Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

yahoo redirect virus


  • This topic is locked This topic is locked

#1
ph1290

ph1290

    Member

  • Member
  • PipPip
  • 58 posts
antimalware doctor alert popped up during search for rental car followed by bunches of pop ups warning of security issues. ran mbam and deleted 30-40 viruses. now I have a redirect virus through yahoo.com.
  • 0

Advertisements


#2
Homburg

Homburg

    Trusted Helper

  • Malware Removal
  • 665 posts
Hello ph1290 and welcome to GeeksToGo :)

I'm Homburg and I'm going to help you fix your problem.

Please note that I'm currently in training and my posts have to be approved by an expert before I reply.

  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you
  • Please do not try to fix anything without being asked
  • I suggest you print or save any instructions I give you for easy reference. We may be using Safe mode and you will not always be able to access this thread.

========
Step 1
========

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All users
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic

========
Step 2
========

  • Download GMER to your desktop
  • Right-Click and extract it to the desktop
  • Double-Click gmer.exe
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish. (Please be patient as it can take some time to complete)



**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


After it finishes scanning

  • Click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save it to your desktop


Post ark.txt in your next reply

========
Step 3
========

Please remember to post the two logs from OTL and the ark.txt log
Do you have any other problems other than pop ups and redirects eg missing shortcuts in your programs list etc?

Homburg
  • 0

#3
ph1290

ph1290

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
Thanks Homburg.

Another little problem with my system since this started is that I get a lot of "Internet Explorer cannot display this webpage right now" messages with a run troubleshoot button. When I hit Enter or hit the troubleshoot button, the website will then pop up, but at least on geekstogo, it has wiped out my message. Short messages seem to go through. I will get on my wife's laptop tomorrow and post the logs unless you have some idea what the Explorer issue is.
  • 0

#4
ph1290

ph1290

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
Here is the OTL.txt log

OTL logfile created on: 5/27/2011 7:07:32 PM - Run 3
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\harrisap\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 73.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 92.36 Gb Free Space | 61.97% Space Free | Partition Type: NTFS

Computer Name: 7-51896 | User Name: harrisap | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/22 10:00:30 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\OTL.exe
PRC - [2010/07/28 10:30:43 | 000,057,752 | ---- | M] (Absolute Software Corp.) -- C:\WINDOWS\system32\rpcnet.exe
PRC - [2010/06/12 16:02:59 | 000,144,792 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\javaw.exe
PRC - [2010/03/31 23:34:36 | 000,243,000 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Search Protection\YspService.exe
PRC - [2009/05/14 11:43:12 | 000,118,784 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2009/05/04 12:15:26 | 000,279,960 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\AiO\Center\EKDiscovery.exe
PRC - [2009/04/17 12:08:26 | 000,032,768 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\AiO\Center\KodakSvc.exe
PRC - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/10/20 11:36:40 | 000,028,672 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\System Update\SUService.exe
PRC - [2008/06/04 09:51:06 | 000,262,784 | ---- | M] (F5 Networks) -- C:\WINDOWS\system32\F5InstallerService.exe
PRC - [2008/04/14 05:42:30 | 000,060,416 | -HS- | M] (Microsoft Corporation) -- C:\Program Files\Outlook Express\msimn.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/12/21 14:30:40 | 000,131,072 | ---- | M] (Visioneer Inc.) -- C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
PRC - [2007/10/07 21:48:40 | 000,125,368 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2007/10/07 21:48:36 | 000,116,664 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe
PRC - [2007/10/07 21:48:32 | 001,822,648 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2007/10/07 21:48:24 | 000,031,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2007/09/26 18:34:46 | 000,644,408 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
PRC - [2007/07/26 20:25:20 | 001,181,016 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
PRC - [2007/05/29 17:33:36 | 000,169,576 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2007/05/29 17:33:26 | 000,192,104 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2007/05/29 17:33:22 | 000,052,840 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2005/12/01 08:35:58 | 000,057,393 | ---- | M] (IBM Corp) -- C:\Notes\ntmulti.exe


========== Modules (SafeList) ==========

MOD - [2011/05/22 10:00:30 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\OTL.exe
MOD - [2008/04/14 05:42:52 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (ThreatFire)
SRV - File not found [Auto | Stopped] -- -- (itlperf)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [Auto | Stopped] -- -- (6to4)
SRV - [2010/07/28 10:30:43 | 000,057,752 | ---- | M] (Absolute Software Corp.) [Auto | Running] -- C:\WINDOWS\system32\rpcnet.exe -- (rpcnet) Remote Procedure Call (RPC)
SRV - [2009/05/04 12:15:26 | 000,279,960 | ---- | M] (Eastman Kodak Company) [Auto | Running] -- C:\Program Files\Kodak\AiO\Center\EKDiscovery.exe -- (Kodak AiO Network Discovery Service)
SRV - [2009/04/17 12:08:26 | 000,032,768 | ---- | M] (Eastman Kodak Company) [Auto | Running] -- C:\Program Files\Kodak\AiO\center\KodakSvc.exe -- (KodakSvc)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/10/20 11:36:40 | 000,028,672 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\System Update\SUService.exe -- (SUService)
SRV - [2008/06/04 09:51:06 | 000,262,784 | ---- | M] (F5 Networks) [Auto | Running] -- C:\WINDOWS\system32\F5InstallerService.exe -- (F5 Networks Component Installer)
SRV - [2007/12/21 14:30:40 | 000,131,072 | ---- | M] (Visioneer Inc.) [Auto | Running] -- C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe -- (OneTouch 4.0 Monitor)
SRV - [2007/10/07 21:48:36 | 000,116,664 | ---- | M] (symantec) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2007/10/07 21:48:32 | 001,822,648 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2007/10/07 21:48:24 | 000,031,160 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2007/09/26 18:34:46 | 000,644,408 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe -- (ThinkVantage Registry Monitor Service)
SRV - [2007/08/28 20:04:25 | 002,999,664 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate)
SRV - [2007/08/27 18:14:00 | 000,214,408 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2007/07/26 20:25:20 | 001,181,016 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2007/05/29 17:33:36 | 000,169,576 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2007/05/29 17:33:26 | 000,192,104 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2005/12/01 08:35:58 | 000,057,393 | ---- | M] (IBM Corp) [Auto | Running] -- C:\Notes\ntmulti.exe -- (Multi-user Cleanup Service)
SRV - [2004/08/04 04:05:00 | 000,570,368 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)
SRV - [2000/10/19 12:55:50 | 000,411,244 | ---- | M] () [On_Demand | Stopped] -- C:\oracle\ora81\bin\ONRSD.EXE -- (OracleOraHome81ClientCache)


========== Driver Services (SafeList) ==========

DRV - [2011/05/18 04:00:00 | 001,542,392 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110525.002\navex15.sys -- (NAVEX15)
DRV - [2011/05/18 04:00:00 | 000,086,008 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110525.002\naveng.sys -- (NAVENG)
DRV - [2011/05/10 04:00:00 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2011/05/10 04:00:00 | 000,105,592 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/07/07 16:39:50 | 000,003,456 | ---- | M] () [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\Drivers\atiide.sys -- (atiide)
DRV - [2009/10/09 23:15:18 | 000,033,920 | ---- | M] (F5 Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\covpndrv.sys -- (urvpndrv)
DRV - [2009/10/09 23:15:13 | 000,010,752 | ---- | M] (F5 Networks) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\urfltw2k.sys -- (f5ipfw)
DRV - [2009/05/14 11:43:09 | 000,985,472 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2009/05/14 11:43:09 | 000,764,416 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CHDAU32.sys -- (CnxtHdAudService)
DRV - [2009/05/14 11:43:09 | 000,210,560 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2009/05/14 11:43:09 | 000,013,824 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tpm.sys -- (tpm)
DRV - [2009/05/14 11:43:08 | 000,731,264 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2009/05/14 11:42:46 | 000,040,832 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel®
DRV - [2009/05/14 11:42:43 | 003,103,232 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2009/05/14 11:41:43 | 003,630,080 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel®
DRV - [2009/05/14 11:41:40 | 000,243,856 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1y5132.sys -- (e1yexpress) Intel®
DRV - [2009/05/14 11:41:37 | 000,047,272 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2009/05/14 11:41:36 | 000,475,520 | ---- | M] (AuthenTec, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ATSwpWDF.sys -- (ATSwpWDF)
DRV - [2009/03/20 20:03:36 | 000,032,408 | ---- | M] (Smith Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Verizon Wireless\VZAccess Manager\SMSIVZAM5.sys -- (SMSIVZAM5)
DRV - [2008/07/07 13:23:56 | 000,020,480 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NwUsbCdFil.sys -- (NWUSBCDFIL)
DRV - [2008/06/02 17:28:50 | 000,222,720 | ---- | M] (Novatel Wireless Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NWADIenum.sys -- (NWADI)
DRV - [2008/05/09 12:08:40 | 000,174,336 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwusbser2.sys -- (NWUSBPort2)
DRV - [2008/05/09 12:08:40 | 000,174,336 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwusbser.sys -- (NWUSBPort)
DRV - [2008/05/09 12:08:40 | 000,174,336 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwusbmdm.sys -- (NWUSBModem)
DRV - [2007/12/26 10:49:59 | 000,110,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2007/08/27 18:13:36 | 000,189,320 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2007/08/27 18:13:32 | 000,023,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2007/07/26 20:25:18 | 000,400,216 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2007/02/19 01:56:46 | 000,021,376 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)
DRV - [2006/09/06 15:41:20 | 000,337,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2006/09/06 15:41:20 | 000,054,968 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2004/06/27 03:50:00 | 000,013,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CCM\PrepDrv.sys -- (prepdrvr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/...UGO&form=ZGAPHP
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/...UGO&form=ZGAPHP
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
IE - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
IE - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: [email protected]:1.7
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.2

FF - HKLM\software\mozilla\Firefox\Extensions\\{08B8D53F-FB61-4EC8-8614-ECA2133A48D4}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{08B8D53F-FB61-4EC8-8614-ECA2133A48D4}\ [2010/07/02 12:22:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{7F407392-4F54-4B22-B018-7C448707CE31}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{7F407392-4F54-4B22-B018-7C448707CE31}\ [2010/07/02 13:46:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{A4423967-0FE1-45A0-A02F-24676A38EC26}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{A4423967-0FE1-45A0-A02F-24676A38EC26}\ [2010/07/02 14:36:53 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{656599F9-402B-4ABD-B3DD-B465296C0D22}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{656599F9-402B-4ABD-B3DD-B465296C0D22}\ [2010/07/02 14:39:12 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2DE55286-1FBD-4B5E-A2FD-A80A0E7026AF}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{2DE55286-1FBD-4B5E-A2FD-A80A0E7026AF}\ [2010/07/03 08:50:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{9DA59007-FBFE-4153-8AF3-F9C396AC0403}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{9DA59007-FBFE-4153-8AF3-F9C396AC0403}\ [2010/07/03 09:01:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{A19F0325-B322-4DC2-97B2-521B259F25C5}: C:\Documents and Settings\Administrator\Local Settings\Application Data\{A19F0325-B322-4DC2-97B2-521B259F25C5}\ [2010/07/03 12:02:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{1A8548C6-50F1-463B-9802-225F5F94F67F}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{1A8548C6-50F1-463B-9802-225F5F94F67F}\ [2010/07/03 13:29:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{BBD154CF-3450-438A-A1ED-432C3082042C}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{BBD154CF-3450-438A-A1ED-432C3082042C}\ [2010/07/06 16:32:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{CCCB28FC-4068-4917-96E5-3983EF42704B}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{CCCB28FC-4068-4917-96E5-3983EF42704B}\ [2010/07/07 07:39:00 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{6512AF10-2BD9-4242-83CE-3086EA813335}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{6512AF10-2BD9-4242-83CE-3086EA813335}\ [2010/07/07 07:44:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{95ADF2BD-4B22-46D3-AFE6-4E78ABE2E962}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{95ADF2BD-4B22-46D3-AFE6-4E78ABE2E962}\ [2010/07/07 07:46:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{4B5AF1D8-7AA8-4B62-B2F7-6F370DD89CAB}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{4B5AF1D8-7AA8-4B62-B2F7-6F370DD89CAB}\ [2010/07/07 09:42:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{DE5B9F1B-D5DE-4F59-9D5B-E2CAA777EF01}: C:\Documents and Settings\Administrator\Local Settings\Application Data\{DE5B9F1B-D5DE-4F59-9D5B-E2CAA777EF01}\ [2010/07/07 09:43:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{0A61CEF3-C718-4B50-889F-5D23F129ACCB}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{0A61CEF3-C718-4B50-889F-5D23F129ACCB}\ [2010/07/07 09:47:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{8D783363-3AE6-4CDD-B954-3B2301C786C7}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{8D783363-3AE6-4CDD-B954-3B2301C786C7}\ [2010/07/07 09:53:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{588A3060-1F7E-4B99-88A4-3A1C6BA0322E}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{588A3060-1F7E-4B99-88A4-3A1C6BA0322E}\ [2010/07/07 11:27:14 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3437F035-FDD2-4241-9294-7F0F1BB28DAB}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{3437F035-FDD2-4241-9294-7F0F1BB28DAB}\ [2010/07/07 11:36:41 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{F815F000-7EE3-4952-B739-09F30DAB8CE3}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{F815F000-7EE3-4952-B739-09F30DAB8CE3}\ [2010/07/07 12:15:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{AE76301C-C986-4B42-8668-AC7A26389266}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{AE76301C-C986-4B42-8668-AC7A26389266}\ [2010/07/07 12:24:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{B4379ACC-5F74-456A-A7EE-ECB02CBD8B7D}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{B4379ACC-5F74-456A-A7EE-ECB02CBD8B7D}\ [2010/07/07 15:27:31 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{186FE95C-BF73-4B29-8447-ED6E2D4837EF}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{186FE95C-BF73-4B29-8447-ED6E2D4837EF}\ [2010/07/07 16:46:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/04/17 11:02:36 | 000,000,000 | ---D | M]

[2010/04/24 17:44:53 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\harrisap\Application Data\Mozilla\Extensions
[2010/04/24 17:44:53 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\harrisap\Application Data\Mozilla\Extensions\[email protected]
File not found (No name found) -- C:\PROGRAM FILES\TOMTOM HOME 2\XUL\EXTENSIONS\[email protected]

O1 HOSTS File: ([2011/05/27 16:01:56 | 000,431,575 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 14881 more lines...
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Yahooo Search Protection) - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - C:\Program Files\Yahoo!\Search Protection\ysp.dll (Yahoo! Inc.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014..\Run: [4E3E0230AEBB4E96] File not found
O4 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\YspService.exe (Yahoo! Inc.)
O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMBalloonTip = 1
O7 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\.DEFAULT\..Trusted Domains: adp.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: centra.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: Clientelligent.com ([]* in My Computer)
O15 - HKU\.DEFAULT\..Trusted Domains: dhl-usa.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: employeeedge.com ([]* in My Computer)
O15 - HKU\.DEFAULT\..Trusted Domains: eyeadvisor.com ([]* in My Computer)
O15 - HKU\.DEFAULT\..Trusted Domains: gabrobins.com ([]* in My Computer)
O15 - HKU\.DEFAULT\..Trusted Domains: gabrobinsna.com ([]* in My Computer)
O15 - HKU\.DEFAULT\..Trusted Domains: genesyshcm.com ([]* in My Computer)
O15 - HKU\.DEFAULT\..Trusted Domains: learn.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: mygabr.com ([]* in My Computer)
O15 - HKU\.DEFAULT\..Trusted Domains: virtela.net ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: windowsupdate.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: adp.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: centra.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: Clientelligent.com ([]* in My Computer)
O15 - HKU\S-1-5-18\..Trusted Domains: dhl-usa.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: employeeedge.com ([]* in My Computer)
O15 - HKU\S-1-5-18\..Trusted Domains: eyeadvisor.com ([]* in My Computer)
O15 - HKU\S-1-5-18\..Trusted Domains: gabrobins.com ([]* in My Computer)
O15 - HKU\S-1-5-18\..Trusted Domains: gabrobinsna.com ([]* in My Computer)
O15 - HKU\S-1-5-18\..Trusted Domains: genesyshcm.com ([]* in My Computer)
O15 - HKU\S-1-5-18\..Trusted Domains: learn.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: mygabr.com ([]* in My Computer)
O15 - HKU\S-1-5-18\..Trusted Domains: virtela.net ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: windowsupdate.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: adp.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: centra.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: Clientelligent.com ([]* in My Computer)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: dhl-usa.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: employeeedge.com ([]* in My Computer)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: eyeadvisor.com ([]* in My Computer)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: gabrobins.com ([]* in My Computer)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: gabrobinsna.com ([]* in My Computer)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: genesyshcm.com ([]* in My Computer)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: learn.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: mygabr.com ([]* in My Computer)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: virtela.net ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: windowsupdate.com ([]* in Trusted sites)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.micros...n/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.ma...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} https://gabrobins1.c...,2010,1215,1100 (F5 Networks VPN Manager)
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} http://www-307.ibm.c...pport/acpir.cab (IASRunner Class)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} http://uspsy16m.gabr...om/iNotes6W.cab (iNotes6 Class)
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} https://gabrobins1.c...,2010,1215,1053 (F5 Networks Dynamic Application Tunnel Control)
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} https://gabrobins1.c...,2010,0617,2017 (F5 Networks Auto Update)
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} file://C:/Program Files/F5 VPN/F5_TMP/f5InspectionHost.cab (F5 Networks Policy Agent Host Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1228492840640 (WUWebControl Class)
O16 - DPF: {68132570-CED6-11D5-91AE-000039F5040E} http://www.employeee...m/NAVUPDPRJ.CAB (NAVUPDPRJ.NAVUPDCTL)
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} https://gabrobins1.c...,2008,0404,2134 (F5 Networks Static Application Tunnel Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1228491044515 (MUWebControl Class)
O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} file://C:/Program Files/F5 VPN/F5_TMP/msrdp.cab (Microsoft RDP Client Control (redist))
O16 - DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} file://C:/Program Files/F5 VPN/F5_TMP/vdeskctrl.cab (F5 Virtual Sandbox Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://javadl-esd.su...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} http://h20264.www2.h...nosticsxp2k.cab (DDRevision Class)
O16 - DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} https://gabrobins1.c...1,2010,617,2010 (F5 Networks SuperHost Class)
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} https://gabrobins1.c...31,2010,902,806 (F5 Networks Host Control)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E66D35B8-E70D-42A6-B1F5-DB784CB92B15} file://C:/Program Files/F5 VPN/F5_TMP/urvncx.cab (URVNCX Class)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 97.64.209.36 97.64.168.13
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GABNA-AD.local
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - File not found
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\itlntfy: DllName - itlnfw32.dll - File not found
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\harrisap\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\harrisap\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/15 12:50:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/27 12:50:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2011/05/27 07:58:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\expense reprots
[2011/05/26 21:15:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2011/05/26 17:03:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2011/05/26 16:36:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Apple Computer
[2011/05/26 16:36:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Apple Computer
[2011/05/23 20:17:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Identities
[2011/05/23 20:17:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Identities
[2011/05/23 08:25:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Yahoo!
[2011/05/23 08:25:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\HPAppData
[2011/05/23 08:25:11 | 000,000,000 | ---D | C] -- C:\Program Files\Search Toolbar
[2011/05/22 10:30:32 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\harrisap\IECompatCache
[2011/05/22 10:20:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/05/22 10:20:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/05/22 10:00:28 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\OTL.exe
[2011/05/21 23:11:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Application Data\850C3386F25D49ABBA82710CF64570A3
[2011/05/17 23:25:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\Identities
[2011/05/15 13:46:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\etheridge
[2011/05/14 23:07:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\new bama losses
[2011/05/10 10:07:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Yahoo!
[2011/05/06 17:34:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\quake106
[22 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\harrisap\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\harrisap\Local Settings\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/27 19:02:39 | 000,000,322 | -HS- | M] () -- C:\WINDOWS\tasks\Ibkb.job
[2011/05/27 18:45:46 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/27 18:43:49 | 000,017,408 | ---- | M] () -- C:\WINDOWS\System32\rpcnetp.exe
[2011/05/27 18:43:47 | 000,057,752 | ---- | M] (Absolute Software Corp.) -- C:\WINDOWS\System32\rpcnet.dll
[2011/05/27 18:43:13 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/05/27 18:42:59 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/27 18:14:00 | 000,000,890 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/05/27 16:54:45 | 000,000,232 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\LinkUp USA (2).url
[2011/05/27 16:48:41 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/05/27 16:25:29 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/05/27 15:01:05 | 000,002,219 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\GAB SSL.lnk
[2011/05/26 16:41:41 | 000,047,249 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\GABR_New_logo.jpg
[2011/05/25 16:50:48 | 000,293,775 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\gmer.zip
[2011/05/24 02:07:01 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/05/22 10:00:30 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\OTL.exe
[2011/05/21 23:20:04 | 000,012,482 | -HS- | M] () -- C:\Documents and Settings\harrisap\Local Settings\Application Data\w70st7567b4372d
[2011/05/21 23:20:04 | 000,012,482 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\w70st7567b4372d
[2011/05/21 23:11:16 | 000,000,517 | ---- | M] () -- C:\WINDOWS\arazidijibazo.dll
[2011/05/18 21:22:26 | 000,000,864 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Xactimate 27.0 ML.lnk
[2011/05/17 10:07:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/05/09 13:16:36 | 000,000,804 | ---- | M] () -- C:\Documents and Settings\harrisap\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2011/05/02 16:45:17 | 000,137,448 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\us_mc1616_mail_yahoo_com_mc_showMessage_sMid=0&fid=Sent&.pdf
[2011/05/02 08:10:24 | 000,182,559 | ---- | M] () -- C:\Documents and Settings\harrisap\My Documents\dads poa.pdf
[2011/05/02 08:10:10 | 000,192,947 | ---- | M] () -- C:\Documents and Settings\harrisap\My Documents\moms poa.pdf
[2011/04/27 21:46:02 | 000,013,453 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\Assignment Guidelines for IA on NW claims[1].pdf
[22 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\harrisap\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\harrisap\Local Settings\Application Data\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/26 16:41:41 | 000,047,249 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\GABR_New_logo.jpg
[2011/05/25 16:50:45 | 000,293,775 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\gmer.zip
[2011/05/21 23:13:03 | 000,012,482 | -HS- | C] () -- C:\Documents and Settings\harrisap\Local Settings\Application Data\w70st7567b4372d
[2011/05/21 23:13:03 | 000,012,482 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\w70st7567b4372d
[2011/05/21 23:11:16 | 000,000,517 | ---- | C] () -- C:\WINDOWS\arazidijibazo.dll
[2011/05/21 23:10:37 | 000,000,322 | -HS- | C] () -- C:\WINDOWS\tasks\Ibkb.job
[2011/05/09 13:16:36 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\harrisap\Start Menu\Programs\Windows Media Player.lnk
[2011/05/02 16:43:14 | 000,137,448 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\us_mc1616_mail_yahoo_com_mc_showMessage_sMid=0&fid=Sent&.pdf
[2011/05/02 08:10:24 | 000,182,559 | ---- | C] () -- C:\Documents and Settings\harrisap\My Documents\dads poa.pdf
[2011/05/02 08:10:10 | 000,192,947 | ---- | C] () -- C:\Documents and Settings\harrisap\My Documents\moms poa.pdf
[2011/04/27 21:46:02 | 000,013,453 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\Assignment Guidelines for IA on NW claims[1].pdf
[2011/04/17 11:00:42 | 000,023,126 | ---- | C] () -- C:\WINDOWS\hpqins15.dat
[2011/04/15 08:29:31 | 000,174,256 | ---- | C] () -- C:\WINDOWS\hpoins43.dat
[2011/04/15 08:29:31 | 000,000,601 | ---- | C] () -- C:\WINDOWS\hpomdl43.dat
[2011/04/15 01:15:46 | 000,362,904 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/04/06 13:13:49 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/04/06 13:13:49 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/04/06 13:13:49 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/04/06 11:59:27 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/08/09 14:53:03 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Wbovete.dat
[2010/08/09 14:53:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Pjepezejohera.bin
[2010/07/28 14:49:21 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/07/28 14:49:21 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/06/27 15:10:20 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll.old
[2010/02/22 22:18:36 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2010/02/22 22:18:36 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2010/02/22 22:18:36 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\vidccleaner.exe
[2010/02/14 10:44:45 | 000,030,548 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/12/17 06:48:09 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\DM510.dll
[2009/12/12 16:29:07 | 000,005,120 | ---- | C] () -- C:\Documents and Settings\harrisap\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/30 22:46:45 | 000,012,800 | ---- | C] () -- C:\WINDOWS\System32\EKDeviceServices.dll
[2009/06/19 15:23:17 | 000,157,263 | ---- | C] () -- C:\WINDOWS\hphins25.dat
[2009/06/19 15:23:17 | 000,000,879 | ---- | C] () -- C:\WINDOWS\hphmdl25.dat
[2009/06/12 10:44:28 | 000,000,131 | ---- | C] () -- C:\Documents and Settings\harrisap\Local Settings\Application Data\fusioncache.dat
[2009/06/12 09:42:21 | 000,118,641 | ---- | C] () -- C:\WINDOWS\hpoins09.dat
[2009/05/27 22:04:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2009/05/14 11:42:44 | 000,172,033 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2009/05/14 11:41:33 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\Atibrtmon.exe
[2009/05/14 11:41:06 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
[2009/05/14 11:39:33 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
[2009/05/14 11:37:47 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativvaxx.dat
[2009/05/14 11:37:14 | 000,003,456 | ---- | C] () -- C:\WINDOWS\System32\drivers\atiide.sys
[2009/05/14 11:34:22 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ibmpmsvc.exe
[2009/05/14 11:34:22 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\tpinspm.dll
[2008/03/18 11:58:05 | 000,000,058 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2007/12/26 12:18:32 | 000,000,455 | ---- | C] () -- C:\WINDOWS\SMSCFG.ini
[2007/11/28 15:39:06 | 000,000,029 | ---- | C] () -- C:\WINDOWS\vdialer.INI
[2007/11/28 12:12:51 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2007/11/16 15:25:33 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2007/11/16 15:23:19 | 000,003,981 | ---- | C] () -- C:\WINDOWS\RDSWIN.INI
[2007/11/16 12:47:22 | 000,000,033 | ---- | C] () -- C:\WINDOWS\WDTCPCON.INI
[2007/11/16 12:32:18 | 000,003,635 | ---- | C] () -- C:\WINDOWS\~WDINS.INI
[2007/11/16 10:06:19 | 000,000,555 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/11/15 15:55:40 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2007/11/15 12:58:54 | 000,017,408 | ---- | C] () -- C:\WINDOWS\System32\rpcnetp.dll
[2007/11/15 12:47:12 | 000,023,444 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2007/11/15 06:12:58 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2007/11/15 06:11:50 | 000,152,384 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2007/11/15 06:11:46 | 000,017,408 | ---- | C] () -- C:\WINDOWS\System32\rpcnetp.exe
[2006/03/09 13:28:40 | 000,011,645 | ---- | C] () -- C:\WINDOWS\hpomdl09.dat
[2006/01/26 16:42:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/03 20:07:22 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/02 09:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2003/06/17 01:53:02 | 000,000,702 | ---- | C] () -- C:\WINDOWS\Cm3.ini
[2001/08/23 12:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 12:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 11:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 11:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 11:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 11:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 11:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 08:00:00 | 000,491,116 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 08:00:00 | 000,090,342 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2001/07/07 03:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[1999/07/30 09:24:34 | 000,000,218 | ---- | C] () -- C:\WINDOWS\oraodbc.ini

========== LOP Check ==========

[2008/03/18 12:08:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Leadertech
[2009/08/30 22:47:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Eastman Kodak Company
[2009/09/01 20:02:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\kds_kodak
[2009/09/10 22:38:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2009/09/10 22:35:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2008/03/18 11:22:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC-Doctor
[2011/04/15 16:11:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCDr
[2010/04/24 17:45:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TomTom
[2011/04/14 23:11:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Xactware
[2010/07/11 09:00:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/02/14 10:18:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2008/12/02 12:08:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\F5 Networks
[2008/03/18 12:00:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Leadertech
[2008/03/18 12:00:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\GABguest\Application Data\Leadertech
[2008/12/02 12:08:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\GABuser\Application Data\F5 Networks
[2008/03/18 12:00:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\GABuser\Application Data\Leadertech
[2011/05/21 23:11:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\850C3386F25D49ABBA82710CF64570A3
[2008/12/02 12:08:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\F5 Networks
[2008/03/18 12:00:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\Leadertech
[2009/12/17 06:48:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\LinkManager 4.0
[2010/05/06 09:58:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\RecoveryFix for Windows
[2010/04/24 17:44:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\TomTom
[2008/12/02 12:08:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\smithd\Application Data\F5 Networks
[2008/03/18 12:00:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\smithd\Application Data\Leadertech
[2011/05/27 19:02:39 | 000,000,322 | -HS- | M] () -- C:\WINDOWS\Tasks\Ibkb.job
[2011/05/24 02:07:01 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2009/07/10 07:00:36 | 000,000,436 | ---- | M] () -- C:\WINDOWS\Tasks\PCDoctorBackgroundMonitorTask.job

========== Purity Check ==========



< End of report >
  • 0

#5
ph1290

ph1290

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
Here is the GMER log

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-27 20:26:22
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort2 HITACHI_HTS543216L9SA00 rev.FB2ZC48C
Running: gmer.exe; Driver: C:\DOCUME~1\harrisap\LOCALS~1\Temp\kxldapog.sys


---- System - GMER 1.0.15 ----

SSDT 8AA1F738 ZwAlertResumeThread
SSDT 8A9FA8C8 ZwAlertThread
SSDT 8AA04DB8 ZwAllocateVirtualMemory
SSDT 8AB7C818 ZwConnectPort
SSDT 8AA1ABA8 ZwCreateMutant
SSDT 8ABDD990 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA1FDB350]
SSDT 8ABDD958 ZwFreeVirtualMemory
SSDT 8AA18218 ZwImpersonateAnonymousToken
SSDT 8A9F4BA8 ZwImpersonateThread
SSDT 8AA1BE80 ZwMapViewOfSection
SSDT 8AA1B578 ZwOpenEvent
SSDT 86C042B8 ZwOpenProcessToken
SSDT 8AA04D80 ZwOpenThreadToken
SSDT 8AA125D8 ZwQueryValueKey
SSDT 8AA0DEA0 ZwResumeThread
SSDT 8AA0B428 ZwSetContextThread
SSDT 8AA09D80 ZwSetInformationProcess
SSDT 8AA14D80 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA1FDB580]
SSDT 8AA0DA10 ZwSuspendProcess
SSDT 8AA1A738 ZwSuspendThread
SSDT 8AD7DE58 ZwTerminateProcess
SSDT 8AA111E8 ZwTerminateThread
SSDT 8A9FDD80 ZwUnmapViewOfSection
SSDT 8AA14DB8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? kaqeb.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB4226000, 0x199B48, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[2024] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 008A000A
.text C:\WINDOWS\System32\svchost.exe[2024] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 008B000A
.text C:\WINDOWS\System32\svchost.exe[2024] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 008C000A
.text C:\WINDOWS\System32\svchost.exe[2024] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00FE000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8ACE653B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8ACE653B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8ACE653B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8ACE653B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP2T0L0-12 8ACE653B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP3T0L0-7 8ACE653B

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:112] B9E72730

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet001\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet001\Services\[email protected] file system
Reg HKLM\SYSTEM\ControlSet001\Services\ESQULserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\ESQULserv.sys\[email protected]
Reg HKLM\SYSTEM\ControlSet001\Services\ESQULserv.sys\[email protected]
Reg HKLM\SYSTEM\ControlSet001\Services\ESQULserv.sys\[email protected]
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] file system
Reg HKLM\SYSTEM\ControlSet003\Services\ESQULserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\ESQULserv.sys\[email protected]
Reg HKLM\SYSTEM\ControlSet003\Services\ESQULserv.sys\[email protected]
Reg HKLM\SYSTEM\ControlSet003\Services\ESQULserv.sys\[email protected]

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 [email protected] code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt 103 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0IFY6WAY\iframe3[1].htm 1139 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0IFY6WAY\like[2].php 7428 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0IFY6WAY\bannerad_dc[2].aspx 1078 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\RSQV24US\ywa[1].js 22336 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\RSQV24US\tbp6130242_v0_l[1].jpg 1241 bytes

---- EOF - GMER 1.0.15 ----
  • 0

#6
ph1290

ph1290

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
As an FYI, I have removed viruses on an almost daily basis with MBAM. I have those logs if you need them. My ability to access my wireless internet is being compromised. My went out for a couple of days. I also noted whn I clickedon computer that I have a "detached Z drive" that I have never noticed before.

Finally, I had a popup come up asking for far too many details including credit card #'s, ssn, dob, etc. to verify who i was when I tried to log onto my bank website. I have changed my password from my wife' computer and don't plan to go back there until things clear up
  • 0

#7
Homburg

Homburg

    Trusted Helper

  • Malware Removal
  • 665 posts
Hi ph1290,

We'll use OTL to remove some nasties and and TDSSkiller to sort out your bootkit.

Please do the following:

========
Step 1
========

Run OTLPosted Image
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
    O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
    O20 - Winlogon\Notify\itlntfy: DllName - itlnfw32.dll - File not found
    [2011/05/27 19:02:39 | 000,000,322 | -HS- | M] () -- C:\WINDOWS\tasks\Ibkb.job
    [2011/05/21 23:20:04 | 000,012,482 | -HS- | M] () -- C:\Documents and Settings\harrisap\Local Settings\Application Data\w70st7567b4372d
    [2011/05/21 23:20:04 | 000,012,482 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\w70st7567b4372d
    [2011/05/21 23:11:16 | 000,000,517 | ---- | M] () -- C:\WINDOWS\arazidijibazo.dll
    
    :Services
    
    :Reg
    
    :Files
    C:\Documents and Settings\All Users\Application Data\w70st7567b4372d
    C:\Documents and Settings\harrisap\Local Settings\Application Data\w70st7567b4372d
    ipconfig /flushdns /c
    
    :Commands
    [purity]
    [emptytemp]
    [resethosts]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done, post the fix log
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

========
Step 2
========

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.


    Posted Image

  • If an infected file is detected, the default action will be Cure, click on Continue.


    Posted Image

  • If a suspicious file is detected, the default action will be Skip, click on Continue.


    Posted Image

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


    Posted Image

  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

========
Step 3
========


Start Posted Image MalwareBytes
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediantly.

========
Step 4
========

Please remember to post:
OTL fix log
New OTL quick scan log
TDSS report
MalwareBytes scan log
Any remaining problems that you're experiencing

Homburg
  • 0

#8
ph1290

ph1290

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
Since my last post, I got various warning messages about problems with my hard drive, then it rebooted. Comes back up to a black desktop, no icons, the start menu program file shows no programs, Windows XP recovery comes up and warns of dire problems. Tried safe mode, but can't pull up any programs as the programs folder appears as if's empty. Suggestions on how to run the scans. Download the programs onto a flashdrive?
  • 0

#9
ph1290

ph1290

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
Okay, I was able to do some of what you wanted.

I downloaded OTL, TDSS Killer, and Malware Bytes to an external drive;

I then logged into safe mode and I ran the OTL fix and it seemed to work fine, noting it needed to reboot; I let it reboot to a normal boot rather than safe mode and it put up the OTL.txt file, but when I tried to copy it back over to my external drive, but I think it got wiped out when Windows XP Recovery popped up.

I then tried to run TDSS Killer. All of a sudden, I can't see anything in my external drive. I was able to find it on a search and extracted it to my desktop and ran it. I was able to cure a tdl4 or tld4 something. saved the log file to my external drive, and now can't find it even by search. I can check on properties and see that 62 GB of info is on there, but I can't seem to link to the file.

Finally I ran MalWareBytes. When I downloaded on my external drive, I the virus definition file was 159 days or so old and I updated it successfully. However, when I ran it from my external drive it once again noted that it was 159 days old and then would not update it. It did find one file and that for some reason is the only file I can see on my external drive. Here it is....

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5363

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

5/28/2011 10:35:50 PM
mbam-log-2011-05-28 (22-35-50).txt

Scan type: Quick scan
Objects scanned: 189066
Time elapsed: 3 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#10
Homburg

Homburg

    Trusted Helper

  • Malware Removal
  • 665 posts
Please download this file here to a USB thumb drive or a CD and run it on the infected PC

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.



Can you now see your desktop?

We need another OTL scan to see what's going on. If you still have OTL on your desktop, please start it and press Quick Scan, post the log it produces.

If you are unable to see it try to download it to a USB thumb drive and run it from there...

Download OTL to your USB thumb drive
  • Double click on the icon to run it. Press Quick Scan,post the log it produces.

  • 0

Advertisements


#11
ph1290

ph1290

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
unhide unhid my icons

I did note while checking my program files that Windows Recovery XP which is the pop up giving out all the dire warnings has added itself as of yesterday to my list of programs.


Ran OTL here is the log

OTL logfile created on: 5/29/2011 10:41:19 PM - Run 5
OTL by OldTimer - Version 3.2.23.0 Folder = E:\
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.98 Gb Total Physical Memory | 2.62 Gb Available Physical Memory | 88.04% Memory free
4.82 Gb Paging File | 4.73 Gb Available in Paging File | 98.10% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 94.03 Gb Free Space | 63.09% Space Free | Partition Type: NTFS
Drive E: | 232.88 Gb Total Space | 168.57 Gb Free Space | 72.39% Space Free | Partition Type: NTFS

Computer Name: 7-51896 | User Name: harrisap | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/28 21:25:34 | 000,580,096 | ---- | M] (OldTimer Tools) -- E:\OTL.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/05/28 21:25:34 | 000,580,096 | ---- | M] (OldTimer Tools) -- E:\OTL.exe
MOD - [2008/04/14 05:42:52 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (ThreatFire)
SRV - File not found [Auto | Stopped] -- -- (itlperf)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [Auto | Stopped] -- -- (6to4)
SRV - [2011/05/28 10:35:11 | 000,017,408 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\rpcnetp.exe -- (rpcnetp)
SRV - [2011/05/28 10:34:27 | 000,058,288 | ---- | M] (Absolute Software Corp.) [Auto | Stopped] -- C:\WINDOWS\system32\rpcnet.exe -- (rpcnet) Remote Procedure Call (RPC)
SRV - [2009/05/04 12:15:26 | 000,279,960 | ---- | M] (Eastman Kodak Company) [Auto | Stopped] -- C:\Program Files\Kodak\AiO\Center\EKDiscovery.exe -- (Kodak AiO Network Discovery Service)
SRV - [2009/04/17 12:08:26 | 000,032,768 | ---- | M] (Eastman Kodak Company) [Auto | Stopped] -- C:\Program Files\Kodak\AiO\center\KodakSvc.exe -- (KodakSvc)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Stopped] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/10/20 11:36:40 | 000,028,672 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files\Lenovo\System Update\SUService.exe -- (SUService)
SRV - [2008/06/04 09:51:06 | 000,262,784 | ---- | M] (F5 Networks) [Auto | Stopped] -- C:\WINDOWS\system32\F5InstallerService.exe -- (F5 Networks Component Installer)
SRV - [2007/12/21 14:30:40 | 000,131,072 | ---- | M] (Visioneer Inc.) [Auto | Stopped] -- C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe -- (OneTouch 4.0 Monitor)
SRV - [2007/10/07 21:48:36 | 000,116,664 | ---- | M] (symantec) [Auto | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2007/10/07 21:48:32 | 001,822,648 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2007/10/07 21:48:24 | 000,031,160 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2007/09/26 18:34:46 | 000,644,408 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe -- (ThinkVantage Registry Monitor Service)
SRV - [2007/08/28 20:04:25 | 002,999,664 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate)
SRV - [2007/08/27 18:14:00 | 000,214,408 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2007/07/26 20:25:20 | 001,181,016 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2007/05/29 17:33:36 | 000,169,576 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2007/05/29 17:33:26 | 000,192,104 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2005/12/01 08:35:58 | 000,057,393 | ---- | M] (IBM Corp) [Auto | Stopped] -- C:\Notes\ntmulti.exe -- (Multi-user Cleanup Service)
SRV - [2004/08/04 04:05:00 | 000,570,368 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)
SRV - [2000/10/19 12:55:50 | 000,411,244 | ---- | M] () [On_Demand | Stopped] -- C:\oracle\ora81\bin\ONRSD.EXE -- (OracleOraHome81ClientCache)


========== Driver Services (SafeList) ==========

DRV - [2011/05/18 04:00:00 | 001,542,392 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110525.002\navex15.sys -- (NAVEX15)
DRV - [2011/05/18 04:00:00 | 000,086,008 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110525.002\naveng.sys -- (NAVENG)
DRV - [2011/05/10 04:00:00 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2011/05/10 04:00:00 | 000,105,592 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/07/07 16:39:50 | 000,003,456 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\atiide.sys -- (atiide)
DRV - [2009/10/09 23:15:18 | 000,033,920 | ---- | M] (F5 Networks, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\covpndrv.sys -- (urvpndrv)
DRV - [2009/10/09 23:15:13 | 000,010,752 | ---- | M] (F5 Networks) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\urfltw2k.sys -- (f5ipfw)
DRV - [2009/05/14 11:43:09 | 000,985,472 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2009/05/14 11:43:09 | 000,764,416 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CHDAU32.sys -- (CnxtHdAudService)
DRV - [2009/05/14 11:43:09 | 000,210,560 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2009/05/14 11:43:09 | 000,013,824 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tpm.sys -- (tpm)
DRV - [2009/05/14 11:43:08 | 000,731,264 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2009/05/14 11:42:46 | 000,040,832 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel®
DRV - [2009/05/14 11:42:43 | 003,103,232 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2009/05/14 11:41:43 | 003,630,080 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel®
DRV - [2009/05/14 11:41:40 | 000,243,856 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\e1y5132.sys -- (e1yexpress) Intel®
DRV - [2009/05/14 11:41:37 | 000,047,272 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2009/05/14 11:41:36 | 000,475,520 | ---- | M] (AuthenTec, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ATSwpWDF.sys -- (ATSwpWDF)
DRV - [2009/03/20 20:03:36 | 000,032,408 | ---- | M] (Smith Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Verizon Wireless\VZAccess Manager\SMSIVZAM5.sys -- (SMSIVZAM5)
DRV - [2008/07/07 13:23:56 | 000,020,480 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NwUsbCdFil.sys -- (NWUSBCDFIL)
DRV - [2008/06/02 17:28:50 | 000,222,720 | ---- | M] (Novatel Wireless Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NWADIenum.sys -- (NWADI)
DRV - [2008/05/09 12:08:40 | 000,174,336 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwusbser2.sys -- (NWUSBPort2)
DRV - [2008/05/09 12:08:40 | 000,174,336 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwusbser.sys -- (NWUSBPort)
DRV - [2008/05/09 12:08:40 | 000,174,336 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwusbmdm.sys -- (NWUSBModem)
DRV - [2007/12/26 10:49:59 | 000,110,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2007/08/27 18:13:36 | 000,189,320 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2007/08/27 18:13:32 | 000,023,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2007/07/26 20:25:18 | 000,400,216 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2007/02/19 01:56:46 | 000,021,376 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)
DRV - [2006/09/06 15:41:20 | 000,337,592 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2006/09/06 15:41:20 | 000,054,968 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2004/06/27 03:50:00 | 000,013,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CCM\PrepDrv.sys -- (prepdrvr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/...UGO&form=ZGAPHP
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/...UGO&form=ZGAPHP
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
IE - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
IE - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: [email protected]:1.7
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.2

FF - HKLM\software\mozilla\Firefox\Extensions\\{08B8D53F-FB61-4EC8-8614-ECA2133A48D4}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{08B8D53F-FB61-4EC8-8614-ECA2133A48D4}\ [2010/07/02 12:22:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{7F407392-4F54-4B22-B018-7C448707CE31}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{7F407392-4F54-4B22-B018-7C448707CE31}\ [2010/07/02 13:46:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{A4423967-0FE1-45A0-A02F-24676A38EC26}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{A4423967-0FE1-45A0-A02F-24676A38EC26}\ [2010/07/02 14:36:53 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{656599F9-402B-4ABD-B3DD-B465296C0D22}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{656599F9-402B-4ABD-B3DD-B465296C0D22}\ [2010/07/02 14:39:12 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2DE55286-1FBD-4B5E-A2FD-A80A0E7026AF}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{2DE55286-1FBD-4B5E-A2FD-A80A0E7026AF}\ [2010/07/03 08:50:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{9DA59007-FBFE-4153-8AF3-F9C396AC0403}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{9DA59007-FBFE-4153-8AF3-F9C396AC0403}\ [2010/07/03 09:01:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{A19F0325-B322-4DC2-97B2-521B259F25C5}: C:\Documents and Settings\Administrator\Local Settings\Application Data\{A19F0325-B322-4DC2-97B2-521B259F25C5}\ [2010/07/03 12:02:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{1A8548C6-50F1-463B-9802-225F5F94F67F}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{1A8548C6-50F1-463B-9802-225F5F94F67F}\ [2010/07/03 13:29:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{BBD154CF-3450-438A-A1ED-432C3082042C}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{BBD154CF-3450-438A-A1ED-432C3082042C}\ [2010/07/06 16:32:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{CCCB28FC-4068-4917-96E5-3983EF42704B}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{CCCB28FC-4068-4917-96E5-3983EF42704B}\ [2010/07/07 07:39:00 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{6512AF10-2BD9-4242-83CE-3086EA813335}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{6512AF10-2BD9-4242-83CE-3086EA813335}\ [2010/07/07 07:44:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{95ADF2BD-4B22-46D3-AFE6-4E78ABE2E962}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{95ADF2BD-4B22-46D3-AFE6-4E78ABE2E962}\ [2010/07/07 07:46:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{4B5AF1D8-7AA8-4B62-B2F7-6F370DD89CAB}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{4B5AF1D8-7AA8-4B62-B2F7-6F370DD89CAB}\ [2010/07/07 09:42:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{DE5B9F1B-D5DE-4F59-9D5B-E2CAA777EF01}: C:\Documents and Settings\Administrator\Local Settings\Application Data\{DE5B9F1B-D5DE-4F59-9D5B-E2CAA777EF01}\ [2010/07/07 09:43:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{0A61CEF3-C718-4B50-889F-5D23F129ACCB}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{0A61CEF3-C718-4B50-889F-5D23F129ACCB}\ [2010/07/07 09:47:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{8D783363-3AE6-4CDD-B954-3B2301C786C7}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{8D783363-3AE6-4CDD-B954-3B2301C786C7}\ [2010/07/07 09:53:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{588A3060-1F7E-4B99-88A4-3A1C6BA0322E}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{588A3060-1F7E-4B99-88A4-3A1C6BA0322E}\ [2010/07/07 11:27:14 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3437F035-FDD2-4241-9294-7F0F1BB28DAB}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{3437F035-FDD2-4241-9294-7F0F1BB28DAB}\ [2010/07/07 11:36:41 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{F815F000-7EE3-4952-B739-09F30DAB8CE3}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{F815F000-7EE3-4952-B739-09F30DAB8CE3}\ [2010/07/07 12:15:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{AE76301C-C986-4B42-8668-AC7A26389266}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{AE76301C-C986-4B42-8668-AC7A26389266}\ [2010/07/07 12:24:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{B4379ACC-5F74-456A-A7EE-ECB02CBD8B7D}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{B4379ACC-5F74-456A-A7EE-ECB02CBD8B7D}\ [2010/07/07 15:27:31 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{186FE95C-BF73-4B29-8447-ED6E2D4837EF}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{186FE95C-BF73-4B29-8447-ED6E2D4837EF}\ [2010/07/07 16:46:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/04/17 11:02:36 | 000,000,000 | ---D | M]

[2010/04/24 17:44:53 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\harrisap\Application Data\Mozilla\Extensions
[2010/04/24 17:44:53 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\harrisap\Application Data\Mozilla\Extensions\[email protected]
File not found (No name found) -- C:\PROGRAM FILES\TOMTOM HOME 2\XUL\EXTENSIONS\[email protected]

O1 HOSTS File: ([2011/05/28 21:53:55 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Yahooo Search Protection) - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - C:\Program Files\Yahoo!\Search Protection\ysp.dll (Yahoo! Inc.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] E:\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014..\Run: [HeypPtdMGKlWj] C:\Documents and Settings\All Users\Application Data\HeypPtdMGKlWj.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\YspService.exe (Yahoo! Inc.)
O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMBalloonTip = 1
O7 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\.DEFAULT\..Trusted Domains: adp.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: centra.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: Clientelligent.com ([]* in My Computer)
O15 - HKU\.DEFAULT\..Trusted Domains: dhl-usa.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: employeeedge.com ([]* in My Computer)
O15 - HKU\.DEFAULT\..Trusted Domains: eyeadvisor.com ([]* in My Computer)
O15 - HKU\.DEFAULT\..Trusted Domains: gabrobins.com ([]* in My Computer)
O15 - HKU\.DEFAULT\..Trusted Domains: gabrobinsna.com ([]* in My Computer)
O15 - HKU\.DEFAULT\..Trusted Domains: genesyshcm.com ([]* in My Computer)
O15 - HKU\.DEFAULT\..Trusted Domains: learn.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: mygabr.com ([]* in My Computer)
O15 - HKU\.DEFAULT\..Trusted Domains: virtela.net ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: windowsupdate.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: adp.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: centra.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: Clientelligent.com ([]* in My Computer)
O15 - HKU\S-1-5-18\..Trusted Domains: dhl-usa.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: employeeedge.com ([]* in My Computer)
O15 - HKU\S-1-5-18\..Trusted Domains: eyeadvisor.com ([]* in My Computer)
O15 - HKU\S-1-5-18\..Trusted Domains: gabrobins.com ([]* in My Computer)
O15 - HKU\S-1-5-18\..Trusted Domains: gabrobinsna.com ([]* in My Computer)
O15 - HKU\S-1-5-18\..Trusted Domains: genesyshcm.com ([]* in My Computer)
O15 - HKU\S-1-5-18\..Trusted Domains: learn.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: mygabr.com ([]* in My Computer)
O15 - HKU\S-1-5-18\..Trusted Domains: virtela.net ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: windowsupdate.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: adp.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: centra.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: Clientelligent.com ([]* in My Computer)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: dhl-usa.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: employeeedge.com ([]* in My Computer)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: eyeadvisor.com ([]* in My Computer)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: gabrobins.com ([]* in My Computer)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: gabrobinsna.com ([]* in My Computer)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: genesyshcm.com ([]* in My Computer)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: learn.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: mygabr.com ([]* in My Computer)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: virtela.net ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: windowsupdate.com ([]* in Trusted sites)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.micros...n/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.ma...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} https://gabrobins1.c...,2010,1215,1100 (F5 Networks VPN Manager)
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} http://www-307.ibm.c...pport/acpir.cab (IASRunner Class)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} http://uspsy16m.gabr...om/iNotes6W.cab (iNotes6 Class)
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} https://gabrobins1.c...,2010,1215,1053 (F5 Networks Dynamic Application Tunnel Control)
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} https://gabrobins1.c...,2010,0617,2017 (F5 Networks Auto Update)
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} file://C:/Program Files/F5 VPN/F5_TMP/f5InspectionHost.cab (F5 Networks Policy Agent Host Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1228492840640 (WUWebControl Class)
O16 - DPF: {68132570-CED6-11D5-91AE-000039F5040E} http://www.employeee...m/NAVUPDPRJ.CAB (NAVUPDPRJ.NAVUPDCTL)
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} https://gabrobins1.c...,2008,0404,2134 (F5 Networks Static Application Tunnel Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1228491044515 (MUWebControl Class)
O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} file://C:/Program Files/F5 VPN/F5_TMP/msrdp.cab (Microsoft RDP Client Control (redist))
O16 - DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} file://C:/Program Files/F5 VPN/F5_TMP/vdeskctrl.cab (F5 Virtual Sandbox Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://javadl-esd.su...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} http://h20264.www2.h...nosticsxp2k.cab (DDRevision Class)
O16 - DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} https://gabrobins1.c...1,2010,617,2010 (F5 Networks SuperHost Class)
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} https://gabrobins1.c...31,2010,902,806 (F5 Networks Host Control)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E66D35B8-E70D-42A6-B1F5-DB784CB92B15} file://C:/Program Files/F5 VPN/F5_TMP/urvncx.cab (URVNCX Class)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 97.64.209.36 97.64.168.13
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GABNA-AD.local
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - File not found
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\harrisap\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\harrisap\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/15 12:50:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/08/12 22:42:48 | 000,000,062 | ---- | M] () - E:\Autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "C:\Documents and Settings\LocalService\Local Settings\Application Data\mwp.exe" -a "%1" %*
O35 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "C:\Documents and Settings\LocalService\Local Settings\Application Data\mwp.exe" -a "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Documents and Settings\LocalService\Local Settings\Application Data\mwp.exe" -a "%1" %*
O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "C:\Documents and Settings\LocalService\Local Settings\Application Data\mwp.exe" -a "%1" %*
O37 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/28 22:20:25 | 000,000,000 | R--D | C] -- C:\Documents and Settings\harrisap\Recent
[2011/05/28 22:12:34 | 000,000,000 | ---D | C] -- C:\tdsskiller
[2011/05/28 09:49:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Start Menu\Programs\Windows XP Recovery
[2011/05/28 09:48:57 | 000,340,480 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\21487396.exe
[2011/05/28 09:35:32 | 000,432,128 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\HeypPtdMGKlWj.exe
[2011/05/27 12:50:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2011/05/27 07:58:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\expense reprots
[2011/05/26 21:15:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2011/05/26 17:03:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2011/05/26 16:36:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Apple Computer
[2011/05/26 16:36:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Apple Computer
[2011/05/23 20:17:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Identities
[2011/05/23 20:17:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Identities
[2011/05/23 08:25:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Yahoo!
[2011/05/23 08:25:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\HPAppData
[2011/05/23 08:25:11 | 000,000,000 | ---D | C] -- C:\Program Files\Search Toolbar
[2011/05/22 10:30:32 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\harrisap\IECompatCache
[2011/05/22 10:20:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/05/22 10:20:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/05/22 10:00:28 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\OTL.exe
[2011/05/21 23:11:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Application Data\850C3386F25D49ABBA82710CF64570A3
[2011/05/17 23:25:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\Identities
[2011/05/15 13:46:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\etheridge
[2011/05/14 23:07:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\new bama losses
[2011/05/10 10:07:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Yahoo!
[2011/05/06 17:34:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\quake106
[1 C:\Documents and Settings\harrisap\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\harrisap\Local Settings\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/29 22:11:59 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/29 22:11:18 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/28 22:39:01 | 000,017,408 | ---- | M] () -- C:\WINDOWS\System32\rpcnetp.dll
[2011/05/28 22:20:10 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/05/28 21:53:55 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/05/28 16:45:07 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/05/28 10:47:47 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/05/28 10:35:11 | 000,017,408 | ---- | M] () -- C:\WINDOWS\System32\rpcnetp.exe
[2011/05/28 10:35:08 | 000,058,288 | ---- | M] (Absolute Software Corp.) -- C:\WINDOWS\System32\rpcnet.dll
[2011/05/28 10:34:33 | 000,013,160 | ---- | M] (Absolute Software Corp.) -- C:\WINDOWS\System32\Upgrd.exe
[2011/05/28 10:34:27 | 000,058,288 | ---- | M] (Absolute Software Corp.) -- C:\WINDOWS\System32\rpcnet.exe
[2011/05/28 10:15:15 | 000,000,890 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/05/28 09:49:08 | 000,000,136 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~21487396r
[2011/05/28 09:49:08 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~21487396
[2011/05/28 09:49:06 | 000,000,819 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\Windows XP Recovery.lnk
[2011/05/28 09:49:00 | 000,000,336 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\21487396
[2011/05/27 21:43:06 | 000,012,178 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\s7846w86gi86yo4j3444wfp8hl
[2011/05/27 16:54:45 | 000,000,232 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\LinkUp USA (2).url
[2011/05/27 15:01:05 | 000,002,219 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\GAB SSL.lnk
[2011/05/26 16:41:41 | 000,047,249 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\GABR_New_logo.jpg
[2011/05/25 16:50:48 | 000,293,775 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\gmer.zip
[2011/05/24 02:07:01 | 000,000,330 | ---- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/05/22 10:00:30 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\OTL.exe
[2011/05/17 10:07:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/05/02 16:45:17 | 000,137,448 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\us_mc1616_mail_yahoo_com_mc_showMessage_sMid=0&fid=Sent&.pdf
[2011/05/02 08:10:24 | 000,182,559 | ---- | M] () -- C:\Documents and Settings\harrisap\My Documents\dads poa.pdf
[2011/05/02 08:10:10 | 000,192,947 | ---- | M] () -- C:\Documents and Settings\harrisap\My Documents\moms poa.pdf
[1 C:\Documents and Settings\harrisap\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\harrisap\Local Settings\Application Data\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/29 22:22:31 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/05/28 09:49:08 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~21487396r
[2011/05/28 09:49:08 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~21487396
[2011/05/28 09:49:06 | 000,000,819 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\Windows XP Recovery.lnk
[2011/05/28 09:49:00 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\21487396
[2011/05/27 21:36:08 | 000,012,178 | -HS- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\s7846w86gi86yo4j3444wfp8hl
[2011/05/27 21:36:08 | 000,012,178 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\s7846w86gi86yo4j3444wfp8hl
[2011/05/26 16:41:41 | 000,047,249 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\GABR_New_logo.jpg
[2011/05/25 16:50:45 | 000,293,775 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\gmer.zip
[2011/05/09 13:16:36 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\harrisap\Start Menu\Programs\Windows Media Player.lnk
[2011/05/02 16:43:14 | 000,137,448 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\us_mc1616_mail_yahoo_com_mc_showMessage_sMid=0&fid=Sent&.pdf
[2011/05/02 08:10:24 | 000,182,559 | ---- | C] () -- C:\Documents and Settings\harrisap\My Documents\dads poa.pdf
[2011/05/02 08:10:10 | 000,192,947 | ---- | C] () -- C:\Documents and Settings\harrisap\My Documents\moms poa.pdf
[2011/04/17 11:00:42 | 000,023,126 | ---- | C] () -- C:\WINDOWS\hpqins15.dat
[2011/04/15 08:29:31 | 000,174,256 | ---- | C] () -- C:\WINDOWS\hpoins43.dat
[2011/04/15 08:29:31 | 000,000,601 | ---- | C] () -- C:\WINDOWS\hpomdl43.dat
[2011/04/15 01:15:46 | 000,362,904 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/04/06 13:13:49 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/04/06 13:13:49 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/04/06 13:13:49 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/04/06 11:59:27 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/08/09 14:53:03 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Wbovete.dat
[2010/08/09 14:53:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Pjepezejohera.bin
[2010/07/28 14:49:21 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/07/28 14:49:21 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/06/27 15:10:20 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll.old
[2010/02/22 22:18:36 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2010/02/22 22:18:36 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2010/02/22 22:18:36 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\vidccleaner.exe
[2010/02/14 10:44:45 | 000,030,548 | ---- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/12/17 06:48:09 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\DM510.dll
[2009/12/12 16:29:07 | 000,005,120 | ---- | C] () -- C:\Documents and Settings\harrisap\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/30 22:46:45 | 000,012,800 | ---- | C] () -- C:\WINDOWS\System32\EKDeviceServices.dll
[2009/06/19 15:23:17 | 000,157,263 | ---- | C] () -- C:\WINDOWS\hphins25.dat
[2009/06/19 15:23:17 | 000,000,879 | ---- | C] () -- C:\WINDOWS\hphmdl25.dat
[2009/06/12 10:44:28 | 000,000,131 | ---- | C] () -- C:\Documents and Settings\harrisap\Local Settings\Application Data\fusioncache.dat
[2009/06/12 09:42:21 | 000,118,641 | ---- | C] () -- C:\WINDOWS\hpoins09.dat
[2009/05/27 22:04:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2009/05/14 11:42:44 | 000,172,033 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2009/05/14 11:41:33 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\Atibrtmon.exe
[2009/05/14 11:41:06 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
[2009/05/14 11:39:33 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
[2009/05/14 11:37:47 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativvaxx.dat
[2009/05/14 11:37:14 | 000,003,456 | ---- | C] () -- C:\WINDOWS\System32\drivers\atiide.sys
[2009/05/14 11:34:22 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ibmpmsvc.exe
[2009/05/14 11:34:22 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\tpinspm.dll
[2008/03/18 11:58:05 | 000,000,058 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2007/12/26 12:18:32 | 000,000,455 | ---- | C] () -- C:\WINDOWS\SMSCFG.ini
[2007/11/28 15:39:06 | 000,000,029 | ---- | C] () -- C:\WINDOWS\vdialer.INI
[2007/11/28 12:12:51 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2007/11/16 15:25:33 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2007/11/16 15:23:19 | 000,003,981 | ---- | C] () -- C:\WINDOWS\RDSWIN.INI
[2007/11/16 12:47:22 | 000,000,033 | ---- | C] () -- C:\WINDOWS\WDTCPCON.INI
[2007/11/16 12:32:18 | 000,003,635 | ---- | C] () -- C:\WINDOWS\~WDINS.INI
[2007/11/16 10:06:19 | 000,000,555 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/11/15 15:55:40 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2007/11/15 12:58:54 | 000,017,408 | ---- | C] () -- C:\WINDOWS\System32\rpcnetp.dll
[2007/11/15 12:47:12 | 000,023,444 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2007/11/15 06:12:58 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2007/11/15 06:11:50 | 000,152,384 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2007/11/15 06:11:46 | 000,017,408 | ---- | C] () -- C:\WINDOWS\System32\rpcnetp.exe
[2006/03/09 13:28:40 | 000,011,645 | ---- | C] () -- C:\WINDOWS\hpomdl09.dat
[2006/01/26 16:42:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/03 20:07:22 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/02 09:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2003/06/17 01:53:02 | 000,000,702 | ---- | C] () -- C:\WINDOWS\Cm3.ini
[2001/08/23 12:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 12:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 11:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 11:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 11:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 11:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 11:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 08:00:00 | 000,491,116 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 08:00:00 | 000,090,342 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2001/07/07 03:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[1999/07/30 09:24:34 | 000,000,218 | ---- | C] () -- C:\WINDOWS\oraodbc.ini

========== LOP Check ==========

[2008/03/18 12:08:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Leadertech
[2009/08/30 22:47:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Eastman Kodak Company
[2009/09/01 20:02:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\kds_kodak
[2009/09/10 22:38:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2009/09/10 22:35:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2008/03/18 11:22:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC-Doctor
[2011/04/15 16:11:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCDr
[2010/04/24 17:45:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TomTom
[2011/04/14 23:11:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Xactware
[2010/07/11 09:00:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/02/14 10:18:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2008/12/02 12:08:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\F5 Networks
[2008/03/18 12:00:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Leadertech
[2008/03/18 12:00:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\GABguest\Application Data\Leadertech
[2008/12/02 12:08:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\GABuser\Application Data\F5 Networks
[2008/03/18 12:00:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\GABuser\Application Data\Leadertech
[2011/05/21 23:11:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\850C3386F25D49ABBA82710CF64570A3
[2008/12/02 12:08:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\F5 Networks
[2008/03/18 12:00:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\Leadertech
[2009/12/17 06:48:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\LinkManager 4.0
[2010/05/06 09:58:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\RecoveryFix for Windows
[2010/04/24 17:44:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\TomTom
[2008/12/02 12:08:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\smithd\Application Data\F5 Networks
[2008/03/18 12:00:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\smithd\Application Data\Leadertech
[2011/05/24 02:07:01 | 000,000,330 | ---- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2009/07/10 07:00:36 | 000,000,436 | ---- | M] () -- C:\WINDOWS\Tasks\PCDoctorBackgroundMonitorTask.job

========== Purity Check ==========



< End of report >
  • 0

#12
Homburg

Homburg

    Trusted Helper

  • Malware Removal
  • 665 posts
Hi,

You have a new type of infection, it would be a good idea to only use the PC for the minimal amount until we get you cleaned up :)

Can you please do the following in the order I've listed:

========
Step 1
========

Run OTLPosted Image
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O4 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014..\Run: [HeypPtdMGKlWj] C:\Documents and Settings\All Users\Application Data\HeypPtdMGKlWj.exe (Microsoft Corporation)
    O35 - HKLM\..exefile [open] -- "C:\Documents and Settings\LocalService\Local Settings\Application Data\mwp.exe" -a "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "C:\Documents and Settings\LocalService\Local Settings\Application Data\mwp.exe" -a "%1" %*
    O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Documents and Settings\LocalService\Local Settings\Application Data\mwp.exe" -a "%1" %*
    O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "C:\Documents and Settings\LocalService\Local Settings\Application Data\mwp.exe" -a "%1" %*
    [2011/05/28 09:49:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Start Menu\Programs\Windows XP Recovery
    [2011/05/28 09:48:57 | 000,340,480 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\21487396.exe
    [2011/05/28 09:35:32 | 000,432,128 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\HeypPtdMGKlWj.exe
    [2011/05/28 09:49:08 | 000,000,136 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~21487396r
    [2011/05/28 09:49:08 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~21487396
    [2011/05/28 09:49:06 | 000,000,819 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\Windows XP Recovery.lnk
    [2011/05/28 09:49:00 | 000,000,336 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\21487396
    [2011/05/27 21:43:06 | 000,012,178 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\s7846w86gi86yo4j3444wfp8hl
    [2010/08/09 14:53:03 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Wbovete.dat
    [2010/08/09 14:53:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Pjepezejohera.bin
    
    :Services
    
    :Reg
    
    :Files
    C:\Documents and Settings\All Users\Application Data\~21487396r
    C:\Documents and Settings\All Users\Application Data\~21487396
    C:\Documents and Settings\All Users\Application Data\21487396
    C:\Documents and Settings\All Users\Application Data\s7846w86gi86yo4j3444wfp8hl
    
    :Commands
    [purity]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done. Please post the OTL fix log.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

========
Step 2
========

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
Posted Image

On completion of the scan click save log, save it to your desktop and post in your next reply
Posted Image

========
Step 3
========

Please remember to post:
OTL fix log
New OTL Quick Scan log
aswMBR check log

Homburg
  • 0

#13
ph1290

ph1290

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
ran the otl fix, rebooted, no log popped up. ran otl scan, saved log. ran awsmbr, saved log; icons disappeared again when I booted up this morning. will run unhide again to see if that helps. After running the fix, I don't have the windows xp recovery threats at the moment. I got my wireless connection back.

Here is the OLT log

OTL logfile created on: 5/30/2011 8:50:44 AM - Run 6
OTL by OldTimer - Version 3.2.23.0 Folder = E:\
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.98 Gb Total Physical Memory | 2.14 Gb Available Physical Memory | 71.75% Memory free
4.82 Gb Paging File | 4.36 Gb Available in Paging File | 90.43% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 93.13 Gb Free Space | 62.48% Space Free | Partition Type: NTFS
Drive E: | 232.88 Gb Total Space | 168.57 Gb Free Space | 72.39% Space Free | Partition Type: NTFS

Computer Name: 7-51896 | User Name: harrisap | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/28 21:25:34 | 000,580,096 | ---- | M] (OldTimer Tools) -- E:\OTL.exe
PRC - [2011/05/28 10:34:27 | 000,058,288 | ---- | M] (Absolute Software Corp.) -- C:\WINDOWS\system32\rpcnet.exe
PRC - [2010/03/31 23:34:36 | 000,243,000 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Search Protection\YspService.exe
PRC - [2009/05/14 11:43:12 | 000,118,784 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2009/05/04 12:15:26 | 000,279,960 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\AiO\Center\EKDiscovery.exe
PRC - [2009/04/17 12:08:26 | 000,032,768 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\AiO\Center\KodakSvc.exe
PRC - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/10/20 11:36:40 | 000,028,672 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\System Update\SUService.exe
PRC - [2008/06/04 09:51:06 | 000,262,784 | ---- | M] (F5 Networks) -- C:\WINDOWS\system32\F5InstallerService.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/12/21 14:30:40 | 000,131,072 | ---- | M] (Visioneer Inc.) -- C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
PRC - [2007/10/07 21:48:40 | 000,125,368 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2007/10/07 21:48:36 | 000,116,664 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe
PRC - [2007/10/07 21:48:32 | 001,822,648 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2007/10/07 21:48:24 | 000,031,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2007/09/26 18:34:46 | 000,644,408 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
PRC - [2007/05/29 17:33:36 | 000,169,576 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2007/05/29 17:33:26 | 000,192,104 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2007/05/29 17:33:22 | 000,052,840 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2005/12/01 08:35:58 | 000,057,393 | ---- | M] (IBM Corp) -- C:\Notes\ntmulti.exe


========== Modules (SafeList) ==========

MOD - [2011/05/28 21:25:34 | 000,580,096 | ---- | M] (OldTimer Tools) -- E:\OTL.exe
MOD - [2008/04/14 05:42:52 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (ThreatFire)
SRV - File not found [Auto | Stopped] -- -- (itlperf)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [Auto | Stopped] -- -- (6to4)
SRV - [2011/05/28 10:34:27 | 000,058,288 | ---- | M] (Absolute Software Corp.) [Auto | Running] -- C:\WINDOWS\system32\rpcnet.exe -- (rpcnet) Remote Procedure Call (RPC)
SRV - [2009/05/04 12:15:26 | 000,279,960 | ---- | M] (Eastman Kodak Company) [Auto | Running] -- C:\Program Files\Kodak\AiO\Center\EKDiscovery.exe -- (Kodak AiO Network Discovery Service)
SRV - [2009/04/17 12:08:26 | 000,032,768 | ---- | M] (Eastman Kodak Company) [Auto | Running] -- C:\Program Files\Kodak\AiO\center\KodakSvc.exe -- (KodakSvc)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/10/20 11:36:40 | 000,028,672 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\System Update\SUService.exe -- (SUService)
SRV - [2008/06/04 09:51:06 | 000,262,784 | ---- | M] (F5 Networks) [Auto | Running] -- C:\WINDOWS\system32\F5InstallerService.exe -- (F5 Networks Component Installer)
SRV - [2007/12/21 14:30:40 | 000,131,072 | ---- | M] (Visioneer Inc.) [Auto | Running] -- C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe -- (OneTouch 4.0 Monitor)
SRV - [2007/10/07 21:48:36 | 000,116,664 | ---- | M] (symantec) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2007/10/07 21:48:32 | 001,822,648 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2007/10/07 21:48:24 | 000,031,160 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2007/09/26 18:34:46 | 000,644,408 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe -- (ThinkVantage Registry Monitor Service)
SRV - [2007/08/28 20:04:25 | 002,999,664 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate)
SRV - [2007/08/27 18:14:00 | 000,214,408 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2007/07/26 20:25:20 | 001,181,016 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2007/05/29 17:33:36 | 000,169,576 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2007/05/29 17:33:26 | 000,192,104 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2005/12/01 08:35:58 | 000,057,393 | ---- | M] (IBM Corp) [Auto | Running] -- C:\Notes\ntmulti.exe -- (Multi-user Cleanup Service)
SRV - [2004/08/04 04:05:00 | 000,570,368 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)
SRV - [2000/10/19 12:55:50 | 000,411,244 | ---- | M] () [On_Demand | Stopped] -- C:\oracle\ora81\bin\ONRSD.EXE -- (OracleOraHome81ClientCache)


========== Driver Services (SafeList) ==========

DRV - [2011/05/18 04:00:00 | 001,542,392 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110525.002\navex15.sys -- (NAVEX15)
DRV - [2011/05/18 04:00:00 | 000,086,008 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110525.002\naveng.sys -- (NAVENG)
DRV - [2011/05/10 04:00:00 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2011/05/10 04:00:00 | 000,105,592 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/07/07 16:39:50 | 000,003,456 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\atiide.sys -- (atiide)
DRV - [2009/10/09 23:15:18 | 000,033,920 | ---- | M] (F5 Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\covpndrv.sys -- (urvpndrv)
DRV - [2009/10/09 23:15:13 | 000,010,752 | ---- | M] (F5 Networks) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\urfltw2k.sys -- (f5ipfw)
DRV - [2009/05/14 11:43:09 | 000,985,472 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2009/05/14 11:43:09 | 000,764,416 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CHDAU32.sys -- (CnxtHdAudService)
DRV - [2009/05/14 11:43:09 | 000,210,560 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2009/05/14 11:43:09 | 000,013,824 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tpm.sys -- (tpm)
DRV - [2009/05/14 11:43:08 | 000,731,264 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2009/05/14 11:42:46 | 000,040,832 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel®
DRV - [2009/05/14 11:42:43 | 003,103,232 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2009/05/14 11:41:43 | 003,630,080 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel®
DRV - [2009/05/14 11:41:40 | 000,243,856 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1y5132.sys -- (e1yexpress) Intel®
DRV - [2009/05/14 11:41:37 | 000,047,272 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2009/05/14 11:41:36 | 000,475,520 | ---- | M] (AuthenTec, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ATSwpWDF.sys -- (ATSwpWDF)
DRV - [2009/03/20 20:03:36 | 000,032,408 | ---- | M] (Smith Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Verizon Wireless\VZAccess Manager\SMSIVZAM5.sys -- (SMSIVZAM5)
DRV - [2008/07/07 13:23:56 | 000,020,480 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NwUsbCdFil.sys -- (NWUSBCDFIL)
DRV - [2008/06/02 17:28:50 | 000,222,720 | ---- | M] (Novatel Wireless Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NWADIenum.sys -- (NWADI)
DRV - [2008/05/09 12:08:40 | 000,174,336 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwusbser2.sys -- (NWUSBPort2)
DRV - [2008/05/09 12:08:40 | 000,174,336 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwusbser.sys -- (NWUSBPort)
DRV - [2008/05/09 12:08:40 | 000,174,336 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwusbmdm.sys -- (NWUSBModem)
DRV - [2007/12/26 10:49:59 | 000,110,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2007/08/27 18:13:36 | 000,189,320 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2007/08/27 18:13:32 | 000,023,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2007/07/26 20:25:18 | 000,400,216 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2007/02/19 01:56:46 | 000,021,376 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)
DRV - [2006/09/06 15:41:20 | 000,337,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2006/09/06 15:41:20 | 000,054,968 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2004/06/27 03:50:00 | 000,013,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CCM\PrepDrv.sys -- (prepdrvr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/...UGO&form=ZGAPHP
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/...UGO&form=ZGAPHP
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
IE - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
IE - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: [email protected]:1.7
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.2

FF - HKLM\software\mozilla\Firefox\Extensions\\{08B8D53F-FB61-4EC8-8614-ECA2133A48D4}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{08B8D53F-FB61-4EC8-8614-ECA2133A48D4}\ [2010/07/02 12:22:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{7F407392-4F54-4B22-B018-7C448707CE31}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{7F407392-4F54-4B22-B018-7C448707CE31}\ [2010/07/02 13:46:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{A4423967-0FE1-45A0-A02F-24676A38EC26}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{A4423967-0FE1-45A0-A02F-24676A38EC26}\ [2010/07/02 14:36:53 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{656599F9-402B-4ABD-B3DD-B465296C0D22}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{656599F9-402B-4ABD-B3DD-B465296C0D22}\ [2010/07/02 14:39:12 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2DE55286-1FBD-4B5E-A2FD-A80A0E7026AF}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{2DE55286-1FBD-4B5E-A2FD-A80A0E7026AF}\ [2010/07/03 08:50:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{9DA59007-FBFE-4153-8AF3-F9C396AC0403}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{9DA59007-FBFE-4153-8AF3-F9C396AC0403}\ [2010/07/03 09:01:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{A19F0325-B322-4DC2-97B2-521B259F25C5}: C:\Documents and Settings\Administrator\Local Settings\Application Data\{A19F0325-B322-4DC2-97B2-521B259F25C5}\ [2010/07/03 12:02:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{1A8548C6-50F1-463B-9802-225F5F94F67F}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{1A8548C6-50F1-463B-9802-225F5F94F67F}\ [2010/07/03 13:29:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{BBD154CF-3450-438A-A1ED-432C3082042C}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{BBD154CF-3450-438A-A1ED-432C3082042C}\ [2010/07/06 16:32:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{CCCB28FC-4068-4917-96E5-3983EF42704B}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{CCCB28FC-4068-4917-96E5-3983EF42704B}\ [2010/07/07 07:39:00 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{6512AF10-2BD9-4242-83CE-3086EA813335}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{6512AF10-2BD9-4242-83CE-3086EA813335}\ [2010/07/07 07:44:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{95ADF2BD-4B22-46D3-AFE6-4E78ABE2E962}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{95ADF2BD-4B22-46D3-AFE6-4E78ABE2E962}\ [2010/07/07 07:46:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{4B5AF1D8-7AA8-4B62-B2F7-6F370DD89CAB}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{4B5AF1D8-7AA8-4B62-B2F7-6F370DD89CAB}\ [2010/07/07 09:42:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{DE5B9F1B-D5DE-4F59-9D5B-E2CAA777EF01}: C:\Documents and Settings\Administrator\Local Settings\Application Data\{DE5B9F1B-D5DE-4F59-9D5B-E2CAA777EF01}\ [2010/07/07 09:43:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{0A61CEF3-C718-4B50-889F-5D23F129ACCB}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{0A61CEF3-C718-4B50-889F-5D23F129ACCB}\ [2010/07/07 09:47:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{8D783363-3AE6-4CDD-B954-3B2301C786C7}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{8D783363-3AE6-4CDD-B954-3B2301C786C7}\ [2010/07/07 09:53:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{588A3060-1F7E-4B99-88A4-3A1C6BA0322E}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{588A3060-1F7E-4B99-88A4-3A1C6BA0322E}\ [2010/07/07 11:27:14 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3437F035-FDD2-4241-9294-7F0F1BB28DAB}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{3437F035-FDD2-4241-9294-7F0F1BB28DAB}\ [2010/07/07 11:36:41 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{F815F000-7EE3-4952-B739-09F30DAB8CE3}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{F815F000-7EE3-4952-B739-09F30DAB8CE3}\ [2010/07/07 12:15:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{AE76301C-C986-4B42-8668-AC7A26389266}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{AE76301C-C986-4B42-8668-AC7A26389266}\ [2010/07/07 12:24:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{B4379ACC-5F74-456A-A7EE-ECB02CBD8B7D}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{B4379ACC-5F74-456A-A7EE-ECB02CBD8B7D}\ [2010/07/07 15:27:31 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{186FE95C-BF73-4B29-8447-ED6E2D4837EF}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{186FE95C-BF73-4B29-8447-ED6E2D4837EF}\ [2010/07/07 16:46:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/04/17 11:02:36 | 000,000,000 | ---D | M]

[2010/04/24 17:44:53 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\harrisap\Application Data\Mozilla\Extensions
[2010/04/24 17:44:53 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\harrisap\Application Data\Mozilla\Extensions\[email protected]
File not found (No name found) -- C:\PROGRAM FILES\TOMTOM HOME 2\XUL\EXTENSIONS\[email protected]

O1 HOSTS File: ([2011/05/28 21:53:55 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Yahooo Search Protection) - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - C:\Program Files\Yahoo!\Search Protection\ysp.dll (Yahoo! Inc.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\YspService.exe (Yahoo! Inc.)
O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMBalloonTip = 1
O7 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\.DEFAULT\..Trusted Domains: adp.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: centra.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: Clientelligent.com ([]* in My Computer)
O15 - HKU\.DEFAULT\..Trusted Domains: dhl-usa.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: employeeedge.com ([]* in My Computer)
O15 - HKU\.DEFAULT\..Trusted Domains: eyeadvisor.com ([]* in My Computer)
O15 - HKU\.DEFAULT\..Trusted Domains: gabrobins.com ([]* in My Computer)
O15 - HKU\.DEFAULT\..Trusted Domains: gabrobinsna.com ([]* in My Computer)
O15 - HKU\.DEFAULT\..Trusted Domains: genesyshcm.com ([]* in My Computer)
O15 - HKU\.DEFAULT\..Trusted Domains: learn.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: mygabr.com ([]* in My Computer)
O15 - HKU\.DEFAULT\..Trusted Domains: virtela.net ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: windowsupdate.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: adp.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: centra.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: Clientelligent.com ([]* in My Computer)
O15 - HKU\S-1-5-18\..Trusted Domains: dhl-usa.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: employeeedge.com ([]* in My Computer)
O15 - HKU\S-1-5-18\..Trusted Domains: eyeadvisor.com ([]* in My Computer)
O15 - HKU\S-1-5-18\..Trusted Domains: gabrobins.com ([]* in My Computer)
O15 - HKU\S-1-5-18\..Trusted Domains: gabrobinsna.com ([]* in My Computer)
O15 - HKU\S-1-5-18\..Trusted Domains: genesyshcm.com ([]* in My Computer)
O15 - HKU\S-1-5-18\..Trusted Domains: learn.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: mygabr.com ([]* in My Computer)
O15 - HKU\S-1-5-18\..Trusted Domains: virtela.net ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: windowsupdate.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: adp.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: centra.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: Clientelligent.com ([]* in My Computer)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: dhl-usa.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: employeeedge.com ([]* in My Computer)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: eyeadvisor.com ([]* in My Computer)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: gabrobins.com ([]* in My Computer)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: gabrobinsna.com ([]* in My Computer)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: genesyshcm.com ([]* in My Computer)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: learn.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: mygabr.com ([]* in My Computer)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: virtela.net ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\..Trusted Domains: windowsupdate.com ([]* in Trusted sites)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.micros...n/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.ma...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} https://gabrobins1.c...,2010,1215,1100 (F5 Networks VPN Manager)
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} http://www-307.ibm.c...pport/acpir.cab (IASRunner Class)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} http://uspsy16m.gabr...om/iNotes6W.cab (iNotes6 Class)
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} https://gabrobins1.c...,2010,1215,1053 (F5 Networks Dynamic Application Tunnel Control)
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} https://gabrobins1.c...,2010,0617,2017 (F5 Networks Auto Update)
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} file://C:/Program Files/F5 VPN/F5_TMP/f5InspectionHost.cab (F5 Networks Policy Agent Host Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1228492840640 (WUWebControl Class)
O16 - DPF: {68132570-CED6-11D5-91AE-000039F5040E} http://www.employeee...m/NAVUPDPRJ.CAB (NAVUPDPRJ.NAVUPDCTL)
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} https://gabrobins1.c...,2008,0404,2134 (F5 Networks Static Application Tunnel Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1228491044515 (MUWebControl Class)
O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} file://C:/Program Files/F5 VPN/F5_TMP/msrdp.cab (Microsoft RDP Client Control (redist))
O16 - DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} file://C:/Program Files/F5 VPN/F5_TMP/vdeskctrl.cab (F5 Virtual Sandbox Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://javadl-esd.su...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} http://h20264.www2.h...nosticsxp2k.cab (DDRevision Class)
O16 - DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} https://gabrobins1.c...1,2010,617,2010 (F5 Networks SuperHost Class)
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} https://gabrobins1.c...31,2010,902,806 (F5 Networks Host Control)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E66D35B8-E70D-42A6-B1F5-DB784CB92B15} file://C:/Program Files/F5 VPN/F5_TMP/urvncx.cab (URVNCX Class)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 97.64.209.36 97.64.168.13
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GABNA-AD.local
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - File not found
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\harrisap\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\harrisap\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/15 12:50:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/08/12 22:42:48 | 000,000,062 | ---- | M] () - E:\Autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-2187378860-2228663326-329466524-1014\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/30 08:33:00 | 000,000,000 | R--D | C] -- C:\Documents and Settings\harrisap\Recent
[2011/05/28 22:12:34 | 000,000,000 | ---D | C] -- C:\tdsskiller
[2011/05/28 09:35:32 | 000,432,128 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\HeypPtdMGKlWj.exe
[2011/05/27 12:50:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2011/05/27 07:58:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\expense reprots
[2011/05/26 21:15:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2011/05/26 17:03:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2011/05/26 16:36:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Apple Computer
[2011/05/26 16:36:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Apple Computer
[2011/05/23 20:17:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Identities
[2011/05/23 20:17:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Identities
[2011/05/23 08:25:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Yahoo!
[2011/05/23 08:25:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\HPAppData
[2011/05/23 08:25:11 | 000,000,000 | ---D | C] -- C:\Program Files\Search Toolbar
[2011/05/22 10:30:32 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\harrisap\IECompatCache
[2011/05/22 10:20:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/05/22 10:20:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/05/22 10:00:28 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\OTL.exe
[2011/05/21 23:11:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Application Data\850C3386F25D49ABBA82710CF64570A3
[2011/05/17 23:25:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Local Settings\Application Data\Identities
[2011/05/15 13:46:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\etheridge
[2011/05/14 23:07:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\new bama losses
[2011/05/10 10:07:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Yahoo!
[2011/05/06 17:34:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\quake106
[1 C:\Documents and Settings\harrisap\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\harrisap\Local Settings\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/30 08:38:02 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/30 08:36:09 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/05/30 08:36:08 | 000,017,408 | ---- | M] () -- C:\WINDOWS\System32\rpcnetp.exe
[2011/05/30 08:36:06 | 000,058,288 | ---- | M] (Absolute Software Corp.) -- C:\WINDOWS\System32\rpcnet.dll
[2011/05/30 08:35:31 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/29 22:52:16 | 000,017,408 | ---- | M] () -- C:\WINDOWS\System32\rpcnetp.dll
[2011/05/28 21:53:55 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/05/28 16:45:07 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/05/28 10:47:47 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/05/28 10:34:33 | 000,013,160 | ---- | M] (Absolute Software Corp.) -- C:\WINDOWS\System32\Upgrd.exe
[2011/05/28 10:34:27 | 000,058,288 | ---- | M] (Absolute Software Corp.) -- C:\WINDOWS\System32\rpcnet.exe
[2011/05/28 10:15:15 | 000,000,890 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/05/27 16:54:45 | 000,000,232 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\LinkUp USA (2).url
[2011/05/27 15:01:05 | 000,002,219 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\GAB SSL.lnk
[2011/05/26 16:41:41 | 000,047,249 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\GABR_New_logo.jpg
[2011/05/25 16:50:48 | 000,293,775 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\gmer.zip
[2011/05/24 02:07:01 | 000,000,330 | ---- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/05/22 10:00:30 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\OTL.exe
[2011/05/17 10:07:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/05/02 16:45:17 | 000,137,448 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\us_mc1616_mail_yahoo_com_mc_showMessage_sMid=0&fid=Sent&.pdf
[2011/05/02 08:10:24 | 000,182,559 | ---- | M] () -- C:\Documents and Settings\harrisap\My Documents\dads poa.pdf
[2011/05/02 08:10:10 | 000,192,947 | ---- | M] () -- C:\Documents and Settings\harrisap\My Documents\moms poa.pdf
[1 C:\Documents and Settings\harrisap\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\harrisap\Local Settings\Application Data\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/29 22:22:31 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/05/27 21:36:08 | 000,012,178 | -HS- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\s7846w86gi86yo4j3444wfp8hl
[2011/05/26 16:41:41 | 000,047,249 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\GABR_New_logo.jpg
[2011/05/25 16:50:45 | 000,293,775 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\gmer.zip
[2011/05/09 13:16:36 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\harrisap\Start Menu\Programs\Windows Media Player.lnk
[2011/05/02 16:43:14 | 000,137,448 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\us_mc1616_mail_yahoo_com_mc_showMessage_sMid=0&fid=Sent&.pdf
[2011/05/02 08:10:24 | 000,182,559 | ---- | C] () -- C:\Documents and Settings\harrisap\My Documents\dads poa.pdf
[2011/05/02 08:10:10 | 000,192,947 | ---- | C] () -- C:\Documents and Settings\harrisap\My Documents\moms poa.pdf
[2011/04/17 11:00:42 | 000,023,126 | ---- | C] () -- C:\WINDOWS\hpqins15.dat
[2011/04/15 08:29:31 | 000,174,256 | ---- | C] () -- C:\WINDOWS\hpoins43.dat
[2011/04/15 08:29:31 | 000,000,601 | ---- | C] () -- C:\WINDOWS\hpomdl43.dat
[2011/04/15 01:15:46 | 000,362,904 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/04/06 13:13:49 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/04/06 13:13:49 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/04/06 13:13:49 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/04/06 11:59:27 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/07/28 14:49:21 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/07/28 14:49:21 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/06/27 15:10:20 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll.old
[2010/02/22 22:18:36 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2010/02/22 22:18:36 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2010/02/22 22:18:36 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\vidccleaner.exe
[2010/02/14 10:44:45 | 000,030,548 | ---- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/12/17 06:48:09 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\DM510.dll
[2009/12/12 16:29:07 | 000,005,120 | ---- | C] () -- C:\Documents and Settings\harrisap\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/30 22:46:45 | 000,012,800 | ---- | C] () -- C:\WINDOWS\System32\EKDeviceServices.dll
[2009/06/19 15:23:17 | 000,157,263 | ---- | C] () -- C:\WINDOWS\hphins25.dat
[2009/06/19 15:23:17 | 000,000,879 | ---- | C] () -- C:\WINDOWS\hphmdl25.dat
[2009/06/12 10:44:28 | 000,000,131 | ---- | C] () -- C:\Documents and Settings\harrisap\Local Settings\Application Data\fusioncache.dat
[2009/06/12 09:42:21 | 000,118,641 | ---- | C] () -- C:\WINDOWS\hpoins09.dat
[2009/05/27 22:04:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2009/05/14 11:42:44 | 000,172,033 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2009/05/14 11:41:33 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\Atibrtmon.exe
[2009/05/14 11:41:06 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
[2009/05/14 11:39:33 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
[2009/05/14 11:37:47 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativvaxx.dat
[2009/05/14 11:37:14 | 000,003,456 | ---- | C] () -- C:\WINDOWS\System32\drivers\atiide.sys
[2009/05/14 11:34:22 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ibmpmsvc.exe
[2009/05/14 11:34:22 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\tpinspm.dll
[2008/03/18 11:58:05 | 000,000,058 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2007/12/26 12:18:32 | 000,000,455 | ---- | C] () -- C:\WINDOWS\SMSCFG.ini
[2007/11/28 15:39:06 | 000,000,029 | ---- | C] () -- C:\WINDOWS\vdialer.INI
[2007/11/28 12:12:51 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2007/11/16 15:25:33 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2007/11/16 15:23:19 | 000,003,981 | ---- | C] () -- C:\WINDOWS\RDSWIN.INI
[2007/11/16 12:47:22 | 000,000,033 | ---- | C] () -- C:\WINDOWS\WDTCPCON.INI
[2007/11/16 12:32:18 | 000,003,635 | ---- | C] () -- C:\WINDOWS\~WDINS.INI
[2007/11/16 10:06:19 | 000,000,555 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/11/15 15:55:40 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2007/11/15 12:58:54 | 000,017,408 | ---- | C] () -- C:\WINDOWS\System32\rpcnetp.dll
[2007/11/15 12:47:12 | 000,023,444 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2007/11/15 06:12:58 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2007/11/15 06:11:50 | 000,152,384 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2007/11/15 06:11:46 | 000,017,408 | ---- | C] () -- C:\WINDOWS\System32\rpcnetp.exe
[2006/03/09 13:28:40 | 000,011,645 | ---- | C] () -- C:\WINDOWS\hpomdl09.dat
[2006/01/26 16:42:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/03 20:07:22 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/02 09:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2003/06/17 01:53:02 | 000,000,702 | ---- | C] () -- C:\WINDOWS\Cm3.ini
[2001/08/23 12:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 12:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 11:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 11:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 11:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 11:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 11:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 08:00:00 | 000,491,116 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 08:00:00 | 000,090,342 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2001/07/07 03:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[1999/07/30 09:24:34 | 000,000,218 | ---- | C] () -- C:\WINDOWS\oraodbc.ini

========== LOP Check ==========

[2008/03/18 12:08:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Leadertech
[2009/08/30 22:47:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Eastman Kodak Company
[2009/09/01 20:02:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\kds_kodak
[2009/09/10 22:38:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2009/09/10 22:35:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2008/03/18 11:22:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC-Doctor
[2011/04/15 16:11:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCDr
[2010/04/24 17:45:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TomTom
[2011/04/14 23:11:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Xactware
[2010/07/11 09:00:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/02/14 10:18:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2008/12/02 12:08:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\F5 Networks
[2008/03/18 12:00:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Leadertech
[2008/03/18 12:00:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\GABguest\Application Data\Leadertech
[2008/12/02 12:08:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\GABuser\Application Data\F5 Networks
[2008/03/18 12:00:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\GABuser\Application Data\Leadertech
[2011/05/21 23:11:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\850C3386F25D49ABBA82710CF64570A3
[2008/12/02 12:08:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\F5 Networks
[2008/03/18 12:00:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\Leadertech
[2009/12/17 06:48:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\LinkManager 4.0
[2010/05/06 09:58:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\RecoveryFix for Windows
[2010/04/24 17:44:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\TomTom
[2008/12/02 12:08:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\smithd\Application Data\F5 Networks
[2008/03/18 12:00:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\smithd\Application Data\Leadertech
[2011/05/24 02:07:01 | 000,000,330 | ---- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2009/07/10 07:00:36 | 000,000,436 | ---- | M] () -- C:\WINDOWS\Tasks\PCDoctorBackgroundMonitorTask.job

========== Purity Check ==========



< End of report >
  • 0

#14
ph1290

ph1290

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
Here is the awsmbr log

aswMBR version 0.9.5.317 Copyright© 2011 AVAST Software
Run date: 2011-05-30 08:58:06
-----------------------------
08:58:06.984 OS Version: Windows 5.1.2600 Service Pack 3
08:58:06.984 Number of processors: 2 586 0x1706
08:58:06.984 ComputerName: 7-51896 UserName:
08:58:07.734 Initialize success
08:58:21.250 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-12
08:58:21.250 Disk 0 Vendor: HITACHI_HTS543216L9SA00 FB2ZC48C Size: 152627MB BusType: 3
08:58:23.281 Disk 0 MBR read successfully
08:58:23.281 Disk 0 MBR scan
08:58:23.281 Disk 0 unknown MBR code
08:58:25.281 Disk 0 scanning sectors +312575760
08:58:25.312 Disk 0 scanning C:\WINDOWS\system32\drivers
08:58:32.718 Service scanning
08:58:34.125 Disk 0 trace - called modules:
08:58:34.140 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
08:58:34.140 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b07eab8]
08:58:34.140 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000099[0x8b03b9e8]
08:58:34.140 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-12[0x8b09cd98]
08:58:59.343 Unsigned kernel modules:
08:58:59.343 0xba672000 C:\WINDOWS\system32\drivers\atiide.sys
08:58:59.906 0xba118000 C:\WINDOWS\system32\drivers\PxHelp20.sys
08:59:07.062 0xba410000 C:\WINDOWS\system32\DRIVERS\psadd.sys
08:59:17.031 Scan finished successfully
09:04:38.421 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
09:04:38.421 The log file has been saved successfully to "E:\aswMBR.txt"
  • 0

#15
Homburg

Homburg

    Trusted Helper

  • Malware Removal
  • 665 posts
Please do the following:

========
Step 1
========

Run OTLPosted Image
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    [2011/05/21 23:11:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\850C3386F25D49ABBA82710CF64570A3
    [2011/05/27 21:36:08 | 000,012,178 | -HS- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\s7846w86gi86yo4j3444wfp8hl
    [2011/05/28 09:35:32 | 000,432,128 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\HeypPtdMGKlWj.exe
    
    :Services
    
    :Reg
    
    :Files
    C:\Documents and Settings\LocalService\Local Settings\Application Data\s7846w86gi86yo4j3444wfp8hl
    C:\Documents and Settings\All Users\Application Data\HeypPtdMGKlWj.exe
    C:\Documents and Settings\harrisap\Application Data\850C3386F25D49ABBA82710CF64570A3
    ipconfig /flushdns /c
    
    :Commands
    [purity]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

========
Step 2
========

Re-Run aswMBR.
Click SCAN.
On completion of the scan click the FIXMBR button.

You must reboot after aswMBR has carried out the fix

Posted Image

Save the log as before and post in your next reply

========
Step 3
========

Please remember to post the following:
OTL fix log (you forgot last time)
New OTL Quick Scan log
aswMBR log

Homburg
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP