
Symantec Endpoint Protection reports multiple files bearing signature "js.securitytoolfraud.c"


  • This topic is locked
24 replies to this topic

#1 DnDer

DnDer

  • Members
  • 646 posts
  • OFFLINE
  • Local time:04:36 PM

Posted 04 June 2010 - 04:25 PM

DDS (Ver_10-03-17.01) - NTFSx86
Run by etaylor at 16:11:30.32 on Thu 06/03/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.638.284 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec AntiVirus\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\EpStsSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Symantec AntiVirus\DWHWizrd.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\WINDOWS\system32\ESDUSBMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symitar\SFW\RemoteAdminServer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Documents and Settings\etaylor\Desktop\dds.scr

============== Pseudo HJT Report ===============

mDefault_Page_URL = hxxp://intranet
uInternet Settings,ProxyServer = 10.1.3.50:3128
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [WinVNC] "c:\program files\tightvnc\WinVNC.exe" -servicehelper
mRun: [ESDUSBMon.exe] c:\windows\system32\ESDUSBMon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
uExplorerRun: [1] regedit /c/s \\10.1.3.6\shared\BlueZoneFirewall.reg
uExplorerRun: [2] regedit /c/s \\10.1.3.6\shared\chm.reg
uExplorerRun: [3] regedit /c/s \\10.1.3.6\shared\helpfiles.reg
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\remote~1.lnk - c:\program files\symitar\sfw\RemoteAdminServer.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {F0F2D382-2A02-4ED6-9CC6-FDD0AB208699} = 10.1.3.6,10.1.3.2
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-12-10 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-12-10 108392]
R2 EPSON ESCPOS Status Service;EPSON ESC/POS Status Service;EpStsSrv.exe --> EpStsSrv.exe [?]
R2 Esdpdx01;Esdpdx01;c:\windows\system32\drivers\ESDPDX01.SYS [2006-5-11 95485]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2009-12-10 2477304]
R3 {E6759E0C-470B-44DC-A4A1-627E68BB3A85};AIM 3.0 SI164;c:\windows\system32\drivers\a302.sys [2006-11-2 11319]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-28 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100603.005\NAVENG.SYS [2010-6-3 85552]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100603.005\NAVEX15.SYS [2010-6-3 1347504]
R3 TMUSB;EPSON USB Device Driver for TM/BA/EU Printers;c:\windows\system32\drivers\TMUSBXP.SYS [2006-11-28 48256]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-12-10 23888]

=============== Created Last 30 ================

2010-06-03 20:29:21 411368 ----a-w- c:\windows\system32\deployJava1.dll

==================== Find3M ====================

2010-04-06 20:03:38 249856 ------w- c:\windows\Setup1.exe
2010-04-06 20:03:37 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll

============= FINISH: 16:12:26.48 ===============



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-04 14:59:31
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\etaylor\LOCALS~1\Temp\pflyqpow.sys


---- System - GMER 1.0.15 ----

SSDT 82F63FD0 ZwAlertResumeThread
SSDT 82F64248 ZwAlertThread
SSDT 82F6E270 ZwAllocateVirtualMemory
SSDT 82F63D80 ZwCreateMutant
SSDT 82F82A30 ZwCreateThread
SSDT 82F652A0 ZwFreeVirtualMemory
SSDT 82F63E50 ZwImpersonateAnonymousToken
SSDT 82F63F10 ZwImpersonateThread
SSDT 8324C6D8 ZwMapViewOfSection
SSDT 82F63CC0 ZwOpenEvent
SSDT 82F6B2F8 ZwOpenProcessToken
SSDT 82F64660 ZwOpenThreadToken
SSDT 82FC9220 ZwResumeThread
SSDT 82F645A0 ZwSetContextThread
SSDT 82F64730 ZwSetInformationProcess
SSDT 82F644D0 ZwSetInformationThread
SSDT 82F63C00 ZwSuspendProcess
SSDT 82F64350 ZwSuspendThread
SSDT 82FC56B0 ZwTerminateProcess
SSDT 82F64410 ZwTerminateThread
SSDT 82F6E1F0 ZwUnmapViewOfSection
SSDT 82F672A0 ZwWriteVirtualMemory

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[488] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00F21B19 C:\WINDOWS\system32\mssrch.dll (mssrch.lib/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows Search\CatalogNames\Windows\SystemIndex@pkm:catalog:LastCatalogCrawlId 142
Reg HKLM\SOFTWARE\Microsoft\Windows Search\CatalogNames\Windows\SystemIndex@pkm:catalog:LastCatalogCrawlModified 436
Reg HKLM\SOFTWARE\Microsoft\Windows Search\CatalogNames\Windows\SystemIndex@pkm:catalog:LastCatalogCrawlErrors 27
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@CheckPointNumber 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\143
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\143@CrawlType 5
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\143@InProgress 1
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\143@DoneAddingCrawlSeeds 1
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\143@LogName C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Crwl143.gthr
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\143@CheckPoint 0xA7 0x02 0x01 0x00 ...
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\143@IsCatalogLevel 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\143@LogStartAddId 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\0@CrawlNumberInProgress 143

---- EOF - GMER 1.0.15 ----



[EDIT: "attach.txt" attached.]

Edited by DnDer, 04 June 2010 - 04:26 PM.




#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:36 PM

Posted 07 June 2010 - 06:40 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 DnDer

DnDer
  • Topic Starter

  • Members
  • 646 posts
  • OFFLINE
  • Local time:04:36 PM

Posted 08 June 2010 - 08:00 AM

I'm here. Thanks, Mole.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:36 PM

Posted 08 June 2010 - 04:16 PM

Do you have any logs from Symantec showing these files?
m0le is a proud member of UNITE

#5 DnDer

DnDer
  • Topic Starter

  • Members
  • 646 posts
  • OFFLINE
  • Local time:04:36 PM

Posted 09 June 2010 - 07:51 AM

I do. The log, a csv file, is too big to attach to a message. How would you like me to get it to you?

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:36 PM

Posted 10 June 2010 - 04:58 PM

The Symantec file shows a lot of temp files being generated and then being quarantined. Let's run a tool which can remove the source of this and then it should be able to clear the temp folder too.

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#7 DnDer

DnDer
  • Topic Starter

  • Members
  • 646 posts
  • OFFLINE
  • Local time:04:36 PM

Posted 14 June 2010 - 08:07 AM

I will get the combofix logs today. I was not able to get to them on Friday.

#8 DnDer

DnDer
  • Topic Starter

  • Members
  • 646 posts
  • OFFLINE
  • Local time:04:36 PM

Posted 14 June 2010 - 11:15 PM

I can not post the logs. I thought the issue was just the fact that I was remoting into the computer and that it wasn't working right. ComboFix gives me a message, in multiple languages, that I have an incompatible OS (the machine is running XP) and will shortly log me off the machine after that. If I'm logged on as machine administrator, or as myself - a domain admin - I get the same results.

I can't publish the Combo Fix logs for you, because I can't get the program to generate them.

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:36 PM

Posted 15 June 2010 - 04:15 PM

Please do this:
  • Download OTLPE Network from either location and save it to your desktop:

    http://oldtimer.geekstogo.com/OTLPENet.exe
    http://ottools.noahdfear.net/OTLPENet.exe

  • Double click the OTLPENet icon on your desktop
  • "Do you want to burn the CD?" choose Yes
  • ImgBurn will automatically extract and load the OTLPENet Iso to be burned to CD
  • Place a blank CD in your CD-Rom
  • Click to start the burn process
  • You will see a dialog "Operation successfully completed"
  • Boot the non-working computer using the boot CD you just created
  • In order to do so, the computer must be set to boot from the CD first

    Note : For information click here

  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start
  • Copy and Paste the following code into the textbox. Do not include the word "Code"

    Please note: Double click the Firefox Icon on the desktop to connect to this thread if you have a Wired connection otherwise you can use a flash drive and copy this script into a txt file from a clean computer to transfer to this computer.

    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    userinit.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT

  • Push
  • When finished, the file will be saved in drive C:\OTL.txt
  • Please post the contents of the C:\OTL.txt file in your next reply.
  • Copy this file to your USB drive if you do not have an internet connection.

m0le is a proud member of UNITE

#10 DnDer

DnDer
  • Topic Starter

  • Members
  • 646 posts
  • OFFLINE
  • Local time:04:36 PM

Posted 16 June 2010 - 01:11 PM

OTL logfile created on: 6/16/2010 1:37:37 PM - Run
OTLPE by OldTimer - Version 3.1.39.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

638.00 Mb Total Physical Memory | 328.00 Mb Available Physical Memory | 51.00% Memory free
582.00 Mb Paging File | 369.00 Mb Available in Paging File | 64.00% Paging File free
Paging file location(s): C:\pagefile.sys 192 960 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.38 Gb Total Space | 0.82 Gb Free Space | 4.22% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 433.24 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto] -- -- (winvnc)
SRV - [2009/12/10 18:31:35 | 002,477,304 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2009/12/10 18:31:35 | 001,864,888 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Symantec AntiVirus\Smc.exe -- (SmcService)
SRV - [2009/12/10 18:31:35 | 000,341,320 | ---- | M] (Symantec Corporation) [Disabled] -- C:\Program Files\Symantec AntiVirus\SNAC.EXE -- (SNAC)
SRV - [2009/12/10 18:31:35 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2009/12/10 18:31:35 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2009/03/20 20:10:15 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2006/05/17 16:38:48 | 000,077,824 | ---- | M] (SEIKO EPSON Corp.) [Auto] -- C:\WINDOWS\System32\EpStsSrv.exe -- (EPSON ESCPOS Status Service)
SRV - [2006/05/12 17:04:08 | 000,439,248 | ---- | M] (RealVNC Ltd.) [Auto] -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - File not found [Kernel | On_Demand] -- -- (catchme)
DRV - [2010/06/14 17:42:51 | 001,347,504 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100614.025\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/06/14 17:42:50 | 000,085,552 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100614.025\NAVENG.SYS -- (NAVENG)
DRV - [2010/06/07 15:22:49 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/05/27 00:15:21 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2009/12/14 15:50:41 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/12/10 18:31:35 | 000,421,424 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2009/12/10 18:31:35 | 000,320,560 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2009/12/10 18:31:35 | 000,281,648 | ---- | M] (Symantec Corporation) [File_System | System] -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP)
DRV - [2009/12/10 18:31:35 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2009/12/10 18:31:34 | 000,023,888 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\COH_Mon.sys -- (COH_Mon)
DRV - [2006/05/11 12:51:34 | 000,048,256 | ---- | M] (SEIKO EPSON Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\TMUSBXP.SYS -- (TMUSB)
DRV - [2006/05/11 12:51:32 | 000,095,485 | ---- | M] (MK Systems CO., LTD.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\ESDPDX01.SYS -- (Esdpdx01)
DRV - [2003/01/14 13:37:40 | 000,011,319 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\a302.sys -- ({E6759E0C-470B-44DC-A4A1-627E68BB3A85})
DRV - [2001/08/22 10:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)
DRV - [2001/08/17 09:28:02 | 000,907,456 | ---- | M] (Conexant) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HCF_MSFT.sys -- (HCF_MSFT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\administrator.NCU_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\administrator.NCU_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\administrator.NCU_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.1.3.50:3128

IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\ascholp_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet
IE - HKU\ascholp_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet
IE - HKU\ascholp_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\ascholp_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *intranet;*10.1.3.2;*192.168.10.5;192.168.10.2;*e-facts.org;*broker2.images.membersunited.org;*federalreserve.org;170.209.0.2;170.209.0.3;*10.1.3.8;*.docmagic.com;*numarkcu.org;*.elanfinancialservices.com;<local>
IE - HKU\ascholp_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=10.1.3.50:3128;https=10.1.3.50:3128;gopher=10.1.3.50:3128;socks=10.1.3.50:3128

IE - HKU\cpetrucci_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet
IE - HKU\cpetrucci_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet
IE - HKU\cpetrucci_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\cpetrucci_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *intranet;*10.1.3.2;*192.168.10.5;192.168.10.2;*e-facts.org;*broker2.images.membersunited.org;*federalreserve.org;170.209.0.2;170.209.0.3;*10.1.3.8;*.docmagic.com;*numarkcu.org;*.elanfinancialservices.com;*nada.com;<local>
IE - HKU\cpetrucci_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.1.3.50:3128

IE - HKU\etaylor_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\etaylor_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\etaylor_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.1.3.50:3128

IE - HKU\jperine_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet
IE - HKU\jperine_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet
IE - HKU\jperine_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\jperine_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *intranet;*10.1.3.2;*192.168.10.5;192.168.10.2;*e-facts.org;*broker2.images.membersunited.org;*federalreserve.org;170.209.0.2;170.209.0.3;*10.1.3.8;*.docmagic.com;*numarkcu.org;*.elanfinancialservices.com;*nada.com;<local>
IE - HKU\jperine_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.1.3.50:3128

IE - HKU\jsicinski_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet
IE - HKU\jsicinski_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet
IE - HKU\jsicinski_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\jsicinski_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *intranet;*10.1.3.2;*192.168.10.5;192.168.10.2;*e-facts.org;*broker2.images.membersunited.org;*federalreserve.org;170.209.0.2;170.209.0.3;*10.1.3.8;*.docmagic.com;<local>
IE - HKU\jsicinski_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.1.3.50:3128

IE - HKU\jwilliamson_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet
IE - HKU\jwilliamson_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet
IE - HKU\jwilliamson_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\jwilliamson_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *intranet;*10.1.3.2;*192.168.10.5;192.168.10.2;*e-facts.org;*broker2.images.membersunited.org;*federalreserve.org;170.209.0.2;170.209.0.3;*10.1.3.8;*.docmagic.com;*numarkcu.org;*.elanfinancialservices.com;<local>
IE - HKU\jwilliamson_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=10.1.3.50:3128;https=10.1.3.50:3128;gopher=10.1.3.50:3128;socks=10.1.3.50:3128

IE - HKU\kcreger_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet
IE - HKU\kcreger_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet
IE - HKU\kcreger_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\kcreger_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *intranet;*10.1.3.2;*192.168.10.5;192.168.10.2;*e-facts.org;*broker2.images.membersunited.org;*federalreserve.org;170.209.0.2;170.209.0.3;<local>
IE - HKU\kcreger_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.1.3.50:3128

IE - HKU\kwilson_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet
IE - HKU\kwilson_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\kwilson_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *intranet;*10.1.3.2;*192.168.10.5;192.168.10.2;*e-facts.org;*broker2.images.membersunited.org;*federalreserve.org;170.209.0.2;170.209.0.3;<local>
IE - HKU\kwilson_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.1.3.50:3128


IE - HKU\lrobinson_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet
IE - HKU\lrobinson_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\lrobinson_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *intranet;*10.1.3.2;*192.168.10.5;192.168.10.2;*e-facts.org;*broker2.images.membersunited.org;*federalreserve.org;170.209.0.2;170.209.0.3;<local>
IE - HKU\lrobinson_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.1.3.50:3128

IE - HKU\mcastillo_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet
IE - HKU\mcastillo_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet
IE - HKU\mcastillo_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\mcastillo_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *intranet;*10.1.3.2;*192.168.10.5;192.168.10.2;*e-facts.org;*broker2.images.membersunited.org;*federalreserve.org;170.209.0.2;170.209.0.3;*10.1.3.8;*.docmagic.com;*numarkcu.org;*.elanfinancialservices.com;*nada.com;<local>
IE - HKU\mcastillo_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.1.3.50:3128

IE - HKU\mlalowski_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet
IE - HKU\mlalowski_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet
IE - HKU\mlalowski_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\mlalowski_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *intranet;*10.1.3.2;*192.168.10.5;192.168.10.2;*e-facts.org;*broker2.images.membersunited.org;*federalreserve.org;170.209.0.2;170.209.0.3;*10.1.3.8;*.docmagic.com;*numarkcu.org;*.elanfinancialservices.com;<local>
IE - HKU\mlalowski_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=10.1.3.50:3128;https=10.1.3.50:3128;gopher=10.1.3.50:3128;socks=10.1.3.50:3128

IE - HKU\momara_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet
IE - HKU\momara_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet
IE - HKU\momara_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\momara_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *intranet;*10.1.3.2;*192.168.10.5;192.168.10.2;*e-facts.org;*broker2.images.membersunited.org;*federalreserve.org;170.209.0.2;170.209.0.3;*10.1.3.8;*.docmagic.com;*numarkcu.org;<local>
IE - HKU\momara_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.1.3.50:3128

IE - HKU\msnoble_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet
IE - HKU\msnoble_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet
IE - HKU\msnoble_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\msnoble_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *intranet;*10.1.3.2;*192.168.10.5;192.168.10.2;*e-facts.org;*broker2.images.membersunited.org;*federalreserve.org;170.209.0.2;170.209.0.3;*10.1.3.8;*.docmagic.com;*numarkcu.org;*.elanfinancialservices.com;*nada.com;<local>
IE - HKU\msnoble_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.1.3.50:3128

IE - HKU\mviehweg_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet
IE - HKU\mviehweg_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet
IE - HKU\mviehweg_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\mviehweg_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *intranet;*10.1.3.2;*192.168.10.5;192.168.10.2;*e-facts.org;*broker2.images.membersunited.org;*federalreserve.org;170.209.0.2;170.209.0.3;*10.1.3.8;*.docmagic.com;*numarkcu.org;*.elanfinancialservices.com;*nada.com;<local>
IE - HKU\mviehweg_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.1.3.50:3128

IE - HKU\nmartinez_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet
IE - HKU\nmartinez_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet
IE - HKU\nmartinez_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\nmartinez_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *intranet;*10.1.3.2;*192.168.10.5;192.168.10.2;*e-facts.org;*broker2.images.membersunited.org;*federalreserve.org;170.209.0.2;170.209.0.3;*10.1.3.8;*.docmagic.com;*numarkcu.org;<local>
IE - HKU\nmartinez_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.1.3.50:3128

IE - HKU\pfhouse_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\pfhouse_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\pfhouse_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.1.3.50:3128

IE - HKU\rjacobo_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet
IE - HKU\rjacobo_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet
IE - HKU\rjacobo_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\rjacobo_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *intranet;*10.1.3.2;*192.168.10.5;192.168.10.2;*e-facts.org;*broker2.images.membersunited.org;*federalreserve.org;170.209.0.2;170.209.0.3;*10.1.3.8;*.docmagic.com;*numarkcu.org;*.elanfinancialservices.com;*nada.com;<local>
IE - HKU\rjacobo_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.1.3.50:3128

IE - HKU\rruettiger_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet
IE - HKU\rruettiger_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet
IE - HKU\rruettiger_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\rruettiger_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *intranet;*10.1.3.2;*192.168.10.5;192.168.10.2;*e-facts.org;*broker2.images.membersunited.org;*federalreserve.org;170.209.0.2;170.209.0.3;*10.1.3.8;*.docmagic.com;*numarkcu.org;<local>
IE - HKU\rruettiger_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.1.3.50:3128

IE - HKU\sathanasiou_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet
IE - HKU\sathanasiou_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet
IE - HKU\sathanasiou_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\sathanasiou_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *intranet;*10.1.3.2;*192.168.10.5;192.168.10.2;*e-facts.org;*broker2.images.membersunited.org;*federalreserve.org;170.209.0.2;170.209.0.3;*10.1.3.8;*.docmagic.com;*numarkcu.org;<local>
IE - HKU\sathanasiou_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.1.3.50:3128

IE - HKU\scan_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet/
IE - HKU\scan_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

O1 HOSTS File: ([2005/11/01 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [ESDUSBMon.exe] C:\WINDOWS\system32\ESDUSBMon.exe (SEIKO EPSON Corp.)
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKLM..\Run: [WinVNC] C:\Program Files\TightVNC\WinVNC.exe File not found
O4 - HKU\.DEFAULT..\RunOnce: [TSClientAXDisabler] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [TSClientMSIUninstaller] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\nmartinez_ON_C..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Remote Admin Server.lnk = C:\Program Files\Symitar\SFW\RemoteAdminServer.exe (Symitar™, A Jack Henry Company)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\cpetrucci\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\jperine\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\kcreger\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\mcastillo\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\mviehweg\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\rjacobo\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\administrator.NCU_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\administrator.NCU_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisablePersonalDirChange = 1
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\ascholp_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\cpetrucci_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\etaylor_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\etaylor_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisablePersonalDirChange = 1
O7 - HKU\etaylor_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\jperine_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\jsicinski_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\jwilliamson_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\kcreger_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\kwilson_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\lrobinson_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\mcastillo_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\mlalowski_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\momara_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\msnoble_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\mviehweg_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\nmartinez_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\nmartinez_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisablePersonalDirChange = 1
O7 - HKU\pfhouse_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\pfhouse_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisablePersonalDirChange = 1
O7 - HKU\rjacobo_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\rruettiger_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\sathanasiou_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\scan_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ncu.local
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/11/02 15:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/14 18:03:28 | 000,000,000 | --SD | C] -- C:\ComboFix
[2010/06/14 18:02:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Sun
[2010/06/14 17:59:36 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010/06/11 16:59:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\mviehweg\Application Data\Sun
[2010/06/11 16:00:41 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/06/11 15:29:09 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/06/11 15:29:09 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/06/11 15:29:09 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/06/11 15:29:08 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/06/11 15:28:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/06/11 15:27:54 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/06/09 09:12:11 | 000,065,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\asycfilt.dll
[2010/06/09 05:22:22 | 000,285,696 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\dllcache\atmfd.dll
[2010/06/03 16:29:21 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/06/03 16:29:21 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/06/03 16:29:21 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/06/03 16:29:21 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/05/24 18:07:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\mviehweg\Application Data\OpenOffice.org
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/16 13:27:05 | 000,262,144 | -H-- | M] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
[2010/06/16 13:27:05 | 000,262,144 | -H-- | M] () -- C:\Documents and Settings\LocalService\NTUSER.DAT
[2010/06/16 13:26:58 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/16 13:26:46 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/14 18:04:12 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/06/14 18:04:11 | 000,786,432 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/06/14 18:04:02 | 003,766,762 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/06/14 17:45:32 | 001,835,008 | -H-- | M] () -- C:\Documents and Settings\etaylor\NTUSER.DAT
[2010/06/14 17:45:32 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\etaylor\ntuser.ini
[2010/06/14 17:22:00 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/11 17:04:37 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\mviehweg\ntuser.ini
[2010/06/11 17:04:36 | 001,310,720 | -H-- | M] () -- C:\Documents and Settings\mviehweg\NTUSER.DAT
[2010/06/11 17:04:25 | 003,771,514 | -H-- | M] () -- C:\Documents and Settings\mviehweg\Local Settings\Application Data\IconCache.db
[2010/06/11 16:19:02 | 000,141,240 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/11 16:00:54 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/06/11 15:23:58 | 003,706,469 | R--- | M] () -- C:\Documents and Settings\etaylor\Desktop\ComboFix.exe
[2010/06/11 15:23:58 | 003,706,469 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2010/06/09 17:40:43 | 000,000,112 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/06/09 17:38:21 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/06/09 17:25:32 | 000,521,470 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/09 17:25:32 | 000,456,304 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/09 17:25:32 | 000,075,210 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/09 08:32:02 | 001,113,559 | ---- | M] () -- C:\Documents and Settings\etaylor\Desktop\sav_log.csv
[2010/06/03 17:08:36 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\etaylor\Desktop\dds.scr
[2010/06/03 15:52:27 | 000,004,748 | RHS- | M] () -- C:\Documents and Settings\etaylor\ntuser.pol
[2010/06/02 19:45:57 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\jperine\ntuser.ini
[2010/06/02 19:45:56 | 001,572,864 | -H-- | M] () -- C:\Documents and Settings\jperine\NTUSER.DAT
[2010/06/02 19:41:30 | 003,765,898 | -H-- | M] () -- C:\Documents and Settings\jperine\Local Settings\Application Data\IconCache.db
[2010/06/02 18:05:24 | 000,006,568 | RHS- | M] () -- C:\Documents and Settings\jperine\ntuser.pol
[2010/06/02 16:35:09 | 003,145,728 | -H-- | M] () -- C:\Documents and Settings\cpetrucci\NTUSER.DAT
[2010/06/02 16:35:09 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\cpetrucci\ntuser.ini
[2010/06/02 15:12:56 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\mcastillo\ntuser.ini
[2010/06/02 15:12:55 | 003,407,872 | -H-- | M] () -- C:\Documents and Settings\mcastillo\NTUSER.DAT
[2010/06/01 20:09:58 | 002,097,152 | -H-- | M] () -- C:\Documents and Settings\kcreger\NTUSER.DAT
[2010/06/01 20:09:58 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\kcreger\ntuser.ini
[2010/05/28 20:16:15 | 001,310,720 | -H-- | M] () -- C:\Documents and Settings\rjacobo\NTUSER.DAT
[2010/05/28 20:16:15 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\rjacobo\ntuser.ini
[2010/05/28 20:16:04 | 003,233,718 | -H-- | M] () -- C:\Documents and Settings\rjacobo\Local Settings\Application Data\IconCache.db
[2010/05/27 20:09:26 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\msnoble\ntuser.ini
[2010/05/27 20:09:25 | 001,572,864 | -H-- | M] () -- C:\Documents and Settings\msnoble\NTUSER.DAT
[2010/05/27 20:09:13 | 004,286,162 | -H-- | M] () -- C:\Documents and Settings\msnoble\Local Settings\Application Data\IconCache.db
[2010/05/27 18:23:16 | 000,006,568 | RHS- | M] () -- C:\Documents and Settings\msnoble\ntuser.pol
[2010/05/26 19:07:59 | 000,000,864 | ---- | M] () -- C:\Documents and Settings\mviehweg\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
[2010/05/25 18:09:00 | 000,006,568 | RHS- | M] () -- C:\Documents and Settings\mcastillo\ntuser.pol
[2010/05/22 09:21:04 | 000,005,228 | RHS- | M] () -- C:\Documents and Settings\kcreger\ntuser.pol
[2010/05/21 18:25:22 | 000,006,568 | RHS- | M] () -- C:\Documents and Settings\rjacobo\ntuser.pol
[2010/05/21 09:13:31 | 000,006,568 | RHS- | M] () -- C:\Documents and Settings\cpetrucci\ntuser.pol
[2010/05/20 18:05:51 | 000,006,568 | RHS- | M] () -- C:\Documents and Settings\mviehweg\ntuser.pol
[2010/05/19 17:24:05 | 000,024,408 | ---- | M] () -- C:\Documents and Settings\mviehweg\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/14 17:59:19 | 003,706,469 | R--- | C] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2010/06/11 16:00:54 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/06/11 16:00:46 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/06/11 15:29:09 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/06/11 15:29:09 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/06/11 15:29:09 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/06/11 15:29:09 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/06/11 15:29:09 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/06/11 15:26:45 | 003,706,469 | R--- | C] () -- C:\Documents and Settings\etaylor\Desktop\ComboFix.exe
[2010/06/09 08:31:58 | 001,113,559 | ---- | C] () -- C:\Documents and Settings\etaylor\Desktop\sav_log.csv
[2010/06/03 17:11:14 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\etaylor\Desktop\gmer.exe
[2010/06/03 17:11:05 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\etaylor\Desktop\dds.scr
[2010/05/26 19:07:59 | 000,000,864 | ---- | C] () -- C:\Documents and Settings\mviehweg\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
[2010/01/08 15:11:23 | 000,006,568 | RHS- | C] () -- C:\Documents and Settings\mlalowski\ntuser.pol
[2010/01/08 15:11:21 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\mlalowski\ntuser.ini
[2010/01/08 15:11:18 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\mlalowski\ntuser.dat.LOG
[2010/01/08 15:11:17 | 001,048,576 | -H-- | C] () -- C:\Documents and Settings\mlalowski\NTUSER.DAT
[2010/01/04 09:17:32 | 000,006,568 | RHS- | C] () -- C:\Documents and Settings\rjacobo\ntuser.pol
[2010/01/04 09:17:27 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\rjacobo\ntuser.ini
[2010/01/04 09:17:23 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\rjacobo\ntuser.dat.LOG
[2010/01/04 09:17:22 | 001,310,720 | -H-- | C] () -- C:\Documents and Settings\rjacobo\NTUSER.DAT
[2009/12/29 10:14:38 | 000,006,568 | RHS- | C] () -- C:\Documents and Settings\mviehweg\ntuser.pol
[2009/12/29 10:14:36 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\mviehweg\ntuser.ini
[2009/12/29 10:14:32 | 001,310,720 | -H-- | C] () -- C:\Documents and Settings\mviehweg\NTUSER.DAT
[2009/12/29 10:14:32 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\mviehweg\ntuser.dat.LOG
[2009/11/03 19:13:23 | 000,006,568 | RHS- | C] () -- C:\Documents and Settings\jperine\ntuser.pol
[2009/11/03 19:13:21 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\jperine\ntuser.ini
[2009/11/03 19:13:18 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\jperine\ntuser.dat.LOG
[2009/11/03 19:13:17 | 001,572,864 | -H-- | C] () -- C:\Documents and Settings\jperine\NTUSER.DAT
[2009/08/24 08:19:26 | 000,006,568 | RHS- | C] () -- C:\Documents and Settings\rruettiger\ntuser.pol
[2009/08/24 08:19:24 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\rruettiger\ntuser.ini
[2009/08/24 08:19:20 | 001,048,576 | -H-- | C] () -- C:\Documents and Settings\rruettiger\NTUSER.DAT
[2009/08/24 08:19:20 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\rruettiger\ntuser.dat.LOG
[2009/06/05 14:48:59 | 000,006,568 | RHS- | C] () -- C:\Documents and Settings\sathanasiou\ntuser.pol
[2009/06/05 14:48:57 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\sathanasiou\ntuser.ini
[2009/06/05 14:48:54 | 001,310,720 | -H-- | C] () -- C:\Documents and Settings\sathanasiou\NTUSER.DAT
[2009/06/05 14:48:54 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\sathanasiou\ntuser.dat.LOG
[2009/05/11 17:43:17 | 000,006,568 | RHS- | C] () -- C:\Documents and Settings\ascholp\ntuser.pol
[2009/05/11 17:43:15 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\ascholp\ntuser.ini
[2009/05/11 17:43:11 | 001,310,720 | -H-- | C] () -- C:\Documents and Settings\ascholp\NTUSER.DAT
[2009/05/11 17:43:11 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\ascholp\ntuser.dat.LOG
[2009/03/23 18:02:38 | 000,006,568 | RHS- | C] () -- C:\Documents and Settings\jsicinski\ntuser.pol
[2009/03/23 18:02:36 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\jsicinski\ntuser.ini
[2009/03/23 18:02:33 | 001,048,576 | -H-- | C] () -- C:\Documents and Settings\jsicinski\NTUSER.DAT
[2009/03/23 18:02:33 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\jsicinski\ntuser.dat.LOG
[2008/12/30 16:10:04 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2008/12/19 11:15:28 | 000,006,568 | RHS- | C] () -- C:\Documents and Settings\momara\ntuser.pol
[2008/12/19 11:15:26 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\momara\ntuser.ini
[2008/12/19 11:15:23 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\momara\ntuser.dat.LOG
[2008/12/19 11:15:22 | 001,310,720 | -H-- | C] () -- C:\Documents and Settings\momara\NTUSER.DAT
[2008/12/18 16:41:53 | 000,006,808 | RHS- | C] () -- C:\Documents and Settings\kwilson\ntuser.pol
[2008/12/18 16:41:51 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\kwilson\ntuser.ini
[2008/12/18 16:41:48 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\kwilson\ntuser.dat.LOG
[2008/12/18 16:41:47 | 000,786,432 | -H-- | C] () -- C:\Documents and Settings\kwilson\NTUSER.DAT
[2008/12/06 10:33:20 | 000,006,568 | RHS- | C] () -- C:\Documents and Settings\jwilliamson\ntuser.pol
[2008/12/06 10:33:19 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\jwilliamson\ntuser.ini
[2008/12/06 10:33:16 | 002,359,296 | -H-- | C] () -- C:\Documents and Settings\jwilliamson\NTUSER.DAT
[2008/12/06 10:33:16 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\jwilliamson\ntuser.dat.LOG
[2008/11/07 13:20:13 | 000,004,748 | RHS- | C] () -- C:\Documents and Settings\etaylor\ntuser.pol
[2008/11/07 13:20:10 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\etaylor\ntuser.ini
[2008/11/07 13:20:07 | 001,835,008 | -H-- | C] () -- C:\Documents and Settings\etaylor\NTUSER.DAT
[2008/11/07 13:20:07 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\etaylor\ntuser.dat.LOG
[2008/10/08 15:23:07 | 000,005,228 | RHS- | C] () -- C:\Documents and Settings\kcreger\ntuser.pol
[2008/10/08 15:23:06 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\kcreger\ntuser.ini
[2008/10/08 15:23:03 | 002,097,152 | -H-- | C] () -- C:\Documents and Settings\kcreger\NTUSER.DAT
[2008/10/08 15:23:03 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\kcreger\ntuser.dat.LOG
[2008/09/22 16:51:58 | 000,006,568 | RHS- | C] () -- C:\Documents and Settings\cpetrucci\ntuser.pol
[2008/09/22 16:51:56 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\cpetrucci\ntuser.ini
[2008/09/22 16:51:54 | 003,145,728 | -H-- | C] () -- C:\Documents and Settings\cpetrucci\NTUSER.DAT
[2008/09/22 16:51:54 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\cpetrucci\ntuser.dat.LOG
[2008/06/23 14:34:55 | 000,004,624 | RHS- | C] () -- C:\Documents and Settings\scan\ntuser.pol
[2008/06/23 14:34:53 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\scan\ntuser.ini
[2008/06/23 14:34:50 | 000,786,432 | -H-- | C] () -- C:\Documents and Settings\scan\NTUSER.DAT
[2008/06/23 14:34:50 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\scan\ntuser.dat.LOG
[2008/02/06 17:23:03 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\mcastillo\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/02/05 18:54:08 | 000,004,253 | ---- | C] () -- C:\WINDOWS\pixcache.ini
[2008/01/14 17:10:51 | 000,002,688 | RHS- | C] () -- C:\Documents and Settings\administrator.NCU\ntuser.pol
[2007/02/20 10:02:24 | 000,262,144 | ---- | C] () -- C:\WINDOWS\system32\config\systemprofile\ntuser.dat
[2007/02/20 10:02:24 | 000,008,192 | -H-- | C] () -- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
[2007/01/10 14:52:26 | 000,006,808 | RHS- | C] () -- C:\Documents and Settings\lrobinson\ntuser.pol
[2007/01/10 14:52:24 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\lrobinson\ntuser.ini
[2007/01/10 14:52:23 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\lrobinson\ntuser.dat.LOG
[2007/01/10 14:52:22 | 000,786,432 | -H-- | C] () -- C:\Documents and Settings\lrobinson\NTUSER.DAT
[2007/01/05 17:15:00 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\ODMA32.dll
[2007/01/05 16:21:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\BridgerInsight.INI
[2007/01/03 12:24:36 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/01/03 12:22:46 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/01/03 12:22:14 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2006/12/19 17:21:58 | 000,004,748 | RHS- | C] () -- C:\Documents and Settings\pfhouse\ntuser.pol
[2006/12/05 13:21:52 | 000,008,628 | RHS- | C] () -- C:\Documents and Settings\nmartinez\ntuser.pol
[2006/12/05 13:21:50 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\nmartinez\ntuser.ini
[2006/12/05 13:21:49 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\nmartinez\ntuser.dat.LOG
[2006/12/05 13:21:47 | 001,310,720 | -H-- | C] () -- C:\Documents and Settings\nmartinez\NTUSER.DAT
[2006/12/03 13:51:59 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\administrator.NCU\ntuser.ini
[2006/12/03 13:51:58 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\administrator.NCU\ntuser.dat.LOG
[2006/12/03 13:51:57 | 001,048,576 | -H-- | C] () -- C:\Documents and Settings\administrator.NCU\NTUSER.DAT
[2006/12/01 15:54:35 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\HPPAPR01.DLL
[2006/11/30 15:41:43 | 000,006,568 | RHS- | C] () -- C:\Documents and Settings\mcastillo\ntuser.pol
[2006/11/30 15:41:40 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\mcastillo\ntuser.ini
[2006/11/30 15:41:39 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\mcastillo\ntuser.dat.LOG
[2006/11/30 15:41:38 | 003,407,872 | -H-- | C] () -- C:\Documents and Settings\mcastillo\NTUSER.DAT
[2006/11/30 13:48:44 | 000,006,568 | RHS- | C] () -- C:\Documents and Settings\msnoble\ntuser.pol
[2006/11/30 13:48:42 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\msnoble\ntuser.dat.LOG
[2006/11/30 13:48:42 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\msnoble\ntuser.ini
[2006/11/30 13:48:41 | 001,572,864 | -H-- | C] () -- C:\Documents and Settings\msnoble\NTUSER.DAT
[2006/11/28 11:29:19 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\SharpImg.dll
[2006/11/28 11:29:18 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\EpsStmEW.DLL
[2006/11/28 11:03:42 | 000,003,062 | ---- | C] () -- C:\WINDOWS\SigPlus.ini
[2006/11/02 19:58:55 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/11/02 18:49:51 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\pfhouse\ntuser.dat.LOG
[2006/11/02 18:49:51 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\pfhouse\ntuser.ini
[2006/11/02 18:49:50 | 001,572,864 | -H-- | C] () -- C:\Documents and Settings\pfhouse\NTUSER.DAT
[2006/11/02 18:12:03 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2006/11/02 18:12:02 | 000,077,824 | -H-- | C] () -- C:\Documents and Settings\Administrator\ntuser.dat.LOG
[2006/11/02 18:12:01 | 000,786,432 | -H-- | C] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2006/11/02 18:04:05 | 000,262,144 | -H-- | C] () -- C:\Documents and Settings\LocalService\NTUSER.DAT
[2006/11/02 18:04:05 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\LocalService\ntuser.dat.LOG
[2006/11/02 18:04:05 | 000,000,020 | -HS- | C] () -- C:\Documents and Settings\LocalService\ntuser.ini
[2006/11/02 15:19:43 | 000,000,020 | -HS- | C] () -- C:\Documents and Settings\NetworkService\ntuser.ini
[2006/11/02 15:19:42 | 000,262,144 | -H-- | C] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
[2006/11/02 15:19:42 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\NetworkService\ntuser.dat.LOG
[2006/05/12 12:08:43 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\HPB1320V.DLL
[2006/05/12 12:08:43 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL
[2006/01/30 12:00:00 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\VSHP1020.DLL
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2008/01/14 17:11:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator.NCU\Application Data\Windows Desktop Search
[2009/05/29 15:00:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Windows Desktop Search
[2009/05/11 17:44:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ascholp\Application Data\Windows Desktop Search
[2010/02/10 14:47:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\cpetrucci\Application Data\OpenOffice.org
[2008/09/22 16:52:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\cpetrucci\Application Data\Windows Desktop Search
[2008/11/07 13:21:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\etaylor\Application Data\Windows Desktop Search
[2010/02/25 14:59:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jperine\Application Data\OpenOffice.org
[2009/11/03 19:14:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jperine\Application Data\Windows Desktop Search
[2009/03/23 18:03:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jsicinski\Application Data\Windows Desktop Search
[2008/12/06 10:33:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jwilliamson\Application Data\Windows Desktop Search
[2010/02/19 11:24:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\kcreger\Application Data\OpenOffice.org
[2008/10/08 15:23:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\kcreger\Application Data\Windows Desktop Search
[2008/12/18 16:42:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\kwilson\Application Data\Windows Desktop Search
[2008/12/09 17:44:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\lrobinson\Application Data\Windows Desktop Search
[2010/03/30 18:34:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mcastillo\Application Data\OpenOffice.org
[2007/10/29 18:09:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mcastillo\Application Data\Windows Desktop Search
[2010/01/08 15:12:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mlalowski\Application Data\Windows Desktop Search
[2008/12/19 11:16:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\momara\Application Data\Windows Desktop Search
[2008/03/19 14:22:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\msnoble\Application Data\Windows Desktop Search
[2010/05/24 18:07:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mviehweg\Application Data\OpenOffice.org
[2009/12/29 10:15:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mviehweg\Application Data\Windows Desktop Search
[2007/12/05 16:31:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\nmartinez\Application Data\Windows Desktop Search
[2007/11/03 12:14:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\pfhouse\Application Data\Windows Desktop Search
[2010/04/23 13:46:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\rjacobo\Application Data\OpenOffice.org
[2010/01/04 09:18:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\rjacobo\Application Data\Windows Desktop Search
[2009/08/24 08:20:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\rruettiger\Application Data\Windows Desktop Search
[2009/06/05 14:49:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sathanasiou\Application Data\Windows Desktop Search
[2008/06/23 14:35:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\scan\Application Data\Windows Desktop Search

========== Purity Check ==========



========== Custom Scans ==========


Invalid Environment Variable: %ALLUSERSPROFILE%\Application Data\*.

Invalid Environment Variable: %ALLUSERSPROFILE%\Application Data\*.exe

Invalid Environment Variable: %APPDATA%\*.

Invalid Environment Variable: %APPDATA%\*.exe

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2005/11/01 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/04/14 06:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/04/14 06:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/14 01:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/14 01:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2005/11/01 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/04/14 06:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 06:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/14 01:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/14 01:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2005/11/01 08:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 06:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 06:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2005/11/01 08:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 06:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/14 06:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2005/11/01 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2005/11/01 08:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 06:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/14 06:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: USERINIT.EXE >
[2005/11/01 08:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2008/04/14 06:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/14 06:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2006/11/02 08:13:30 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2006/11/02 08:13:30 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2006/11/02 08:13:30 | 000,876,544 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/06/20 13:46:57 | 000,147,968 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dnsapi.dll
[2010/05/04 13:20:35 | 006,067,200 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\ieframe.dll
[2010/05/04 13:20:36 | 000,268,288 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\iertutil.dll
[2008/04/14 06:42:02 | 000,274,944 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\mstask.dll
[2008/04/14 06:42:04 | 000,067,072 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\ntdsapi.dll
[2008/04/14 06:42:04 | 000,023,040 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\psapi.dll
[2008/06/17 15:02:19 | 008,461,312 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\shell32.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< CREATERESTOREPOINT >
< End of report >

[2010/06/16 13:38:45 | 000,077,824 | -H-- | M] () -- C:\Documents and Settings\Administrator\ntuser.dat.LOG
[2010/06/16 13:34:02 | 000,008,192 | -H-- | M] () -- C:\Documents and Settings\sathanasiou\ntuser.dat.LOG
[2010/06/16 13:34:02 | 000,008,192 | -H-- | M] () -- C:\Documents and Settings\rruettiger\ntuser.dat.LOG
[2010/06/16 13:34:02 | 000,008,192 | -H-- | M] () -- C:\Documents and Settings\mviehweg\ntuser.dat.LOG
[2010/06/16 13:34:02 | 000,008,192 | -H-- | M] () -- C:\Documents and Settings\mcastillo\ntuser.dat.LOG
[2010/06/16 13:34:02 | 000,008,192 | -H-- | M] () -- C:\Documents and Settings\kcreger\ntuser.dat.LOG
[2010/06/16 13:34:02 | 000,008,192 | -H-- | M] () -- C:\Documents and Settings\jwilliamson\ntuser.dat.LOG
[2010/06/16 13:34:02 | 000,008,192 | -H-- | M] () -- C:\Documents and Settings\jperine\ntuser.dat.LOG
[2010/06/16 13:34:02 | 000,008,192 | -H-- | M] () -- C:\Documents and Settings\etaylor\ntuser.dat.LOG
[2010/06/16 13:34:02 | 000,008,192 | -H-- | M] () -- C:\Documents and Settings\ascholp\ntuser.dat.LOG
[2010/06/16 13:34:02 | 000,008,192 | -H-- | M] () -- C:\Documents and Settings\administrator.NCU\ntuser.dat.LOG
[2010/06/16 13:34:01 | 000,008,192 | -H-- | M] () -- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
[2010/06/16 13:34:01 | 000,008,192 | -H-- | M] () -- C:\Documents and Settings\scan\ntuser.dat.LOG
[2010/06/16 13:34:01 | 000,008,192 | -H-- | M] () -- C:\Documents and Settings\rjacobo\ntuser.dat.LOG
[2010/06/16 13:34:01 | 000,008,192 | -H-- | M] () -- C:\Documents and Settings\pfhouse\ntuser.dat.LOG
[2010/06/16 13:34:01 | 000,008,192 | -H-- | M] () -- C:\Documents and Settings\nmartinez\ntuser.dat.LOG
[2010/06/16 13:34:01 | 000,008,192 | -H-- | M] () -- C:\Documents and Settings\NetworkService\ntuser.dat.LOG
[2010/06/16 13:34:01 | 000,008,192 | -H-- | M] () -- C:\Documents and Settings\msnoble\ntuser.dat.LOG
[2010/06/16 13:34:01 | 000,008,192 | -H-- | M] () -- C:\Documents and Settings\momara\ntuser.dat.LOG
[2010/06/16 13:34:01 | 000,008,192 | -H-- | M] () -- C:\Documents and Settings\mlalowski\ntuser.dat.LOG
[2010/06/16 13:34:01 | 000,008,192 | -H-- | M] () -- C:\Documents and Settings\lrobinson\ntuser.dat.LOG
[2010/06/16 13:34:01 | 000,008,192 | -H-- | M] () -- C:\Documents and Settings\LocalService\ntuser.dat.LOG
[2010/06/16 13:34:01 | 000,008,192 | -H-- | M] () -- C:\Documents and Settings\kwilson\ntuser.dat.LOG
[2010/06/16 13:34:01 | 000,008,192 | -H-- | M] () -- C:\Documents and Settings\jsicinski\ntuser.dat.LOG
[2010/06/16 13:34:01 | 000,008,192 | -H-- | M] () -- C:\Documents and Settings\cpetrucci\ntuser.dat.LOG
[2010/06/16 13:27:05 | 000,262,144 | -H-- | M] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
[2010/06/16 13:27:05 | 000,262,144 | -H-- | M] () -- C:\Documents and Settings\LocalService\NTUSER.DAT
[2010/06/16 13:26:58 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/16 13:26:46 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/14 18:04:12 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/06/14 18:04:11 | 000,786,432 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/06/14 18:04:02 | 003,766,762 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/06/14 18:02:40 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\Administrator\Cookies
[2010/06/14 18:02:31 | 000,000,000 | --SD | M] -- C:\Documents and Settings\Administrator\Application Data\Microsoft
[2010/06/14 18:02:25 | 000,000,000 | RH-D | M] -- C:\Documents and Settings\Administrator\Application Data
[2010/06/14 18:02:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Sun
[2010/06/14 17:59:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Desktop
[2010/06/14 17:45:32 | 001,835,008 | -H-- | M] () -- C:\Documents and Settings\etaylor\NTUSER.DAT
[2010/06/14 17:45:32 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\etaylor\ntuser.ini
[2010/06/14 17:22:00 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/11 17:04:37 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\mviehweg\ntuser.ini
[2010/06/11 17:04:36 | 001,310,720 | -H-- | M] () -- C:\Documents and Settings\mviehweg\NTUSER.DAT
[2010/06/11 17:04:25 | 003,771,514 | -H-- | M] () -- C:\Documents and Settings\mviehweg\Local Settings\Application Data\IconCache.db
[2010/06/11 16:59:32 | 000,000,000 | RH-D | M] -- C:\Documents and Settings\mviehweg\Application Data
[2010/06/11 16:59:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mviehweg\Application Data\Sun
[2010/06/11 16:52:30 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\mviehweg\Cookies
[2010/06/11 16:19:02 | 000,141,240 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/11 16:13:32 | 000,000,000 | RH-D | M] -- C:\Documents and Settings\etaylor\Application Data
[2010/06/11 15:26:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\etaylor\Desktop
[2010/06/11 15:23:58 | 003,706,469 | R--- | M] () -- C:\Documents and Settings\etaylor\Desktop\ComboFix.exe
[2010/06/11 15:23:58 | 003,706,469 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2010/06/09 17:40:43 | 000,000,112 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/06/09 17:38:21 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/06/09 17:25:32 | 000,521,470 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/09 17:25:32 | 000,456,304 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/09 17:25:32 | 000,075,210 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/09 17:04:02 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2010/06/09 08:32:02 | 001,113,559 | ---- | M] () -- C:\Documents and Settings\etaylor\Desktop\sav_log.csv
[2010/06/04 15:59:32 | 000,000,000 | RH-D | M] -- C:\Documents and Settings\etaylor\Recent
[2010/06/04 13:46:09 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\etaylor\Cookies
[2010/06/04 13:44:28 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\NetworkService\Cookies
[2010/06/04 13:42:46 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\LocalService\Cookies
[2010/06/04 12:32:39 | 000,000,000 | ---D | M] -- C:\Program Files\Symantec AntiVirus
[2010/06/03 17:08:36 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\etaylor\Desktop\dds.scr
[2010/06/03 16:44:51 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\cpetrucci\Cookies
[2010/06/03 16:44:32 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\jperine\Cookies
[2010/06/03 16:44:19 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\kcreger\Cookies
[2010/06/03 16:43:50 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\mcastillo\Cookies
[2010/06/03 16:43:48 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\msnoble\Cookies
[2010/06/03 16:42:56 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\rjacobo\Cookies
[2010/06/03 16:37:52 | 000,000,000 | RH-D | M] -- C:\Documents and Settings\mcastillo\Recent
[2010/06/03 16:37:52 | 000,000,000 | RH-D | M] -- C:\Documents and Settings\cpetrucci\Recent
[2010/06/03 16:37:51 | 000,000,000 | RH-D | M] -- C:\Documents and Settings\rjacobo\Recent
[2010/06/03 16:29:52 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files\Java
[2010/06/03 16:29:03 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2010/06/03 16:26:27 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\etaylor\Local Settings
[2010/06/03 15:52:27 | 000,004,748 | RHS- | M] () -- C:\Documents and Settings\etaylor\ntuser.pol
[2010/06/02 19:45:57 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\jperine\ntuser.ini
[2010/06/02 19:45:56 | 001,572,864 | -H-- | M] () -- C:\Documents and Settings\jperine\NTUSER.DAT
[2010/06/02 19:41:30 | 003,765,898 | -H-- | M] () -- C:\Documents and Settings\jperine\Local Settings\Application Data\IconCache.db
[2010/06/02 18:05:24 | 000,006,568 | RHS- | M] () -- C:\Documents and Settings\jperine\ntuser.pol
[2010/06/02 16:35:09 | 003,145,728 | -H-- | M] () -- C:\Documents and Settings\cpetrucci\NTUSER.DAT
[2010/06/02 16:35:09 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\cpetrucci\ntuser.ini
[2010/06/02 15:12:56 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\mcastillo\ntuser.ini
[2010/06/02 15:12:55 | 003,407,872 | -H-- | M] () -- C:\Documents and Settings\mcastillo\NTUSER.DAT
[2010/06/01 20:09:58 | 002,097,152 | -H-- | M] () -- C:\Documents and Settings\kcreger\NTUSER.DAT
[2010/06/01 20:09:58 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\kcreger\ntuser.ini
[2010/05/28 20:16:15 | 001,310,720 | -H-- | M] () -- C:\Documents and Settings\rjacobo\NTUSER.DAT
[2010/05/28 20:16:15 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\rjacobo\ntuser.ini
[2010/05/28 20:16:04 | 003,233,718 | -H-- | M] () -- C:\Documents and Settings\rjacobo\Local Settings\Application Data\IconCache.db
[2010/05/27 20:09:26 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\msnoble\ntuser.ini
[2010/05/27 20:09:25 | 001,572,864 | -H-- | M] () -- C:\Documents and Settings\msnoble\NTUSER.DAT
[2010/05/27 20:09:13 | 004,286,162 | -H-- | M] () -- C:\Documents and Settings\msnoble\Local Settings\Application Data\IconCache.db
[2010/05/27 18:23:16 | 000,006,568 | RHS- | M] () -- C:\Documents and Settings\msnoble\ntuser.pol
[2010/05/26 19:07:59 | 000,000,864 | ---- | M] () -- C:\Documents and Settings\mviehweg\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
[2010/05/26 19:07:59 | 000,000,000 | --SD | M] -- C:\Documents and Settings\mviehweg\Application Data\Microsoft
[2010/05/25 18:09:00 | 000,006,568 | RHS- | M] () -- C:\Documents and Settings\mcastillo\ntuser.pol
[2010/05/24 18:07:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mviehweg\Application Data\OpenOffice.org
[2010/05/22 09:21:04 | 000,005,228 | RHS- | M] () -- C:\Documents and Settings\kcreger\ntuser.pol
[2010/05/21 18:25:22 | 000,006,568 | RHS- | M] () -- C:\Documents and Settings\rjacobo\ntuser.pol
[2010/05/21 09:13:31 | 000,006,568 | RHS- | M] () -- C:\Documents and Settings\cpetrucci\ntuser.pol
[2010/05/20 18:05:51 | 000,006,568 | RHS- | M] () -- C:\Documents and Settings\mviehweg\ntuser.pol
[2010/05/19 17:24:05 | 000,024,408 | ---- | M] () -- C:\Documents and Settings\mviehweg\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/05/18 18:11:52 | 000,000,000 | R--D | M] -- C:\Documents and Settings\mcastillo\Favorites
[2010/04/22 13:55:57 | 000,024,408 | ---- | M] () -- C:\Documents and Settings\cpetrucci\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/06 16:42:50 | 005,366,094 | -H-- | M] () -- C:\Documents and Settings\etaylor\Local Settings\Application Data\IconCache.db
[2010/02/06 14:04:43 | 001,310,720 | -H-- | M] () -- C:\Documents and Settings\ascholp\NTUSER.DAT
[2010/02/06 14:04:43 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\ascholp\ntuser.ini
[2010/02/06 14:04:32 | 003,773,172 | -H-- | M] () -- C:\Documents and Settings\ascholp\Local Settings\Application Data\IconCache.db
[2010/02/02 21:12:57 | 004,313,666 | -H-- | M] () -- C:\Documents and Settings\kcreger\Local Settings\Application Data\IconCache.db
[2010/01/22 21:39:02 | 002,359,296 | -H-- | M] () -- C:\Documents and Settings\jwilliamson\NTUSER.DAT
[2010/01/22 21:39:02 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\jwilliamson\ntuser.ini
[2010/01/22 21:38:51 | 004,311,178 | -H-- | M] () -- C:\Documents and Settings\jwilliamson\Local Settings\Application Data\IconCache.db
[2010/01/20 11:20:37 | 001,048,576 | -H-- | M] () -- C:\Documents and Settings\mlalowski\NTUSER.DAT
[2010/01/20 11:20:37 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\mlalowski\ntuser.ini
[2010/01/20 11:20:26 | 003,225,406 | -H-- | M] () -- C:\Documents and Settings\mlalowski\Local Settings\Application Data\IconCache.db
[2010/01/20 11:08:11 | 000,020,624 | ---- | M] () -- C:\Documents and Settings\mlalowski\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/01/19 15:20:08 | 000,020,624 | ---- | M] () -- C:\Documents and Settings\jperine\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/01/16 15:24:01 | 003,781,844 | -H-- | M] () -- C:\Documents and Settings\cpetrucci\Local Settings\Application Data\IconCache.db
[2010/01/15 14:35:55 | 000,006,568 | RHS- | M] () -- C:\Documents and Settings\ascholp\ntuser.pol
[2010/01/08 15:11:24 | 000,006,568 | RHS- | M] () -- C:\Documents and Settings\mlalowski\ntuser.pol
[2010/01/05 19:45:55 | 000,020,232 | ---- | M] () -- C:\Documents and Settings\jwilliamson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/01/05 15:54:42 | 000,006,568 | RHS- | M] () -- C:\Documents and Settings\jwilliamson\ntuser.pol
[2009/09/04 09:27:09 | 001,048,576 | -H-- | M] () -- C:\Documents and Settings\rruettiger\NTUSER.DAT
[2009/09/04 09:27:05 | 001,310,720 | -H-- | M] () -- C:\Documents and Settings\nmartinez\NTUSER.DAT
[2009/09/04 09:27:05 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\nmartinez\ntuser.ini
[2009/09/04 09:26:59 | 003,772,208 | -H-- | M] () -- C:\Documents and Settings\nmartinez\Local Settings\Application Data\IconCache.db
[2009/09/04 08:54:45 | 000,008,628 | RHS- | M] () -- C:\Documents and Settings\nmartinez\ntuser.pol
[2009/09/01 20:08:07 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\rruettiger\ntuser.ini
[2009/09/01 20:07:50 | 002,694,442 | -H-- | M] () -- C:\Documents and Settings\rruettiger\Local Settings\Application Data\IconCache.db
[2009/08/27 15:33:02 | 001,310,720 | -H-- | M] () -- C:\Documents and Settings\momara\NTUSER.DAT
[2009/08/27 15:33:02 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\momara\ntuser.ini
[2009/08/27 15:32:48 | 003,230,626 | -H-- | M] () -- C:\Documents and Settings\momara\Local Settings\Application Data\IconCache.db
[2009/08/27 15:13:46 | 000,006,568 | RHS- | M] () -- C:\Documents and Settings\momara\ntuser.pol
[2009/08/24 08:19:27 | 000,006,568 | RHS- | M] () -- C:\Documents and Settings\rruettiger\ntuser.pol
[2009/08/21 19:06:27 | 001,310,720 | -H-- | M] () -- C:\Documents and Settings\sathanasiou\NTUSER.DAT
[2009/08/21 19:06:27 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\sathanasiou\ntuser.ini
[2009/08/21 19:06:22 | 003,228,350 | -H-- | M] () -- C:\Documents and Settings\sathanasiou\Local Settings\Application Data\IconCache.db
[2009/07/10 15:57:08 | 001,572,864 | -H-- | M] () -- C:\Documents and Settings\pfhouse\NTUSER.DAT
[2009/07/10 15:14:43 | 000,006,568 | RHS- | M] () -- C:\Documents and Settings\sathanasiou\ntuser.pol
[2009/07/03 13:52:38 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\pfhouse\ntuser.ini
[2009/07/03 13:50:29 | 000,004,748 | RHS- | M] () -- C:\Documents and Settings\pfhouse\ntuser.pol
[2009/06/30 11:54:59 | 000,020,232 | ---- | M] () -- C:\Documents and Settings\kcreger\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/06/11 17:03:35 | 000,020,232 | ---- | M] () -- C:\Documents and Settings\mcastillo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/05/12 18:14:38 | 001,048,576 | -H-- | M] () -- C:\Documents and Settings\administrator.NCU\NTUSER.DAT
[2009/05/11 17:11:48 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\administrator.NCU\ntuser.ini
[2009/05/11 17:11:35 | 003,765,890 | -H-- | M] () -- C:\Documents and Settings\administrator.NCU\Local Settings\Application Data\IconCache.db
[2009/05/11 16:37:35 | 000,002,688 | RHS- | M] () -- C:\Documents and Settings\administrator.NCU\ntuser.pol
[2009/03/23 20:21:21 | 001,048,576 | -H-- | M] () -- C:\Documents and Settings\jsicinski\NTUSER.DAT
[2009/03/23 20:21:21 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\jsicinski\ntuser.ini
[2009/03/23 20:21:12 | 002,692,554 | -H-- | M] () -- C:\Documents and Settings\jsicinski\Local Settings\Application Data\IconCache.db
[2009/03/23 18:02:39 | 000,006,568 | RHS- | M] () -- C:\Documents and Settings\jsicinski\ntuser.pol
[2009/03/02 21:00:53 | 004,309,866 | -H-- | M] () -- C:\Documents and Settings\mcastillo\Local Settings\Application Data\IconCache.db
[2008/12/18 18:57:33 | 000,786,432 | -H-- | M] () -- C:\Documents and Settings\kwilson\NTUSER.DAT
[2008/12/18 18:57:00 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\kwilson\ntuser.ini
[2008/12/18 18:56:42 | 002,691,346 | -H-- | M] () -- C:\Documents and Settings\kwilson\Local Settings\Application Data\IconCache.db
[2008/12/18 16:41:54 | 000,006,808 | RHS- | M] () -- C:\Documents and Settings\kwilson\ntuser.pol
[2008/12/11 21:08:21 | 000,786,432 | -H-- | M] () -- C:\Documents and Settings\lrobinson\NTUSER.DAT
[2008/12/11 21:07:28 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\lrobinson\ntuser.ini
[2008/12/11 21:07:21 | 003,235,974 | -H-- | M] () -- C:\Documents and Settings\lrobinson\Local Settings\Application Data\IconCache.db
[2008/12/09 17:44:05 | 000,006,808 | RHS- | M] () -- C:\Documents and Settings\lrobinson\ntuser.pol
[2008/10/09 16:24:24 | 000,019,456 | ---- | M] () -- C:\Documents and Settings\pfhouse\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008/07/09 17:02:49 | 000,786,432 | -H-- | M] () -- C:\Documents and Settings\scan\NTUSER.DAT
[2008/07/02 16:39:05 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\scan\ntuser.ini
[2008/07/02 15:15:48 | 002,692,452 | -H-- | M] () -- C:\Documents and Settings\scan\Local Settings\Application Data\IconCache.db
[2008/06/23 14:34:56 | 000,004,624 | RHS- | M] () -- C:\Documents and Settings\scan\ntuser.pol
[2008/05/08 19:09:23 | 000,004,608 | ---- | M] () -- C:\Documents and Settings\mcastillo\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/11/03 12:27:51 | 005,354,498 | -H-- | M] () -- C:\Documents and Settings\pfhouse\Local Settings\Application Data\IconCache.db
[2007/02/20 10:02:24 | 000,262,144 | ---- | M] () -- C:\WINDOWS\system32\config\systemprofile\ntuser.dat
[2006/11/02 18:04:05 | 000,000,020 | -HS- | M] () -- C:\Documents and Settings\LocalService\ntuser.ini
[2006/11/02 15:19:43 | 000,000,020 | -HS- | M] () -- C:\Documents and Settings\NetworkService\ntuser.ini
[2006/11/02 08:14:50 | 000,000,062 | -HS- | M] () -- C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini
[2006/11/02 08:14:50 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\scan\Application Data\desktop.ini
[2006/11/02 08:14:50 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\sathanasiou\Application Data\desktop.ini
[2006/11/02 08:14:50 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\rruettiger\Application Data\desktop.ini
[2006/11/02 08:14:50 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\rjacobo\Application Data\desktop.ini
[2006/11/02 08:14:50 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\pfhouse\Application Data\desktop.ini
[2006/11/02 08:14:50 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\nmartinez\Application Data\desktop.ini
[2006/11/02 08:14:50 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\mviehweg\Application Data\desktop.ini
[2006/11/02 08:14:50 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\msnoble\Application Data\desktop.ini
[2006/11/02 08:14:50 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\momara\Application Data\desktop.ini
[2006/11/02 08:14:50 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\mlalowski\Application Data\desktop.ini
[2006/11/02 08:14:50 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\mcastillo\Application Data\desktop.ini
[2006/11/02 08:14:50 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\lrobinson\Application Data\desktop.ini
[2006/11/02 08:14:50 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\kwilson\Application Data\desktop.ini
[2006/11/02 08:14:50 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\kcreger\Application Data\desktop.ini
[2006/11/02 08:14:50 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\jwilliamson\Application Data\desktop.ini
[2006/11/02 08:14:50 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\jsicinski\Application Data\desktop.ini
[2006/11/02 08:14:50 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\jperine\Application Data\desktop.ini
[2006/11/02 08:14:50 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\etaylor\Application Data\desktop.ini
[2006/11/02 08:14:50 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\cpetrucci\Application Data\desktop.ini
[2006/11/02 08:14:50 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\ascholp\Application Data\desktop.ini
[2006/11/02 08:14:50 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\Administrator\Application Data\desktop.ini
[2006/11/02 08:14:50 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\administrator.NCU\Application Data\desktop.ini
[2006/06/29 15:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
[2006/06/29 15:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 16:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/04/18 16:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/16 13:27:05 | 000,262,144 | -H-- | M] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
[2010/06/16 13:27:05 | 000,262,144 | -H-- | M] () -- C:\Documents and Settings\LocalService\NTUSER.DAT
[2010/06/16 13:26:58 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/16 13:26:46 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/14 18:04:12 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/06/14 18:04:11 | 000,786,432 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/06/14 18:04:02 | 003,766,762 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/06/14 17:45:32 | 001,835,008 | -H-- | M] () -- C:\Documents and Settings\etaylor\NTUSER.DAT
[2010/06/14 17:45:32 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\etaylor\ntuser.ini
[2010/06/14 17:22:00 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/11 17:04:37 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\mviehweg\ntuser.ini
[2010/06/11 17:04:36 | 001,310,720 | -H-- | M] () -- C:\Documents and Settings\mviehweg\NTUSER.DAT
[2010/06/11 17:04:25 | 003,771,514 | -H-- | M] () -- C:\Documents and Settings\mviehweg\Local Settings\Application Data\IconCache.db
[2010/06/11 16:19:02 | 000,141,240 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/11 16:00:54 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/06/11 15:23:58 | 003,706,469 | R--- | M] () -- C:\Documents and Settings\etaylor\Desktop\ComboFix.exe
[2010/06/11 15:23:58 | 003,706,469 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2010/06/09 17:40:43 | 000,000,112 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/06/09 17:38:21 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/06/09 17:25:32 | 000,521,470 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/09 17:25:32 | 000,456,304 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/09 17:25:32 | 000,075,210 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/09 08:32:02 | 001,113,559 | ---- | M] () -- C:\Documents and Settings\etaylor\Desktop\sav_log.csv
[2010/06/03 17:08:36 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\etaylor\Desktop\dds.scr
[2010/06/03 15:52:27 | 000,004,748 | RHS- | M] () -- C:\Documents and Settings\etaylor\ntuser.pol
[2010/06/02 19:45:57 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\jperine\ntuser.ini
[2010/06/02 19:45:56 | 001,572,864 | -H-- | M] () -- C:\Documents and Settings\jperine\NTUSER.DAT
[2010/06/02 19:41:30 | 003,765,898 | -H-- | M] () -- C:\Documents and Settings\jperine\Local Settings\Application Data\IconCache.db
[2010/06/02 18:05:24 | 000,006,568 | RHS- | M] () -- C:\Documents and Settings\jperine\ntuser.pol
[2010/06/02 16:35:09 | 003,145,728 | -H-- | M] () -- C:\Documents and Settings\cpetrucci\NTUSER.DAT
[2010/06/02 16:35:09 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\cpetrucci\ntuser.ini
[2010/06/02 15:12:56 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\mcastillo\ntuser.ini
[2010/06/02 15:12:55 | 003,407,872 | -H-- | M] () -- C:\Documents and Settings\mcastillo\NTUSER.DAT
[2010/06/01 20:09:58 | 002,097,152 | -H-- | M] () -- C:\Documents and Settings\kcreger\NTUSER.DAT
[2010/06/01 20:09:58 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\kcreger\ntuser.ini
[2010/05/28 20:16:15 | 001,310,720 | -H-- | M] () -- C:\Documents and Settings\rjacobo\NTUSER.DAT
[2010/05/28 20:16:15 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\rjacobo\ntuser.ini
[2010/05/28 20:16:04 | 003,233,718 | -H-- | M] () -- C:\Documents and Settings\rjacobo\Local Settings\Application Data\IconCache.db
[2010/05/27 20:09:26 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\msnoble\ntuser.ini
[2010/05/27 20:09:25 | 001,572,864 | -H-- | M] () -- C:\Documents and Settings\msnoble\NTUSER.DAT
[2010/05/27 20:09:13 | 004,286,162 | -H-- | M] () -- C:\Documents and Settings\msnoble\Local Settings\Application Data\IconCache.db
[2010/05/27 18:23:16 | 000,006,568 | RHS- | M] () -- C:\Documents and Settings\msnoble\ntuser.pol
[2010/05/26 19:07:59 | 000,000,864 | ---- | M] () -- C:\Documents and Settings\mviehweg\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
[2010/05/25 18:09:00 | 000,006,568 | RHS- | M] () -- C:\Documents and Settings\mcastillo\ntuser.pol
[2010/05/22 09:21:04 | 000,005,228 | RHS- | M] () -- C:\Documents and Settings\kcreger\ntuser.pol
[2010/05/21 18:25:22 | 000,006,568 | RHS- | M] () -- C:\Documents and Settings\rjacobo\ntuser.pol
[2010/05/21 09:13:31 | 000,006,568 | RHS- | M] () -- C:\Documents and Settings\cpetrucci\ntuser.pol
[2010/05/20 18:05:51 | 000,006,568 | RHS- | M] () -- C:\Documents and Settings\mviehweg\ntuser.pol
[2010/05/19 17:24:05 | 000,024,408 | ---- | M] () -- C:\Documents and Settings\mviehweg\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== LOP Check ==========

[2008/01/14 17:11:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator.NCU\Application Data\Windows Desktop Search
[2009/05/29 15:00:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Windows Desktop Search
[2009/05/11 17:44:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ascholp\Application Data\Windows Desktop Search
[2010/02/10 14:47:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\cpetrucci\Application Data\OpenOffice.org
[2008/09/22 16:52:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\cpetrucci\Application Data\Windows Desktop Search
[2008/11/07 13:21:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\etaylor\Application Data\Windows Desktop Search
[2010/02/25 14:59:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jperine\Application Data\OpenOffice.org
[2009/11/03 19:14:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jperine\Application Data\Windows Desktop Search
[2009/03/23 18:03:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jsicinski\Application Data\Windows Desktop Search
[2008/12/06 10:33:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jwilliamson\Application Data\Windows Desktop Search
[2010/02/19 11:24:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\kcreger\Application Data\OpenOffice.org
[2008/10/08 15:23:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\kcreger\Application Data\Windows Desktop Search
[2008/12/18 16:42:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\kwilson\Application Data\Windows Desktop Search
[2008/12/09 17:44:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\lrobinson\Application Data\Windows Desktop Search
[2010/03/30 18:34:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mcastillo\Application Data\OpenOffice.org
[2007/10/29 18:09:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mcastillo\Application Data\Windows Desktop Search
[2010/01/08 15:12:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mlalowski\Application Data\Windows Desktop Search
[2008/12/19 11:16:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\momara\Application Data\Windows Desktop Search
[2008/03/19 14:22:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\msnoble\Application Data\Windows Desktop Search
[2010/05/24 18:07:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mviehweg\Application Data\OpenOffice.org
[2009/12/29 10:15:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mviehweg\Application Data\Windows Desktop Search
[2007/12/05 16:31:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\nmartinez\Application Data\Windows Desktop Search
[2007/11/03 12:14:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\pfhouse\Application Data\Windows Desktop Search
[2010/04/23 13:46:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\rjacobo\Application Data\OpenOffice.org
[2010/01/04 09:18:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\rjacobo\Application Data\Windows Desktop Search
[2009/08/24 08:20:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\rruettiger\Application Data\Windows Desktop Search
[2009/06/05 14:49:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sathanasiou\Application Data\Windows Desktop Search
[2008/06/23 14:35:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\scan\Application Data\Windows Desktop Search

========== Purity Check ==========



========== Custom Scans ==========


Invalid Environment Variable: %ALLUSERSPROFILE%\Application Data\*.

Invalid Environment Variable: %ALLUSERSPROFILE%\Application Data\*.exe

Invalid Environment Variable: %APPDATA%\*.

Invalid Environment Variable: %APPDATA%\*.exe

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2005/11/01 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/04/14 06:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/04/14 06:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/14 01:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/14 01:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2005/11/01 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/04/14 06:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 06:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/14 01:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/14 01:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2005/11/01 08:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 06:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 06:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2005/11/01 08:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 06:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/14 06:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2005/11/01 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2005/11/01 08:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 06:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/14 06:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: USERINIT.EXE >
[2005/11/01 08:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2008/04/14 06:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/14 06:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2006/11/02 08:13:30 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2006/11/02 08:13:30 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2006/11/02 08:13:30 | 000,876,544 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/06/20 13:46:57 | 000,147,968 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dnsapi.dll
[2010/05/04 13:20:35 | 006,067,200 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\ieframe.dll
[2010/05/04 13:20:36 | 000,268,288 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\iertutil.dll
[2008/04/14 06:42:02 | 000,274,944 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\mstask.dll
[2008/04/14 06:42:04 | 000,067,072 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\ntdsapi.dll
[2008/04/14 06:42:04 | 000,023,040 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\psapi.dll
[2008/06/17 15:02:19 | 008,461,312 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\shell32.dll
[2010/05/04 13:20:39 | 001,168,384 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\urlmon.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< CREATERESTOREPOINT >

< End of report >


#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:36 PM

Posted 16 June 2010 - 07:45 PM

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

CODE
:OTL
SRV - File not found [Auto] -- -- (winvnc)
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKLM..\Run: [WinVNC] C:\Program Files\TightVNC\WinVNC.exe File not found
O4 - HKU\nmartinez_ON_C..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe File not found
:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
""=""%1" %*"


Then click the Run Fix button at the top

Let the program run unhindered.

When done it will say "Fix Complete press ok to open the log"
Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Then run a file through a scanner

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Go to Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\WINDOWS\system32\dnsapi.dll

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at VirusTotal
m0le is a proud member of UNITE
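As an added, defender-side example (not OTL's or m0le's code), here is a small Python checker for the `< MD5 for: NAME >` sections of an OTL report like the one above: it compares the live system32 copy of each file with the ServicePackFiles copy and flags entries such as dnsapi.dll where OTL reported `Unable to obtain MD5`, which is exactly the case that needs an out-of-band hash check like the Jotti submission requested here. The EXAMPLE.DLL section and its hashes in the sample are constructed placeholders; the other sample lines are taken from the log posted in this thread.

```python
import re
from collections import defaultdict

# Added example, not OTL's own code: check OTL "< MD5 for: NAME >" sections.
HEADER_RE = re.compile(r"^< MD5 for: (?P<name>\S+) >$")
ENTRY_RE = re.compile(r"^\[[^|]+\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*\([^)]*\)\s*"
                      r"(?P<tag>MD5=[0-9A-Fa-f]{32}|Unable to obtain MD5|\.cab file)"
                      r"\s*--\s*(?P<path>.+)$")
# Which copy of a file a path refers to. The ServicePackFiles copy is the
# reference; $NtServicePackUninstall$ is the pre-SP version, so its hash is
# legitimately different and must not be used as one.
ROLES = (("\\servicepackfiles\\", "sp_backup"), ("\\$ntservicepackuninstall$\\", "pre_sp"),
         (".cab:", "cab"), ("\\system32\\", "live"))

def classify(path):
    return next((role for key, role in ROLES if key in path.lower()), "other")

def parse_md5_report(text):
    """{filename: [entries]}; lines outside a '< MD5 for: >' section (e.g. the
    /lockedfiles scan) are keyed by the basename of their path."""
    sections, current = defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        h = HEADER_RE.match(line)
        if h or line.startswith("<"):          # MD5 header, or another scan header
            current = h.group("name").lower() if h else None
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        path, tag = m.group("path"), m.group("tag")
        sections[current or path.rsplit("\\", 1)[-1].lower()].append({
            "role": classify(path), "size": int(m.group("size").replace(",", "")),
            "md5": tag[4:].upper() if tag.startswith("MD5=") else None})   # None: locked
    return sections

def verify(text):
    """Verdict for every file that has a live copy in the report."""
    verdicts = {}
    for name, entries in parse_md5_report(text).items():
        ref = {e["md5"] for e in entries if e["role"] == "sp_backup" and e["md5"]}
        for e in (e for e in entries if e["role"] == "live"):
            if e["md5"] is None:
                verdicts[name] = "unverified: locked, hash it out of band"
            elif not ref:
                verdicts[name] = "no reference copy"
            else:
                verdicts[name] = "match" if e["md5"] in ref else "MISMATCH"
    return verdicts

# Sample report: real lines from the OTL log in this thread plus one constructed
# section (EXAMPLE.DLL, placeholder hashes) so that a mismatch is exercised.
SAMPLE_REPORT = r"""
< MD5 for: ATAPI.SYS >
[2005/11/01 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/04/14 01:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/14 01:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2005/11/01 08:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
< MD5 for: EXAMPLE.DLL >
[2008/04/14 06:42:00 | 000,010,240 | ---- | M] (Microsoft Corporation) MD5=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -- C:\WINDOWS\ServicePackFiles\i386\example.dll
[2010/06/01 12:00:00 | 000,010,240 | ---- | M] (Microsoft Corporation) MD5=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB -- C:\WINDOWS\system32\example.dll
< %systemroot%\system32\*.dll /lockedfiles >
[2008/06/20 13:46:57 | 000,147,968 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dnsapi.dll
"""
```

Run `verify(SAMPLE_REPORT)` to get one verdict per file; the locked dnsapi.dll entry comes back as unverified rather than as a false "match".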

#12 DnDer

DnDer
  • Topic Starter

  • Members
  • 646 posts
  • OFFLINE
  • Local time:04:36 PM

Posted 17 June 2010 - 10:51 AM

I was not asked to reboot.

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winvnc deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\UserFaultCheck deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\WinVNC deleted successfully.
Registry value HKEY_USERS\nmartinez_ON_C\Software\Microsoft\Windows\CurrentVersion\RunOnce\\FlashPlayerUpdate deleted successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\\""|""%1" %*" /E : value set successfully!

OTLPE by OldTimer - Version 3.1.39.0 log created on 06172010_115037


I'll run the scans right now.

#13 DnDer

DnDer
  • Topic Starter

  • Members
  • 646 posts
  • OFFLINE
  • Local time:04:36 PM

Posted 17 June 2010 - 10:55 AM

This file has been scanned before. The results for this previous scan are listed below.


Filename: dnsapi.dll
Status:
Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Tue 29 Dec 2009 00:30:21 (CET) Permalink


File size: 147968 bytes
Filetype: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
MD5: 5d3fde8fb2801a2041d1b965372c4928
SHA1: 3eaf6478c6f14794b05a612d845c1725757beb0b



#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:36 PM

Posted 17 June 2010 - 05:04 PM

Please uninstall the Combofix on your system

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Disable any realtime antivirus or antispyware programs.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


Next run MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
m0le is a proud member of UNITE

#15 DnDer

DnDer
  • Topic Starter

  • Members
  • 646 posts
  • OFFLINE
  • Local time:04:36 PM

Posted 18 June 2010 - 03:55 PM

Scan's been running for 5h41m, with 2,530 alerts. We're still not out of C:\Documents and Settings\<users> folders yet.

Just let it keep going? Or there's something else you'd like me to try?
