TechSpot

Tidserv activity 2

Solved
By Wile E Coyote
May 10, 2011
Topic Status:
Not open for further replies.
  1. I keep getting notified by Norton tht I have been getting intrusion attempts resulting from: \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE

    Risk Name: System Infected: Tidserv Activity 2
    Attacking Computer: liber0-un0.com (194.247.183.80, 443)

    I tried the 8 step but can't seem to run dds.scr the other log files are pasted below:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6547

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    5/10/2011 2:08:11 PM
    mbam-log-2011-05-10 (14-08-11).txt

    Scan type: Quick scan
    Objects scanned: 174620
    Time elapsed: 16 minute(s), 47 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 7
    Registry Values Infected: 0
    Registry Data Items Infected: 3
    Folders Infected: 1
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494E6CEC-7483-A4EE-0938-895519A84BC7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494E6CEC-7483-A4EE-0938-895519A84BC7} (Backdoor.Bot) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    c:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

    Files Infected:
    c:\documents and settings\Jon\x.exe (Trojan.KillAV) -> Quarantined and deleted successfully.

    GMER 1.0.15.15627 - http://www.gmer.net
    Rootkit scan 2011-05-10 14:48:41
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST94019A rev.5.11
    Running: tif0roxe.exe; Driver: C:\DOCUME~1\Jon\LOCALS~1\Temp\pgldyaoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT 86C12BF0 ZwAlertResumeThread
    SSDT 86C15590 ZwAlertThread
    SSDT 86C1B0B0 ZwAllocateVirtualMemory
    SSDT 86EABE30 ZwAssignProcessToJobObject
    SSDT 86B2BCF8 ZwConnectPort
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB9CD3210]
    SSDT 86CA8368 ZwCreateMutant
    SSDT 86BFA1D0 ZwCreateSymbolicLinkObject
    SSDT 86BB9D68 ZwCreateThread
    SSDT 86E8A818 ZwDebugActiveProcess
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB9CD3490]
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB9CD39F0]
    SSDT 86C161C0 ZwDuplicateObject
    SSDT 86C81100 ZwFreeVirtualMemory
    SSDT 86E8EF28 ZwImpersonateAnonymousToken
    SSDT 86C120C8 ZwImpersonateThread
    SSDT 86B9E2D8 ZwLoadDriver
    SSDT 86C59CC0 ZwMapViewOfSection
    SSDT 86E4B4E8 ZwOpenEvent
    SSDT 86E8EFC0 ZwOpenProcess
    SSDT 86C25DC8 ZwOpenProcessToken
    SSDT 86E4E260 ZwOpenSection
    SSDT 86E8EE40 ZwOpenThread
    SSDT 86BBE1E0 ZwProtectVirtualMemory
    SSDT 86C1B2B8 ZwResumeThread
    SSDT 86C24D28 ZwSetContextThread
    SSDT 86C894C0 ZwSetInformationProcess
    SSDT 86FCA1F0 ZwSetSystemInformation
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB9CD3C40]
    SSDT 86E4B520 ZwSuspendProcess
    SSDT 86C22A70 ZwSuspendThread
    SSDT 86C31158 ZwTerminateProcess
    SSDT 86C24930 ZwTerminateThread
    SSDT 86C25908 ZwUnmapViewOfSection
    SSDT 86C356A8 ZwWriteVirtualMemory

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!_abnormal_termination + 214 804E2880 4 Bytes [E8, B4, E4, 86]
    .text ntoskrnl.exe!_abnormal_termination + 234 804E28A0 8 Bytes [C0, EF, E8, 86, C8, 5D, C2, ...]
    ? vqlnggj.sys The system cannot find the file specified. !
    ? SYMDS.SYS The system cannot find the file specified. !
    ? SYMEFA.SYS The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Internet Explorer\iexplore.exe[416] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0117000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[416] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0118000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[416] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0116000C
    .text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B01 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254664 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[416] ole32.dll!CreateBindCtx + B5F 774FF14F 7 Bytes JMP 041C00F4
    .text C:\Program Files\Internet Explorer\iexplore.exe[416] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[416] ole32.dll!CoImpersonateClient + 51 775151F0 7 Bytes JMP 041C003A
    .text C:\Program Files\Internet Explorer\iexplore.exe[416] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E547F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\WINDOWS\System32\svchost.exe[1088] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E2000A
    .text C:\WINDOWS\System32\svchost.exe[1088] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E3000A
    .text C:\WINDOWS\System32\svchost.exe[1088] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 006F000C
    .text C:\WINDOWS\System32\svchost.exe[1088] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00EB000A
    .text C:\program files\real\realplayer\update\realsched.exe[2124] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
    .text C:\WINDOWS\system32\SearchIndexer.exe[2532] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
    .text C:\WINDOWS\Explorer.EXE[3268] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D1000A
    .text C:\WINDOWS\Explorer.EXE[3268] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DA000A
    .text C:\WINDOWS\Explorer.EXE[3268] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D0000C
    .text C:\Program Files\Internet Explorer\iexplore.exe[4040] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0118000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[4040] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0119000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[4040] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0117000C
    .text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Internet Explorer\iexplore.exe[416] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 86F6331B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 86F6331B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 86F6331B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 86F6331B

    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    ---- Threads - GMER 1.0.15 ----

    Thread realplay.exe [1544:1436] 7C810705

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

    ---- EOF - GMER 1.0.15 ----
     
  2. Broni

    Broni Malware Annihilator Posts: 46,860   +254

    Welcome aboard [​IMG]

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ======================================================================

    I still need DDS logs.
     
  3. Wile E Coyote

    Wile E Coyote TS Rookie Topic Starter

    How do I run DDS? Double clicking on the icon just brings up a window saying the system doesn't know how to run the file. I don't know what program to choose to run it and letting it go to the internet doesn't help either.
     
  4. Broni

    Broni Malware Annihilator Posts: 46,860   +254

    Let's leave DDS alone for now....

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  5. Wile E Coyote

    Wile E Coyote TS Rookie Topic Starter

    2011/05/11 10:53:34.0997 4940 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
    2011/05/11 10:53:38.0011 4940 ================================================================================
    2011/05/11 10:53:38.0011 4940 SystemInfo:
    2011/05/11 10:53:38.0011 4940
    2011/05/11 10:53:38.0011 4940 OS Version: 5.1.2600 ServicePack: 3.0
    2011/05/11 10:53:38.0011 4940 Product type: Workstation
    2011/05/11 10:53:38.0011 4940 ComputerName: PC105602224833
    2011/05/11 10:53:38.0011 4940 UserName: Jon
    2011/05/11 10:53:38.0011 4940 Windows directory: C:\WINDOWS
    2011/05/11 10:53:38.0011 4940 System windows directory: C:\WINDOWS
    2011/05/11 10:53:38.0011 4940 Processor architecture: Intel x86
    2011/05/11 10:53:38.0011 4940 Number of processors: 1
    2011/05/11 10:53:38.0011 4940 Page size: 0x1000
    2011/05/11 10:53:38.0011 4940 Boot type: Normal boot
    2011/05/11 10:53:38.0011 4940 ================================================================================
    2011/05/11 10:53:46.0383 4940 Initialize success
    2011/05/11 10:53:52.0422 5560 ================================================================================
    2011/05/11 10:53:52.0422 5560 Scan started
    2011/05/11 10:53:52.0422 5560 Mode: Manual;
    2011/05/11 10:53:52.0422 5560 ================================================================================
    2011/05/11 10:53:56.0137 5560 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/05/11 10:53:56.0878 5560 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
    2011/05/11 10:53:58.0010 5560 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2011/05/11 10:53:58.0741 5560 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
    2011/05/11 10:53:59.0171 5560 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
    2011/05/11 10:54:00.0043 5560 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
    2011/05/11 10:54:00.0423 5560 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2011/05/11 10:54:01.0284 5560 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/05/11 10:54:01.0595 5560 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/05/11 10:54:02.0076 5560 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/05/11 10:54:02.0396 5560 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/05/11 10:54:02.0716 5560 AVMAP_CP (a033b3b048ad571ad5b4a46161914e05) C:\WINDOWS\system32\Drivers\avmap_cp.sys
    2011/05/11 10:54:03.0227 5560 BCM43XX (37f385a93c620cbe0f89c17e45f697a1) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
    2011/05/11 10:54:03.0578 5560 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/05/11 10:54:03.0938 5560 BHDrvx86 (925a191c8c06124426c63ceb2ea93085) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20110430.001\BHDrvx86.sys
    2011/05/11 10:54:04.0359 5560 CAMCAUD (2f78085eb29a20b7d030374e8a388e7f) C:\WINDOWS\system32\drivers\camcaud.sys
    2011/05/11 10:54:04.0719 5560 CAMCHALA (407cd35839a1fffd7e28e0467f1cf4b8) C:\WINDOWS\system32\drivers\camchal.sys
    2011/05/11 10:54:05.0020 5560 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/05/11 10:54:05.0370 5560 ccHP (e941e709847fa00e0dd6d58d2b8fb5e1) C:\WINDOWS\system32\drivers\N360\0403000.005\ccHPx86.sys
    2011/05/11 10:54:05.0931 5560 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/05/11 10:54:06.0241 5560 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/05/11 10:54:06.0542 5560 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/05/11 10:54:07.0133 5560 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    2011/05/11 10:54:07.0684 5560 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
    2011/05/11 10:54:08.0224 5560 CYGF32X (2ac98caaf07009fbd461208386e6e3c0) C:\WINDOWS\system32\drivers\CygF32x.sys
    2011/05/11 10:54:09.0005 5560 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/05/11 10:54:09.0316 5560 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/05/11 10:54:09.0656 5560 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2011/05/11 10:54:09.0977 5560 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/05/11 10:54:10.0277 5560 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/05/11 10:54:11.0028 5560 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/05/11 10:54:11.0539 5560 DSFKSVCS (6e559d2b8053c782016d0cff7173398e) C:\WINDOWS\system32\DRIVERS\dsfksvcs.sys
    2011/05/11 10:54:12.0040 5560 dsfroot (9c53b6cef1e01a312cf1ac49c58c4f56) C:\WINDOWS\system32\DRIVERS\dsfroot.sys
    2011/05/11 10:54:12.0541 5560 eabfiltr (c6aca0190ee7b614673ee0c91863b1eb) C:\WINDOWS\system32\drivers\EABFiltr.sys
    2011/05/11 10:54:12.0901 5560 eabusb (da1011db09ad641de40cd5cca70c0c43) C:\WINDOWS\system32\drivers\eabusb.sys
    2011/05/11 10:54:13.0252 5560 eeCtrl (5461f01b7def17dc90d90b029f874c3b) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    2011/05/11 10:54:13.0582 5560 EraserUtilDrv11110 (17fcc372d03ba39f3aee85198c0ec594) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11110.sys
    2011/05/11 10:54:14.0093 5560 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/05/11 10:54:14.0423 5560 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2011/05/11 10:54:14.0754 5560 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2011/05/11 10:54:15.0074 5560 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    2011/05/11 10:54:15.0375 5560 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2011/05/11 10:54:15.0675 5560 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/05/11 10:54:16.0026 5560 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/05/11 10:54:16.0296 5560 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
    2011/05/11 10:54:16.0596 5560 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/05/11 10:54:16.0907 5560 HidBatt (748031ff4fe45ccc47546294905feab8) C:\WINDOWS\system32\DRIVERS\HidBatt.sys
    2011/05/11 10:54:17.0217 5560 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/05/11 10:54:17.0888 5560 hpusbfd (fea040582be5db58a8fafe3948736526) C:\WINDOWS\system32\DRIVERS\hpusbfd.sys
    2011/05/11 10:54:18.0860 5560 HRMCFGSPC (c56b42a1493bbbc890096e0a6b9d2bdc) C:\WINDOWS\system32\DRIVERS\HRMCFGSPC.SYS
    2011/05/11 10:54:19.0160 5560 HRMINTS (a72fdcaba055ba5949590ee101fcfceb) C:\WINDOWS\system32\DRIVERS\HRMINTS.SYS
    2011/05/11 10:54:19.0461 5560 HRMPORTS (2cb4dda6a5e590d6512b91e3a8d6260d) C:\WINDOWS\system32\DRIVERS\HRMPORTS.SYS
    2011/05/11 10:54:19.0871 5560 HSFHWICH (a4877a17e87d6e6ab959b36b9ef3de8a) C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
    2011/05/11 10:54:20.0262 5560 HSF_DP (dfa8f86c0dbca7db948043aa3be6793b) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
    2011/05/11 10:54:20.0772 5560 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/05/11 10:54:21.0243 5560 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/05/11 10:54:21.0764 5560 ialm (da91f5385cfc8ba0f110f2fde112b563) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
    2011/05/11 10:54:22.0174 5560 IDSxpx86 (50fa4c70534cf3b5c17ec83debe07afd) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20110509.001\IDSxpx86.sys
    2011/05/11 10:54:22.0515 5560 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/05/11 10:54:23.0016 5560 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
    2011/05/11 10:54:23.0296 5560 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/05/11 10:54:23.0757 5560 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2011/05/11 10:54:24.0047 5560 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/05/11 10:54:24.0317 5560 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/05/11 10:54:24.0658 5560 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/05/11 10:54:24.0948 5560 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/05/11 10:54:25.0239 5560 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/05/11 10:54:25.0720 5560 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/05/11 10:54:26.0070 5560 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/05/11 10:54:26.0421 5560 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/05/11 10:54:26.0771 5560 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/05/11 10:54:27.0332 5560 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
    2011/05/11 10:54:27.0702 5560 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/05/11 10:54:28.0043 5560 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2011/05/11 10:54:28.0373 5560 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/05/11 10:54:28.0724 5560 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/05/11 10:54:29.0044 5560 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/05/11 10:54:29.0795 5560 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/05/11 10:54:30.0116 5560 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/05/11 10:54:30.0436 5560 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/05/11 10:54:30.0787 5560 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/05/11 10:54:31.0097 5560 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/05/11 10:54:31.0378 5560 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/05/11 10:54:31.0738 5560 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/05/11 10:54:32.0039 5560 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/05/11 10:54:32.0349 5560 NAVENG (c34e2a884ccca8b5567d0c2752527073) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20110510.024\NAVENG.SYS
    2011/05/11 10:54:32.0770 5560 NAVEX15 (b3916eeec738dd4178f4fd6a44a32e36) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20110510.024\NAVEX15.SYS
    2011/05/11 10:54:33.0170 5560 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/05/11 10:54:33.0451 5560 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/05/11 10:54:33.0821 5560 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/05/11 10:54:34.0132 5560 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/05/11 10:54:34.0452 5560 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/05/11 10:54:34.0923 5560 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/05/11 10:54:35.0243 5560 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/05/11 10:54:35.0644 5560 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    2011/05/11 10:54:35.0934 5560 nm (1e421a6bcf2203cc61b821ada9de878b) C:\WINDOWS\system32\DRIVERS\NMnt.sys
    2011/05/11 10:54:36.0235 5560 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/05/11 10:54:36.0625 5560 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/05/11 10:54:37.0006 5560 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/05/11 10:54:37.0286 5560 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/05/11 10:54:37.0647 5560 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/05/11 10:54:37.0997 5560 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    2011/05/11 10:54:38.0558 5560 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    2011/05/11 10:54:38.0959 5560 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/05/11 10:54:39.0249 5560 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/05/11 10:54:39.0569 5560 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/05/11 10:54:39.0990 5560 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/05/11 10:54:40.0280 5560 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
    2011/05/11 10:54:41.0462 5560 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/05/11 10:54:41.0933 5560 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/05/11 10:54:42.0283 5560 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/05/11 10:54:42.0704 5560 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2011/05/11 10:54:43.0816 5560 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/05/11 10:54:44.0116 5560 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
    2011/05/11 10:54:44.0436 5560 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/05/11 10:54:45.0077 5560 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/05/11 10:54:45.0478 5560 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/05/11 10:54:46.0219 5560 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/05/11 10:54:46.0720 5560 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/05/11 10:54:47.0230 5560 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/05/11 10:54:47.0711 5560 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/05/11 10:54:48.0112 5560 RTL8023 (31c3ebb3a71fe56b8109bfb4ed20ae69) C:\WINDOWS\system32\DRIVERS\Rtlnic51.sys
    2011/05/11 10:54:48.0462 5560 RTL8023xp (3529828ec571fb2f64f6b142f9109993) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
    2011/05/11 10:54:48.0953 5560 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/05/11 10:54:49.0303 5560 Sentinel (da17773297995d1135dfd1aceef07d58) C:\WINDOWS\System32\Drivers\SENTINEL.SYS
    2011/05/11 10:54:50.0054 5560 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2011/05/11 10:54:50.0395 5560 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    2011/05/11 10:54:50.0735 5560 sermouse (1f16931c722c69e4a7866244796c66a0) C:\WINDOWS\system32\DRIVERS\sermouse.sys
    2011/05/11 10:54:51.0136 5560 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
    2011/05/11 10:54:51.0457 5560 silabenm (c16173316918a1360dc22947c4ff6352) C:\WINDOWS\system32\DRIVERS\silabenm.sys
    2011/05/11 10:54:52.0007 5560 silabser (093c31ec727ecbcbe38992fc69657594) C:\WINDOWS\system32\DRIVERS\silabser.sys
    2011/05/11 10:54:53.0169 5560 SIUSBXP (b81e9dc4dd203b80e99e0ebf4fdd4183) C:\WINDOWS\system32\drivers\SiUSBXp.sys
    2011/05/11 10:54:54.0210 5560 SMCIRDA (707647a1aa0edb6cbef61b0c75c28ed3) C:\WINDOWS\system32\DRIVERS\smcirda.sys
    2011/05/11 10:54:55.0382 5560 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2011/05/11 10:54:55.0743 5560 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/05/11 10:54:56.0093 5560 SRTSP (ec5c3c6260f4019b03dfaa03ec8cbf6a) C:\WINDOWS\System32\Drivers\N360\0403000.005\SRTSP.SYS
    2011/05/11 10:54:56.0494 5560 SRTSPX (55d5c37ed41231e3ac2063d16df50840) C:\WINDOWS\system32\drivers\N360\0403000.005\SRTSPX.SYS
    2011/05/11 10:54:56.0964 5560 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/05/11 10:54:57.0485 5560 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/05/11 10:54:58.0036 5560 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/05/11 10:54:58.0777 5560 SymDS (56890bf9d9204b93042089d4b45ae671) C:\WINDOWS\system32\drivers\N360\0403000.005\SYMDS.SYS
    2011/05/11 10:54:59.0158 5560 SymEFA (1c91df5188150510a6f0cf78f7d94b69) C:\WINDOWS\system32\drivers\N360\0403000.005\SYMEFA.SYS
    2011/05/11 10:54:59.0468 5560 SymEvent (961b48b86f94d4cc8ceb483f8aa89374) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
    2011/05/11 10:55:00.0149 5560 SymIRON (dc80fbf0a348e54853ef82eed4e11e35) C:\WINDOWS\system32\drivers\N360\0403000.005\Ironx86.SYS
    2011/05/11 10:55:00.0940 5560 SYMTDI (41aad61f87ca8e3b5d0f7fe7fba0797d) C:\WINDOWS\System32\Drivers\N360\0403000.005\SYMTDI.SYS
    2011/05/11 10:55:02.0753 5560 SynTP (0f332c0ba9b968ebc8cbb906416f8597) C:\WINDOWS\system32\DRIVERS\SynTP.sys
    2011/05/11 10:55:03.0864 5560 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/05/11 10:55:04.0856 5560 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/05/11 10:55:05.0667 5560 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/05/11 10:55:06.0398 5560 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/05/11 10:55:06.0959 5560 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/05/11 10:55:07.0359 5560 tunmp (8f861eda21c05857eb8197300a92501c) C:\WINDOWS\system32\DRIVERS\tunmp.sys
    2011/05/11 10:55:07.0650 5560 U2SP (975e28ba5acdd645c3d7a6775a63c8d9) C:\WINDOWS\system32\DRIVERS\u2s2kxp.sys
    2011/05/11 10:55:07.0990 5560 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/05/11 10:55:08.0551 5560 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/05/11 10:55:08.0932 5560 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/05/11 10:55:09.0232 5560 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/05/11 10:55:09.0522 5560 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/05/11 10:55:09.0823 5560 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2011/05/11 10:55:10.0103 5560 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2011/05/11 10:55:10.0394 5560 usbser (1c888b000c2f9492f4b15b5b6b84873e) C:\WINDOWS\system32\DRIVERS\usbser.sys
    2011/05/11 10:55:10.0854 5560 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/05/11 10:55:11.0245 5560 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/05/11 10:55:11.0746 5560 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2011/05/11 10:55:12.0407 5560 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
    2011/05/11 10:55:12.0767 5560 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/05/11 10:55:14.0369 5560 w29n51 (960ce9b896750cc02fe5f1103cc23460) C:\WINDOWS\system32\DRIVERS\w29n51.sys
    2011/05/11 10:55:15.0822 5560 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/05/11 10:55:16.0112 5560 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\WINDOWS\system32\DRIVERS\wdcsam.sys
    2011/05/11 10:55:16.0452 5560 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
    2011/05/11 10:55:17.0083 5560 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/05/11 10:55:17.0454 5560 winachsf (473ee64c368ce2eed110376c11960259) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
    2011/05/11 10:55:19.0226 5560 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
    2011/05/11 10:55:23.0763 5560 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2011/05/11 10:55:24.0123 5560 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2011/05/11 10:55:24.0474 5560 ZDPNDIS5 (29c917279d79848b3dd94909fc00e2a8) C:\WINDOWS\system32\ZDPNDIS5.SYS
    2011/05/11 10:55:25.0285 5560 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2011/05/11 10:55:25.0295 5560 ================================================================================
    2011/05/11 10:55:25.0295 5560 Scan finished
    2011/05/11 10:55:25.0295 5560 ================================================================================
    2011/05/11 10:55:25.0315 7268 Detected object count: 1
    2011/05/11 10:55:46.0646 7268 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
    2011/05/11 10:55:46.0646 7268 \HardDisk0 - ok
    2011/05/11 10:55:46.0646 7268 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
    2011/05/11 10:55:51.0813 6968 Deinitialize success
     
  6. Broni

    Broni Malware Annihilator Posts: 46,860   +254

    Very good :)

    Download Bootkit Remover to your Desktop.

    • You then need to extract the remover.exe file from the RAR using a program capable of extracing RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    • After extracing remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users,right click on remover.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.

    =====================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  7. Wile E Coyote

    Wile E Coyote TS Rookie Topic Starter

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 99ed1954602173ef14b43a708afaa354

    Size Device Name MBR Status
    --------------------------------------------
    37 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Done;
    Press any key to quit...


    ComboFix 11-05-11.01 - Jon 05/11/2011 16:27:45.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.990.454 [GMT -4:00]
    Running from: c:\documents and settings\Jon\Desktop\ComboFix.exe
    AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Security Suite *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Jon\WINDOWS
    c:\program files\Common Files\Thumbs.db
    c:\windows\system32\_003353_.tmp.dll
    c:\windows\system32\_003354_.tmp.dll
    c:\windows\system32\_003355_.tmp.dll
    c:\windows\system32\_003356_.tmp.dll
    c:\windows\system32\_003361_.tmp.dll
    c:\windows\system32\_003362_.tmp.dll
    c:\windows\system32\_003363_.tmp.dll
    c:\windows\system32\_003364_.tmp.dll
    c:\windows\system32\_003365_.tmp.dll
    c:\windows\system32\_003366_.tmp.dll
    c:\windows\system32\_003367_.tmp.dll
    c:\windows\system32\_003368_.tmp.dll
    c:\windows\system32\_003369_.tmp.dll
    c:\windows\system32\_003370_.tmp.dll
    c:\windows\system32\_003371_.tmp.dll
    c:\windows\system32\_003372_.tmp.dll
    c:\windows\system32\_003373_.tmp.dll
    c:\windows\system32\_003374_.tmp.dll
    c:\windows\system32\_003375_.tmp.dll
    c:\windows\system32\_003376_.tmp.dll
    c:\windows\system32\_003377_.tmp.dll
    c:\windows\system32\_003378_.tmp.dll
    c:\windows\system32\_003379_.tmp.dll
    c:\windows\system32\_003380_.tmp.dll
    c:\windows\system32\_003382_.tmp.dll
    c:\windows\system32\_003383_.tmp.dll
    c:\windows\system32\_003385_.tmp.dll
    c:\windows\system32\_003386_.tmp.dll
    c:\windows\system32\_003387_.tmp.dll
    c:\windows\system32\_003388_.tmp.dll
    c:\windows\system32\_003389_.tmp.dll
    c:\windows\system32\_003390_.tmp.dll
    c:\windows\system32\_003392_.tmp.dll
    c:\windows\system32\_003393_.tmp.dll
    c:\windows\system32\_003394_.tmp.dll
    c:\windows\system32\_003395_.tmp.dll
    c:\windows\system32\_003396_.tmp.dll
    c:\windows\system32\_003397_.tmp.dll
    c:\windows\system32\_003398_.tmp.dll
    c:\windows\system32\_003399_.tmp.dll
    c:\windows\system32\_003400_.tmp.dll
    c:\windows\system32\_003403_.tmp.dll
    c:\windows\system32\_003404_.tmp.dll
    c:\windows\system32\_003405_.tmp.dll
    c:\windows\system32\_003406_.tmp.dll
    c:\windows\system32\_003407_.tmp.dll
    c:\windows\system32\_003408_.tmp.dll
    c:\windows\system32\_003409_.tmp.dll
    c:\windows\system32\_003411_.tmp.dll
    c:\windows\system32\_003412_.tmp.dll
    c:\windows\system32\_003413_.tmp.dll
    c:\windows\system32\_003414_.tmp.dll
    c:\windows\system32\_003415_.tmp.dll
    c:\windows\system32\_003416_.tmp.dll
    c:\windows\system32\_003417_.tmp.dll
    c:\windows\system32\_003418_.tmp.dll
    c:\windows\system32\_003419_.tmp.dll
    c:\windows\system32\_003420_.tmp.dll
    c:\windows\system32\_003421_.tmp.dll
    c:\windows\system32\_003422_.tmp.dll
    c:\windows\system32\_003424_.tmp.dll
    c:\windows\system32\_003425_.tmp.dll
    c:\windows\system32\_003426_.tmp.dll
    c:\windows\system32\_003427_.tmp.dll
    c:\windows\system32\_003429_.tmp.dll
    c:\windows\system32\_003431_.tmp.dll
    c:\windows\system32\_003432_.tmp.dll
    c:\windows\system32\_003433_.tmp.dll
    c:\windows\system32\_003434_.tmp.dll
    c:\windows\system32\_003435_.tmp.dll
    c:\windows\system32\_003436_.tmp.dll
    c:\windows\system32\_003437_.tmp.dll
    c:\windows\system32\_003438_.tmp.dll
    c:\windows\system32\_003440_.tmp.dll
    c:\windows\system32\_003441_.tmp.dll
    c:\windows\system32\_003442_.tmp.dll
    c:\windows\system32\_003443_.tmp.dll
    c:\windows\system32\_003444_.tmp.dll
    c:\windows\system32\_003445_.tmp.dll
    c:\windows\system32\_003446_.tmp.dll
    c:\windows\system32\_003447_.tmp.dll
    c:\windows\system32\_003449_.tmp.dll
    c:\windows\system32\_003450_.tmp.dll
    c:\windows\system32\_003452_.tmp.dll
    c:\windows\system32\_003453_.tmp.dll
    c:\windows\system32\_003455_.tmp.dll
    c:\windows\system32\_003456_.tmp.dll
    c:\windows\system32\_003460_.tmp.dll
    c:\windows\system32\_003461_.tmp.dll
    c:\windows\system32\_003463_.tmp.dll
    c:\windows\system32\_003465_.tmp.dll
    c:\windows\system32\_003466_.tmp.dll
    c:\windows\system32\_003469_.tmp.dll
    c:\windows\system32\_003470_.tmp.dll
    c:\windows\system32\_003471_.tmp.dll
    c:\windows\system32\_003472_.tmp.dll
    c:\windows\system32\_003475_.tmp.dll
    c:\windows\system32\_003476_.tmp.dll
    c:\windows\system32\_003477_.tmp.dll
    c:\windows\system32\_003478_.tmp.dll
    c:\windows\system32\_003479_.tmp.dll
    c:\windows\system32\_003484_.tmp.dll
    c:\windows\system32\_003486_.tmp.dll
    c:\windows\system32\regobj.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-11 to 2011-05-11 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-11 08:57 . 2011-05-11 08:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
    2011-05-11 08:57 . 2011-05-11 08:57 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
    2011-05-10 19:44 . 2011-05-10 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\FileCure
    2011-05-10 16:33 . 2011-05-10 16:33 -------- d-----w- c:\documents and settings\Jon\Application Data\Malwarebytes
    2011-05-10 16:28 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-10 16:28 . 2011-05-10 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-05-10 16:28 . 2011-05-10 16:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-10 16:28 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-09 18:52 . 2011-05-09 18:52 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2011-05-09 18:52 . 2011-05-09 18:52 -------- d-----w- c:\program files\Symantec
    2011-05-09 18:52 . 2011-05-09 18:52 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2011-05-09 18:50 . 2011-05-10 09:39 -------- d-----w- c:\windows\system32\drivers\N360
    2011-05-09 18:50 . 2011-05-09 18:50 -------- d-----w- c:\program files\Norton Security Suite
    2011-05-09 18:50 . 2011-05-09 18:50 -------- d-----w- c:\program files\Windows Sidebar
    2011-05-09 18:48 . 2011-05-09 18:48 -------- d-----w- c:\program files\NortonInstaller
    2011-05-09 15:57 . 2011-05-09 15:57 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-05-09 15:21 . 2011-05-09 18:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2011-05-09 15:21 . 2011-05-09 16:36 -------- d-----w- c:\documents and settings\Jon\Local Settings\Application Data\NPE
    2011-05-09 09:05 . 2011-05-09 09:05 -------- d-----w- C:\NBRT
    2011-05-03 04:25 . 2011-05-03 04:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
    2011-04-26 03:12 . 2011-04-26 03:12 -------- d-----w- c:\documents and settings\Jon\Application Data\Windows Search
    2011-04-26 03:10 . 2011-04-26 03:10 -------- d-----w- c:\documents and settings\Jon\Application Data\Windows Desktop Search
    2011-04-26 03:03 . 2011-04-26 03:03 -------- d-----w- c:\program files\Common Files\Windows Live
    2011-04-26 03:01 . 2011-04-26 03:01 -------- d-----w- c:\windows\system32\winrm
    2011-04-26 03:01 . 2011-04-26 03:02 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
    2011-04-26 03:01 . 2011-04-26 03:01 -------- d-----w- c:\windows\system32\DRM
    2011-04-26 02:59 . 2011-04-26 03:32 -------- d-----w- c:\program files\Windows Desktop Search
    2011-04-26 02:59 . 2011-04-26 02:59 -------- d-----w- c:\windows\system32\GroupPolicy
    2011-04-26 02:56 . 2008-03-07 17:02 98304 ------w- c:\windows\system32\dllcache\nlhtml.dll
    2011-04-26 02:56 . 2008-03-07 17:02 29696 ------w- c:\windows\system32\dllcache\mimefilt.dll
    2011-04-26 02:56 . 2008-03-07 17:02 192000 ------w- c:\windows\system32\dllcache\offfilt.dll
    2011-04-26 02:55 . 2011-04-26 02:55 -------- d-----w- c:\program files\Synaptics
    2011-04-15 15:39 . 2011-04-15 15:48 -------- d-----w- c:\program files\Brother
    2011-04-12 17:25 . 2011-04-12 17:25 -------- d-----w- c:\program files\HRBlock2010
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-11 02:33 . 2005-03-17 17:12 94208 ----a-w- c:\windows\DUMPd74f.tmp
    2011-03-07 05:33 . 2004-08-04 08:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-04 06:37 . 2004-08-04 08:00 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-03-03 13:21 . 2008-09-14 13:24 1857920 ----a-w- c:\windows\system32\win32k.sys
    2011-02-22 23:06 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-02-22 23:06 . 2004-08-04 08:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-02-22 23:06 . 2004-08-04 08:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-02-22 11:41 . 2004-08-04 08:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-02-17 13:18 . 2008-09-14 13:24 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-02-17 13:18 . 2008-09-14 13:24 357888 ----a-w- c:\windows\system32\drivers\srv.sys
    2011-02-17 12:32 . 2009-04-15 11:08 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2011-02-15 12:56 . 2004-08-04 08:00 290432 ----a-w- c:\windows\system32\atmfd.dll
    2011-02-11 13:25 . 2007-01-06 18:51 229888 ----a-w- c:\windows\system32\fxscover.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
    "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-01-12 274608]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
    2008-04-23 06:08 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2007-10-10 23:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.4]
    2010-07-02 18:24 95744 ----a-w- c:\program files\eFax Messenger 4.4\J2GDllCmd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
    2004-05-12 20:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
    2006-01-13 06:58 188416 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
    2004-08-04 13:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-12-13 22:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickGammaLoader]
    2009-08-15 02:31 98816 ----a-w- c:\program files\QuickGamma\QuickGammaLoader.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2011-01-12 19:26 274608 ----a-w- c:\program files\real\realplayer\Update\realsched.exe
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "HP Lamp"=c:\scanjet\PrecisionScanPro\HPLamp.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
    "c:\\WINDOWS\\system32\\fxsclnt.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009
    "3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
    "3540:UDP"= 3540:UDP:peer Name Resolution Protocol (PNRP)
    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)
    "AllowInboundTimestampRequest"= 1 (0x1)
    "AllowInboundMaskRequest"= 1 (0x1)
    "AllowInboundRouterRequest"= 1 (0x1)
    "AllowOutboundDestinationUnreachable"= 1 (0x1)
    "AllowOutboundSourceQuench"= 1 (0x1)
    "AllowOutboundParameterProblem"= 1 (0x1)
    "AllowOutboundTimeExceeded"= 1 (0x1)
    "AllowRedirect"= 1 (0x1)
    "AllowOutboundPacketTooBig"= 1 (0x1)
    .
    R0 DSFKSVCS;Kernel Services for DSF;c:\windows\system32\drivers\dsfksvcs.sys [2/8/2010 9:52 PM 479992]
    R0 dsfroot;root enumerated bus driver;c:\windows\system32\drivers\dsfroot.sys [2/8/2010 9:52 PM 31608]
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0403000.005\symds.sys [5/10/2011 12:19 AM 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0403000.005\symefa.sys [5/10/2011 12:19 AM 173104]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20110430.001\BHDrvx86.sys [4/30/2011 1:44 AM 802936]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0403000.005\cchpx86.sys [5/10/2011 12:19 AM 501888]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0403000.005\ironx86.sys [5/10/2011 12:19 AM 116784]
    R2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 4:00 AM 14336]
    R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.3.0.5\ccsvchst.exe [5/10/2011 12:17 AM 126392]
    R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [11/13/2009 11:28 AM 110592]
    R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 8:58 AM 20480]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/10/2011 10:47 PM 105592]
    R3 hpusbfd;Hewlett-Packard USB Filter Class;c:\windows\system32\drivers\hpusbfd.sys [4/20/2009 7:56 PM 7552]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20110509.001\IDSXpx86.sys [5/10/2011 10:53 PM 341944]
    S1 MpKsl6f3043d3;MpKsl6f3043d3;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{40850541-8EB0-48F5-8169-8DACE5169F2F}\MpKsl6f3043d3.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{40850541-8EB0-48F5-8169-8DACE5169F2F}\MpKsl6f3043d3.sys [?]
    S1 MpKsl7e65967e;MpKsl7e65967e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{115DCED6-47EE-4A30-99C4-8897A34FE5BE}\MpKsl7e65967e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{115DCED6-47EE-4A30-99C4-8897A34FE5BE}\MpKsl7e65967e.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/3/2010 7:41 PM 136176]
    S2 PowerAlert Agent;PowerAlert Agent;c:\program files\TrippLite\PowerAlert\engine\pal.exe [10/16/2009 12:07 PM 1635664]
    S3 AVMAP_CP;AvMap Chart Plotter USB Driver (avmap_cp.sys);c:\windows\system32\drivers\avmap_cp.sys [12/25/2008 11:49 PM 18736]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/3/2010 7:41 PM 136176]
    S3 HRMACPI;DSF ACPI Redirection Module;c:\windows\system32\DRIVERS\HRMACPI.SYS --> c:\windows\system32\DRIVERS\HRMACPI.SYS [?]
    S3 HRMCFGSPC;DSF General Configuration Space Redirection Module;c:\windows\system32\drivers\hrmcfgspc.sys [2/8/2010 9:52 PM 92664]
    S3 HRMINTS;DSF Interrupt Redirection Module;c:\windows\system32\drivers\hrmints.sys [2/8/2010 9:52 PM 89976]
    S3 HRMPORTS;DSF IO Port Redirection Module;c:\windows\system32\drivers\hrmports.sys [2/8/2010 9:53 PM 103160]
    S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\drivers\silabenm.sys [11/25/2008 9:17 PM 17920]
    S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\drivers\silabser.sys [11/25/2008 9:17 PM 60544]
    S3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [6/5/2008 1:39 PM 11264]
    S3 SOFTHIDUSBK;USB HID Layer;c:\windows\system32\DRIVERS\SOFTHIDUSBK.SYS --> c:\windows\system32\DRIVERS\SOFTHIDUSBK.SYS [?]
    S3 SOFTUSBK;Generic USB device;c:\windows\system32\DRIVERS\SOFTUSBK.SYS --> c:\windows\system32\DRIVERS\SOFTUSBK.SYS [?]
    S3 SOFTUSBTESTHUB;Generic USB Test Hub;c:\windows\system32\DRIVERS\SOFTUSBTESTHUB.SYS --> c:\windows\system32\DRIVERS\SOFTUSBTESTHUB.SYS [?]
    S3 SOFTWADP;Wireless adapter devices;c:\windows\system32\DRIVERS\SOFTWADP.SYS --> c:\windows\system32\DRIVERS\SOFTWADP.SYS [?]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [6/11/2010 9:13 PM 11520]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 4:00 AM 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    S3 WSOFTUSBK;Generic wireless USB device;c:\windows\system32\DRIVERS\WSOFTUSBK.SYS --> c:\windows\system32\DRIVERS\WSOFTUSBK.SYS [?]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    WINRM REG_MULTI_SZ WINRM
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-16 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
    .
    2011-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-03 23:41]
    .
    2011-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-03 23:41]
    .
    2011-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3679635613-1209586761-3265449678-1006Core.job
    - c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-16 01:34]
    .
    2011-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3679635613-1209586761-3265449678-1006UA.job
    - c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-16 01:34]
    .
    2011-05-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3679635613-1209586761-3265449678-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
    .
    2011-04-30 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3679635613-1209586761-3265449678-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
    .
    2011-05-11 c:\windows\Tasks\User_Feed_Synchronization-{1E903100-CF61-4BB3-A59B-4CB45F0B4732}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/ig?hl=en
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
    .
    .
    ------- File Associations -------
    .
    .scr=ft000002
    .
    - - - - ORPHANS REMOVED - - - -
    .
    SafeBoot-mcmscsvc
    SafeBoot-MCODS
    AddRemove-Inline Search - c:\program files\Core Services\Inline Search\uninstall.exe
    AddRemove-SIUSBXP&10C4&EA61 - c:\windows\system32\Silabs\DriverUninstaller.exe USBXpress\SIUSBXP&10C4&EA61
    AddRemove-SLABCOMM&10C4&EA60 - c:\windows\system32\Silabs\DriverUninstaller.exe VCP CP210x Cardinal\SLABCOMM&10C4&EA60
    AddRemove-Jupiter Update - c:\program files\Ten-Tec\Jupiter Update\uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-11 17:14
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet005\Services\N360]
    "ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet005\Services\DSFKSVCS\MofImagePath]
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-3679635613-1209586761-3265449678-1006\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2300)
    c:\windows\system32\WININET.dll
    c:\windows\system32\AcSignIcon.dll
    c:\program files\Common Files\Autodesk Shared\AcSignCore16.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\system32\tcpsvcs.exe
    c:\windows\System32\snmp.exe
    c:\windows\system32\SearchIndexer.exe
    c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
    c:\program files\Synaptics\SynTP\SynTPEnh.exe
    c:\program files\Windows Media Player\WMPNetwk.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\system32\SearchProtocolHost.exe
    c:\windows\system32\SearchFilterHost.exe
    .
    **************************************************************************
    .
    Completion time: 2011-05-11 17:27:16 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-05-11 21:27
    .
    Pre-Run: 11,971,383,296 bytes free
    Post-Run: 12,199,825,408 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    .
    Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,4,5,6
    - - End Of File - - ED994662E88B1BD4BDEF9DEE11998B88
     
  8. Broni

    Broni Malware Annihilator Posts: 46,860   +254

    Combofix log looks good now.

    Any current issues?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  9. Wile E Coyote

    Wile E Coyote TS Rookie Topic Starter

    No current issues noticed. Seems to be running a bit faster.

    OTL.txt:

    OTL logfile created on: 5/11/2011 6:40:35 PM - Run 1
    OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Jon\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    990.00 Mb Total Physical Memory | 293.00 Mb Available Physical Memory | 30.00% Memory free
    1.00 Gb Paging File | 1.00 Gb Available in Paging File | 53.00% Paging File free
    Paging file location(s): C:\pagefile.sys 336 672 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 37.25 Gb Total Space | 11.36 Gb Free Space | 30.48% Space Free | Partition Type: NTFS

    Computer Name: PC105602224833 | User Name: Jon | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/05/11 18:23:27 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jon\Desktop\OTL.exe
    PRC - [2011/05/11 18:05:42 | 000,059,964 | ---- | M] (Macrovision Europe Ltd.) -- C:\Documents and Settings\Jon\Local Settings\temp\Adobelm_Cleanup.0001
    PRC - [2011/01/12 15:26:05 | 000,274,608 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\real\realplayer\Update\realsched.exe
    PRC - [2010/02/25 20:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccsvchst.exe
    PRC - [2009/11/13 11:28:04 | 000,110,592 | ---- | M] (WDC) -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
    PRC - [2009/06/16 08:58:08 | 000,020,480 | ---- | M] (Memeo) -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
    PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2006/05/16 22:12:59 | 000,075,376 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe


    ========== Modules (SafeList) ==========

    MOD - [2011/05/11 18:23:27 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jon\Desktop\OTL.exe
    MOD - [2011/01/11 10:59:44 | 000,653,136 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_0517bbc6\msvcr90.dll
    MOD - [2011/01/11 10:59:44 | 000,569,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_0517bbc6\msvcp90.dll
    MOD - [2010/09/20 15:26:01 | 000,415,088 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Security Suite\Engine\4.3.0.5\asoehook.dll
    MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
    MOD - [2009/05/24 22:41:34 | 000,304,128 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled | Stopped] -- -- (HidServ)
    SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
    SRV - [2010/02/25 20:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe -- (N360)
    SRV - [2009/11/13 11:28:04 | 000,110,592 | ---- | M] (WDC) [Auto | Running] -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe -- (WDDMService)
    SRV - [2009/10/16 12:07:50 | 001,635,664 | ---- | M] (Tripp Lite) [Auto | Stopped] -- C:\Program Files\TrippLite\PowerAlert\engine\pal.exe -- (PowerAlert Agent)
    SRV - [2009/06/16 08:58:08 | 000,020,480 | ---- | M] (Memeo) [Auto | Running] -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe -- (WDSmartWareBackgroundService)
    SRV - [2008/04/13 20:12:02 | 000,105,472 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\p2pgasvc.dll -- (p2pgasvc)
    SRV - [2008/04/13 20:11:55 | 000,035,328 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\iprip.dll -- (Iprip)
    SRV - [2005/07/12 07:14:49 | 000,074,360 | ---- | M] (Autodesk, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service)


    ========== Driver Services (SafeList) ==========

    DRV - [2011/05/10 00:21:15 | 000,105,592 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
    DRV - [2011/05/10 00:21:14 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
    DRV - [2011/05/09 14:52:08 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
    DRV - [2011/05/09 01:00:00 | 001,393,144 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20110511.002\NAVEX15.SYS -- (NAVEX15)
    DRV - [2011/05/09 01:00:00 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20110511.002\NAVENG.SYS -- (NAVENG)
    DRV - [2011/04/30 01:44:12 | 000,802,936 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20110430.001\BHDrvx86.sys -- (BHDrvx86)
    DRV - [2011/04/26 16:27:36 | 000,341,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20110509.001\IDSXpx86.sys -- (IDSxpx86)
    DRV - [2010/05/06 00:01:59 | 000,361,904 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0403000.005\SYMTDI.SYS -- (SYMTDI)
    DRV - [2010/04/29 01:03:51 | 000,116,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0403000.005\Ironx86.SYS -- (SymIRON)
    DRV - [2010/04/21 23:02:20 | 000,173,104 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\0403000.005\SYMEFA.SYS -- (SymEFA)
    DRV - [2010/04/21 22:29:50 | 000,325,680 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0403000.005\SRTSP.SYS -- (SRTSP)
    DRV - [2010/04/21 22:29:50 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0403000.005\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
    DRV - [2010/02/25 20:22:57 | 000,501,888 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0403000.005\ccHPx86.sys -- (ccHP)
    DRV - [2010/02/08 21:53:06 | 000,103,160 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hrmports.sys -- (HRMPORTS)
    DRV - [2010/02/08 21:52:56 | 000,092,664 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hrmcfgspc.sys -- (HRMCFGSPC)
    DRV - [2010/02/08 21:52:56 | 000,089,976 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hrmints.sys -- (HRMINTS)
    DRV - [2010/02/08 21:52:54 | 000,479,992 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dsfksvcs.sys -- (DSFKSVCS)
    DRV - [2010/02/08 21:52:54 | 000,031,608 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dsfroot.sys -- (dsfroot)
    DRV - [2009/10/14 23:50:05 | 000,328,752 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\0403000.005\SYMDS.SYS -- (SymDS)
    DRV - [2009/02/13 11:02:52 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wdcsam.sys -- (WDC_SAM)
    DRV - [2008/10/23 01:58:36 | 001,391,104 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
    DRV - [2008/08/27 16:14:36 | 000,060,544 | ---- | M] (Silicon Laboratories) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\silabser.sys -- (silabser)
    DRV - [2008/08/27 16:14:36 | 000,017,920 | ---- | M] (Silicon Laboratories, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\silabenm.sys -- (silabenm)
    DRV - [2008/06/05 13:39:08 | 000,011,264 | ---- | M] (Silicon Laboratories) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SiUSBXp.sys -- (SIUSBXP)
    DRV - [2008/04/13 14:53:09 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
    DRV - [2008/02/25 12:54:56 | 000,105,088 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
    DRV - [2005/05/05 12:04:08 | 000,007,936 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\eabfiltr.sys -- (eabfiltr)
    DRV - [2005/05/05 12:04:04 | 000,005,760 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EabUsb.sys -- (eabusb)
    DRV - [2004/12/15 15:18:34 | 000,207,232 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
    DRV - [2004/12/15 15:18:28 | 000,703,232 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
    DRV - [2004/12/15 15:18:26 | 001,038,208 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
    DRV - [2004/11/23 14:57:56 | 000,280,192 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camchal.sys -- (CAMCHALA)
    DRV - [2004/11/23 14:57:12 | 000,293,120 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camcaud.sys -- (CAMCAUD)
    DRV - [2004/09/20 04:41:00 | 003,210,496 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel(R)
    DRV - [2004/04/27 14:03:00 | 000,069,504 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Rtlnic51.sys -- (RTL8023)
    DRV - [2004/01/14 11:30:00 | 000,017,151 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\ZDPNDIS5.sys -- (ZDPNDIS5)
    DRV - [2004/01/12 11:20:00 | 000,009,600 | ---- | M] (Cygnal Integrated Products) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CygF32x.sys -- (CYGF32X)
    DRV - [2003/10/02 16:17:40 | 000,018,736 | ---- | M] (C-Map) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avmap_cp.sys -- (AVMAP_CP) AvMap Chart Plotter USB Driver (avmap_cp.sys)
    DRV - [2002/08/26 18:29:42 | 000,023,387 | ---- | M] (Magic Control Technology Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\u2s2kxp.sys -- (U2SP) USB to Serial Converter Driver(Philips)
    DRV - [2002/05/22 09:40:40 | 000,007,552 | ---- | M] (Hewlett-Packard Co.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hpusbfd.sys -- (hpusbfd)
    DRV - [2002/01/17 22:49:34 | 000,073,216 | ---- | M] () [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\Drivers\SENTINEL.SYS -- (Sentinel)
    DRV - [2001/08/17 16:10:28 | 000,035,913 | ---- | M] (SMC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========



    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-21-3679635613-1209586761-3265449678-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
    IE - HKU\S-1-5-21-3679635613-1209586761-3265449678-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig?hl=en
    IE - HKU\S-1-5-21-3679635613-1209586761-3265449678-1006\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    IE - HKU\S-1-5-21-3679635613-1209586761-3265449678-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    IE - HKU\S-1-5-21-3679635613-1209586761-3265449678-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-3679635613-1209586761-3265449678-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\ [2011/05/10 00:15:50 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\ [2011/05/09 14:56:46 | 000,000,000 | ---D | M]

    [2011/05/09 13:24:44 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

    O1 HOSTS File: ([2011/05/11 17:13:05 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (no name) - {2B474A76-93A8-4D94-B887-ACCCC409C061} - No CLSID value found.
    O2 - BHO: (no name) - {435EAA86-D32B-484F-869C-53745FCB1642} - No CLSID value found.
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\coieplg.dll (Symantec Corporation)
    O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ipsbho.dll (Symantec Corporation)
    O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (no name) - {8DB3D69D-DA5E-4165-B781-72A761790672} - No CLSID value found.
    O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
    O2 - BHO: (no name) - {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} - No CLSID value found.
    O2 - BHO: (IE DOM Explorer) - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll (Microsoft Corporation)
    O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\coieplg.dll (Symantec Corporation)
    O3 - HKLM\..\Toolbar: (no name) - {A8C7C2CA-6DFD-4E16-8458-592361564D38} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (Developer Toolbar) - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll (Microsoft Corporation)
    O3 - HKU\S-1-5-21-3679635613-1209586761-3265449678-1006\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-3679635613-1209586761-3265449678-1006\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKU\S-1-5-21-3679635613-1209586761-3265449678-1006\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O3 - HKU\S-1-5-21-3679635613-1209586761-3265449678-1006\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\coieplg.dll (Symantec Corporation)
    O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
    O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
    O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
    O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
    O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
    O4 - HKLM..\Run: [TkBellExe] C:\program files\real\realplayer\update\realsched.exe (RealNetworks, Inc.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-3679635613-1209586761-3265449678-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-3679635613-1209586761-3265449678-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-3679635613-1209586761-3265449678-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-21-3679635613-1209586761-3265449678-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: &ieSpell Options - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
    O8 - Extra context menu item: Check &Spelling - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
    O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Lookup on Merriam Webster - C:\Program Files\ieSpell\Merriam Webster.HTM ()
    O8 - Extra context menu item: Lookup on Wikipedia - C:\Program Files\ieSpell\wikipedia.HTM ()
    O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_18.dll (Sun Microsystems, Inc.)
    O9 - Extra Button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
    O9 - Extra 'Tools' menuitem : ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
    O9 - Extra 'Tools' menuitem : ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
    O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\Jon\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Jon\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
    O28 - HKLM ShellExecuteHooks: {CB0A0B68-3F3C-61D2-A901-8381E131D211} - Reg Error: Key error. File not found
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2010/11/14 11:42:22 | 000,000,000 | ---D | M] - C:\Autodesk -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/05/11 18:23:23 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jon\Desktop\OTL.exe
    [2011/05/11 16:22:30 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2011/05/11 16:15:53 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2011/05/11 16:15:53 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2011/05/11 16:15:53 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2011/05/11 16:15:53 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2011/05/11 16:15:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2011/05/11 16:14:40 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/05/11 16:00:31 | 000,083,968 | ---- | C] (eSage Lab) -- C:\Documents and Settings\Jon\Desktop\remover.exe
    [2011/05/11 16:00:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jon\Desktop\bootkit_remover
    [2011/05/11 10:50:51 | 001,407,280 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Jon\Desktop\TDSSKiller.exe
    [2011/05/11 04:57:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer
    [2011/05/11 04:57:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Apple Computer
    [2011/05/10 15:44:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\FileCure
    [2011/05/10 12:33:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jon\Application Data\Malwarebytes
    [2011/05/10 12:28:18 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2011/05/10 12:28:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/05/10 12:28:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2011/05/10 12:28:10 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2011/05/10 12:28:10 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/05/10 12:27:03 | 007,734,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Jon\Desktop\mbam-setup-1.50.1.1100.exe
    [2011/05/10 12:07:57 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jon\Desktop\TFC.exe
    [2011/05/10 00:19:33 | 000,339,504 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0403000.005\symtdiv.sys
    [2011/05/10 00:19:32 | 000,361,904 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0403000.005\symtdi.sys
    [2011/05/10 00:19:32 | 000,173,104 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0403000.005\symefa.sys
    [2011/05/10 00:19:31 | 000,328,752 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0403000.005\symds.sys
    [2011/05/10 00:19:30 | 000,043,696 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0403000.005\srtspx.sys
    [2011/05/10 00:19:29 | 000,325,680 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0403000.005\srtsp.sys
    [2011/05/10 00:19:28 | 000,501,888 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0403000.005\cchpx86.sys
    [2011/05/10 00:19:28 | 000,116,784 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0403000.005\ironx86.sys
    [2011/05/10 00:16:27 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\N360\0403000.005
    [2011/05/09 14:52:09 | 000,060,808 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
    [2011/05/09 14:52:08 | 000,124,976 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
    [2011/05/09 14:52:08 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
    [2011/05/09 14:50:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\N360
    [2011/05/09 14:50:31 | 000,000,000 | ---D | C] -- C:\Program Files\Norton Security Suite
    [2011/05/09 14:50:30 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Sidebar
    [2011/05/09 14:50:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Norton Security Suite
    [2011/05/09 14:48:45 | 000,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
    [2011/05/09 14:48:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
    [2011/05/09 14:48:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jon\My Documents\Symantec
    [2011/05/09 14:39:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Norton
    [2011/05/09 13:37:34 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Jon\Recent
    [2011/05/09 12:43:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Real
    [2011/05/09 11:54:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Earth
    [2011/05/09 11:21:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
    [2011/05/09 11:21:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jon\Local Settings\Application Data\NPE
    [2011/05/09 05:05:09 | 000,000,000 | ---D | C] -- C:\NBRT
    [2011/05/08 20:25:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
    [2011/05/08 20:25:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
    [2011/05/08 03:34:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jon\My Documents\NRA
    [2011/05/03 00:25:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
    [2011/04/25 23:12:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jon\Application Data\Windows Search
    [2011/04/25 23:10:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jon\Application Data\Windows Desktop Search
    [2011/04/25 23:03:21 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Windows Live
    [2011/04/25 23:01:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\WindowsPowerShell
    [2011/04/25 23:01:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\winrm
    [2011/04/25 23:01:52 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$968930Uinstall_KB968930$
    [2011/04/25 23:01:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\DRM
    [2011/04/25 22:59:49 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Desktop Search
    [2011/04/25 22:59:49 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\GroupPolicy
    [2011/04/25 22:56:08 | 000,192,000 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\offfilt.dll
    [2011/04/25 22:56:08 | 000,098,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\nlhtml.dll
    [2011/04/25 22:56:08 | 000,029,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mimefilt.dll
    [2011/04/25 22:55:32 | 000,000,000 | ---D | C] -- C:\Program Files\Synaptics
    [2011/04/15 20:13:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jon\My Documents\Brother
    [2011/04/15 11:39:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Brother P-touch
    [2011/04/15 11:39:30 | 000,000,000 | ---D | C] -- C:\Program Files\Brother
    [2011/04/12 13:26:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\H&R Block 2010
    [2011/04/12 13:25:08 | 000,000,000 | ---D | C] -- C:\Program Files\HRBlock2010
    [2011/04/12 13:25:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jon\My Documents\HRBlock
    [18 C:\WINDOWS\Fonts\*.tmp files -> C:\WINDOWS\Fonts\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2011/05/11 18:43:00 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{1E903100-CF61-4BB3-A59B-4CB45F0B4732}.job
    [2011/05/11 18:23:27 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jon\Desktop\OTL.exe
    [2011/05/11 18:00:01 | 000,000,970 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3679635613-1209586761-3265449678-1006UA.job
    [2011/05/11 17:56:00 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2011/05/11 17:34:36 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2011/05/11 17:34:31 | 000,000,274 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-3679635613-1209586761-3265449678-1006.job
    [2011/05/11 17:34:10 | 000,000,876 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2011/05/11 17:32:01 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011/05/11 17:31:58 | 1038,602,240 | -HS- | M] () -- C:\hiberfil.sys
    [2011/05/11 17:13:05 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2011/05/11 16:22:42 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2011/05/11 16:01:42 | 004,346,086 | R--- | M] () -- C:\Documents and Settings\Jon\Desktop\ComboFix.exe
    [2011/05/11 16:00:03 | 000,039,605 | ---- | M] () -- C:\Documents and Settings\Jon\Desktop\bootkit_remover.rar
    [2011/05/11 11:16:27 | 000,153,590 | ---- | M] () -- C:\Documents and Settings\Jon\My Documents\bookmark20110511.htm
    [2011/05/11 10:43:40 | 001,280,815 | ---- | M] () -- C:\Documents and Settings\Jon\Desktop\tdsskiller.zip
    [2011/05/11 08:58:13 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/05/11 06:00:03 | 000,000,918 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3679635613-1209586761-3265449678-1006Core.job
    [2011/05/10 15:20:31 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Jon\Desktop\dds.scr
    [2011/05/10 14:17:21 | 000,302,080 | ---- | M] () -- C:\Documents and Settings\Jon\Desktop\tif0roxe.exe
    [2011/05/10 12:28:20 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/05/10 12:27:03 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Jon\Desktop\mbam-setup-1.50.1.1100.exe
    [2011/05/10 12:08:13 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jon\Desktop\TFC.exe
    [2011/05/10 05:39:15 | 000,002,010 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Norton Security Suite.LNK
    [2011/05/10 05:39:04 | 000,737,502 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0403000.005\Cat.DB
    [2011/05/09 14:52:08 | 000,124,976 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
    [2011/05/09 14:52:08 | 000,060,808 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
    [2011/05/09 14:52:08 | 000,007,443 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
    [2011/05/09 14:52:08 | 000,000,805 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
    [2011/05/09 14:39:01 | 000,000,873 | ---- | M] () -- C:\Documents and Settings\Jon\Desktop\Norton Installation Files.lnk
    [2011/05/09 13:45:15 | 102,760,448 | -HS- | M] () -- C:\NBRTPage(2).sys
    [2011/05/09 13:24:06 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
    [2011/05/09 12:12:57 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2011/05/09 11:49:58 | 000,007,610 | -HS- | M] () -- C:\Documents and Settings\Jon\Local Settings\Application Data\0311i0slxg3g4ncr65ef01f4i5
    [2011/05/09 11:49:58 | 000,007,610 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\0311i0slxg3g4ncr65ef01f4i5
    [2011/05/09 05:05:09 | 102,760,448 | -HS- | M] () -- C:\NBRTPage.sys
    [2011/05/06 12:51:26 | 000,018,297 | ---- | M] () -- C:\Documents and Settings\Jon\Desktop\RJR_NJ Saltwater.pdf
    [2011/05/06 12:49:42 | 000,018,289 | ---- | M] () -- C:\Documents and Settings\Jon\Desktop\RSR_NJ_Saltwater.pdf
    [2011/05/06 12:46:48 | 000,018,285 | ---- | M] () -- C:\Documents and Settings\Jon\Desktop\JRR_NJ_Saltwater.pdf
    [2011/05/04 18:25:22 | 000,940,251 | ---- | M] () -- C:\Documents and Settings\Jon\Desktop\FEA.pdf
    [2011/05/03 10:35:05 | 002,652,172 | ---- | M] () -- C:\Documents and Settings\Jon\Desktop\Pilot-Vanishing-Point-Black-Matte.pdf
    [2011/05/01 14:21:00 | 001,407,280 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Jon\Desktop\TDSSKiller.exe
    [2011/04/30 10:31:30 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-3679635613-1209586761-3265449678-1006.job
    [2011/04/29 19:54:33 | 000,002,513 | ---- | M] () -- C:\Documents and Settings\Jon\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Excel 2003.lnk
    [2011/04/28 22:30:13 | 000,130,860 | ---- | M] () -- C:\Documents and Settings\Jon\Desktop\U16A0.pdf
    [2011/04/25 23:12:16 | 000,509,704 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2011/04/25 23:12:16 | 000,089,920 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2011/04/25 23:00:14 | 000,001,787 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    [2011/04/25 21:38:19 | 000,009,324 | -HS- | M] () -- C:\Documents and Settings\Jon\Local Settings\Application Data\6fq6p8858ae86mofmhwa61ow7l2sl4
    [2011/04/25 21:38:19 | 000,009,324 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\6fq6p8858ae86mofmhwa61ow7l2sl4
    [2011/04/24 11:15:17 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Jon\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2003.lnk
    [2011/04/22 19:36:07 | 004,623,051 | ---- | M] () -- C:\Documents and Settings\Jon\Desktop\Walther_catalog.pdf
    [2011/04/22 13:52:52 | 000,000,421 | ---- | M] () -- C:\Documents and Settings\Jon\Desktop\Shortcut to Recipes.lnk
    [2011/04/18 23:23:27 | 000,000,032 | ---- | M] () -- C:\WINDOWS\render.ini
    [2011/04/18 01:59:39 | 000,693,011 | ---- | M] () -- C:\Documents and Settings\Jon\Desktop\mikey_for_ipod_english.pdf
    [2011/04/15 23:58:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    [2011/04/15 21:12:49 | 000,631,576 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2011/04/13 13:02:29 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Jon\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
    [2011/04/12 14:37:28 | 020,869,005 | ---- | M] () -- C:\Documents and Settings\Jon\Desktop\111Catalog.pdf
    [2011/04/12 13:33:38 | 000,001,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\H&R Block 2010.lnk
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2011/05/11 16:22:42 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2011/05/11 16:22:34 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2011/05/11 16:15:53 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2011/05/11 16:15:53 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2011/05/11 16:15:53 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2011/05/11 16:15:53 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2011/05/11 16:15:53 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2011/05/11 16:01:26 | 004,346,086 | R--- | C] () -- C:\Documents and Settings\Jon\Desktop\ComboFix.exe
    [2011/05/11 15:59:57 | 000,039,605 | ---- | C] () -- C:\Documents and Settings\Jon\Desktop\bootkit_remover.rar
    [2011/05/11 11:16:24 | 000,153,590 | ---- | C] () -- C:\Documents and Settings\Jon\My Documents\bookmark20110511.htm
    [2011/05/11 10:47:43 | 001,280,815 | ---- | C] () -- C:\Documents and Settings\Jon\Desktop\tdsskiller.zip
    [2011/05/10 15:18:44 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Jon\Desktop\dds.scr
    [2011/05/10 14:17:14 | 000,302,080 | ---- | C] () -- C:\Documents and Settings\Jon\Desktop\tif0roxe.exe
    [2011/05/10 12:28:20 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/05/10 05:38:09 | 000,737,502 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0403000.005\Cat.DB
    [2011/05/10 00:19:32 | 000,007,787 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\0403000.005\symnetv.cat
    [2011/05/10 00:19:32 | 000,007,368 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\0403000.005\symnet.cat
    [2011/05/10 00:19:32 | 000,001,473 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0403000.005\symnetv.inf
    [2011/05/10 00:19:32 | 000,001,445 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0403000.005\symnet.inf
    [2011/05/10 00:19:31 | 000,007,873 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0403000.005\symefa.cat
    [2011/05/10 00:19:31 | 000,003,373 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0403000.005\symefa.inf
    [2011/05/10 00:19:30 | 000,007,425 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\0403000.005\symds.cat
    [2011/05/10 00:19:30 | 000,002,793 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\0403000.005\symds.inf
    [2011/05/10 00:19:29 | 000,007,442 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0403000.005\srtspx.cat
    [2011/05/10 00:19:29 | 000,007,438 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0403000.005\srtsp.cat
    [2011/05/10 00:19:29 | 000,001,388 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0403000.005\srtspx.inf
    [2011/05/10 00:19:29 | 000,001,382 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0403000.005\srtsp.inf
    [2011/05/10 00:19:28 | 000,007,438 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0403000.005\iron.cat
    [2011/05/10 00:19:28 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0403000.005\iron.inf
    [2011/05/10 00:19:27 | 000,007,396 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0403000.005\cchpx86.cat
    [2011/05/10 00:19:27 | 000,001,754 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0403000.005\cchpx86.inf
    [2011/05/10 00:16:27 | 000,000,172 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0403000.005\isolate.ini
    [2011/05/09 14:52:08 | 000,007,443 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
    [2011/05/09 14:52:08 | 000,000,805 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
    [2011/05/09 14:51:30 | 000,002,010 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Norton Security Suite.LNK
    [2011/05/09 14:39:00 | 000,000,873 | ---- | C] () -- C:\Documents and Settings\Jon\Desktop\Norton Installation Files.lnk
    [2011/05/09 13:15:28 | 102,760,448 | -HS- | C] () -- C:\NBRTPage(2).sys
    [2011/05/09 05:45:24 | 1038,602,240 | -HS- | C] () -- C:\hiberfil.sys
    [2011/05/09 05:05:08 | 102,760,448 | -HS- | C] () -- C:\NBRTPage.sys
    [2011/05/08 23:00:38 | 000,007,610 | -HS- | C] () -- C:\Documents and Settings\Jon\Local Settings\Application Data\0311i0slxg3g4ncr65ef01f4i5
    [2011/05/08 23:00:38 | 000,007,610 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\0311i0slxg3g4ncr65ef01f4i5
    [2011/05/06 12:51:26 | 000,018,297 | ---- | C] () -- C:\Documents and Settings\Jon\Desktop\RJR_NJ Saltwater.pdf
    [2011/05/06 12:49:42 | 000,018,289 | ---- | C] () -- C:\Documents and Settings\Jon\Desktop\RSR_NJ_Saltwater.pdf
    [2011/05/06 12:46:48 | 000,018,285 | ---- | C] () -- C:\Documents and Settings\Jon\Desktop\JRR_NJ_Saltwater.pdf
    [2011/05/04 18:25:22 | 000,940,251 | ---- | C] () -- C:\Documents and Settings\Jon\Desktop\FEA.pdf
    [2011/05/03 10:35:03 | 002,652,172 | ---- | C] () -- C:\Documents and Settings\Jon\Desktop\Pilot-Vanishing-Point-Black-Matte.pdf
    [2011/04/28 22:30:11 | 000,130,860 | ---- | C] () -- C:\Documents and Settings\Jon\Desktop\U16A0.pdf
    [2011/04/26 00:09:48 | 000,001,945 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
    [2011/04/25 23:00:54 | 000,873,374 | ---- | C] () -- C:\WINDOWS\System32\oem68.inf
    [2011/04/25 23:00:14 | 000,001,803 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Search.lnk
    [2011/04/25 23:00:14 | 000,001,787 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    [2011/04/25 20:53:59 | 000,009,324 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\6fq6p8858ae86mofmhwa61ow7l2sl4
    [2011/04/25 20:53:58 | 000,009,324 | -HS- | C] () -- C:\Documents and Settings\Jon\Local Settings\Application Data\6fq6p8858ae86mofmhwa61ow7l2sl4
    [2011/04/22 19:36:05 | 004,623,051 | ---- | C] () -- C:\Documents and Settings\Jon\Desktop\Walther_catalog.pdf
    [2011/04/22 13:52:52 | 000,000,421 | ---- | C] () -- C:\Documents and Settings\Jon\Desktop\Shortcut to Recipes.lnk
    [2011/04/18 23:23:27 | 000,000,032 | ---- | C] () -- C:\WINDOWS\render.ini
    [2011/04/18 01:59:35 | 000,693,011 | ---- | C] () -- C:\Documents and Settings\Jon\Desktop\mikey_for_ipod_english.pdf
    [2011/04/12 14:37:24 | 020,869,005 | ---- | C] () -- C:\Documents and Settings\Jon\Desktop\111Catalog.pdf
    [2011/04/12 13:26:30 | 000,001,682 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\H&R Block 2010.lnk
    [2010/11/19 19:48:52 | 000,327,536 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
     
  10. Wile E Coyote

    Wile E Coyote TS Rookie Topic Starter

    OTL.txt continued:

    [2010/08/23 20:20:36 | 000,000,011 | ---- | C] () -- C:\WINDOWS\SA2005.ini
    [2010/03/26 17:55:46 | 000,001,130 | ---- | C] () -- C:\Documents and Settings\Jon\Local Settings\Application Data\FASTWiz.html
    [2010/03/04 23:23:41 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Jon\Application Data\SpectraShop 3 Preferences
    [2010/03/02 14:34:43 | 000,001,121 | R--- | C] () -- C:\WINDOWS\System32\pt243L.INI
    [2010/03/02 14:34:42 | 000,073,728 | R--- | C] () -- C:\WINDOWS\System32\pt243F.DLL
    [2010/01/18 15:57:28 | 000,002,249 | ---- | C] () -- C:\WINDOWS\itfmui01.ini
    [2009/07/01 18:22:12 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpspmins.dll
    [2009/07/01 18:22:12 | 000,000,991 | ---- | C] () -- C:\WINDOWS\System32\hpipxmon.ini
    [2009/06/24 18:23:09 | 000,013,592 | ---- | C] () -- C:\WINDOWS\hpdj5100.ini
    [2009/06/05 12:02:16 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2009/04/20 20:06:27 | 000,000,020 | ---- | C] () -- C:\WINDOWS\hp precisionscan pro.INI
    [2009/04/07 17:00:08 | 000,000,063 | ---- | C] () -- C:\WINDOWS\keytrans.ini
    [2009/04/07 16:59:54 | 000,006,870 | ---- | C] () -- C:\WINDOWS\Keytran1.ini
    [2009/04/05 14:41:26 | 000,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
    [2009/04/05 14:40:21 | 000,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
    [2009/04/05 14:40:21 | 000,000,091 | ---- | C] () -- C:\WINDOWS\wpd99.drv
    [2009/02/14 18:59:20 | 000,000,623 | R--- | C] () -- C:\WINDOWS\System32\hppapr10.dat
    [2009/02/14 18:59:11 | 000,000,209 | ---- | C] () -- C:\WINDOWS\System32\AddPort.ini
    [2009/02/14 18:56:07 | 000,169,235 | ---- | C] () -- C:\WINDOWS\hppins10.dat
    [2009/02/14 18:56:06 | 000,005,186 | ---- | C] () -- C:\WINDOWS\hppmdl10.dat
    [2009/02/03 18:47:18 | 000,000,133 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc
    [2008/12/26 00:06:15 | 000,000,000 | ---- | C] () -- C:\WINDOWS\USERIMG.BIN
    [2008/11/21 20:34:09 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\QL57F.DLL
    [2008/11/21 20:34:09 | 000,000,971 | ---- | C] () -- C:\WINDOWS\System32\QL57L.INI
    [2008/11/06 12:33:02 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
    [2008/05/26 21:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
    [2008/05/26 21:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
    [2008/02/18 23:43:09 | 000,000,074 | ---- | C] () -- C:\WINDOWS\TaxACT07.ini
    [2008/01/03 09:01:36 | 000,000,125 | ---- | C] () -- C:\WINDOWS\nsnsware.ini
    [2007/12/11 01:55:13 | 000,038,460 | ---- | C] () -- C:\Documents and Settings\Jon\Application Data\Microsoft Access.ADR
    [2007/11/27 20:38:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MTSTACK.INI
    [2007/11/27 20:38:06 | 000,042,496 | ---- | C] () -- C:\WINDOWS\System32\MTSTACK.EXE
    [2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
    [2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
    [2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
    [2007/07/24 22:54:21 | 000,000,049 | ---- | C] () -- C:\WINDOWS\atomic.ini
    [2007/07/08 22:23:25 | 000,003,654 | ---- | C] () -- C:\WINDOWS\System32\drivers\Sonyhcp.dll
    [2007/05/18 20:52:02 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\ZyDelReg.exe
    [2007/05/18 20:52:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD.dll
    [2007/05/03 00:46:35 | 000,001,755 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
    [2007/03/30 06:38:51 | 000,004,096 | -H-- | C] () -- C:\Documents and Settings\Jon\Local Settings\Application Data\keyfile3.drm
    [2007/03/16 18:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
    [2007/02/25 07:58:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
    [2007/02/23 21:43:08 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
    [2007/02/13 01:57:55 | 000,000,000 | ---- | C] () -- C:\WINDOWS\mtstack16.INI
    [2007/02/01 22:06:46 | 000,000,086 | ---- | C] () -- C:\WINDOWS\GpsDlg.ini
    [2007/01/28 22:03:04 | 000,000,070 | ---- | C] () -- C:\WINDOWS\dmcFindX.INI
    [2007/01/27 23:28:19 | 000,000,041 | ---- | C] () -- C:\WINDOWS\dmcPrefX.INI
    [2007/01/27 10:54:13 | 000,000,218 | ---- | C] () -- C:\WINDOWS\AgRemote.ini
    [2007/01/06 14:51:24 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
    [2006/11/20 16:19:44 | 000,044,416 | ---- | C] () -- C:\WINDOWS\System32\drivers\Surroundhp_kern_i386.sys
    [2006/11/20 16:19:44 | 000,037,248 | ---- | C] () -- C:\WINDOWS\System32\drivers\csiidecoder_kern_i386.sys
    [2006/11/20 16:19:42 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\drivers\tshd4_kern_i386.sys
    [2006/11/08 13:55:52 | 000,000,214 | ---- | C] () -- C:\WINDOWS\EXAMWIN.INI
    [2006/10/30 22:15:01 | 000,000,251 | ---- | C] () -- C:\WINDOWS\COMWRK32.INI
    [2006/10/13 12:30:10 | 000,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
    [2006/09/12 19:53:56 | 000,000,092 | ---- | C] () -- C:\WINDOWS\TraceSrv.ini
    [2006/09/01 14:50:13 | 000,000,630 | ---- | C] () -- C:\WINDOWS\link32.INI
    [2006/05/12 23:42:16 | 000,073,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\SENTINEL.SYS
    [2006/05/12 23:42:16 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\SNTI386.DLL
    [2006/05/12 23:42:16 | 000,017,920 | ---- | C] () -- C:\WINDOWS\System32\RNBOVDD.DLL
    [2006/04/27 20:24:48 | 000,000,206 | ---- | C] () -- C:\WINDOWS\HPGdiPlus.ini
    [2006/04/15 20:59:14 | 000,000,700 | ---- | C] () -- C:\WINDOWS\wininit.ini
    [2006/04/13 19:55:36 | 000,000,466 | ---- | C] () -- C:\WINDOWS\dload32.INI
    [2006/04/12 17:27:05 | 000,000,265 | ---- | C] () -- C:\WINDOWS\hpqgrcpy.INI
    [2006/04/01 00:42:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
    [2006/04/01 00:42:12 | 000,107,134 | ---- | C] () -- C:\WINDOWS\UninstallFirefox.exe
    [2006/04/01 00:41:55 | 000,003,477 | ---- | C] () -- C:\WINDOWS\mozver.dat
    [2006/03/24 21:13:16 | 000,000,154 | ---- | C] () -- C:\WINDOWS\Readiris.ini
    [2006/03/24 21:13:13 | 000,023,040 | ---- | C] () -- C:\WINDOWS\System32\irisco32.dll
    [2006/03/24 20:57:41 | 000,085,284 | ---- | C] () -- C:\WINDOWS\hpgins01.dat
    [2006/03/24 20:57:41 | 000,000,145 | ---- | C] () -- C:\WINDOWS\hpgmdl01.dat
    [2006/03/10 15:46:01 | 000,095,232 | ---- | C] () -- C:\WINDOWS\System32\lfkodak.dll
    [2006/03/10 15:46:00 | 000,306,688 | ---- | C] () -- C:\WINDOWS\System32\lffpx7.dll
    [2006/03/10 15:45:59 | 000,000,928 | ---- | C] () -- C:\WINDOWS\System32\hpsj1695.dll
    [2006/03/10 15:45:59 | 000,000,053 | ---- | C] () -- C:\WINDOWS\System32\hpwnscsi.ini
    [2005/12/14 21:59:06 | 000,000,144 | ---- | C] () -- C:\Documents and Settings\Jon\Application Data\wklnhst.dat
    [2005/11/07 22:25:11 | 000,038,453 | ---- | C] () -- C:\Documents and Settings\Jon\Application Data\Comma Separated Values (Windows).ADR
    [2005/11/07 22:23:18 | 000,038,436 | ---- | C] () -- C:\Documents and Settings\Jon\Application Data\Microsoft Excel.ADR
    [2005/10/14 20:57:30 | 000,214,263 | ---- | C] () -- C:\WINDOWS\System32\drivers\TCPRASS3.SYS
    [2005/08/09 18:13:31 | 000,831,488 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
    [2005/08/09 18:13:31 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
    [2005/07/12 07:14:14 | 000,000,126 | ---- | C] () -- C:\Documents and Settings\Jon\Local Settings\Application Data\fusioncache.dat
    [2005/05/26 10:49:27 | 000,000,030 | ---- | C] () -- C:\WINDOWS\DeLGPS.ini
    [2005/05/25 20:10:37 | 000,000,041 | ---- | C] () -- C:\WINDOWS\loc2.INI
    [2005/05/25 20:10:29 | 000,000,041 | ---- | C] () -- C:\WINDOWS\FindServ.INI
    [2005/05/25 17:31:32 | 000,000,283 | ---- | C] () -- C:\WINDOWS\DeLSerial.ini
    [2005/05/03 18:12:41 | 000,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM21.dll
    [2005/05/03 18:12:41 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes21.dll
    [2005/04/09 22:00:20 | 000,045,056 | ---- | C] () -- C:\Documents and Settings\Jon\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2004/11/13 03:02:36 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
    [2004/11/13 03:02:36 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
    [2004/11/13 03:02:36 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
    [2004/11/13 03:02:36 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
    [2004/11/13 03:02:36 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
    [2004/11/13 03:02:36 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
    [2004/11/13 03:01:32 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\SynTPCoI.dll
    [2004/11/13 02:54:41 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2004/11/13 02:39:41 | 000,015,669 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
    [2004/08/16 08:42:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
    [2004/08/07 09:39:50 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2004/08/07 09:39:38 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
    [2004/08/07 09:30:28 | 000,509,704 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2004/08/07 09:30:28 | 000,089,920 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2004/08/07 09:30:20 | 000,000,831 | ---- | C] () -- C:\WINDOWS\orun32.ini
    [2004/08/07 09:23:02 | 000,631,576 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2004/08/07 09:18:02 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2004/08/07 09:15:12 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2004/08/04 04:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2004/08/04 04:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2004/08/04 04:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2004/08/04 04:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2004/08/04 04:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2004/08/04 04:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2004/08/04 04:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
    [2004/08/04 04:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
    [2002/07/26 16:09:58 | 000,143,360 | ---- | C] () -- C:\WINDOWS\unzip.exe
    [2002/07/22 18:57:58 | 000,045,056 | ---- | C] () -- C:\WINDOWS\devenum.exe
    [2002/05/28 04:55:42 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2002/05/28 04:54:40 | 000,004,605 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2002/03/19 17:30:00 | 000,216,576 | ---- | C] () -- C:\WINDOWS\System32\PowerCalc.exe
    [2002/03/14 13:00:26 | 000,038,567 | ---- | C] () -- C:\WINDOWS\System32\pcpbios.exe
    [1998/08/16 06:00:00 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\sysres.dll

    ========== Custom Scans ==========


    < * >
    [2011/05/09 12:12:57 | 000,000,211 | ---- | M] () -- \Boot.bak
    [2011/05/11 16:22:42 | 000,000,327 | RHS- | M] () -- \boot.ini
    [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- \cmldr
    [2011/05/11 17:27:18 | 000,027,563 | ---- | M] () -- \ComboFix.txt
    [2011/05/11 17:31:58 | 1038,602,240 | -HS- | M] () --
    [2005/03/24 17:56:09 | 000,000,000 | RHS- | M] () -- \IO.SYS
    [2005/03/24 17:56:09 | 000,000,000 | RHS- | M] () -- \MSDOS.SYS
    [2011/05/09 13:45:15 | 102,760,448 | -HS- | M] () -- \NBRTPage(2).sys
    [2011/05/09 05:05:09 | 102,760,448 | -HS- | M] () -- \NBRTPage.sys
    [2004/08/04 04:00:00 | 000,047,564 | RHS- | M] () -- \ntdetect.com
    [2009/04/05 11:34:21 | 000,250,048 | RHS- | M] () -- \ntldr
    [2011/05/11 17:31:56 | 352,321,536 | -HS- | M] () --

    < %SYSTEMDRIVE%\*.* >
    [2011/05/09 12:12:57 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2011/05/11 16:22:42 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
    [2011/05/11 17:27:18 | 000,027,563 | ---- | M] () -- C:\ComboFix.txt
    [2011/05/11 17:31:58 | 1038,602,240 | -HS- | M] () -- C:\hiberfil.sys
    [2005/03/24 17:56:09 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2005/03/24 17:56:09 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2011/05/09 13:45:15 | 102,760,448 | -HS- | M] () -- C:\NBRTPage(2).sys
    [2011/05/09 05:05:09 | 102,760,448 | -HS- | M] () -- C:\NBRTPage.sys
    [2004/08/04 04:00:00 | 000,047,564 | RHS- | M] () -- C:\ntdetect.com
    [2009/04/05 11:34:21 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2011/05/11 17:31:56 | 352,321,536 | -HS- | M] () -- C:\pagefile.sys

    < %systemroot%\Fonts\*.com >
    [2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
    [18 C:\WINDOWS\Fonts\*.tmp files -> C:\WINDOWS\Fonts\*.tmp -> ]

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2004/08/07 09:17:46 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini
    [18 C:\WINDOWS\Fonts\*.tmp files -> C:\WINDOWS\Fonts\*.tmp -> ]

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2008/07/06 08:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2002/01/10 11:08:34 | 000,046,592 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpprn02.dll
    [2008/01/16 19:45:58 | 000,241,664 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpzpp5k4.DLL
    [2007/04/09 13:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
    [2008/07/06 06:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >
    [2010/01/18 15:38:23 | 000,001,826 | -H-- | M] () -- C:\Documents and Settings\Jon\Application Data\Microsoft\LastFlashConfig.WFC

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2004/08/07 02:05:54 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2004/08/07 02:05:54 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2004/08/07 02:05:54 | 000,892,928 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2009/04/05 11:45:47 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2005/03/17 13:26:29 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\Jon\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2004/08/07 09:24:12 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Jon\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2011/05/11 16:01:42 | 004,346,086 | R--- | M] () -- C:\Documents and Settings\Jon\Desktop\ComboFix.exe
    [2011/05/10 12:27:03 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Jon\Desktop\mbam-setup-1.50.1.1100.exe
    [2011/05/11 18:23:27 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jon\Desktop\OTL.exe
    [2010/09/01 15:33:49 | 000,083,968 | ---- | M] (eSage Lab) -- C:\Documents and Settings\Jon\Desktop\remover.exe
    [2011/05/01 14:21:00 | 001,407,280 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Jon\Desktop\TDSSKiller.exe
    [2011/05/10 12:08:13 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jon\Desktop\TFC.exe
    [2011/05/10 14:17:21 | 000,302,080 | ---- | M] () -- C:\Documents and Settings\Jon\Desktop\tif0roxe.exe

    < %PROGRAMFILES%\Common Files\*.* >
    [2003/11/06 09:09:00 | 002,206,317 | ---- | M] () -- C:\Program Files\Common Files\Fontinfo.hlp
    [1996/04/09 22:47:52 | 000,000,766 | ---- | M] () -- C:\Program Files\Common Files\Will.ico

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >
    [2004/08/04 09:00:00 | 000,000,791 | ---- | M] () -- C:\WINDOWS\addins\fxsext.ecf

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2005/03/17 13:26:28 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Jon\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2011/05/11 18:38:51 | 001,032,192 | -HS- | M] () -- C:\Documents and Settings\Jon\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2007/06/26 22:10:26 | 000,317,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2008/04/13 20:11:51 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2004/08/03 23:06:34 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
    [2004/08/03 23:06:34 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
    [2008/05/02 10:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
    [2008/04/13 13:30:28 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2008/04/13 20:12:28 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2004/08/03 23:06:36 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
    [2004/08/03 23:06:36 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
    [2004/08/03 23:06:36 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
    [2004/08/03 23:06:36 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
    [2004/08/03 23:06:36 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-05-11 18:14:25


    < * >
    [2011/05/09 12:12:57 | 000,000,211 | ---- | M] () -- \Boot.bak
    [2011/05/11 16:22:42 | 000,000,327 | RHS- | M] () -- \boot.ini
    [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- \cmldr
    [2011/05/11 17:27:18 | 000,027,563 | ---- | M] () -- \ComboFix.txt
    [2011/05/11 17:31:58 | 1038,602,240 | -HS- | M] () --
    [2005/03/24 17:56:09 | 000,000,000 | RHS- | M] () -- \IO.SYS
    [2005/03/24 17:56:09 | 000,000,000 | RHS- | M] () -- \MSDOS.SYS
    [2011/05/09 13:45:15 | 102,760,448 | -HS- | M] () -- \NBRTPage(2).sys
    [2011/05/09 05:05:09 | 102,760,448 | -HS- | M] () -- \NBRTPage.sys
    [2004/08/04 04:00:00 | 000,047,564 | RHS- | M] () -- \ntdetect.com
    [2009/04/05 11:34:21 | 000,250,048 | RHS- | M] () -- \ntldr
    [2011/05/11 17:31:56 | 352,321,536 | -HS- | M] () --

    < >

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Jon\Desktop\dds.scr:SummaryInformation

    < End of report >
     
  11. Wile E Coyote

    Wile E Coyote TS Rookie Topic Starter

    Extras.txt:

    OTL Extras logfile created on: 5/11/2011 6:40:35 PM - Run 1
    OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Jon\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    990.00 Mb Total Physical Memory | 293.00 Mb Available Physical Memory | 30.00% Memory free
    1.00 Gb Paging File | 1.00 Gb Available in Paging File | 53.00% Paging File free
    Paging file location(s): C:\pagefile.sys 336 672 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 37.25 Gb Total Space | 11.36 Gb Free Space | 30.48% Space Free | Partition Type: NTFS

    Computer Name: PC105602224833 | User Name: Jon | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l
    .jse [@ = Reg Error: Key error.] -- Reg Error: Key error. File not found

    [HKEY_USERS\S-1-5-21-3679635613-1209586761-3265449678-1006\SOFTWARE\Classes\<extension>]
    .scr [@ = ft000002] -- Reg Error: Key error. File not found

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
    jsfile [edit] -- Reg Error: Key error.
    jsfile [print] -- Reg Error: Key error.
    jsefile [edit] -- Reg Error: Key error.
    jsefile [open] -- Reg Error: Key error.
    jsefile [print] -- Reg Error: Key error.
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "139:TCP" = 139:TCP:*:Enabled:mad:xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:*:Enabled:mad:xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:*:Enabled:mad:xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:*:Enabled:mad:xpsp2res.dll,-22002
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22008
    "3587:TCP" = 3587:TCP:*:Enabled:Windows Peer-to-Peer Grouping
    "3540:UDP" = 3540:UDP:*:Enabled:peer Name Resolution Protocol (PNRP)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 0
    "DoNotAllowExceptions" = 0
    "DisableNotifications" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22008
    "139:TCP" = 139:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22002
    "3389:TCP" = 3389:TCP:*:Enabled:mad:xpsp2res.dll,-22009
    "3587:TCP" = 3587:TCP:*:Enabled:Windows Peer-to-Peer Grouping
    "3540:UDP" = 3540:UDP:*:Enabled:peer Name Resolution Protocol (PNRP)
    "5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\WINDOWS\system32\fxsclnt.exe" = C:\WINDOWS\system32\fxsclnt.exe:*:Enabled:Microsoft Fax Console -- (Microsoft Corporation)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{028814FB-D05F-495E-81D7-636A87321025}" = CreativeProjectsTemplates
    "{08F32589-5E39-42B8-8BC5-6A8126ED2A70}" = Microsoft Visual C++ 2008 Redistributable Package
    "{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
    "{0E243038-5F19-457F-A5A1-287477354D75}" = H&R Block New Jersey 2010
    "{10964A8F-21C1-45EA-BC2D-F84B505C3848}" = H&R Block Deluxe + Efile + State 2010
    "{10CE1EA2-12E9-11D3-825E-00C04F6843FE}" = Microsoft Office Sounds
    "{11680998-6792-4DE9-8DE1-D6D041418B26}" = SkinsHP1
    "{13967EAF-6FE3-4394-ACAD-326C463FB6D4}" = Brother P-touch Editor Label Collection - Eco
    "{15C165F1-1DAE-4476-AFB6-8723729B41E7}" = hp deskjet 5100
    "{15C77FC3-8137-4A5E-8F81-F559045DD6B0}" = Shipping Assistant 3.7
    "{15C9AAEF-20D4-4416-A1BE-7D75FB5F2FE9}" = Internet Explorer Developer Toolbar
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{1F63ED0B-EDD2-4037-B6AB-1358C624AF48}" = Scan
    "{21E75254-410E-49C4-8981-2E1A2A2221F2}" = HP Diagnostic Assistant
    "{232DB76D-4751-41A9-9EC2-CDC0DAC1FAB6}" = WD SmartWare
    "{2405665A-16C9-4D3A-B70E-F006220E1472}" = Overland
    "{2614F54E-A828-49FA-93BA-45A3F756BFAA}" = 32 Bit HP CIO Components Installer
    "{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 18
    "{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
    "{296B2D8E-CE82-92AF-B2E8-A646E7CB78A2}_is1" = RegAlyzer
    "{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
    "{339E14FF-8FDC-4809-AAF2-87BA22905C7F}" = DirectX for Managed Code Update (December 2004)
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{3662AF19-6E4B-4F6D-A61C-F3CB6D67097D}" = QuickProjects
    "{3C216C29-D74B-4ACF-852A-82C4F3EED2F7}" = Copy
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{3CA9D105-113C-11D8-AB3E-000102B0F79A}" = Readiris Pro 9
    "{3CF78481-FB7B-4B51-99A2-D5E0CD0B3AAF}" = HPSystemDiagnostics
    "{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
    "{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth
    "{45EA11B5-874D-480E-89B9-2545505BBE3E}" = Microsoft OpenType Font File Properties Extension
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}" = Adobe® Photoshop® Album Starter Edition 3.0
    "{5122DF4B-3740-4F0B-B423-48C46BA5834C}" = H&R Block New Jersey 2009
    "{5193B1FC-FC33-4CBA-9B9F-85F3D8F7CD87}" = readme
    "{53A19323-917A-4822-B27E-A57D1EF6E9FC}" = H&R Block Deluxe + Efile + State 2009
    "{5421155F-B033-49DB-9B33-8F80F233D4D5}" = GdiplusUpgrade
    "{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
    "{5783F2D7-9028-0409-0000-0060B0CE6BBA}" = DWG TrueView 2011
    "{58A7A4BA-AB8F-410F-963D-0BB3E73389F7}" = Brother P-touch Editor Label Collection - Office Signage
    "{590D4F8F-98FE-47FA-AC2B-3F22FDCF7C09}" = ShareIns
    "{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}" = Sony USB Driver
    "{60BC5454-0DC9-413a-9241-BAE4231FCD26}" = HP Scanjet 4600
    "{619B8475-0F48-41B7-A370-5147F7092989}" = Virtual Earth 3D (Beta)
    "{61AF5841-A83E-4ACE-BE04-CFF6E2AF1B49}" =
    "{62BFB4C2-8C4E-4D91-BD7D-81C06EAAC3C0}" = Windows Rights Management Client with Service Pack 2
    "{6753B40C-0FBD-3BED-8A9D-0ACAC2DCD85D}" = Microsoft Document Explorer 2008
    "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
    "{696C94BC-44BC-4B8E-ABAA-6FFC0F11A6D3}" = PhotoGallery
    "{6CC02A6E-782C-4F3B-BBA9-32FE7D186091}" = Microsoft Small Basic v0.4
    "{7107A761-B2F7-4BB0-84DA-CD90B562A72D}" = Director
    "{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{766273C1-A39B-47EB-ACE8-DEBDD8094BCC}" = overland
    "{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
    "{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
    "{827ECAB7-3F8E-4A66-A663-67A8F678536C}" = CreativeProjects
    "{83640671-5F02-4528-82B4-1F4637699C38}" = Brother P-touch Editor Label Collection - Caution
    "{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    "{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
    "{881F5DE8-9367-4B81-A325-E91BBC6472F9}" = iTunes
    "{88E7FC62-7948-4262-93E2-1D0B1E992C84}" = PowerAlert Local Software
    "{89B6F63A-7E0C-424A-9D39-C4EF59E96D78}" = hppQFolderCP2020
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8A3DECA0-EB4D-4FDC-A706-B88A3640A212}" = DeLorme Serial Emulator
    "{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics 2 Driver
    "{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
    "{8B00EBB9-8C37-44D4-A909-6257531899F3}" = Virtual Weather Station
    "{8B097324-7654-4929-A5F9-B147BAA06674}" = Hydraflow Hydrographs 2002
    "{8DB2C22D-A23A-4C0E-9A56-7D10440B9B40}" = Microsoft Office Outlook 2003 Calendar Views Add-in
    "{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{90120000-00B1-0409-0000-0000000FF1CE}" = Microsoft Save as XPS Add-in for 2007 Microsoft Office programs
    "{90120000-00D1-0409-0000-0000000FF1CE}" = Microsoft Office Access database engine 2007 (English)
    "{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
    "{94824ADD-8F26-43D2-84DB-22E11F377E5E}" = Microsoft English TTS Engine
    "{94FB906A-CF42-4128-A509-D353026A607E}" = REALTEK Gigabit and Fast Ethernet NIC Driver
    "{9509674F-3972-11DE-806D-005056806466}" = Google Earth
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9D18F7F8-B984-4249-8512-CC621BC59F12}" = Microsoft Location Finder
    "{a0fe116e-9a8a-466f-aee0-625cb7c207e3}" = Microsoft Visual C++ 2005 Redistributable - KB2467175
    "{A10A14F5-DF18-4151-9EB0-B79ABBFE6863}" = WebReg
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}" = Windows Defender Signatures
    "{A5F39441-3414-4db2-9A71-0BA8AB3CB16A}" = HP Color LaserJet CP2020 Series 1.0
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support
    "{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
    "{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
    "{AC76BA86-1033-F400-7760-000000000002}" = Adobe Acrobat 7.0 Professional - English, Français, Deutsch
    "{AC76BA86-7AD7-1033-7B44-A81100000003}" = Adobe Reader 8.1.1
    "{AC76BA86-7AD7-5A76-5A64-7E8A45000001}" = Adobe Reader Japanese Fonts
    "{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
    "{B24F0BA7-A962-47D2-A4E6-0E3AFCE8D874}" = Brother P-touch Editor Label Collection - Personal
    "{B32C75F2-7495-4D01-9431-C11E97D66F8C}" = DocProc
    "{B37C842A-B624-46B8-A727-654E72F1C91A}" = Calculator Powertoy for Windows XP
    "{B3A77A42-DCF7-4830-AE0E-8CEE34A76200}" = CueTour
    "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
    "{B6D4C963-742C-46BF-BC7A-16ADD39FF3B7}" = Destinations
    "{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
    "{B9AA72E1-DDB0-4344-9FFA-11545382ECB5}" = Brother P-touch Editor Label Collection - Files
    "{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
    "{BBB33AD6-BCF7-4002-B6A0-6DC679AE5C18}" = TaxCut Premium + State + Efile 2008
    "{BCC992E5-5C81-4066-9B55-03DC10B24D21}" = InstantShare
    "{BDBA94DA-11B9-41D7-8C56-2C217C979376}" = WeatherLink 5.9.2
    "{BDF820F3-79A6-4ACF-B910-43B26BB894CC}" = Microsoft Network Monitor 3.1
    "{BFBDD199-81A2-4BFA-9581-D2EA1716B546}" = DSF-KitSetup
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C3502B86-FAC7-43AA-82D8-AB30EC51596A}" = PrintScreen
    "{C6141748-CA45-4F24-A519-2401F2CCA01D}" = TaxCut New Jersey 2008
    "{C63E7C60-25EB-11D3-8EDA-00A0C911E8E5}" = Microsoft Outlook Personal Folders Backup
    "{C7966AB3-A8D9-48D5-B7DF-922674C40098}" = Device Simulation Framework 1.0.1
    "{C82185E8-C27B-4EF4-2010-4444BC2C2B6D}" = Microsoft Streets & Trips 2010
    "{C9618743-1A5C-461E-91C4-E013A3D70F3C}" = Adobe® Photoshop® Album Starter Edition 3.0.1
    "{C99C37D6-6ADA-4CDF-971E-46DCB1E743CE}" = Brother P-touch Editor Label Collection - Shipping
    "{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}" = ClearType Tuning Control Panel Applet
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{CDE0AEA2-2F2F-4894-987F-5BE954E578A8}" = Brother P-touch Editor Label Collection - Retail
    "{CE2121C6-C94D-4A73-8EA4-6943F33EE335}" = Picture Package Music Transfer
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{CE378F36-E404-4244-A33F-F50A2A6D31BD}" = Microsoft Color Control Panel Applet for Windows XP
    "{CEB326EC-8F40-47B2-BA22-BB092565D66F}" = Quick Launch Buttons 5.20 H1
    "{D5068583-D569-468B-9755-5FBF5848F46F}" = Sony Picture Utility
    "{D6DE02C7-1F47-11D4-9515-00105AE4B89A}" = Paint Shop Pro 7
    "{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
    "{DBEA1034-5882-4A88-8033-81C4EF0CFA29}" = Google Toolbar for Internet Explorer
    "{DF67E8C2-1D4C-44E1-93DC-7E26E2D74D00}" = MSXML 6.0 SDK
    "{DF6DA606-904D-4C18-823F-A4CFC3035E53}" = eFax Messenger
    "{DF9A6075-9308-4572-8932-A4316243C4D9}" = Brother P-touch Editor 5.0
    "{E09FA6F2-FC66-4AA5-AE52-F37C6EAACC81}" = hpg4600
    "{E6343838-6EFE-4528-90ED-8D9258CA4584}" = installhelp
    "{E889F95A-B9E3-4580-B3D7-43DBC9C9CD43}" = TrayApp
    "{EC905264-BCFE-423B-9C42-C3A106266790}" = Windows Rights Management Client Backwards Compatibility SP2
    "{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
    "{F5935CCE-4C12-4917-9B0F-972248EADBA0}" = Fugawi View ENC
    "{FF1C31AE-0CDC-40CE-AB85-406F8B70D643}" = Bonjour
    "{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    "Adobe Acrobat 7.0 Professional - EFG" = Adobe Acrobat 7.1.0 Professional - English, Français, Deutsch
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "AutoCAD R14.0 Uninstall" = AutoCAD R14.0
    "Autodesk DWF Viewer" = Autodesk DWF Viewer
    "BN_DesktopReader" = NOOK for PC
    "Calc98" = Calc98
    "CCleaner" = CCleaner
    "CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_3080103C" = SoftV90 Data Fax Modem with SmartCP
    "Conexant PCI Audio" = Conexant AC-Link Audio
    "Corpscon" = Corpscon 6.0.1
    "Digital Editions" = Adobe Digital Editions
    "DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
    "DWG TrueView 2011" = DWG TrueView 2011
    "eMule" = eMule
    "FPEditR" = Font Properties Editor (R) (Remove Only)
    "Free RAR Extract Frog" = Free RAR Extract Frog
    "HijackThis" = HijackThis 2.0.2
    "HP Photo & Imaging" = HP Image Zone 4.0
    "HP Standard Port Monitor" = HP Standard Port Monitor
    "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
    "ie8" = Windows Internet Explorer 8
    "ieSpell" = ieSpell
    "Inkscape" = Inkscape 0.46
    "InstallShield_{DF9A6075-9308-4572-8932-A4316243C4D9}" = Brother P-touch Editor 5.0
    "IsoBuster_is1" = IsoBuster 2.7
    "KitSetup Registration {B4285279-1846-49B4-B8FD-B9EAF0FF17DA}:{68656B6B-555E-5459-5E5D-6363635E5F61}" = Microsoft Windows Driver Kit 7.1.0.7600
    "KRISTAL Audio Engine" = KRISTAL Audio Engine
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft Document Explorer 2008" = Microsoft Document Explorer 2008
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "N360" = Norton Security Suite
    "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
    "NTREGOPT_is1" = NTREGOPT 1.1j
    "Picasa 3" = Picasa 3
    "Python 2.1" = Python 2.1
    "Python 2.1 combined Win32 extensions" = Python 2.1 combined Win32 extensions
    "QuickGamma_is1" = QuickGamma 3.0.0.1
    "Rainbow Sentinel Driver" = Sentinel System Driver
    "RealPlayer 12.0" = RealPlayer
    "SynTPDeinstKey" = Synaptics Pointing Device Driver
    "TaxACT 2007" = TaxACT 2007
    "TaxACT New Jersey 2007" = TaxACT New Jersey 2007
    "TaxCut Deluxe 2005" = TaxCut Deluxe 2005
    "Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    "WIC" = Windows Imaging Component
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WinGimp-2.0_is1" = GIMP 2.4.5
    "WMCSetup" = Windows Media Connect
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
    "XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-3679635613-1209586761-3265449678-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Glucofacts Deluxe Updater 2.0" = Glucofacts Deluxe Updater 2.0
    "Google Chrome" = Google Chrome

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 5/9/2011 12:00:15 PM | Computer Name = PC105602224833 | Source = Windows Search Service | ID = 3029
    Description = The plug-in in <Search.TripoliIndexer> cannot be initialized. Context:
    Windows Application, SystemIndex Catalog Details: The content index cannot be read.
    (0xc0041800)

    Error - 5/9/2011 12:00:15 PM | Computer Name = PC105602224833 | Source = Windows Search Service | ID = 3028
    Description = The gatherer object cannot be initialized. Context: Windows Application,
    SystemIndex Catalog Details: The content index cannot be read. (0xc0041800)

    Error - 5/9/2011 12:00:15 PM | Computer Name = PC105602224833 | Source = Windows Search Service | ID = 3058
    Description = The application cannot be initialized. Context: Windows Application

    Details:
    The
    content index cannot be read. (0xc0041800)

    Error - 5/9/2011 12:13:06 PM | Computer Name = PC105602224833 | Source = Windows Search Service | ID = 3024
    Description = The update cannot be started because the content sources cannot be
    accessed. Fix the errors and try the update again. Context: Application, SystemIndex
    Catalog

    Error - 5/9/2011 12:22:32 PM | Computer Name = PC105602224833 | Source = MPSampleSubmission | ID = 5000
    Description =

    Error - 5/9/2011 1:21:03 PM | Computer Name = PC105602224833 | Source = Microsoft Security Client | ID = 1001
    Description =

    Error - 5/10/2011 1:00:25 PM | Computer Name = PC105602224833 | Source = Application Error | ID = 1000
    Description = Faulting application mbam.exe, version 1.50.1.3, faulting module ntdll.dll,
    version 5.1.2600.6055, fault address 0x00036822.

    Error - 5/11/2011 10:53:17 AM | Computer Name = PC105602224833 | Source = Bonjour Service | ID = 100
    Description = 300: ERROR: read_msg errno 10054 (An existing connection was forcibly
    closed by the remote host.)

    Error - 5/11/2011 10:53:17 AM | Computer Name = PC105602224833 | Source = Bonjour Service | ID = 100
    Description = 320: ERROR: read_msg errno 10054 (An existing connection was forcibly
    closed by the remote host.)

    Error - 5/11/2011 10:53:17 AM | Computer Name = PC105602224833 | Source = Bonjour Service | ID = 100
    Description = 312: ERROR: read_msg errno 10054 (An existing connection was forcibly
    closed by the remote host.)

    [ System Events ]
    Error - 5/11/2011 4:19:33 PM | Computer Name = PC105602224833 | Source = Service Control Manager | ID = 7031
    Description = The Windows Media Player Network Sharing Service service terminated
    unexpectedly. It has done this 1 time(s). The following corrective action will
    be taken in 30000 milliseconds: Restart the service.

    Error - 5/11/2011 4:27:04 PM | Computer Name = PC105602224833 | Source = Service Control Manager | ID = 7031
    Description = The Windows Media Player Network Sharing Service service terminated
    unexpectedly. It has done this 1 time(s). The following corrective action will
    be taken in 30000 milliseconds: Restart the service.

    Error - 5/11/2011 4:39:44 PM | Computer Name = PC105602224833 | Source = Service Control Manager | ID = 7031
    Description = The Windows Media Player Network Sharing Service service terminated
    unexpectedly. It has done this 1 time(s). The following corrective action will
    be taken in 30000 milliseconds: Restart the service.

    Error - 5/11/2011 4:40:50 PM | Computer Name = PC105602224833 | Source = Service Control Manager | ID = 7031
    Description = The Windows Media Player Network Sharing Service service terminated
    unexpectedly. It has done this 1 time(s). The following corrective action will
    be taken in 30000 milliseconds: Restart the service.

    Error - 5/11/2011 5:05:46 PM | Computer Name = PC105602224833 | Source = Service Control Manager | ID = 7000
    Description = The Sentinel service failed to start due to the following error: %%20

    Error - 5/11/2011 5:05:46 PM | Computer Name = PC105602224833 | Source = Service Control Manager | ID = 7000
    Description = The ASPI32 service failed to start due to the following error: %%2

    Error - 5/11/2011 5:06:11 PM | Computer Name = PC105602224833 | Source = Service Control Manager | ID = 7034
    Description = The PowerAlert Agent service terminated unexpectedly. It has done
    this 1 time(s).

    Error - 5/11/2011 5:32:22 PM | Computer Name = PC105602224833 | Source = Service Control Manager | ID = 7000
    Description = The Sentinel service failed to start due to the following error: %%20

    Error - 5/11/2011 5:32:22 PM | Computer Name = PC105602224833 | Source = Service Control Manager | ID = 7000
    Description = The ASPI32 service failed to start due to the following error: %%2

    Error - 5/11/2011 5:32:53 PM | Computer Name = PC105602224833 | Source = Service Control Manager | ID = 7034
    Description = The PowerAlert Agent service terminated unexpectedly. It has done
    this 1 time(s).


    < End of report >
     
     
  12. Broni

    Broni Malware Annihilator Posts: 46,860   +254

    Very good :)

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    ======================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O2 - BHO: (no name) - {2B474A76-93A8-4D94-B887-ACCCC409C061} - No CLSID value found.
      O2 - BHO: (no name) - {435EAA86-D32B-484F-869C-53745FCB1642} - No CLSID value found.
      O2 - BHO: (no name) - {8DB3D69D-DA5E-4165-B781-72A761790672} - No CLSID value found.
      O2 - BHO: (no name) - {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} - No CLSID value found.
      O3 - HKLM\..\Toolbar: (no name) - {A8C7C2CA-6DFD-4E16-8458-592361564D38} - No CLSID value found.
      O3 - HKU\S-1-5-21-3679635613-1209586761-3265449678-1006\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
      O3 - HKU\S-1-5-21-3679635613-1209586761-3265449678-1006\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
      O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Key error.)
      O28 - HKLM ShellExecuteHooks: {CB0A0B68-3F3C-61D2-A901-8381E131D211} - Reg Error: Key error. File not found
      [18 C:\WINDOWS\Fonts\*.tmp files -> C:\WINDOWS\Fonts\*.tmp -> ]
      [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
      [2011/05/09 11:49:58 | 000,007,610 | -HS- | M] () -- C:\Documents and Settings\Jon\Local Settings\Application Data\0311i0slxg3g4ncr65ef01f4i5
      [2011/05/09 11:49:58 | 000,007,610 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\0311i0slxg3g4ncr65ef01f4i5
      [2011/04/25 21:38:19 | 000,009,324 | -HS- | M] () -- C:\Documents and Settings\Jon\Local Settings\Application Data\6fq6p8858ae86mofmhwa61ow7l2sl4
      [2011/04/25 21:38:19 | 000,009,324 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\6fq6p8858ae86mofmhwa61ow7l2sl4
      @Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Jon\Desktop\dds.scr:SummaryInformation
      
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ======================================================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
     
  13. Wile E Coyote

    Wile E Coyote TS Rookie Topic Starter

    There is a JavaRa log, not posted, you did not ask for it but it is saved if you need it.

    Otherwise,all seems to be in order.

    All processes killed
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2B474A76-93A8-4D94-B887-ACCCC409C061}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2B474A76-93A8-4D94-B887-ACCCC409C061}\ not found.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{435EAA86-D32B-484F-869C-53745FCB1642}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{435EAA86-D32B-484F-869C-53745FCB1642}\ not found.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8DB3D69D-DA5E-4165-B781-72A761790672}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8DB3D69D-DA5E-4165-B781-72A761790672}\ not found.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B6FFE2AE-4D12-451F-B457-FE6125FFB1CF}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B6FFE2AE-4D12-451F-B457-FE6125FFB1CF}\ not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{A8C7C2CA-6DFD-4E16-8458-592361564D38} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A8C7C2CA-6DFD-4E16-8458-592361564D38}\ not found.
    Registry value HKEY_USERS\S-1-5-21-3679635613-1209586761-3265449678-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
    Registry value HKEY_USERS\S-1-5-21-3679635613-1209586761-3265449678-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
    Starting removal of ActiveX control {E06E2E99-0AA1-11D4-ABA6-0060082AA75C}
    C:\Program Files\WebEx\ieatgpc.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}\ not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{CB0A0B68-3F3C-61D2-A901-8381E131D211} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CB0A0B68-3F3C-61D2-A901-8381E131D211}\ not found.
    C:\WINDOWS\Fonts\SET495.tmp deleted successfully.
    C:\WINDOWS\Fonts\SET496.tmp deleted successfully.
    C:\WINDOWS\Fonts\SET497.tmp deleted successfully.
    C:\WINDOWS\Fonts\SET498.tmp deleted successfully.
    C:\WINDOWS\Fonts\SET499.tmp deleted successfully.
    C:\WINDOWS\Fonts\SET49A.tmp deleted successfully.
    C:\WINDOWS\Fonts\SET5C8.tmp deleted successfully.
    C:\WINDOWS\Fonts\SET5C9.tmp deleted successfully.
    C:\WINDOWS\Fonts\SET5CA.tmp deleted successfully.
    C:\WINDOWS\Fonts\SET5CB.tmp deleted successfully.
    C:\WINDOWS\Fonts\SET5CC.tmp deleted successfully.
    C:\WINDOWS\Fonts\SET5CD.tmp deleted successfully.
    C:\WINDOWS\Fonts\SET664.tmp deleted successfully.
    C:\WINDOWS\Fonts\SET665.tmp deleted successfully.
    C:\WINDOWS\Fonts\SET666.tmp deleted successfully.
    C:\WINDOWS\Fonts\SET667.tmp deleted successfully.
    C:\WINDOWS\Fonts\SET668.tmp deleted successfully.
    C:\WINDOWS\Fonts\SET669.tmp deleted successfully.
    C:\WINDOWS\DUMPd74f.tmp deleted successfully.
    C:\Documents and Settings\Jon\Local Settings\Application Data\0311i0slxg3g4ncr65ef01f4i5 moved successfully.
    C:\Documents and Settings\All Users\Application Data\0311i0slxg3g4ncr65ef01f4i5 moved successfully.
    C:\Documents and Settings\Jon\Local Settings\Application Data\6fq6p8858ae86mofmhwa61ow7l2sl4 moved successfully.
    C:\Documents and Settings\All Users\Application Data\6fq6p8858ae86mofmhwa61ow7l2sl4 moved successfully.
    ADS C:\Documents and Settings\Jon\Desktop\dds.scr:SummaryInformation deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Jon
    ->Temp folder emptied: 97040 bytes
    ->Temporary Internet Files folder emptied: 1331285 bytes
    ->Java cache emptied: 1853 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 1170 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 51591 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 82395 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 215216 bytes

    Total Files Cleaned = 2.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Jon
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.22.3 log created on 05112011_210019

    Files\Folders moved on Reboot...
    C:\WINDOWS\temp\Perflib_Perfdata_384.dat moved successfully.
    File\Folder C:\WINDOWS\temp\Perflib_Perfdata_734.dat not found!

    Registry entries deleted on Reboot...


    Results of screen317's Security Check version 0.99.7
    Windows XP Service Pack 3
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Disabled!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    HijackThis 2.0.2
    CCleaner
    Java(TM) 6 Update 25
    Out of date Java installed!
    Adobe Flash Player 10.0.32.18
    Adobe Reader 8.1.1
    Adobe Reader Japanese Fonts
    Out of date Adobe Reader installed!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Norton ccSvcHst.exe
    ``````````End of Log````````````
     
  14. Broni

    Broni Malware Annihilator Posts: 46,860   +254

    No, I don't need JavaRa log.

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.

    ....and Eset...
     
  15. Wile E Coyote

    Wile E Coyote TS Rookie Topic Starter

    Run Eset again? There was no log file as it reported nothing found.
     
  16. Broni

    Broni Malware Annihilator Posts: 46,860   +254

    Oh, I missed your info then. Sorry about that :)

    Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools, we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure, Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please, let me know, how your computer is doing.
     
  17. Wile E Coyote

    Wile E Coyote TS Rookie Topic Starter

    You didn't miss anything, I just didn't post anything since there was nothing found and no logfile to post. I guess I should have just explained there was nothing found.

    1: Is there a way to ensure that restore point doesn't get overwritten?
    2: Done
    3: Done
    4: Did that from another computer before I posted anything here. I wasn't sue if there was a trojan or not, but after reading the 8 step I made sure I covered my ***** just in case.
    5: Done
    6: Done
    7: Will do
    8: Done, will do
    9: Not done, not sure if I want to
    10: Done
    11: Done
    12: Seems ok. Actually, better than when I first noticed there was a problem and better than it has been in a long time.

    Is there a better/less resource hungry AV that you would recommend over Norton?
    Only using Norton as it was free with Comcast. Considering it didn't prevent what had happened, I'm not sure it's all that effective.

    Do you think a complete format/reinstall of the OS and all programs is warranted?

    Thank You very much for all your help.
     
  18. Broni

    Broni Malware Annihilator Posts: 46,860   +254

    No. Why?

    If Norton came free from Comcast, I'd surely get rid of it, using this tool: http://www.symantec.com/norton/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN

    Install one of these:
    - Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
    - Avira free antivirus: http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html

    Good luck and stay safe :)
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.