F5 VPN/F5_TMP/msrdp.cab (Microsoft RDP Client Control (redist))
O16 - DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} file://C:/Program Files/F5 VPN/F5_TMP/vdeskctrl.cab (F5 Virtual Sandbox Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://javadl-esd.sun.com/update/1.6.0/jin...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab (DDRevision Class)
O16 - DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} https://gabrobins1.clnt.virtela.net/vdesk/t...1,2009,1010,308 (F5 Networks SuperHost Class)
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} https://gabrobins1.clnt.virtela.net/vdesk/t...1,2009,1010,304 (F5 Networks Host Control)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E66D35B8-E70D-42A6-B1F5-DB784CB92B15} file://C:/Program Files/F5 VPN/F5_TMP/urvncx.cab (URVNCX Class)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 97.64.180.150 97.64.168.13
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GABNA-AD.local
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop BackupWallPaper: C:\Documents and Settings\harrisap\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/15 12:50:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: aux - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - C:\WINDOWS\System32\midimap.dll (Microsoft Corporation)
Drivers32: mixer - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.imaadpcm - C:\WINDOWS\System32\imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.msadpcm - C:\WINDOWS\System32\msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msaudio1 - C:\WINDOWS\System32\msaud32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - C:\WINDOWS\System32\msg711.acm (Microsoft Corporation)
Drivers32: msacm.msg723 - C:\WINDOWS\System32\msg723.acm (Microsoft Corporation)
Drivers32: msacm.msgsm610 - C:\WINDOWS\System32\msgsm32.acm (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.I420 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.iyuv - C:\WINDOWS\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.LEAD - LCODCCMP.DLL File not found
Drivers32: vidc.M261 - C:\WINDOWS\System32\msh261.drv (Microsoft Corporation)
Drivers32: vidc.M263 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: VIDC.MP42 - C:\WINDOWS\System32\MPG4C32.DLL (Microsoft Corporation)
Drivers32: VIDC.MPG4 - C:\WINDOWS\System32\MPG4C32.DLL (Microsoft Corporation)
Drivers32: vidc.mrle - C:\WINDOWS\System32\msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - C:\WINDOWS\System32\msvidc32.dll (Microsoft Corporation)
Drivers32: vidc.uyvy - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.XVID - C:\WINDOWS\System32\xvidvfw.dll ()
Drivers32: vidc.yuy2 - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvu9 - C:\WINDOWS\System32\tsbyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvyu - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: wave - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wavemapper - C:\WINDOWS\System32\msacm32.drv (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2010/07/07 16:52:34 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/07/07 16:52:34 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/07/07 16:52:34 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/07/07 16:52:34 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/07/07 16:52:10 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/07/07 16:46:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{186FE95C-BF73-4B29-8447-ED6E2D4837EF}
[2010/07/07 16:37:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\tdsskiller
[2010/07/07 15:34:32 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\OTL.exe
[2010/07/07 15:27:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{B4379ACC-5F74-456A-A7EE-ECB02CBD8B7D}
[2010/07/07 12:24:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{AE76301C-C986-4B42-8668-AC7A26389266}
[2010/07/07 12:15:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{F815F000-7EE3-4952-B739-09F30DAB8CE3}
[2010/07/07 11:46:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{8CF5B7FA-F366-49EA-AA98-61AB007901F4}
[2010/07/07 11:43:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/07/07 11:36:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{3437F035-FDD2-4241-9294-7F0F1BB28DAB}
[2010/07/07 11:27:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{588A3060-1F7E-4B99-88A4-3A1C6BA0322E}
[2010/07/07 10:02:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Application Data\Malwarebytes
[2010/07/07 10:02:37 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/07/07 10:02:36 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/07/07 10:02:36 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/07/07 10:02:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/07/07 10:01:24 | 006,153,384 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\harrisap\Desktop\mbam-setup.exe
[2010/07/07 09:53:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{8D783363-3AE6-4CDD-B954-3B2301C786C7}
[2010/07/07 09:47:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{0A61CEF3-C718-4B50-889F-5D23F129ACCB}
[2010/07/07 09:42:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{4B5AF1D8-7AA8-4B62-B2F7-6F370DD89CAB}
[2010/07/07 09:04:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/07/07 09:04:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/07/07 07:46:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{95ADF2BD-4B22-46D3-AFE6-4E78ABE2E962}
[2010/07/07 07:44:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{6512AF10-2BD9-4242-83CE-3086EA813335}
[2010/07/07 07:39:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{CCCB28FC-4068-4917-96E5-3983EF42704B}
[2010/07/06 16:32:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{BBD154CF-3450-438A-A1ED-432C3082042C}
[2010/07/03 21:29:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Yahoo
[2010/07/03 13:39:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/07/03 13:38:30 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/07/03 13:37:50 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\harrisap\Desktop\erunt_setup.exe
[2010/07/03 13:28:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{1A8548C6-50F1-463B-9802-225F5F94F67F}
[2010/07/03 11:59:12 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\TFC.exe
[2010/07/03 09:01:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{9DA59007-FBFE-4153-8AF3-F9C396AC0403}
[2010/07/03 08:50:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{2DE55286-1FBD-4B5E-A2FD-A80A0E7026AF}
[2010/07/02 14:39:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{656599F9-402B-4ABD-B3DD-B465296C0D22}
[2010/07/02 14:36:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{A4423967-0FE1-45A0-A02F-24676A38EC26}
[2010/07/02 13:46:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{7F407392-4F54-4B22-B018-7C448707CE31}
[2010/07/02 12:22:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{08B8D53F-FB61-4EC8-8614-ECA2133A48D4}
[2010/07/02 12:20:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\rkjjhtfvy
[2010/07/01 16:32:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\My Documents\My Albums
[2010/07/01 16:25:04 | 000,000,000 | ---D | C] -- C:\Program Files\WebEx
[2010/06/28 18:06:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\xact25 data
[2010/06/27 15:44:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\Threat Expert
[2010/06/27 15:10:19 | 001,652,688 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDCore.dll.old
[2010/06/27 15:04:22 | 000,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2010/06/27 15:04:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2010/06/27 15:03:16 | 036,600,008 | ---- | C] (PC Tools ) -- C:\Documents and Settings\harrisap\Desktop\sdasetup.exe
[2010/06/26 20:55:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\kybocnbxw
[2010/06/24 16:20:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\ranger
[2010/06/18 11:04:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\My Documents\PDF files
[2010/06/18 09:09:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\My Documents\Xactimate25 Office Templates
[2010/06/18 08:29:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\My Documents\other folders
[2010/06/12 16:03:13 | 000,410,984 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/06/12 16:03:13 | 000,148,888 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/06/12 16:03:13 | 000,144,792 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/06/12 16:03:13 | 000,144,792 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/06/12 16:03:13 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/06/12 16:02:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee

========== Files - Modified Within 30 Days ==========

[2010/07/07 17:09:00 | 000,000,890 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/07/07 17:05:35 | 000,000,455 | ---- | M] () -- C:\WINDOWS\SMSCFG.ini
[2010/07/07 17:04:40 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/07 17:01:48 | 000,017,408 | ---- | M] () -- C:\WINDOWS\System32\rpcnetp.exe
[2010/07/07 17:01:45 | 000,056,680 | ---- | M] (Absolute Software Corp.) -- C:\WINDOWS\System32\rpcnet.dll
[2010/07/07 17:01:43 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/07/07 17:01:31 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/07/07 17:01:23 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/07/07 17:01:15 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/07 17:01:14 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/07 16:59:49 | 006,029,312 | -H-- | M] () -- C:\Documents and Settings\harrisap\ntuser.dat
[2010/07/07 16:59:49 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\harrisap\ntuser.ini
[2010/07/07 16:49:45 | 003,728,027 | R--- | M] () -- C:\Documents and Settings\harrisap\Desktop\ComboFix.exe
[2010/07/07 16:39:50 | 000,003,456 | ---- | M] () -- C:\WINDOWS\System32\drivers\atiide.sys
[2010/07/07 16:37:12 | 000,981,780 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\tdsskiller.zip
[2010/07/07 15:34:35 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\OTL.exe
[2010/07/07 14:56:50 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Wbovete.dat
[2010/07/07 12:15:40 | 000,017,408 | ---- | M] () -- C:\WINDOWS\System32\rpcnetp.dll
[2010/07/07 11:30:38 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\gmer.zip
[2010/07/07 10:13:33 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\harrisap\My Documents\Malwarebyteslog.doc
[2010/07/07 10:02:39 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/07 10:01:24 | 006,153,384 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\harrisap\Desktop\mbam-setup.exe
[2010/07/07 07:44:28 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Pjepezejohera.bin
[2010/07/06 16:59:33 | 000,171,171 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\expense76.pdf
[2010/07/06 16:58:29 | 001,043,073 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\expe 004.jpg
[2010/07/06 16:57:59 | 001,023,142 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\expe 003.jpg
[2010/07/06 16:57:32 | 001,055,982 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\expe 002.jpg
[2010/07/06 16:35:24 | 000,000,238 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Virtella SSL.url
[2010/07/06 16:23:21 | 000,152,384 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/07/06 10:40:30 | 000,000,732 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.bak
[2010/07/06 08:32:12 | 000,032,747 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\APP.doc
[2010/07/03 13:38:31 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\NTREGOPT.lnk
[2010/07/03 13:38:31 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\ERUNT.lnk
[2010/07/03 13:37:53 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\harrisap\Desktop\erunt_setup.exe
[2010/07/03 11:59:15 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\TFC.exe
[2010/07/02 06:32:55 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/07/02 06:25:22 | 000,569,786 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/07/02 06:25:22 | 000,489,682 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/07/02 06:25:22 | 000,089,502 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/07/01 22:09:04 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/06/30 00:05:59 | 004,844,096 | -H-- | M] () -- C:\Documents and Settings\harrisap\Local Settings\Application Data\IconCache.db
[2010/06/29 09:24:32 | 001,519,151 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\UPWARD FLAG FOOTBALL.pdf
[2010/06/28 19:16:33 | 000,001,862 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Xactimate 25.lnk
[2010/06/28 18:04:31 | 051,193,881 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\25.4.256.35490_Update.exe
[2010/06/27 15:03:16 | 036,600,008 | ---- | M] (PC Tools ) -- C:\Documents and Settings\harrisap\Desktop\sdasetup.exe
[2010/06/26 22:57:35 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\harrisap\Desktop\~$lendar.doc
[2010/06/25 23:26:50 | 000,049,664 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\calendar.doc
[2010/06/24 16:49:12 | 000,464,115 | ---- | M] () -- C:\Documents and Settings\harrisap\My Documents\InterContinental Hotels Group Your Reservation Confirmation.mht
[2010/06/23 15:38:58 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\harrisap\My Documents\44155.doc
[2010/06/18 02:07:00 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/06/16 14:47:46 | 000,163,647 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\HO3_sample.pdf
[2010/06/16 12:28:03 | 000,002,219 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\GAB SSL.lnk
[2010/06/12 16:02:59 | 000,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/06/12 16:02:59 | 000,144,792 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/06/12 16:02:58 | 000,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/06/12 16:02:58 | 000,144,792 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/06/12 16:02:58 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/06/11 08:57:29 | 000,052,224 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\LETTERHEAD.doc
[2010/06/09 20:30:39 | 000,014,999 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\www.martindale.com_print_sbs.aspx.pdf

========== Files Created - No Company Name ==========

[2010/07/07 16:52:34 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/07/07 16:52:34 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/07/07 16:52:34 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/07/07 16:52:34 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/07/07 16:52:34 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/07/07 16:49:39 | 003,728,027 | R--- | C] () -- C:\Documents and Settings\harrisap\Desktop\ComboFix.exe
[2010/07/07 16:36:57 | 000,981,780 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\tdsskiller.zip
[2010/07/07 11:30:34 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\gmer.zip
[2010/07/07 10:13:32 | 000,026,112 | ---- | C] () -- C:\Documents and Settings\harrisap\My Documents\Malwarebyteslog.doc
[2010/07/07 10:02:39 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/06 16:59:32 | 000,171,171 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\expense76.pdf
[2010/07/06 16:57:59 | 001,043,073 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\expe 004.jpg
[2010/07/06 16:57:32 | 001,023,142 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\expe 003.jpg
[2010/07/06 16:57:04 | 001,055,982 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\expe 002.jpg
[2010/07/03 13:38:31 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\NTREGOPT.lnk
[2010/07/03 13:38:31 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\ERUNT.lnk
[2010/07/02 12:22:55 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Pjepezejohera.bin
[2010/07/02 12:22:54 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Wbovete.dat
[2010/06/29 09:24:32 | 001,519,151 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\UPWARD FLAG FOOTBALL.pdf
[2010/06/28 18:04:28 | 051,193,881 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\25.4.256.35490_Update.exe
[2010/06/27 15:10:20 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll.old
[2010/06/26 22:57:35 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\harrisap\Desktop\~$lendar.doc
[2010/06/24 16:49:12 | 000,464,115 | ---- | C] () -- C:\Documents and Settings\harrisap\My Documents\InterContinental Hotels Group Your Reservation Confirmation.mht
[2010/06/23 15:38:57 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\harrisap\My Documents\44155.doc
[2010/06/16 14:47:46 | 000,163,647 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\HO3_sample.pdf
[2010/06/11 08:57:29 | 000,052,224 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\LETTERHEAD.doc
[2010/06/09 20:30:39 | 000,014,999 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\www.martindale.com_print_sbs.aspx.pdf
[2010/02/22 22:18:36 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2010/02/22 22:18:36 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/12/17 06:48:09 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\DM510.dll
[2009/08/30 22:46:45 | 000,012,800 | ---- | C] () -- C:\WINDOWS\System32\EKDeviceServices.dll
[2009/05/14 11:37:14 | 000,003,456 | ---- | C] () -- C:\WINDOWS\System32\drivers\atiide.sys
[2009/05/14 11:34:22 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\tpinspm.dll
[2008/03/18 11:58:05 | 000,000,058 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2007/12/26 12:18:32 | 000,000,455 | ---- | C] () -- C:\WINDOWS\SMSCFG.ini
[2007/11/28 15:39:06 | 000,000,029 | ---- | C] () -- C:\WINDOWS\vdialer.INI
[2007/11/28 12:12:51 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2007/11/16 15:23:19 | 000,003,981 | ---- | C] () -- C:\WINDOWS\RDSWIN.INI
[2007/11/16 12:47:22 | 000,000,033 | ---- | C] () -- C:\WINDOWS\WDTCPCON.INI
[2007/11/16 12:32:18 | 000,003,635 | ---- | C] () -- C:\WINDOWS\~WDINS.INI
[2007/11/16 10:06:19 | 000,000,555 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/11/15 12:58:54 | 000,017,408 | ---- | C] () -- C:\WINDOWS\System32\rpcnetp.dll
[2006/01/26 16:42:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/06/17 01:53:02 | 000,000,702 | ---- | C] () -- C:\WINDOWS\Cm3.ini
[2001/07/07 03:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[1999/07/30 09:24:34 | 000,000,218 | ---- | C] () -- C:\WINDOWS\oraodbc.ini

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2007/11/15 12:50:08 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2007/11/15 13:43:43 | 000,000,211 | RHS- | M] () -- C:\BOOT.BAK
[2009/05/27 22:07:00 | 000,000,282 | RHS- | M] () -- C:\boot.ini
[2004/08/04 00:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
[2010/07/07 17:09:39 | 000,021,663 | ---- | M] () -- C:\ComboFix.txt
[2007/11/15 12:50:08 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/02/03 16:05:05 | 000,000,512 | ---- | M] () -- C:\Disk1.txt
[2007/09/10 10:46:02 | 005,251,072 | ---- | M] (AutoDWG) -- C:\DWG2ImageX.dll
[2009/09/30 13:42:38 | 000,001,296 | ---- | M] () -- C:\EasyCD Ripper_log.txt
[2010/04/09 08:10:53 | 000,006,016 | ---- | M] () -- C:\EZ Dock_log.txt
[2007/11/15 12:50:08 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2009/08/12 09:37:25 | 000,044,894 | ---- | M] () -- C:\java.txt
[2007/09/10 10:46:02 | 000,995,383 | ---- | M] (Microsoft Corporation) -- C:\MFC42.DLL
[2007/11/15 12:50:08 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/03 23:38:34 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/12/02 13:53:41 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2009/07/27 14:36:51 | 000,262,144 | ---- | M] () -- C:\ntuser.dat
[2009/07/27 14:36:51 | 000,001,024 | -H-- | M] () -- C:\ntuser.dat.LOG
[2010/07/07 17:01:04 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
[2009/10/19 21:23:10 | 000,003,888 | ---- | M] () -- C:\Player Library_log.txt
[2009/10/19 21:21:47 | 000,005,184 | ---- | M] () -- C:\Player Loader_log.txt
[2010/07/07 16:38:13 | 000,040,758 | ---- | M] () -- C:\TDSSKiller.2.3.2.2_07.07.2010_16.38.02_log.txt

< %systemroot%\system32\*.wt >

< %systemroot%\system32\*.ruy >

< %systemroot%\Fonts\*.com >
[2006/04/18 16:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 15:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 16:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 15:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >
[2006/02/19 03:28:56 | 000,012,288 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\WINDOWS\Fonts\RandFont.dll

< %systemroot%\Fonts\*.ini >
[2007/11/15 12:49:40 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\system32\spool\prtprocs\w32x86\*.tmp >

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2009/04/07 17:25:30 | 000,192,512 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\EKIJ5000PPR.dll
[2008/07/06 08:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2006/02/09 15:43:24 | 000,074,240 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpzpp054.dll
[2007/10/20 18:21:50 | 000,278,016 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpzpp5mu.dll

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2007/11/15 06:11:12 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2007/11/15 06:11:12 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2007/11/15 06:11:12 | 000,888,832 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\user32.dll /md5 >
[2008/04/13 20:12:08 | 000,578,560 | ---- | M] (Microsoft Corporation) MD5=B26B135FF1B9F60C9388B4A7D16F600B -- C:\WINDOWS\system32\user32.dll

< %systemroot%\system32\ws2_32.dll /md5 >
[2008/04/13 20:12:10 | 000,082,432 | ---- | M] (Microsoft Corporation) MD5=2CCC474EB85CEAA3E1FA1726580A3E5A -- C:\WINDOWS\system32\ws2_32.dll

< %systemroot%\system32\ws2help.dll /md5 >
[2008/04/13 20:12:10 | 000,019,968 | ---- | M] (Microsoft Corporation) MD5=9789E95E1D88EEB4B922BF3EA7779C28 -- C:\WINDOWS\system32\ws2help.dll

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
"AutoInstallMinorUpdate" = 1
"LastWaitTimeout" = =-
"NoAutoUpdate" = 0
"AUOptions" = 4
"ScheduledInstallDay" = 0
"ScheduledInstallTime" = 5
"UseWUServer" = 1
"RescheduleWaitTimeEnabled" = 1
"RescheduleWaitTime" = 1
"NoAutoRebootWithLoggedOnUsers" = 1
"DetectionFrequencyEnabled" = 1
"DetectionFrequency" = 4
"AutoInstallMinorUpdates" = 1
"RebootWarningTimeoutEnabled" = 1
"RebootWarningTimeout" = 5
"AUPowerManagement" = 1
"NoAUAsDefaultShutdownOption" = 1
"NoAUShutdownOption" = 1
"RebootRelaunchTimeoutEnabled" = 1
"RebootRelaunchTimeout" = 10

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-07-03 12:55:51

========== Alternate Data Streams ==========

@Alternate Data Stream - 159 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 148 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:ECF54A0E
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >
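
The entries a helper ends up removing from a listing like the one above are usually the same kinds of thing: random-named lowercase folders created under Local Settings\Application Data, and tiny data files with no company name dropped straight into C:\WINDOWS. As an added example (not code from this thread, from the poster, or from OldTimer's OTL), the script below parses OTL's "[date | size | attrs | C] (Company) -- path" lines, applies those two heuristics, and drafts an OTL Custom Scans/Fixes block in the format the thread uses. The heuristics and their thresholds are assumptions tuned to this log; the sample lines are copied from the listing above, and the :Commands part simply repeats the commands seen in this thread.

```python
"""Triage an OTL "Files/Folders Created" listing and draft an OTL fix.

Added example for this thread; it is not code from Geeks to Go, the poster,
or OldTimer's OTL.  The two heuristics are assumptions tuned to the log:
  * random-looking all-lowercase folder names directly under
    Local Settings\\Application Data (rkjjhtfvy, kybocnbxw), and
  * tiny .dat/.bin files with no company name dropped straight into
    %SystemRoot% (Wbovete.dat, Pjepezejohera.bin).
No-company tools that ComboFix itself drops into %SystemRoot% (PEV.exe,
sed.exe, ...) are deliberately not matched: they are .exe and not tiny.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One OTL line: [date time | size | attrs | C-or-M] (Company) -- path
# Folder lines carry no "(Company)" field, hence the optional group.
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
LOCAL_APPDATA = re.compile(r"\\Local Settings\\Application Data\\([^\\]+)$", re.I)
VOWELS = set("aeiou")

# Sample input: lines copied verbatim from the OTL log in this thread.
SAMPLE_LOG = r"""
[2010/07/07 16:52:34 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/07/07 16:52:34 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/07/07 12:15:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{F815F000-7EE3-4952-B739-09F30DAB8CE3}
[2010/07/07 10:02:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Application Data\Malwarebytes
[2010/07/02 12:22:55 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Pjepezejohera.bin
[2010/07/02 12:22:54 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Wbovete.dat
[2010/07/02 12:20:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\rkjjhtfvy
[2010/06/27 15:44:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\Threat Expert
[2010/06/26 20:55:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\kybocnbxw
[2008/03/18 11:58:05 | 000,000,058 | ---- | C] () -- C:\WINDOWS\WININIT.INI
"""


@dataclass
class Entry:
    raw: str
    timestamp: str
    size: int
    attrs: str
    company: Optional[str]   # None for folders, "" for files with no company
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.endswith("D")


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an OTL file/folder line, or None for anything else."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    return Entry(line.strip(), m["ts"], int(m["size"].replace(",", "")),
                 m["attrs"], m["company"], m["path"])


def looks_random(name: str, min_len: int = 8, max_vowel_ratio: float = 0.25) -> bool:
    """Assumed heuristic: long, all-lowercase alphabetic, almost no vowels."""
    if len(name) < min_len or not name.isalpha() or not name.islower():
        return False
    vowels = sum(1 for c in name if c in VOWELS)
    return vowels / len(name) <= max_vowel_ratio


def suspicious(entry: Entry) -> Optional[str]:
    """Reason string if the entry matches one of the heuristics, else None."""
    if entry.is_dir:
        m = LOCAL_APPDATA.search(entry.path)
        if m and looks_random(m.group(1)):
            return "random-named folder under Local Settings\\Application Data"
        return None
    parent, _, name = entry.path.rpartition("\\")
    if (parent.lower() == r"c:\windows" and entry.company == ""
            and entry.size < 1024 and name.lower().endswith((".dat", ".bin"))):
        return "tiny no-company .dat/.bin dropped in %SystemRoot%"
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """(path, reason) for every flagged line, in log order."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            reason = suspicious(entry)
            if reason:
                hits.append((entry.path, reason))
    return hits


def draft_otl_fix(log_text: str) -> str:
    """Build an OTL Custom Scans/Fixes script in the form this thread uses.

    OTL accepts the raw log lines in the :OTL section; the :Commands block
    repeats the commands used in the thread (hosts reset, temp purge, reboot).
    """
    otl_lines = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and suspicious(entry):
            otl_lines.append(entry.raw)
    return "\n".join([":OTL", *otl_lines, "", ":Commands", "[resethosts]",
                      "[purity]", "[emptytemp]", "[EMPTYFLASH]", "[Reboot]"])


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {path}")
    print()
    print(draft_otl_fix(SAMPLE_LOG))
```

Run as-is it flags exactly the four entries a helper would pick out of this log (the two tiny files in C:\WINDOWS and the two random-named folders) and leaves the GUID-named folders, the vendor-signed tools and ComboFix's own PEV.exe alone. Treat the output as a shortlist for a human, not as an automatic fix: a vowel-ratio check will occasionally hit a legitimate short product name, so read each line before pasting it into OTL.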

#7 Essexboy

  • Group: GeekU Moderator
  • Posts: 55,545
  • Joined: 31-May 06

Posted 07 July 2010 - 03:46 PM

Looks nearly done :) A couple of strays to kill, then a sweep for orphans. Once these runs are done, can you let me know of any problems remaining?

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    [2010/07/02 12:20:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\rkjjhtfvy
    [2010/07/07 14:56:50 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Wbovete.dat
    [2010/07/07 07:44:28 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Pjepezejohera.bin
    
    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.


THEN

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
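
The [resethosts] command in the fix above replaces drivers\etc\hosts with a default one; the OTL log earlier in the thread lists a 27-byte hosts next to a 732-byte hosts.bak, which is why the file is worth reading before and after a reset. As an added example (not code from this thread or from OTL), the script below parses a hosts file and reports every mapping a stock file would not carry: loopback sinkholes of non-local names, with a hypothetical watch-list for update and AV domains, and redirections to non-loopback addresses. The hosts content and the watched suffixes are constructed for illustration.

```python
"""Audit a Windows hosts file for entries a default file would not have.

Added example, not from the thread or from OTL.  The watch-list and the
sample hosts content below are constructed for illustration.
"""
import ipaddress
from typing import List, Tuple

# Names that legitimately map to loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}
# Hypothetical watch-list: suffixes whose sinkholing blocks AV updates or
# Windows Update, a classic trick; extend for your own environment.
WATCHED_SUFFIXES = ("av-vendor.example", "windowsupdate.com", "microsoft.com")

# Constructed sample: the default loopback pair plus two planted entries.
SAMPLE_HOSTS = """\
# hosts file (constructed sample, not the one from the thread)
127.0.0.1       localhost
::1             localhost
127.0.0.1       liveupdate.av-vendor.example   # AV updates sinkholed
203.0.113.10    online.bank.example            # redirected elsewhere
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; comments and blank lines are dropped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()          # one IP, one or more names per line
        pairs.extend((ip, n) for n in names)
    return pairs


def audit_hosts(text: str) -> List[Tuple[str, str, str]]:
    """(ip, host, verdict) for every entry that is not a stock loopback mapping."""
    findings = []
    for ip, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, host, "unparseable address"))
            continue
        is_local_name = host.lower() in LOCAL_NAMES
        if addr.is_loopback and is_local_name:
            continue                        # what a reset leaves behind
        if addr.is_loopback:
            verdict = "sinkholed to loopback"
            if host.lower().endswith(WATCHED_SUFFIXES):
                verdict += " (watched domain)"
        elif is_local_name:
            verdict = "localhost hijacked to " + ip
        else:
            verdict = "redirected to non-local address " + ip
        findings.append((ip, host, verdict))
    return findings


if __name__ == "__main__":
    for ip, host, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"{host:35} {verdict}")
```

Point it at C:\WINDOWS\system32\drivers\etc\hosts (and at hosts.bak) by reading the file into audit_hosts; an empty result is what you want to see after [resethosts]. A long list of vendor or update domains mapped to 127.0.0.1 is the signature of a rogue antivirus or downloader locking the machine out of help, and it is also a reason a Windows Update or LiveUpdate run keeps failing after the malware itself is gone.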

#8 ph1290

  • Group: Member
  • Posts: 43
  • Joined: 07-July 10

Posted 07 July 2010 - 04:34 PM

OTL fixed log

All processes killed
========== OTL ==========
C:\Documents and Settings\harrisap\Local Settings\Application Data\rkjjhtfvy folder moved successfully.
C:\WINDOWS\Wbovete.dat moved successfully.
C:\WINDOWS\Pjepezejohera.bin moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: forms

User: GABguest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: GABuser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: harrisap
->Temp folder emptied: 40292 bytes
->Temporary Internet Files folder emptied: 4682727 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 2263 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 7517 bytes

User: smithd
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3678 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 5.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: forms

User: GABguest
->Flash cache emptied: 0 bytes

User: GABuser
->Flash cache emptied: 0 bytes

User: harrisap
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

User: smithd
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.7.1 log created on 07072010_180309

Files\Folders moved on Reboot...
C:\Documents and Settings\harrisap\Local Settings\Temp\~DFB5FF.tmp moved successfully.
C:\Documents and Settings\harrisap\Local Settings\Temporary Internet Files\Content.IE5\ZJE0JDC7\blank[1].htm moved successfully.
C:\Documents and Settings\harrisap\Local Settings\Temporary Internet Files\Content.IE5\ZJE0JDC7\blank[2].htm moved successfully.
C:\Documents and Settings\harrisap\Local Settings\Temporary Internet Files\Content.IE5\PD7LH3MO\st[1] moved successfully.
C:\Documents and Settings\harrisap\Local Settings\Temporary Internet Files\Content.IE5\PD7LH3MO\yahoo_com[1].htm moved successfully.
C:\Documents and Settings\harrisap\Local Settings\Temporary Internet Files\Content.IE5\O3EN5MUT\fc[1].htm moved successfully.
C:\Documents and Settings\harrisap\Local Settings\Temporary Internet Files\Content.IE5\O3EN5MUT\launch[1].htm moved successfully.
C:\Documents and Settings\harrisap\Local Settings\Temporary Internet Files\Content.IE5\680B1I4O\blank[1].htm moved successfully.
C:\Documents and Settings\harrisap\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.

Registry entries deleted on Reboot...


OTL log

OTL logfile created on: 7/7/2010 6:08:53 PM - Run 3
OTL by OldTimer - Version 3.2.7.1 Folder = C:\Documents and Settings\harrisap\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 75.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 95.46 Gb Free Space | 64.05% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: 7-51896
Current User Name: harrisap
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/07/07 15:34:35 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\OTL.exe
PRC - [2009/11/13 07:31:14 | 000,092,008 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
PRC - [2009/11/13 07:31:12 | 000,247,144 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
PRC - [2009/06/08 16:38:17 | 000,056,680 | ---- | M] (Absolute Software Corp.) -- C:\WINDOWS\system32\rpcnet.exe
PRC - [2009/05/14 11:43:12 | 000,118,784 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2009/05/14 11:34:22 | 000,057,344 | ---- | M] () -- C:\WINDOWS\system32\ibmpmsvc.exe
PRC - [2009/04/17 12:08:26 | 000,032,768 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\AiO\Center\KodakSvc.exe
PRC - [2009/04/07 17:27:30 | 001,511,424 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
PRC - [2008/10/20 11:36:40 | 000,028,672 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\System Update\SUService.exe
PRC - [2008/08/05 17:58:52 | 029,184,016 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2008/06/04 09:51:06 | 000,262,784 | ---- | M] (F5 Networks) -- C:\WINDOWS\system32\F5InstallerService.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/04 11:34:20 | 000,487,424 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
PRC - [2008/03/04 11:34:12 | 001,122,304 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
PRC - [2007/12/21 14:30:40 | 000,131,072 | ---- | M] (Visioneer Inc.) -- C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
PRC - [2007/10/07 21:48:40 | 000,125,368 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2007/10/07 21:48:36 | 000,116,664 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe
PRC - [2007/10/07 21:48:32 | 001,822,648 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2007/10/07 21:48:24 | 000,031,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2007/09/26 18:34:46 | 000,644,408 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
PRC - [2007/07/26 20:25:20 | 001,181,016 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
PRC - [2007/05/29 17:33:36 | 000,169,576 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2007/05/29 17:33:26 | 000,192,104 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2007/05/29 17:33:22 | 000,052,840 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2007/02/10 05:29:56 | 000,089,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2005/12/01 08:35:58 | 000,057,393 | ---- | M] (IBM Corp) -- C:\Notes\ntmulti.exe
PRC - [2004/08/04 04:05:00 | 000,570,368 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\CcmExec.exe


========== Modules (SafeList) ==========

MOD - [2010/07/07 15:34:35 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\TFEngine\TFService.exe -- (ThreatFire)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2009/11/13 07:31:14 | 000,092,008 | ---- | M] (TomTom) [Auto | Running] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2009/06/08 16:38:17 | 000,056,680 | ---- | M] (Absolute Software Corp.) [Auto | Running] -- C:\WINDOWS\system32\rpcnet.exe -- (rpcnet) Remote Procedure Call (RPC)
SRV - [2009/05/14 11:34:22 | 000,057,344 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\ibmpmsvc.exe -- (IBMPMSVC)
SRV - [2009/05/04 12:15:26 | 000,279,960 | ---- | M] (Eastman Kodak Company) [Auto | Stopped] -- C:\Program Files\Kodak\AiO\Center\EKDiscovery.exe -- (Kodak AiO Network Discovery Service)
SRV - [2009/04/17 12:08:26 | 000,032,768 | ---- | M] (Eastman Kodak Company) [Auto | Running] -- C:\Program Files\Kodak\AiO\center\KodakSvc.exe -- (KodakSvc)
SRV - [2008/10/20 11:36:40 | 000,028,672 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\System Update\SUService.exe -- (SUService)
SRV - [2008/08/05 17:58:52 | 029,184,016 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$XACTWARE) SQL Server (XACTWARE)
SRV - [2008/06/04 09:51:06 | 000,262,784 | ---- | M] (F5 Networks) [Auto | Running] -- C:\WINDOWS\system32\F5InstallerService.exe -- (F5 Networks Component Installer)
SRV - [2008/03/04 11:34:12 | 001,122,304 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe -- (TVT Scheduler)
SRV - [2007/12/21 14:30:40 | 000,131,072 | ---- | M] (Visioneer Inc.) [Auto | Running] -- C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe -- (OneTouch 4.0 Monitor)
SRV - [2007/10/07 21:48:36 | 000,116,664 | ---- | M] (symantec) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2007/10/07 21:48:32 | 001,822,648 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2007/10/07 21:48:24 | 000,031,160 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2007/09/26 18:34:46 | 000,644,408 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe -- (ThinkVantage Registry Monitor Service)
SRV - [2007/08/28 20:04:25 | 002,999,664 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate)
SRV - [2007/08/27 18:14:00 | 000,214,408 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2007/07/26 20:25:20 | 001,181,016 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2007/05/29 17:33:36 | 000,169,576 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2007/05/29 17:33:26 | 000,192,104 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2007/02/10 09:29:47 | 000,242,544 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2007/02/10 05:29:56 | 000,089,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2005/12/01 08:35:58 | 000,057,393 | ---- | M] (IBM Corp) [Auto | Running] -- C:\Notes\ntmulti.exe -- (Multi-user Cleanup Service)
SRV - [2005/10/14 06:50:19 | 000,045,272 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2004/08/04 04:05:00 | 000,570,368 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)
SRV - [2000/10/19 12:55:50 | 000,411,244 | ---- | M] () [On_Demand | Stopped] -- C:\oracle\ora81\bin\ONRSD.EXE -- (OracleOraHome81ClientCache)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL)
DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\TfSysMon.sys -- (TfSysMon)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\TfNetMon.sys -- (TfNetMon)
DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\TfFsMon.sys -- (TfFsMon)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2010/07/07 16:39:50 | 000,003,456 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\atiide.sys -- (atiide)
DRV - [2010/05/27 04:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/05/27 04:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/05/11 04:00:00 | 001,347,504 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100706.004\navex15.sys -- (NAVEX15)
DRV - [2010/05/11 04:00:00 | 000,085,552 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100706.004\naveng.sys -- (NAVENG)
DRV - [2009/10/09 23:15:18 | 000,033,920 | ---- | M] (F5 Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\covpndrv.sys -- (urvpndrv)
DRV - [2009/10/09 23:15:13 | 000,010,752 | ---- | M] (F5 Networks) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\urfltw2k.sys -- (f5ipfw)
DRV - [2009/05/14 11:43:44 | 000,328,728 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\iaStor.sys -- (iastor)
DRV - [2009/05/14 11:43:10 | 000,225,664 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2009/05/14 11:43:09 | 000,985,472 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2009/05/14 11:43:09 | 000,764,416 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CHDAU32.sys -- (CnxtHdAudService)
DRV - [2009/05/14 11:43:09 | 000,210,560 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2009/05/14 11:43:09 | 000,013,824 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tpm.sys -- (tpm)
DRV - [2009/05/14 11:43:08 | 000,731,264 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2009/05/14 11:42:46 | 000,040,832 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel®
DRV - [2009/05/14 11:42:43 | 003,103,232 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2009/05/14 11:41:43 | 003,630,080 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel®
DRV - [2009/05/14 11:41:40 | 000,243,856 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1y5132.sys -- (e1yexpress) Intel®
DRV - [2009/05/14 11:41:37 | 000,047,272 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2009/05/14 11:41:36 | 000,475,520 | ---- | M] (AuthenTec, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ATSwpWDF.sys -- (ATSwpWDF)
DRV - [2009/05/14 11:34:22 | 000,012,944 | ---- | M] (IBM Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ibmpmdrv.sys -- (IBMPMDRV)
DRV - [2009/03/20 20:03:36 | 000,032,408 | ---- | M] (Smith Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Verizon Wireless\VZAccess Manager\SMSIVZAM5.sys -- (SMSIVZAM5)
DRV - [2008/07/07 13:23:56 | 000,020,480 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NwUsbCdFil.sys -- (NWUSBCDFIL)
DRV - [2008/06/02 17:28:50 | 000,222,720 | ---- | M] (Novatel Wireless Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NWADIenum.sys -- (NWADI)
DRV - [2008/05/09 12:08:40 | 000,174,336 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwusbser2.sys -- (NWUSBPort2)
DRV - [2008/05/09 12:08:40 | 000,174,336 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwusbser.sys -- (NWUSBPort)
DRV - [2008/05/09 12:08:40 | 000,174,336 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwusbmdm.sys -- (NWUSBModem)
DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/12/26 10:49:59 | 000,110,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2007/08/27 18:13:36 | 000,189,320 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2007/08/27 18:13:32 | 000,023,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2007/07/26 20:25:18 | 000,400,216 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2007/02/19 01:56:46 | 000,021,376 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)
DRV - [2006/09/06 15:41:20 | 000,337,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2006/09/06 15:41:20 | 000,054,968 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2004/06/27 03:50:00 | 000,013,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\CCM\PrepDrv.sys -- (prepdrvr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577

FF - HKLM\software\mozilla\Firefox\Extensions\\{08B8D53F-FB61-4EC8-8614-ECA2133A48D4}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{08B8D53F-FB61-4EC8-8614-ECA2133A48D4}\ [2010/07/02 12:22:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{7F407392-4F54-4B22-B018-7C448707CE31}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{7F407392-4F54-4B22-B018-7C448707CE31}\ [2010/07/02 13:46:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{A4423967-0FE1-45A0-A02F-24676A38EC26}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{A4423967-0FE1-45A0-A02F-24676A38EC26}\ [2010/07/02 14:36:53 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{656599F9-402B-4ABD-B3DD-B465296C0D22}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{656599F9-402B-4ABD-B3DD-B465296C0D22}\ [2010/07/02 14:39:12 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2DE55286-1FBD-4B5E-A2FD-A80A0E7026AF}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{2DE55286-1FBD-4B5E-A2FD-A80A0E7026AF}\ [2010/07/03 08:50:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{9DA59007-FBFE-4153-8AF3-F9C396AC0403}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{9DA59007-FBFE-4153-8AF3-F9C396AC0403}\ [2010/07/03 09:01:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{A19F0325-B322-4DC2-97B2-521B259F25C5}: C:\Documents and Settings\Administrator\Local Settings\Application Data\{A19F0325-B322-4DC2-97B2-521B259F25C5}\ [2010/07/03 12:02:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{1A8548C6-50F1-463B-9802-225F5F94F67F}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{1A8548C6-50F1-463B-9802-225F5F94F67F}\ [2010/07/03 13:29:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{BBD154CF-3450-438A-A1ED-432C3082042C}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{BBD154CF-3450-438A-A1ED-432C3082042C}\ [2010/07/06 16:32:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{CCCB28FC-4068-4917-96E5-3983EF42704B}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{CCCB28FC-4068-4917-96E5-3983EF42704B}\ [2010/07/07 07:39:00 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{6512AF10-2BD9-4242-83CE-3086EA813335}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{6512AF10-2BD9-4242-83CE-3086EA813335}\ [2010/07/07 07:44:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{95ADF2BD-4B22-46D3-AFE6-4E78ABE2E962}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{95ADF2BD-4B22-46D3-AFE6-4E78ABE2E962}\ [2010/07/07 07:46:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{4B5AF1D8-7AA8-4B62-B2F7-6F370DD89CAB}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{4B5AF1D8-7AA8-4B62-B2F7-6F370DD89CAB}\ [2010/07/07 09:42:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{DE5B9F1B-D5DE-4F59-9D5B-E2CAA777EF01}: C:\Documents and Settings\Administrator\Local Settings\Application Data\{DE5B9F1B-D5DE-4F59-9D5B-E2CAA777EF01}\ [2010/07/07 09:43:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{0A61CEF3-C718-4B50-889F-5D23F129ACCB}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{0A61CEF3-C718-4B50-889F-5D23F129ACCB}\ [2010/07/07 09:47:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{8D783363-3AE6-4CDD-B954-3B2301C786C7}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{8D783363-3AE6-4CDD-B954-3B2301C786C7}\ [2010/07/07 09:53:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{588A3060-1F7E-4B99-88A4-3A1C6BA0322E}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{588A3060-1F7E-4B99-88A4-3A1C6BA0322E}\ [2010/07/07 11:27:14 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3437F035-FDD2-4241-9294-7F0F1BB28DAB}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{3437F035-FDD2-4241-9294-7F0F1BB28DAB}\ [2010/07/07 11:36:41 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{F815F000-7EE3-4952-B739-09F30DAB8CE3}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{F815F000-7EE3-4952-B739-09F30DAB8CE3}\ [2010/07/07 12:15:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{AE76301C-C986-4B42-8668-AC7A26389266}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{AE76301C-C986-4B42-8668-AC7A26389266}\ [2010/07/07 12:24:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{B4379ACC-5F74-456A-A7EE-ECB02CBD8B7D}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{B4379ACC-5F74-456A-A7EE-ECB02CBD8B7D}\ [2010/07/07 15:27:31 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{186FE95C-BF73-4B29-8447-ED6E2D4837EF}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{186FE95C-BF73-4B29-8447-ED6E2D4837EF}\ [2010/07/07 16:46:52 | 000,000,000 | ---D | M]

[2010/04/24 17:44:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\Mozilla\Extensions
[2010/04/24 17:44:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\Mozilla\Extensions\home2@tomtom.com

O1 HOSTS File: ([2010/07/07 18:03:12 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\Hp\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\Hp\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Conime] C:\WINDOWS\system32\conime.exe (Microsoft Corporation)
O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
O4 - HKLM..\Run: [pdfFactory Dispatcher v3] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe (FinePrint Software, LLC)
O4 - HKLM..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKCU..\Run: [TomTomHOME.exe] C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMBalloonTip = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\Hp\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O15 - HKCU\..Trusted Domains: adp.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: centra.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: Clientelligent.com ([]* in My Computer)
O15 - HKCU\..Trusted Domains: dhl-usa.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: employeeedge.com ([]* in My Computer)
O15 - HKCU\..Trusted Domains: eyeadvisor.com ([]* in My Computer)
O15 - HKCU\..Trusted Domains: gabrobins.com ([]* in My Computer)
O15 - HKCU\..Trusted Domains: gabrobinsna.com ([]* in My Computer)
O15 - HKCU\..Trusted Domains: genesyshcm.com ([]* in My Computer)
O15 - HKCU\..Trusted Domains: learn.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: mygabr.com ([]* in My Computer)
O15 - HKCU\..Trusted Domains: virtela.net ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: windowsupdate.com ([]* in Trusted sites)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.micros...tes/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/pub/shock...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} https://gabrobins1.clnt.virtela.net/vdesk/t...1,2009,1010,313 (F5 Networks VPN Manager)
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} http://www-307.ibm.c...pport/acpir.cab (IASRunner Class)
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} http://uspsy16m.gabr...om/iNotes6W.cab (iNotes6 Class)
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} https://gabrobins1.clnt.virtela.net/vdesk/t...1,2009,1010,310 (F5 Networks Dynamic Application Tunnel Control)
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} https://gabrobins1.clnt.virtela.net/vdesk/t...,2009,1010,0312 (F5 Networks Auto Update)
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} file://C:/Program Files/F5 VPN/F5_TMP/f5InspectionHost.cab (F5 Networks Policy Agent Host Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdat...b?1228492840640 (WUWebControl Class)
O16 - DPF: {68132570-CED6-11D5-91AE-000039F5040E} http://www.employeee...m/NAVUPDPRJ.CAB (NAVUPDPRJ.NAVUPDCTL)
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} https://gabrobins1.clnt.virtela.net/vdesk/t...,2008,0404,2134 (F5 Networks Static Application Tunnel Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1228491044515 (MUWebControl Class)
O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} file://C:/Program Files/F5 VPN/F5_TMP/msrdp.cab (Microsoft RDP Client Control (redist))
O16 - DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} file://C:/Program Files/F5 VPN/F5_TMP/vdeskctrl.cab (F5 Virtual Sandbox Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://javadl-esd.sun.com/update/1.6.0/jin...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab (DDRevision Class)
O16 - DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} https://gabrobins1.clnt.virtela.net/vdesk/t...1,2009,1010,308 (F5 Networks SuperHost Class)
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} https://gabrobins1.clnt.virtela.net/vdesk/t...1,2009,1010,304 (F5 Networks Host Control)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E66D35B8-E70D-42A6-B1F5-DB784CB92B15} file://C:/Program Files/F5 VPN/F5_TMP/urvncx.cab (URVNCX Class)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 97.64.180.150 97.64.168.13
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GABNA-AD.local
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop BackupWallPaper: C:\Documents and Settings\harrisap\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/15 12:50:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/07/07 18:03:13 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/07/07 18:03:09 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/07/07 16:52:34 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/07/07 16:52:34 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/07/07 16:52:34 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/07/07 16:52:34 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/07/07 16:52:10 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/07/07 16:46:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{186FE95C-BF73-4B29-8447-ED6E2D4837EF}
[2010/07/07 16:37:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\tdsskiller
[2010/07/07 15:34:32 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\OTL.exe
[2010/07/07 15:27:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{B4379ACC-5F74-456A-A7EE-ECB02CBD8B7D}
[2010/07/07 12:24:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{AE76301C-C986-4B42-8668-AC7A26389266}
[2010/07/07 12:15:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{F815F000-7EE3-4952-B739-09F30DAB8CE3}
[2010/07/07 11:46:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{8CF5B7FA-F366-49EA-AA98-61AB007901F4}
[2010/07/07 11:43:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/07/07 11:36:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{3437F035-FDD2-4241-9294-7F0F1BB28DAB}
[2010/07/07 11:27:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{588A3060-1F7E-4B99-88A4-3A1C6BA0322E}
[2010/07/07 10:02:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Application Data\Malwarebytes
[2010/07/07 10:02:37 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/07/07 10:02:36 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/07/07 10:02:36 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/07/07 10:02:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/07/07 10:01:24 | 006,153,384 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\harrisap\Desktop\mbam-setup.exe
[2010/07/07 09:53:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{8D783363-3AE6-4CDD-B954-3B2301C786C7}
[2010/07/07 09:47:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{0A61CEF3-C718-4B50-889F-5D23F129ACCB}
[2010/07/07 09:42:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{4B5AF1D8-7AA8-4B62-B2F7-6F370DD89CAB}
[2010/07/07 09:04:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/07/07 09:04:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/07/07 07:46:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{95ADF2BD-4B22-46D3-AFE6-4E78ABE2E962}
[2010/07/07 07:44:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{6512AF10-2BD9-4242-83CE-3086EA813335}
[2010/07/07 07:39:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{CCCB28FC-4068-4917-96E5-3983EF42704B}
[2010/07/06 16:32:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{BBD154CF-3450-438A-A1ED-432C3082042C}
[2010/07/03 21:29:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Yahoo
[2010/07/03 13:39:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/07/03 13:38:30 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/07/03 13:37:50 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\harrisap\Desktop\erunt_setup.exe
[2010/07/03 13:28:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{1A8548C6-50F1-463B-9802-225F5F94F67F}
[2010/07/03 11:59:12 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\TFC.exe
[2010/07/03 09:01:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{9DA59007-FBFE-4153-8AF3-F9C396AC0403}
[2010/07/03 08:50:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{2DE55286-1FBD-4B5E-A2FD-A80A0E7026AF}
[2010/07/02 14:39:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{656599F9-402B-4ABD-B3DD-B465296C0D22}
[2010/07/02 14:36:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{A4423967-0FE1-45A0-A02F-24676A38EC26}
[2010/07/02 13:46:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{7F407392-4F54-4B22-B018-7C448707CE31}
[2010/07/02 12:22:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{08B8D53F-FB61-4EC8-8614-ECA2133A48D4}
[2010/07/01 16:32:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\My Documents\My Albums
[2010/07/01 16:25:04 | 000,000,000 | ---D | C] -- C:\Program Files\WebEx
[2010/06/28 18:06:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\xact25 data
[2010/06/27 15:44:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\Threat Expert
[2010/06/27 15:10:19 | 001,652,688 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDCore.dll.old
[2010/06/27 15:04:22 | 000,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2010/06/27 15:04:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2010/06/27 15:03:16 | 036,600,008 | ---- | C] (PC Tools ) -- C:\Documents and Settings\harrisap\Desktop\sdasetup.exe
[2010/06/26 20:55:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\kybocnbxw
[2010/06/24 16:20:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\ranger
[2010/06/18 11:04:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\My Documents\PDF files
[2010/06/18 09:09:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\My Documents\Xactimate25 Office Templates
[2010/06/18 08:29:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\My Documents\other folders
[2010/06/12 16:02:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2010/06/03 09:23:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\leesxing docs
[2010/05/06 09:58:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Application Data\RecoveryFix for Windows
[2010/05/06 09:47:07 | 000,000,000 | ---D | C] -- C:\Program Files\RecoveryFix For Windows(Demo)
[2010/05/06 09:46:32 | 004,172,182 | ---- | C] (Chily Softech Pvt Ltd ) -- C:\Documents and Settings\harrisap\Desktop\recoveryfixwindows.exe
[2010/05/06 09:35:21 | 000,000,000 | ---D | C] -- C:\Program Files\Selkie Rescue 3.6 Demo
[2010/05/06 09:18:50 | 000,000,000 | ---D | C] -- C:\Program Files\PC Inspector File Recovery
[2010/04/25 20:06:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\scanned
[2010/04/24 17:45:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TomTom
[2010/04/24 17:44:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\TomTom
[2010/04/24 17:44:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Application Data\TomTom
[2010/04/24 17:44:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Application Data\Mozilla
[2010/04/24 17:44:44 | 000,000,000 | ---D | C] -- C:\Program Files\TomTom International B.V
[2010/04/24 17:44:30 | 000,000,000 | ---D | C] -- C:\Program Files\TomTom HOME 2
[2010/04/24 17:42:30 | 000,000,000 | ---D | C] -- C:\Program Files\TomTom DesktopSuite
[2010/04/09 13:18:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\fridayfriday

========== Files - Modified Within 90 Days ==========

[2010/07/07 18:09:00 | 000,000,890 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/07/07 18:07:26 | 000,000,455 | ---- | M] () -- C:\WINDOWS\SMSCFG.ini
[2010/07/07 18:07:06 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/07 18:05:24 | 000,017,408 | ---- | M] () -- C:\WINDOWS\System32\rpcnetp.exe
[2010/07/07 18:05:21 | 000,056,680 | ---- | M] (Absolute Software Corp.) -- C:\WINDOWS\System32\rpcnet.dll
[2010/07/07 18:05:08 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/07/07 18:04:57 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/07 18:04:54 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/07 18:03:29 | 006,029,312 | -H-- | M] () -- C:\Documents and Settings\harrisap\ntuser.dat
[2010/07/07 18:03:26 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\harrisap\ntuser.ini
[2010/07/07 18:03:12 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2010/07/07 17:01:43 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/07/07 16:49:45 | 003,728,027 | R--- | M] () -- C:\Documents and Settings\harrisap\Desktop\ComboFix.exe
[2010/07/07 16:39:50 | 000,003,456 | ---- | M] () -- C:\WINDOWS\System32\drivers\atiide.sys
[2010/07/07 16:37:12 | 000,981,780 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\tdsskiller.zip
[2010/07/07 15:34:35 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\OTL.exe
[2010/07/07 12:15:40 | 000,017,408 | ---- | M] () -- C:\WINDOWS\System32\rpcnetp.dll
[2010/07/07 11:30:38 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\gmer.zip
[2010/07/07 10:13:33 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\harrisap\My Documents\Malwarebyteslog.doc
[2010/07/07 10:02:39 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/07 10:01:24 | 006,153,384 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\harrisap\Desktop\mbam-setup.exe
[2010/07/06 16:59:33 | 000,171,171 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\expense76.pdf
[2010/07/06 16:58:29 | 001,043,073 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\expe 004.jpg
[2010/07/06 16:57:59 | 001,023,142 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\expe 003.jpg
[2010/07/06 16:57:32 | 001,055,982 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\expe 002.jpg
[2010/07/06 16:35:24 | 000,000,238 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Virtella SSL.url
[2010/07/06 16:23:21 | 000,152,384 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/07/06 10:40:30 | 000,000,732 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.bak
[2010/07/06 08:32:12 | 000,032,747 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\APP.doc
[2010/07/03 13:38:31 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\NTREGOPT.lnk
[2010/07/03 13:38:31 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\ERUNT.lnk
[2010/07/03 13:37:53 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\harrisap\Desktop\erunt_setup.exe
[2010/07/03 11:59:15 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\TFC.exe
[2010/07/02 06:32:55 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/07/02 06:25:22 | 000,569,786 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/07/02 06:25:22 | 000,489,682 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/07/02 06:25:22 | 000,089,502 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/07/01 22:09:04 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/06/30 00:05:59 | 004,844,096 | -H-- | M] () -- C:\Documents and Settings\harrisap\Local Settings\Application Data\IconCache.db
[2010/06/29 09:24:32 | 001,519,151 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\UPWARD FLAG FOOTBALL.pdf
[2010/06/28 19:16:33 | 000,001,862 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Xactimate 25.lnk
[2010/06/28 18:04:31 | 051,193,881 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\25.4.256.35490_Update.exe
[2010/06/27 15:03:16 | 036,600,008 | ---- | M] (PC Tools ) -- C:\Documents and Settings\harrisap\Desktop\sdasetup.exe
[2010/06/26 22:57:35 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\harrisap\Desktop\~$lendar.doc
[2010/06/25 23:26:50 | 000,049,664 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\calendar.doc
[2010/06/24 16:49:12 | 000,464,115 | ---- | M] () -- C:\Documents and Settings\harrisap\My Documents\InterContinental Hotels Group Your Reservation Confirmation.mht
[2010/06/23 15:38:58 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\harrisap\My Documents\44155.doc
[2010/06/18 02:07:00 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/06/16 14:47:46 | 000,163,647 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\HO3_sample.pdf
[2010/06/16 12:28:03 | 000,002,219 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\GAB SSL.lnk
[2010/06/11 08:57:29 | 000,052,224 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\LETTERHEAD.doc
[2010/06/09 20:30:39 | 000,014,999 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\www.martindale.com_print_sbs.aspx.pdf
[2010/06/01 07:17:57 | 000,013,824 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\budddg.xls
[2010/05/29 02:12:32 | 000,046,447 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\DIARY%2003%2028%202010[1].pdf
[2010/05/19 00:01:10 | 000,033,792 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\photosheet.doc
[2010/05/19 00:00:41 | 000,033,792 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\photosheet.DOT
[2010/05/16 23:51:13 | 000,482,936 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\LAS RegionalBranch Data quality - Manager.xls
[2010/05/09 22:06:40 | 000,001,915 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/05/06 09:47:08 | 000,000,904 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\RecoveryFix For Windows (Demo) .lnk
[2010/05/06 09:46:49 | 004,172,182 | ---- | M] (Chily Softech Pvt Ltd ) -- C:\Documents and Settings\harrisap\Desktop\recoveryfixwindows.exe
[2010/05/06 09:18:50 | 000,001,561 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PC Inspector File Recovery.lnk
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/04/25 18:15:35 | 000,191,007 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\blackhistory 003.jpg
[2010/04/15 11:46:08 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk

========== Files Created - No Company Name ==========

[2010/07/07 16:52:34 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/07/07 16:52:34 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/07/07 16:52:34 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/07/07 16:52:34 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/07/07 16:52:34 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/07/07 16:49:39 | 003,728,027 | R--- | C] () -- C:\Documents and Settings\harrisap\Desktop\ComboFix.exe
[2010/07/07 16:36:57 | 000,981,780 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\tdsskiller.zip
[2010/07/07 11:30:34 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\gmer.zip
[2010/07/07 10:13:32 | 000,026,112 | ---- | C] () -- C:\Documents and Settings\harrisap\My Documents\Malwarebyteslog.doc
[2010/07/07 10:02:39 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/06 16:59:32 | 000,171,171 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\expense76.pdf
[2010/07/06 16:57:59 | 001,043,073 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\expe 004.jpg
[2010/07/06 16:57:32 | 001,023,142 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\expe 003.jpg
[2010/07/06 16:57:04 | 001,055,982 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\expe 002.jpg
[2010/07/03 13:38:31 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\NTREGOPT.lnk
[2010/07/03 13:38:31 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\ERUNT.lnk
[2010/06/29 09:24:32 | 001,519,151 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\UPWARD FLAG FOOTBALL.pdf
[2010/06/28 18:04:28 | 051,193,881 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\25.4.256.35490_Update.exe
[2010/06/27 15:10:20 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll.old
[2010/06/26 22:57:35 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\harrisap\Desktop\~$lendar.doc
[2010/06/24 16:49:12 | 000,464,115 | ---- | C] () -- C:\Documents and Settings\harrisap\My Documents\InterContinental Hotels Group Your Reservation Confirmation.mht
[2010/06/23 15:38:57 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\harrisap\My Documents\44155.doc
[2010/06/16 14:47:46 | 000,163,647 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\HO3_sample.pdf
[2010/06/11 08:57:29 | 000,052,224 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\LETTERHEAD.doc
[2010/06/09 20:30:39 | 000,014,999 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\www.martindale.com_print_sbs.aspx.pdf
[2010/05/31 20:09:29 | 000,013,824 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\budddg.xls
[2010/05/19 00:01:10 | 000,033,792 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\photosheet.doc
[2010/05/19 00:00:41 | 000,033,792 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\photosheet.DOT
[2010/05/16 23:51:13 | 000,482,936 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\LAS RegionalBranch Data quality - Manager.xls
[2010/05/09 22:06:40 | 000,001,915 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/05/06 09:47:08 | 000,000,904 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\RecoveryFix For Windows (Demo) .lnk
[2010/05/06 09:18:51 | 000,006,200 | ---- | C] () -- C:\WINDOWS\System32\INT13EXT.VXD
[2010/05/06 09:18:50 | 000,001,561 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PC Inspector File Recovery.lnk
[2010/05/04 01:47:22 | 000,049,664 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\calendar.doc
[2010/04/25 18:15:22 | 000,191,007 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\blackhistory 003.jpg
[2010/04/19 08:59:59 | 000,000,890 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/19 08:59:59 | 000,000,886 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/02/22 22:18:36 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2010/02/22 22:18:36 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/12/17 06:48:09 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\DM510.dll
[2009/08/30 22:46:45 | 000,012,800 | ---- | C] () -- C:\WINDOWS\System32\EKDeviceServices.dll
[2009/05/14 11:37:14 | 000,003,456 | ---- | C] () -- C:\WINDOWS\System32\drivers\atiide.sys
[2009/05/14 11:34:22 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\tpinspm.dll
[2008/03/18 11:58:05 | 000,000,058 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2007/12/26 12:18:32 | 000,000,455 | ---- | C] () -- C:\WINDOWS\SMSCFG.ini
[2007/11/28 15:39:06 | 000,000,029 | ---- | C] () -- C:\WINDOWS\vdialer.INI
[2007/11/28 12:12:51 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2007/11/16 15:23:19 | 000,003,981 | ---- | C] () -- C:\WINDOWS\RDSWIN.INI
[2007/11/16 12:47:22 | 000,000,033 | ---- | C] () -- C:\WINDOWS\WDTCPCON.INI
[2007/11/16 12:32:18 | 000,003,635 | ---- | C] () -- C:\WINDOWS\~WDINS.INI
[2007/11/16 10:06:19 | 000,000,555 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/11/15 12:58:54 | 000,017,408 | ---- | C] () -- C:\WINDOWS\System32\rpcnetp.dll
[2006/01/26 16:42:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/06/17 01:53:02 | 000,000,702 | ---- | C] () -- C:\WINDOWS\Cm3.ini
[2001/07/07 03:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[1999/07/30 09:24:34 | 000,000,218 | ---- | C] () -- C:\WINDOWS\oraodbc.ini

========== LOP Check ==========

[2009/09/12 08:38:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverCure
[2009/08/30 22:47:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Eastman Kodak Company
[2009/09/01 20:02:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\kds_kodak
[2009/09/10 22:38:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2009/09/10 22:35:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2008/03/18 11:22:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC-Doctor
[2009/03/06 09:23:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCDr
[2010/07/03 13:32:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/04/24 17:45:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TomTom
[2009/06/12 11:27:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Xactware
[2010/02/14 10:18:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/01/29 14:17:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2009/09/10 22:38:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\DriverCure
[2008/12/02 12:08:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\F5 Networks
[2008/03/18 12:00:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\Leadertech
[2009/12/17 06:48:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\LinkManager 4.0
[2010/05/06 09:58:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\RecoveryFix for Windows
[2009/08/31 14:38:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\Temp
[2010/04/24 17:44:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\TomTom
[2010/06/18 02:07:00 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2009/07/10 07:00:36 | 000,000,436 | ---- | M] () -- C:\WINDOWS\Tasks\PCDoctorBackgroundMonitorTask.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 159 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 148 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:ECF54A0E
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >



mbam log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4288

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

7/7/2010 6:21:19 PM
mbam-log-2010-07-07 (18-21-19).txt

Scan type: Quick scan
Objects scanned: 165565
Time elapsed: 5 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 ph1290

  • Group: Member
  • Posts: 43
  • Joined: 07-July 10

Posted 08 July 2010 - 10:31 AM

Still getting the backdoor Tidserv thing. I noted the file location per Symantec:

C:\System Volume Information\_restore{21F2B3A7-1002-4290-ACB5-6182A2031AEC}\RP271\A0054421.sys

I don't know if that helps or not. The computer seems to be running better, but as noted, the Tidserv thing keeps getting detected.

#10 Essexboy

  • Group: GeekU Moderator
  • Posts: 55,545
  • Joined: 31-May 06

Posted 08 July 2010 - 12:20 PM

Quote

C:\System Volume Information\_restore{21F2B3A7-1002-4290-ACB5-6182A2031AEC}\RP271\A0054421.sys
That is System Restore - let's kill it now (it is harmless there). On completion of this run, can you let me know what problems remain?

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577
    
    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS] 
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
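The fix above removes a browser proxy pointing at 127.0.0.1 and resets the hosts file, which are the kinds of entries a helper reads an OTL log for. As an added example (not OTL's code and not part of Essexboy's fix), the Python below parses the OTL entry formats shown in this thread and flags a loopback browser proxy, a service whose binary is missing, a recently modified hosts file and unnamed binaries under System32; the sample lines are constructed, and the service and file names in them are placeholders.

```python
"""Triage helper for OTL-style log lines (added example for this thread;
not OTL's code and not part of the posted fix). It parses the entry
formats visible in the logs (file entries, the IE "ProxyServer" line,
SRV lines) and reports the items a helper normally looks at first.
SAMPLE_LOG is constructed for the demo."""
import re
from datetime import datetime, timedelta

# File entry: [YYYY/MM/DD HH:MM:SS | size | attrs | C|M] (Company) -- path
FILE_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| ([\d,]+) \| (\S{4}) \| ([CM])\] "
    r"\((.*?)\) -- (.+)$"
)
# IE proxy value as OTL prints it
PROXY_RE = re.compile(r'"ProxyServer" = (\S+)')
# Service whose binary is gone: "SRV - File not found [...] -- path -- (Name)"
SVC_MISSING_RE = re.compile(r"^SRV - File not found \[.*?\] -- (.+?) -- \((.+)\)$")

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_file_entry(line):
    """Return a dict for one OTL file entry, or None if the line is not one."""
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    ts, size, attrs, flag, company, path = m.groups()
    return {
        "time": datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"),
        "size": int(size.replace(",", "")),
        "attrs": attrs,
        "flag": flag,                 # C = created, M = modified
        "company": company.strip(),   # empty when OTL shows "()"
        "path": path.strip(),
    }

def proxy_hosts(value):
    """Split an IE ProxyServer value ("host:port" or "http=host:port;https=...")."""
    hosts = []
    for part in value.split(";"):
        part = part.strip()
        if "=" in part:                      # scheme=host:port form
            part = part.split("=", 1)[1]
        host = part.rsplit(":", 1)[0] if ":" in part else part
        hosts.append(host.strip("[]").lower())
    return hosts

def is_loopback_proxy(value):
    """True when the browser proxy points back at the local machine.

    That is how a hijacker interposes on browser traffic, but legitimate
    filtering software does it too, so treat a hit as "verify", not "malicious".
    """
    return any(h in LOOPBACK or h.startswith("127.") for h in proxy_hosts(value))

def triage(lines, now, window_days=90):
    """Return (kind, detail) findings for the log lines, recent window only."""
    findings = []
    cutoff = now - timedelta(days=window_days)
    for raw in lines:
        line = raw.strip()
        m = PROXY_RE.search(line)
        if m:
            if is_loopback_proxy(m.group(1)):
                findings.append(("loopback-proxy", m.group(1)))
            continue
        m = SVC_MISSING_RE.match(line)
        if m:
            findings.append(("service-missing-binary", m.group(2)))
            continue
        entry = parse_file_entry(line)
        if entry is None or entry["time"] < cutoff:
            continue
        low = entry["path"].lower()
        if low.endswith(r"\drivers\etc\hosts"):
            findings.append(("hosts-modified", entry["time"].isoformat()))
        elif (r"\windows\system32" in low and not entry["company"]
              and low.endswith((".exe", ".dll", ".sys"))):
            findings.append(("unnamed-binary-system32", entry["path"]))
    return findings

# Constructed sample in the same shape as the logs in this thread (placeholder names).
SAMPLE_LOG = r"""
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Example\svc.exe -- (ExampleSvc)
[2010/07/07 18:03:12 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2010/07/07 12:15:40 | 000,017,408 | ---- | M] () -- C:\WINDOWS\System32\example_unnamed.dll
[2010/07/07 15:34:35 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
[2009/01/01 00:00:00 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\old_unnamed.dll
"""

def triage_sample():
    """Run triage over SAMPLE_LOG with the scan date from this thread as 'now'."""
    return triage(SAMPLE_LOG.splitlines(), datetime(2010, 7, 8, 15, 52, 6))

if __name__ == "__main__":
    for kind, detail in triage_sample():
        print(f"{kind:26} {detail}")
```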


#11 ph1290

  • Group: Member
  • Posts: 43
  • Joined: 07-July 10

Posted 08 July 2010 - 01:55 PM

OTL log

OTL logfile created on: 7/8/2010 3:52:06 PM - Run 4
OTL by OldTimer - Version 3.2.7.1 Folder = C:\Documents and Settings\harrisap\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 76.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 104.63 Gb Free Space | 70.20% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: 7-51896
Current User Name: harrisap
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/07/07 15:34:35 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\OTL.exe
PRC - [2009/11/13 07:31:14 | 000,092,008 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
PRC - [2009/11/13 07:31:12 | 000,247,144 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
PRC - [2009/06/08 16:38:17 | 000,056,680 | ---- | M] (Absolute Software Corp.) -- C:\WINDOWS\system32\rpcnet.exe
PRC - [2009/05/14 11:43:12 | 000,118,784 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2009/05/14 11:34:22 | 000,057,344 | ---- | M] () -- C:\WINDOWS\system32\ibmpmsvc.exe
PRC - [2009/04/17 12:08:26 | 000,032,768 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\AiO\Center\KodakSvc.exe
PRC - [2009/04/07 17:27:30 | 001,511,424 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
PRC - [2008/10/20 11:36:40 | 000,028,672 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\System Update\SUService.exe
PRC - [2008/08/05 17:58:52 | 029,184,016 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2008/06/04 09:51:06 | 000,262,784 | ---- | M] (F5 Networks) -- C:\WINDOWS\system32\F5InstallerService.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/04 11:34:20 | 000,487,424 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
PRC - [2008/03/04 11:34:12 | 001,122,304 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
PRC - [2007/12/21 14:30:40 | 000,131,072 | ---- | M] (Visioneer Inc.) -- C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
PRC - [2007/10/07 21:48:40 | 000,125,368 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2007/10/07 21:48:36 | 000,116,664 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe
PRC - [2007/10/07 21:48:32 | 001,822,648 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2007/10/07 21:48:24 | 000,031,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2007/09/26 18:34:46 | 000,644,408 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
PRC - [2007/07/26 20:25:20 | 001,181,016 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
PRC - [2007/05/29 17:33:36 | 000,169,576 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2007/05/29 17:33:26 | 000,192,104 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2007/05/29 17:33:22 | 000,052,840 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2007/02/10 05:29:56 | 000,089,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2005/12/01 08:35:58 | 000,057,393 | ---- | M] (IBM Corp) -- C:\Notes\ntmulti.exe
PRC - [2004/08/04 04:05:00 | 000,570,368 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\CcmExec.exe


========== Modules (SafeList) ==========

MOD - [2010/07/07 15:34:35 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\TFEngine\TFService.exe -- (ThreatFire)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2009/11/13 07:31:14 | 000,092,008 | ---- | M] (TomTom) [Auto | Running] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2009/06/08 16:38:17 | 000,056,680 | ---- | M] (Absolute Software Corp.) [Auto | Running] -- C:\WINDOWS\system32\rpcnet.exe -- (rpcnet) Remote Procedure Call (RPC)
SRV - [2009/05/14 11:34:22 | 000,057,344 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\ibmpmsvc.exe -- (IBMPMSVC)
SRV - [2009/05/04 12:15:26 | 000,279,960 | ---- | M] (Eastman Kodak Company) [Auto | Stopped] -- C:\Program Files\Kodak\AiO\Center\EKDiscovery.exe -- (Kodak AiO Network Discovery Service)
SRV - [2009/04/17 12:08:26 | 000,032,768 | ---- | M] (Eastman Kodak Company) [Auto | Running] -- C:\Program Files\Kodak\AiO\center\KodakSvc.exe -- (KodakSvc)
SRV - [2008/10/20 11:36:40 | 000,028,672 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\System Update\SUService.exe -- (SUService)
SRV - [2008/08/05 17:58:52 | 029,184,016 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$XACTWARE) SQL Server (XACTWARE)
SRV - [2008/06/04 09:51:06 | 000,262,784 | ---- | M] (F5 Networks) [Auto | Running] -- C:\WINDOWS\system32\F5InstallerService.exe -- (F5 Networks Component Installer)
SRV - [2008/03/04 11:34:12 | 001,122,304 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe -- (TVT Scheduler)
SRV - [2007/12/21 14:30:40 | 000,131,072 | ---- | M] (Visioneer Inc.) [Auto | Running] -- C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe -- (OneTouch 4.0 Monitor)
SRV - [2007/10/07 21:48:36 | 000,116,664 | ---- | M] (symantec) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2007/10/07 21:48:32 | 001,822,648 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2007/10/07 21:48:24 | 000,031,160 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2007/09/26 18:34:46 | 000,644,408 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe -- (ThinkVantage Registry Monitor Service)
SRV - [2007/08/28 20:04:25 | 002,999,664 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate)
SRV - [2007/08/27 18:14:00 | 000,214,408 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2007/07/26 20:25:20 | 001,181,016 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2007/05/29 17:33:36 | 000,169,576 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2007/05/29 17:33:26 | 000,192,104 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2007/02/10 09:29:47 | 000,242,544 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2007/02/10 05:29:56 | 000,089,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2005/12/01 08:35:58 | 000,057,393 | ---- | M] (IBM Corp) [Auto | Running] -- C:\Notes\ntmulti.exe -- (Multi-user Cleanup Service)
SRV - [2005/10/14 06:50:19 | 000,045,272 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2004/08/04 04:05:00 | 000,570,368 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)
SRV - [2000/10/19 12:55:50 | 000,411,244 | ---- | M] () [On_Demand | Stopped] -- C:\oracle\ora81\bin\ONRSD.EXE -- (OracleOraHome81ClientCache)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL)
DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\TfSysMon.sys -- (TfSysMon)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\TfNetMon.sys -- (TfNetMon)
DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\TfFsMon.sys -- (TfFsMon)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2010/07/07 16:39:50 | 000,003,456 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\atiide.sys -- (atiide)
DRV - [2010/05/27 04:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/05/27 04:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/05/11 04:00:00 | 001,347,504 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100707.002\navex15.sys -- (NAVEX15)
DRV - [2010/05/11 04:00:00 | 000,085,552 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100707.002\naveng.sys -- (NAVENG)
DRV - [2009/10/09 23:15:18 | 000,033,920 | ---- | M] (F5 Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\covpndrv.sys -- (urvpndrv)
DRV - [2009/10/09 23:15:13 | 000,010,752 | ---- | M] (F5 Networks) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\urfltw2k.sys -- (f5ipfw)
DRV - [2009/05/14 11:43:44 | 000,328,728 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\iaStor.sys -- (iastor)
DRV - [2009/05/14 11:43:10 | 000,225,664 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2009/05/14 11:43:09 | 000,985,472 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2009/05/14 11:43:09 | 000,764,416 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CHDAU32.sys -- (CnxtHdAudService)
DRV - [2009/05/14 11:43:09 | 000,210,560 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2009/05/14 11:43:09 | 000,013,824 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tpm.sys -- (tpm)
DRV - [2009/05/14 11:43:08 | 000,731,264 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2009/05/14 11:42:46 | 000,040,832 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel®
DRV - [2009/05/14 11:42:43 | 003,103,232 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2009/05/14 11:41:43 | 003,630,080 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel®
DRV - [2009/05/14 11:41:40 | 000,243,856 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1y5132.sys -- (e1yexpress) Intel®
DRV - [2009/05/14 11:41:37 | 000,047,272 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2009/05/14 11:41:36 | 000,475,520 | ---- | M] (AuthenTec, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ATSwpWDF.sys -- (ATSwpWDF)
DRV - [2009/05/14 11:34:22 | 000,012,944 | ---- | M] (IBM Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ibmpmdrv.sys -- (IBMPMDRV)
DRV - [2009/03/20 20:03:36 | 000,032,408 | ---- | M] (Smith Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Verizon Wireless\VZAccess Manager\SMSIVZAM5.sys -- (SMSIVZAM5)
DRV - [2008/07/07 13:23:56 | 000,020,480 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NwUsbCdFil.sys -- (NWUSBCDFIL)
DRV - [2008/06/02 17:28:50 | 000,222,720 | ---- | M] (Novatel Wireless Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NWADIenum.sys -- (NWADI)
DRV - [2008/05/09 12:08:40 | 000,174,336 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwusbser2.sys -- (NWUSBPort2)
DRV - [2008/05/09 12:08:40 | 000,174,336 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwusbser.sys -- (NWUSBPort)
DRV - [2008/05/09 12:08:40 | 000,174,336 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwusbmdm.sys -- (NWUSBModem)
DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/12/26 10:49:59 | 000,110,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2007/08/27 18:13:36 | 000,189,320 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2007/08/27 18:13:32 | 000,023,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2007/07/26 20:25:18 | 000,400,216 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2007/02/19 01:56:46 | 000,021,376 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)
DRV - [2006/09/06 15:41:20 | 000,337,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2006/09/06 15:41:20 | 000,054,968 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2004/06/27 03:50:00 | 000,013,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\CCM\PrepDrv.sys -- (prepdrvr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

FF - HKLM\software\mozilla\Firefox\Extensions\\{08B8D53F-FB61-4EC8-8614-ECA2133A48D4}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{08B8D53F-FB61-4EC8-8614-ECA2133A48D4}\ [2010/07/02 12:22:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{7F407392-4F54-4B22-B018-7C448707CE31}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{7F407392-4F54-4B22-B018-7C448707CE31}\ [2010/07/02 13:46:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{A4423967-0FE1-45A0-A02F-24676A38EC26}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{A4423967-0FE1-45A0-A02F-24676A38EC26}\ [2010/07/02 14:36:53 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{656599F9-402B-4ABD-B3DD-B465296C0D22}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{656599F9-402B-4ABD-B3DD-B465296C0D22}\ [2010/07/02 14:39:12 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2DE55286-1FBD-4B5E-A2FD-A80A0E7026AF}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{2DE55286-1FBD-4B5E-A2FD-A80A0E7026AF}\ [2010/07/03 08:50:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{9DA59007-FBFE-4153-8AF3-F9C396AC0403}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{9DA59007-FBFE-4153-8AF3-F9C396AC0403}\ [2010/07/03 09:01:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{A19F0325-B322-4DC2-97B2-521B259F25C5}: C:\Documents and Settings\Administrator\Local Settings\Application Data\{A19F0325-B322-4DC2-97B2-521B259F25C5}\ [2010/07/03 12:02:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{1A8548C6-50F1-463B-9802-225F5F94F67F}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{1A8548C6-50F1-463B-9802-225F5F94F67F}\ [2010/07/03 13:29:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{BBD154CF-3450-438A-A1ED-432C3082042C}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{BBD154CF-3450-438A-A1ED-432C3082042C}\ [2010/07/06 16:32:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{CCCB28FC-4068-4917-96E5-3983EF42704B}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{CCCB28FC-4068-4917-96E5-3983EF42704B}\ [2010/07/07 07:39:00 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{6512AF10-2BD9-4242-83CE-3086EA813335}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{6512AF10-2BD9-4242-83CE-3086EA813335}\ [2010/07/07 07:44:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{95ADF2BD-4B22-46D3-AFE6-4E78ABE2E962}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{95ADF2BD-4B22-46D3-AFE6-4E78ABE2E962}\ [2010/07/07 07:46:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{4B5AF1D8-7AA8-4B62-B2F7-6F370DD89CAB}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{4B5AF1D8-7AA8-4B62-B2F7-6F370DD89CAB}\ [2010/07/07 09:42:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{DE5B9F1B-D5DE-4F59-9D5B-E2CAA777EF01}: C:\Documents and Settings\Administrator\Local Settings\Application Data\{DE5B9F1B-D5DE-4F59-9D5B-E2CAA777EF01}\ [2010/07/07 09:43:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{0A61CEF3-C718-4B50-889F-5D23F129ACCB}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{0A61CEF3-C718-4B50-889F-5D23F129ACCB}\ [2010/07/07 09:47:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{8D783363-3AE6-4CDD-B954-3B2301C786C7}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{8D783363-3AE6-4CDD-B954-3B2301C786C7}\ [2010/07/07 09:53:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{588A3060-1F7E-4B99-88A4-3A1C6BA0322E}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{588A3060-1F7E-4B99-88A4-3A1C6BA0322E}\ [2010/07/07 11:27:14 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3437F035-FDD2-4241-9294-7F0F1BB28DAB}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{3437F035-FDD2-4241-9294-7F0F1BB28DAB}\ [2010/07/07 11:36:41 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{F815F000-7EE3-4952-B739-09F30DAB8CE3}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{F815F000-7EE3-4952-B739-09F30DAB8CE3}\ [2010/07/07 12:15:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{AE76301C-C986-4B42-8668-AC7A26389266}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{AE76301C-C986-4B42-8668-AC7A26389266}\ [2010/07/07 12:24:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{B4379ACC-5F74-456A-A7EE-ECB02CBD8B7D}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{B4379ACC-5F74-456A-A7EE-ECB02CBD8B7D}\ [2010/07/07 15:27:31 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{186FE95C-BF73-4B29-8447-ED6E2D4837EF}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{186FE95C-BF73-4B29-8447-ED6E2D4837EF}\ [2010/07/07 16:46:52 | 000,000,000 | ---D | M]

[2010/04/24 17:44:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\Mozilla\Extensions
[2010/04/24 17:44:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\Mozilla\Extensions\home2@tomtom.com

O1 HOSTS File: ([2010/07/08 15:29:37 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\Hp\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\Hp\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Conime] C:\WINDOWS\system32\conime.exe (Microsoft Corporation)
O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
O4 - HKLM..\Run: [pdfFactory Dispatcher v3] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe (FinePrint Software, LLC)
O4 - HKLM..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKCU..\Run: [TomTomHOME.exe] C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMBalloonTip = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\Hp\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O15 - HKCU\..Trusted Domains: adp.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: centra.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: Clientelligent.com ([]* in My Computer)
O15 - HKCU\..Trusted Domains: dhl-usa.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: employeeedge.com ([]* in My Computer)
O15 - HKCU\..Trusted Domains: eyeadvisor.com ([]* in My Computer)
O15 - HKCU\..Trusted Domains: gabrobins.com ([]* in My Computer)
O15 - HKCU\..Trusted Domains: gabrobinsna.com ([]* in My Computer)
O15 - HKCU\..Trusted Domains: genesyshcm.com ([]* in My Computer)
O15 - HKCU\..Trusted Domains: learn.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: mygabr.com ([]* in My Computer)
O15 - HKCU\..Trusted Domains: virtela.net ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: windowsupdate.com ([]* in Trusted sites)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.micros...tes/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/pub/shock...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} https://gabrobins1.clnt.virtela.net/vdesk/t...1,2009,1010,313 (F5 Networks VPN Manager)
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} http://www-307.ibm.c...pport/acpir.cab (IASRunner Class)
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} http://uspsy16m.gabr...om/iNotes6W.cab (iNotes6 Class)
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} https://gabrobins1.clnt.virtela.net/vdesk/t...1,2009,1010,310 (F5 Networks Dynamic Application Tunnel Control)
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} https://gabrobins1.clnt.virtela.net/vdesk/t...,2009,1010,0312 (F5 Networks Auto Update)
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} file://C:/Program Files/F5 VPN/F5_TMP/f5InspectionHost.cab (F5 Networks Policy Agent Host Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdat...b?1228492840640 (WUWebControl Class)
O16 - DPF: {68132570-CED6-11D5-91AE-000039F5040E} http://www.employeee...m/NAVUPDPRJ.CAB (NAVUPDPRJ.NAVUPDCTL)
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} https://gabrobins1.clnt.virtela.net/vdesk/t...,2008,0404,2134 (F5 Networks Static Application Tunnel Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1228491044515 (MUWebControl Class)
O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} file://C:/Program Files/F5 VPN/F5_TMP/msrdp.cab (Microsoft RDP Client Control (redist))
O16 - DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} file://C:/Program Files/F5 VPN/F5_TMP/vdeskctrl.cab (F5 Virtual Sandbox Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://javadl-esd.sun.com/update/1.6.0/jin...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab (DDRevision Class)
O16 - DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} https://gabrobins1.clnt.virtela.net/vdesk/t...1,2009,1010,308 (F5 Networks SuperHost Class)
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} https://gabrobins1.clnt.virtela.net/vdesk/t...1,2009,1010,304 (F5 Networks Host Control)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E66D35B8-E70D-42A6-B1F5-DB784CB92B15} file://C:/Program Files/F5 VPN/F5_TMP/urvncx.cab (URVNCX Class)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 97.64.180.150 97.64.168.13
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GABNA-AD.local
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop BackupWallPaper: C:\Documents and Settings\harrisap\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/15 12:50:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/07/07 18:03:13 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/07/07 18:03:09 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/07/07 16:52:34 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/07/07 16:52:34 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/07/07 16:52:34 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/07/07 16:52:34 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/07/07 16:52:10 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/07/07 16:46:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{186FE95C-BF73-4B29-8447-ED6E2D4837EF}
[2010/07/07 16:37:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\tdsskiller
[2010/07/07 15:34:32 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\OTL.exe
[2010/07/07 15:27:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{B4379ACC-5F74-456A-A7EE-ECB02CBD8B7D}
[2010/07/07 12:24:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{AE76301C-C986-4B42-8668-AC7A26389266}
[2010/07/07 12:15:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{F815F000-7EE3-4952-B739-09F30DAB8CE3}
[2010/07/07 11:46:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{8CF5B7FA-F366-49EA-AA98-61AB007901F4}
[2010/07/07 11:43:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/07/07 11:36:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{3437F035-FDD2-4241-9294-7F0F1BB28DAB}
[2010/07/07 11:27:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{588A3060-1F7E-4B99-88A4-3A1C6BA0322E}
[2010/07/07 10:02:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Application Data\Malwarebytes
[2010/07/07 10:02:37 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/07/07 10:02:36 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/07/07 10:02:36 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/07/07 10:02:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/07/07 10:01:24 | 006,153,384 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\harrisap\Desktop\mbam-setup.exe
[2010/07/07 09:53:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{8D783363-3AE6-4CDD-B954-3B2301C786C7}
[2010/07/07 09:47:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{0A61CEF3-C718-4B50-889F-5D23F129ACCB}
[2010/07/07 09:42:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{4B5AF1D8-7AA8-4B62-B2F7-6F370DD89CAB}
[2010/07/07 09:04:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/07/07 09:04:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/07/07 07:46:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{95ADF2BD-4B22-46D3-AFE6-4E78ABE2E962}
[2010/07/07 07:44:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{6512AF10-2BD9-4242-83CE-3086EA813335}
[2010/07/07 07:39:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{CCCB28FC-4068-4917-96E5-3983EF42704B}
[2010/07/06 16:32:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{BBD154CF-3450-438A-A1ED-432C3082042C}
[2010/07/03 21:29:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Yahoo
[2010/07/03 13:39:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/07/03 13:38:30 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/07/03 13:37:50 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\harrisap\Desktop\erunt_setup.exe
[2010/07/03 13:28:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{1A8548C6-50F1-463B-9802-225F5F94F67F}
[2010/07/03 11:59:12 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\TFC.exe
[2010/07/03 09:01:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{9DA59007-FBFE-4153-8AF3-F9C396AC0403}
[2010/07/03 08:50:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{2DE55286-1FBD-4B5E-A2FD-A80A0E7026AF}
[2010/07/02 14:39:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{656599F9-402B-4ABD-B3DD-B465296C0D22}
[2010/07/02 14:36:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{A4423967-0FE1-45A0-A02F-24676A38EC26}
[2010/07/02 13:46:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{7F407392-4F54-4B22-B018-7C448707CE31}
[2010/07/02 12:22:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\{08B8D53F-FB61-4EC8-8614-ECA2133A48D4}
[2010/07/01 16:32:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\My Documents\My Albums
[2010/07/01 16:25:04 | 000,000,000 | ---D | C] -- C:\Program Files\WebEx
[2010/06/28 18:06:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\xact25 data
[2010/06/27 15:44:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\Threat Expert
[2010/06/27 15:10:19 | 001,652,688 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDCore.dll.old
[2010/06/27 15:04:22 | 000,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2010/06/27 15:04:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2010/06/27 15:03:16 | 036,600,008 | ---- | C] (PC Tools ) -- C:\Documents and Settings\harrisap\Desktop\sdasetup.exe
[2010/06/26 20:55:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\kybocnbxw
[2010/06/24 16:20:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\ranger
[2010/06/18 11:04:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\My Documents\PDF files
[2010/06/18 09:09:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\My Documents\Xactimate25 Office Templates
[2010/06/18 08:29:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\My Documents\other folders
[2010/06/12 16:02:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2010/06/03 09:23:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\leesxing docs
[2010/05/06 09:58:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Application Data\RecoveryFix for Windows
[2010/05/06 09:47:07 | 000,000,000 | ---D | C] -- C:\Program Files\RecoveryFix For Windows(Demo)
[2010/05/06 09:46:32 | 004,172,182 | ---- | C] (Chily Softech Pvt Ltd ) -- C:\Documents and Settings\harrisap\Desktop\recoveryfixwindows.exe
[2010/05/06 09:35:21 | 000,000,000 | ---D | C] -- C:\Program Files\Selkie Rescue 3.6 Demo
[2010/05/06 09:18:50 | 000,000,000 | ---D | C] -- C:\Program Files\PC Inspector File Recovery
[2010/04/25 20:06:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\scanned
[2010/04/24 17:45:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TomTom
[2010/04/24 17:44:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\TomTom
[2010/04/24 17:44:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Application Data\TomTom
[2010/04/24 17:44:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Application Data\Mozilla
[2010/04/24 17:44:44 | 000,000,000 | ---D | C] -- C:\Program Files\TomTom International B.V
[2010/04/24 17:44:30 | 000,000,000 | ---D | C] -- C:\Program Files\TomTom HOME 2
[2010/04/24 17:42:30 | 000,000,000 | ---D | C] -- C:\Program Files\TomTom DesktopSuite

========== Files - Modified Within 90 Days ==========

[2010/07/08 15:35:30 | 000,000,455 | ---- | M] () -- C:\WINDOWS\SMSCFG.ini
[2010/07/08 15:35:09 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/08 15:33:02 | 000,017,408 | ---- | M] () -- C:\WINDOWS\System32\rpcnetp.exe
[2010/07/08 15:33:00 | 000,056,680 | ---- | M] (Absolute Software Corp.) -- C:\WINDOWS\System32\rpcnet.dll
[2010/07/08 15:32:47 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/07/08 15:32:37 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/08 15:32:34 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/08 15:30:04 | 006,029,312 | -H-- | M] () -- C:\Documents and Settings\harrisap\ntuser.dat
[2010/07/08 15:29:55 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\harrisap\ntuser.ini
[2010/07/08 15:29:37 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2010/07/08 15:09:00 | 000,000,890 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/07/07 17:01:43 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/07/07 16:49:45 | 003,728,027 | R--- | M] () -- C:\Documents and Settings\harrisap\Desktop\ComboFix.exe
[2010/07/07 16:39:50 | 000,003,456 | ---- | M] () -- C:\WINDOWS\System32\drivers\atiide.sys
[2010/07/07 16:37:12 | 000,981,780 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\tdsskiller.zip
[2010/07/07 15:34:35 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\OTL.exe
[2010/07/07 12:15:40 | 000,017,408 | ---- | M] () -- C:\WINDOWS\System32\rpcnetp.dll
[2010/07/07 11:30:38 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\gmer.zip
[2010/07/07 10:13:33 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\harrisap\My Documents\Malwarebyteslog.doc
[2010/07/07 10:02:39 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/07 10:01:24 | 006,153,384 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\harrisap\Desktop\mbam-setup.exe
[2010/07/06 16:59:33 | 000,171,171 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\expense76.pdf
[2010/07/06 16:58:29 | 001,043,073 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\expe 004.jpg
[2010/07/06 16:57:59 | 001,023,142 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\expe 003.jpg
[2010/07/06 16:57:32 | 001,055,982 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\expe 002.jpg
[2010/07/06 16:35:24 | 000,000,238 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Virtella SSL.url
[2010/07/06 16:23:21 | 000,152,384 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/07/06 10:40:30 | 000,000,732 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.bak
[2010/07/06 08:32:12 | 000,032,747 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\APP.doc
[2010/07/03 13:38:31 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\NTREGOPT.lnk
[2010/07/03 13:38:31 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\ERUNT.lnk
[2010/07/03 13:37:53 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\harrisap\Desktop\erunt_setup.exe
[2010/07/03 11:59:15 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\TFC.exe
[2010/07/02 06:32:55 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/07/02 06:25:22 | 000,569,786 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/07/02 06:25:22 | 000,489,682 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/07/02 06:25:22 | 000,089,502 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/07/01 22:09:04 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/06/30 00:05:59 | 004,844,096 | -H-- | M] () -- C:\Documents and Settings\harrisap\Local Settings\Application Data\IconCache.db
[2010/06/29 09:24:32 | 001,519,151 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\UPWARD FLAG FOOTBALL.pdf
[2010/06/28 19:16:33 | 000,001,862 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Xactimate 25.lnk
[2010/06/28 18:04:31 | 051,193,881 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\25.4.256.35490_Update.exe
[2010/06/27 15:03:16 | 036,600,008 | ---- | M] (PC Tools ) -- C:\Documents and Settings\harrisap\Desktop\sdasetup.exe
[2010/06/26 22:57:35 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\harrisap\Desktop\~$lendar.doc
[2010/06/25 23:26:50 | 000,049,664 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\calendar.doc
[2010/06/24 16:49:12 | 000,464,115 | ---- | M] () -- C:\Documents and Settings\harrisap\My Documents\InterContinental Hotels Group Your Reservation Confirmation.mht
[2010/06/23 15:38:58 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\harrisap\My Documents\44155.doc
[2010/06/18 02:07:00 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/06/16 14:47:46 | 000,163,647 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\HO3_sample.pdf
[2010/06/16 12:28:03 | 000,002,219 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\GAB SSL.lnk
[2010/06/11 08:57:29 | 000,052,224 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\LETTERHEAD.doc
[2010/06/09 20:30:39 | 000,014,999 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\www.martindale.com_print_sbs.aspx.pdf
[2010/06/01 07:17:57 | 000,013,824 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\budddg.xls
[2010/05/29 02:12:32 | 000,046,447 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\DIARY%2003%2028%202010[1].pdf
[2010/05/19 00:01:10 | 000,033,792 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\photosheet.doc
[2010/05/19 00:00:41 | 000,033,792 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\photosheet.DOT
[2010/05/16 23:51:13 | 000,482,936 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\LAS RegionalBranch Data quality - Manager.xls
[2010/05/09 22:06:40 | 000,001,915 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/05/06 09:47:08 | 000,000,904 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\RecoveryFix For Windows (Demo) .lnk
[2010/05/06 09:46:49 | 004,172,182 | ---- | M] (Chily Softech Pvt Ltd ) -- C:\Documents and Settings\harrisap\Desktop\recoveryfixwindows.exe
[2010/05/06 09:18:50 | 000,001,561 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PC Inspector File Recovery.lnk
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/04/25 18:15:35 | 000,191,007 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\blackhistory 003.jpg
[2010/04/15 11:46:08 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk

========== Files Created - No Company Name ==========

[2010/07/07 16:52:34 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/07/07 16:52:34 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/07/07 16:52:34 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/07/07 16:52:34 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/07/07 16:52:34 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/07/07 16:49:39 | 003,728,027 | R--- | C] () -- C:\Documents and Settings\harrisap\Desktop\ComboFix.exe
[2010/07/07 16:36:57 | 000,981,780 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\tdsskiller.zip
[2010/07/07 11:30:34 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\gmer.zip
[2010/07/07 10:13:32 | 000,026,112 | ---- | C] () -- C:\Documents and Settings\harrisap\My Documents\Malwarebyteslog.doc
[2010/07/07 10:02:39 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/06 16:59:32 | 000,171,171 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\expense76.pdf
[2010/07/06 16:57:59 | 001,043,073 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\expe 004.jpg
[2010/07/06 16:57:32 | 001,023,142 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\expe 003.jpg
[2010/07/06 16:57:04 | 001,055,982 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\expe 002.jpg
[2010/07/03 13:38:31 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\NTREGOPT.lnk
[2010/07/03 13:38:31 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\ERUNT.lnk
[2010/06/29 09:24:32 | 001,519,151 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\UPWARD FLAG FOOTBALL.pdf
[2010/06/28 18:04:28 | 051,193,881 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\25.4.256.35490_Update.exe
[2010/06/27 15:10:20 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll.old
[2010/06/26 22:57:35 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\harrisap\Desktop\~$lendar.doc
[2010/06/24 16:49:12 | 000,464,115 | ---- | C] () -- C:\Documents and Settings\harrisap\My Documents\InterContinental Hotels Group Your Reservation Confirmation.mht
[2010/06/23 15:38:57 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\harrisap\My Documents\44155.doc
[2010/06/16 14:47:46 | 000,163,647 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\HO3_sample.pdf
[2010/06/11 08:57:29 | 000,052,224 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\LETTERHEAD.doc
[2010/06/09 20:30:39 | 000,014,999 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\www.martindale.com_print_sbs.aspx.pdf
[2010/05/31 20:09:29 | 000,013,824 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\budddg.xls
[2010/05/19 00:01:10 | 000,033,792 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\photosheet.doc
[2010/05/19 00:00:41 | 000,033,792 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\photosheet.DOT
[2010/05/16 23:51:13 | 000,482,936 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\LAS RegionalBranch Data quality - Manager.xls
[2010/05/09 22:06:40 | 000,001,915 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/05/06 09:47:08 | 000,000,904 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\RecoveryFix For Windows (Demo) .lnk
[2010/05/06 09:18:51 | 000,006,200 | ---- | C] () -- C:\WINDOWS\System32\INT13EXT.VXD
[2010/05/06 09:18:50 | 000,001,561 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PC Inspector File Recovery.lnk
[2010/05/04 01:47:22 | 000,049,664 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\calendar.doc
[2010/04/25 18:15:22 | 000,191,007 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\blackhistory 003.jpg
[2010/04/19 08:59:59 | 000,000,890 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/19 08:59:59 | 000,000,886 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/02/22 22:18:36 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2010/02/22 22:18:36 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/12/17 06:48:09 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\DM510.dll
[2009/08/30 22:46:45 | 000,012,800 | ---- | C] () -- C:\WINDOWS\System32\EKDeviceServices.dll
[2009/05/14 11:37:14 | 000,003,456 | ---- | C] () -- C:\WINDOWS\System32\drivers\atiide.sys
[2009/05/14 11:34:22 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\tpinspm.dll
[2008/03/18 11:58:05 | 000,000,058 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2007/12/26 12:18:32 | 000,000,455 | ---- | C] () -- C:\WINDOWS\SMSCFG.ini
[2007/11/28 15:39:06 | 000,000,029 | ---- | C] () -- C:\WINDOWS\vdialer.INI
[2007/11/28 12:12:51 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2007/11/16 15:23:19 | 000,003,981 | ---- | C] () -- C:\WINDOWS\RDSWIN.INI
[2007/11/16 12:47:22 | 000,000,033 | ---- | C] () -- C:\WINDOWS\WDTCPCON.INI
[2007/11/16 12:32:18 | 000,003,635 | ---- | C] () -- C:\WINDOWS\~WDINS.INI
[2007/11/16 10:06:19 | 000,000,555 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/11/15 12:58:54 | 000,017,408 | ---- | C] () -- C:\WINDOWS\System32\rpcnetp.dll
[2006/01/26 16:42:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/06/17 01:53:02 | 000,000,702 | ---- | C] () -- C:\WINDOWS\Cm3.ini
[2001/07/07 03:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[1999/07/30 09:24:34 | 000,000,218 | ---- | C] () -- C:\WINDOWS\oraodbc.ini

========== LOP Check ==========

[2009/09/12 08:38:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverCure
[2009/08/30 22:47:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Eastman Kodak Company
[2009/09/01 20:02:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\kds_kodak
[2009/09/10 22:38:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2009/09/10 22:35:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2008/03/18 11:22:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC-Doctor
[2009/03/06 09:23:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCDr
[2010/07/03 13:32:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/04/24 17:45:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TomTom
[2009/06/12 11:27:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Xactware
[2010/02/14 10:18:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/01/29 14:17:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2009/09/10 22:38:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\DriverCure
[2008/12/02 12:08:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\F5 Networks
[2008/03/18 12:00:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\Leadertech
[2009/12/17 06:48:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\LinkManager 4.0
[2010/05/06 09:58:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\RecoveryFix for Windows
[2009/08/31 14:38:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\Temp
[2010/04/24 17:44:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\TomTom
[2010/06/18 02:07:00 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2009/07/10 07:00:36 | 000,000,436 | ---- | M] () -- C:\WINDOWS\Tasks\PCDoctorBackgroundMonitorTask.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 159 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 148 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:ECF54A0E
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >


Here you go... I will see if anything pops up in the next 24 hrs and I'll let you know. Thanks for the help so far.
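Added example, not part of the original thread and not code from OTL or Geeks to Go: a small Python triage helper for the OTL entry format shown in the log above. It parses the `[date | size | attrs | C/M] (company) -- path` lines and the `@Alternate Data Stream` lines, then flags what a reviewer would look at first: executables under C:\WINDOWS with no company name in their version info (the log's "Files Created - No Company Name" section), a generated-looking directory name under Application Data (the log shows `kybocnbxw` created on 26 June, the day before Spyware Doctor was installed), any change to the hosts file, and every ADS. The flagging rules, the vowel-ratio/consonant-run heuristic and its thresholds are my own assumptions; the sample lines are copied from the posted log. Flagged entries are review items, not verdicts (ComboFix's own helpers in C:\WINDOWS will trip the company-name rule too).

```python
"""Triage helper for OTL-style file listings (added example, not OTL's own code).

Heuristics below are the editor's assumptions, not rules OTL applies:
  * executable under the Windows directory with no company name in version info
  * directory under an Application Data path whose name looks generated
  * any created/modified hosts file
  * any alternate data stream reported by OTL
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One OTL file entry, e.g.
#   [2010/07/07 16:52:34 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
#   [2010/07/03 13:38:30 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
# The "(company)" group is absent for directories and empty "()" when OTL
# found no company string in the file's version resource.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
# OTL ADS entry: "@Alternate Data Stream - 159 bytes -> path:stream"
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")

WINDOWS_DIR = "c:\\windows\\"          # assumption: XP-era default install path
EXEC_EXT = (".exe", ".dll", ".sys", ".vxd")
VOWELS = set("aeiou")


@dataclass
class Entry:
    ts: str
    size: int
    attrs: str      # R/H/S/D flag positions, "-" when unset
    kind: str       # C = created, M = modified
    company: str    # "" when no company name was found
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def leaf(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one OTL entry line; None for headers, blanks and ADS lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        ts=m["ts"],
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        kind=m["kind"],
        company=(m["company"] or "").strip(),
        path=m["path"],
    )


def looks_random(name: str) -> bool:
    """Crude detector for generated names such as 'kybocnbxw': all lowercase
    letters, 8+ long, and either vowel-poor or holding a run of 4+ consonants
    (y counted as a consonant). Thresholds are assumptions, tune per case."""
    if len(name) < 8 or not name.isalpha() or not name.islower():
        return False
    vowel_ratio = sum(c in VOWELS for c in name) / len(name)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", name)), default=0)
    return vowel_ratio < 0.25 or longest_run >= 4


def triage(report: str) -> List[Tuple[str, str]]:
    """Return (rule, path) pairs for every entry that deserves a second look."""
    findings: List[Tuple[str, str]] = []
    for raw in report.splitlines():
        ads = ADS_RE.match(raw.strip())
        if ads:
            findings.append(("ads", ads["path"]))
            continue
        e = parse_line(raw)
        if e is None:
            continue
        low = e.path.lower()
        if low.endswith("\\drivers\\etc\\hosts"):
            findings.append(("hosts-modified" if e.kind == "M" else "hosts-created", e.path))
        elif (not e.is_dir and low.startswith(WINDOWS_DIR)
              and low.endswith(EXEC_EXT) and not e.company):
            findings.append(("no-company-in-windows-dir", e.path))
        elif e.is_dir and "\\application data\\" in low and looks_random(e.leaf):
            findings.append(("random-dir-name", e.path))
    return findings


# Constructed sample: lines copied from the OTL log posted above.
SAMPLE_LOG = r"""
========== Files Created - No Company Name ==========

[2010/07/07 16:52:34 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/07/07 16:52:34 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/07/03 13:38:30 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/06/26 20:55:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\kybocnbxw
[2010/07/08 15:33:00 | 000,056,680 | ---- | M] (Absolute Software Corp.) -- C:\WINDOWS\System32\rpcnet.dll
[2010/07/08 15:33:02 | 000,017,408 | ---- | M] () -- C:\WINDOWS\System32\rpcnetp.exe
[2010/07/08 15:29:37 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2010/07/03 11:59:12 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\TFC.exe
@Alternate Data Stream - 159 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >
"""

if __name__ == "__main__":
    for rule, path in triage(SAMPLE_LOG):
        print(f"{rule:28s} {path}")
```

Run it against a saved OTL.txt by reading the file into `triage()`; the hosts rule pairs naturally with the log's `hosts.bak` entry, since a 98-byte hosts file next to a 732-byte backup is worth a diff before the tools are removed.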

#12 Essexboy

  • Group: GeekU Moderator
  • Posts: 55,545
  • Joined: 31-May 06

Posted 08 July 2010 - 02:03 PM

OK, I will clear my tools and tidy you up. Norton should not alert now, as the restore points have been cleared. I would recommend updating to IE8 as it is more secure.



I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :)

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:


Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via Control Panel > Add/Remove Programs, along with ERUNT, but they may be useful tools to keep.

We will now confirm that your hidden files are set to that, as some of the tools I use will change it.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware: it is NOT supported for use on 9x or ME and probably will not install on those systems.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE), JRE 6 Update 21.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u21-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u21-windows-i586-p.exe and select "Run as an Administrator.")



SPRING CLEAN

Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit


To learn more about how to protect yourself while on the internet, read our little guide How did I get infected in the first place?
Keep safe :)

#13 Essexboy

  • Group: GeekU Moderator
  • Posts: 55,545
  • Joined: 31-May 06

Posted 11 July 2010 - 05:57 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
