adware.ezula issue, hijack this log posted

Hello again,
This forum has been a great help with one infected system. We have another that is less critical but has a potentially serious spyware infection. This is showing up as adware.ezula in the Symantec antivirus scan but we can't get rid of it via Symantec. Here is the hijack this log as of this afternoon:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:17:34 PM, on 11/18/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal

Running processes:
C:\Documents and Settings\Administrator.65GW2003\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\SysMgt\RAC4\racsvc.exe
C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\scdeybvw.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
E:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIConfiguration.exe
C:\WINDOWS\TIREMOTE\TIRemoteService.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISoftwareLicensingMonitor.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISystemNotificationMonitor.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIWorkOrderMonitor.exe
E:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIDashboardMonitor.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIFileStorage.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISearch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Microsoft SQL Server\MSSQL\binn\sqlagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Symantec AntiVirus\VPC32.exe
C:\WINDOWS\System32\logon.scr
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
E:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.adobe.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "
O4 - HKLM\..\Run: [SNM] E:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [602fd3b5] rundll32.exe "C:\WINDOWS\system32\rhoxfmcr.dll ",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.65gw2003\windows\system32\mswsock.dll' missing
O16 - DPF: {04B6290C-97B8-49A1-B0A3-1312254F7C54} (SharedSessionService Class) - https://portal.carealliance.com/portal/applets/SharedSession.dll
O16 - DPF: {26700CD9-6157-4B72-B46F-EC93C952F19C} (SWToolSet.Engine) - http://10.10.1.20/SWToolset.exe
O16 - DPF: {43E4476A-6C11-4274-AFA4-DF665B26EAE0} (Session Viewer) - https://10.10.1.43/plugins/vkvm/ActiveXVideoViewer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1189550347824
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1189550339113
O16 - DPF: {7D7D0CF0-BB7C-473E-8B35-7590F7D86671} (eFilmX Image Retrieval Module) - http://10.1.18.30/FusionServer/ActiveX/coefir.cab
O16 - DPF: {B1B22D8C-30F6-4BD5-8291-7C855D5CF2FC} (eFilmX Image Viewer) - http://10.1.18.30/FusionServer/ActiveX/eFilmX.cab
O16 - DPF: {EB29B81A-7351-4890-8BCE-58127C3545F9} (Mckntauth Control) - https://portal.carealliance.com/portal/applets/mckntauth.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 65GW2003.com
O17 - HKLM\Software\..\Telephony: DomainName = 65GW2003.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EFD42E0-A4D8-48AB-A4F5-6B1221F800F5}: NameServer = 10.10.1.70,10.10.1.72
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 65GW2003.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = 65GW2003.com
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSM SA Event Manager (dcevt32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
O23 - Service: DSM SA Data Manager (dcstor32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: mr2kserv - LSI Logic Corporation - C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
O23 - Service: DSM SA Shared Services (omsad) - Dell Inc. - C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
O23 - Service: Remote Access Controller 4 (RAC4) (racsvc) - Dell, Inc. - C:\Program Files\Dell\SysMgt\RAC4\racsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: DSM SA Connection Service (Server Administrator) - Unknown owner - C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
O23 - Service: SmaRTIndexServer - Self-Service Technologies - e:\Program Files\Numara Software\Numara Track-It! 8\Web Add-On\smart\services\SmartIndexer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Track-It! 8.0 Account Management Service (TIAccountManagementService80) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Web Add-On\Password Reset\Account Management Service\AccountManagementService.exe
O23 - Service: Track-It! Configuration (TIConfiguration) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIConfiguration.exe
O23 - Service: Track-It! Dashboard Monitor (TIDashboardMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIDashboardMonitor.exe
O23 - Service: Track-It! File Storage (TIFileStorage) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIFileStorage.exe
O23 - Service: Track-It! Monitor (TIMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIMonitor.exe
O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Numara Software, Inc. - C:\WINDOWS\TIREMOTE\TIRemoteService.exe
O23 - Service: Track-It! Search (TISearch) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISearch.exe
O23 - Service: Track-It! 8.0 Monitor Service (TIServerServices80) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Server\TIServerServices.exe
O23 - Service: Track-It! Software Licensing Monitor (TISoftwareLicensingMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISoftwareLicensingMonitor.exe
O23 - Service: Track-It! System Notification Monitor (TISystemNotificationMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISystemNotificationMonitor.exe
O23 - Service: Track-It! Work Order Monitor (TIWorkOrderMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIWorkOrderMonitor.exe
O23 - Service: Track-It! 8.0 User Synchronization Service (UserSyncService80) - Unknown owner - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Server\User Synch\bin\TIUserSyncSvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - E:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 12883 bytes

Additional info: this is a windows 2003 server R2 sp2 with terminal services, all functionality appears correct with the exception of the finding of this adware and erratic internet explorer behavior. The system is fully backed up using symantec backup exec and we have removed other virus and spyware that was infecting this system along the same time using symantec antivirus and spybot. Thanks for the help!

 

Ughhh ......... you've got one of the latest nasties, and it's a PITA. Lets see what we can do with it.

Again, where servers are concerned, I recommend a fresh image in the event of system failure. Most of these tools have little testing in server environments, so we can't always be sure of the outcome. Be sure to disconnect all client sessions and exit non-essential programs.

Uninstall SpywareBot. It's a rogue antispyware application.

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

• Open Spybot Search & Destroy.
• In the Mode menu click "Advanced mode" if not already selected.
• Choose "Yes" at the Warning prompt.
• Expand the "Tools" menu.
• Click "Resident ".
• Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
• In the File menu click "Exit" to exit Spybot Search & Destroy.

Reboot.

Download VundoFix by Atribune, saving it to your desktop.

• Double-click VundoFix.exe to run it.
• Click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click YES
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encounters a file it could not remove. In this case, VundoFix will run on reboot. If that happens, follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Then, download ComboFix by sUBs from here, saving the file to your desktop.

• Close all open programs and windows
• Double click combofix.exe and follow the prompts.
• When finished, it will open a log for you. Post that log, the C:\VundoFix.txt log and a new HijackThis log in your next reply.

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

 

combofix log

ComboFix 07-11-08.3 - administrator 2007-11-19 10:43:26.1 - NTFSx86
Microsoft(R) Windows(R) Server 2003, Standard Edition 5.2.3790.2.1252.1.1033.18.3229 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator.65GW2003\Desktop\ComboFix.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\65gsupport\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Administrator.65GW2003\Favorites\Online Security Guide.lnk
C:\Documents and Settings\hairfielda\Favorites\Online Security Guide.lnk
C:\Documents and Settings\hairfieldm\Favorites\Online Security Guide.lnk
C:\Documents and Settings\spitzj\Favorites\Online Security Guide.lnk
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fCOe
C:\Temp\fCOe\tOasF.log
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\aocifdjv.dll
C:\WINDOWS\system32\awtsq.dll
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\oTt02e
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pcmssnen.dllbox
C:\WINDOWS\system32\qstwa.bak1
C:\WINDOWS\system32\qstwa.bak2
C:\WINDOWS\system32\qstwa.ini
C:\WINDOWS\system32\qstwa.ini2
C:\WINDOWS\system32\qstwa.tmp
C:\WINDOWS\system32\vjdficoa.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-19 to 2007-11-19 )))))))))))))))))))))))))))))))
.

2007-11-19 10:43 145,984 --a------ C:\WINDOWS\system32\pcmssnen.dll
2007-11-19 10:42 <DIR> d-------- C:\Temp\combfix
2007-11-19 10:42 145,984 --a------ C:\WINDOWS\system32\rljqnpit.dll
2007-11-19 10:42 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-19 10:40 71,232 --a------ C:\WINDOWS\system32\rptphqtm.exe
2007-11-19 10:30 71,232 --a------ C:\WINDOWS\system32\udvndlir.exe
2007-11-19 10:28 <DIR> d-------- C:\VundoFix Backups
2007-11-19 10:27 118,272 --a------ C:\Documents and Settings\Administrator.65GW2003\VundoFix.exe
2007-11-19 08:53 85,056 --a------ C:\WINDOWS\system32\alfehlaa.dll
2007-11-19 08:53 71,232 --a------ C:\WINDOWS\system32\rulqrxij.exe
2007-11-19 08:50 71,232 --a------ C:\WINDOWS\system32\pipsjnel.exe
2007-11-19 08:15 71,232 --a------ C:\WINDOWS\system32\idyvykee.exe
2007-11-19 07:57 71,232 --a------ C:\WINDOWS\system32\ybphpewf.exe
2007-11-18 19:59 71,232 --a------ C:\WINDOWS\system32\rmdhtmnd.exe
2007-11-18 13:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-18 13:16 71,232 --a------ C:\WINDOWS\system32\rkksgdus.exe
2007-11-17 19:59 71,232 --a------ C:\WINDOWS\system32\uxgmonco.exe
2007-11-16 19:59 71,232 --a------ C:\WINDOWS\system32\bwbayumi.exe
2007-11-15 19:59 71,232 --a------ C:\WINDOWS\system32\rdlkaqnk.exe
2007-11-15 07:56 71,232 --a------ C:\WINDOWS\system32\iucgtedb.exe
2007-11-14 19:56 71,232 --a------ C:\WINDOWS\system32\fjtnxgnc.exe
2007-11-14 16:53 71,232 --a------ C:\WINDOWS\system32\gbilfyeh.exe
2007-11-14 16:22 71,232 --a------ C:\WINDOWS\system32\cnyefinv.exe
2007-11-14 15:21 71,232 --a------ C:\WINDOWS\system32\tttpohgh.exe
2007-11-13 09:25 71,232 --a------ C:\WINDOWS\system32\nerkwrfy.exe
2007-11-13 08:22 <DIR> d-------- C:\Documents and Settings\o'brienp\WINDOWS
2007-11-12 09:26 71,232 --a------ C:\WINDOWS\system32\wrxolinr.exe
2007-11-12 09:19 71,232 --a------ C:\WINDOWS\system32\qmkrkypk.exe
2007-11-12 09:10 71,232 --a------ C:\WINDOWS\system32\oyksensg.exe
2007-11-12 09:06 71,232 --a------ C:\WINDOWS\system32\meiuvntb.exe
2007-11-12 09:03 71,232 --a------ C:\WINDOWS\system32\ilqelqim.exe
2007-11-12 09:01 71,232 --a------ C:\WINDOWS\system32\bttmmtrf.exe
2007-11-09 08:04 71,232 --a------ C:\WINDOWS\system32\kjluojcv.exe
2007-11-08 18:20 71,232 --a------ C:\WINDOWS\system32\aqwqlkvi.exe
2007-11-08 14:17 71,232 --a------ C:\WINDOWS\system32\jdpoukfa.exe
2007-11-08 13:37 <DIR> d-------- C:\Documents and Settings\65gspam\WINDOWS
2007-11-08 13:31 71,232 --a------ C:\WINDOWS\system32\psblqyul.exe
2007-11-08 06:58 71,232 --a------ C:\WINDOWS\system32\xpaiagtx.exe
2007-11-07 20:57 71,232 --a------ C:\WINDOWS\system32\exrtorir.exe
2007-11-07 20:45 71,232 --a------ C:\WINDOWS\system32\kpnycsdr.exe
2007-11-07 19:55 71,232 --a------ C:\WINDOWS\system32\ubnpubsn.exe
2007-11-07 19:11 71,232 --a------ C:\WINDOWS\system32\tvgxjffu.exe
2007-11-07 19:10 8,706,680 --a------ C:\Temp\Windows-KB890830-V1.34.exe
2007-11-07 18:10 71,232 --a------ C:\WINDOWS\system32\btglcsyy.exe
2007-11-07 17:53 71,232 --a------ C:\WINDOWS\system32\scdeybvw.exe
2007-11-07 16:47 <DIR> d-------- C:\Temp\symantec
2007-11-07 14:52 71,232 --a------ C:\WINDOWS\system32\oyeoidoj.exe
2007-11-07 13:43 71,232 --a------ C:\WINDOWS\system32\mwarisdc.exe
2007-11-07 13:33 71,232 --a------ C:\WINDOWS\system32\qssqycex.exe
2007-11-07 13:33 71,232 --a------ C:\WINDOWS\system32\pctlyrck.exe
2007-11-07 12:36 71,232 --a------ C:\WINDOWS\system32\ptrefreb.exe
2007-11-07 11:41 <DIR> d-------- C:\Documents and Settings\atlantalocaldispatch\WINDOWS
2007-11-07 11:19 71,232 --a------ C:\WINDOWS\system32\bqjieohr.exe
2007-11-07 10:08 71,232 --a------ C:\WINDOWS\system32\tnsygsok.exe
2007-11-07 09:00 71,232 --a------ C:\WINDOWS\system32\dtppnphn.exe
2007-11-07 08:56 71,232 --a------ C:\WINDOWS\system32\ocnlrxrd.exe
2007-11-07 08:56 22,016 --a------ C:\WINDOWS\system32\hidserv.dll
2007-11-07 08:56 22,016 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-11-06 13:57 71,232 --a------ C:\WINDOWS\system32\sawdptix.exe
2007-11-06 08:24 87,104 --a------ C:\WINDOWS\system32\xjpynghw.dll
2007-11-05 08:12 85,568 --a------ C:\WINDOWS\system32\cwntlius.dll
2007-11-04 13:20 86,080 --a------ C:\WINDOWS\system32\uwwixadt.dll
2007-11-04 13:13 <DIR> d-------- C:\Temp\dup1_tmp
2007-11-04 12:50 86,080 --a------ C:\WINDOWS\system32\mdbjcsdu.dll
2007-11-04 12:44 <DIR> d-------- C:\Temp\PE1850_BIOS_WIN_A06
2007-11-04 12:44 6,656 --a------ C:\WINDOWS\system32\BiosMsg.dll
2007-11-04 12:42 86,080 --a------ C:\WINDOWS\system32\wjwiubjs.dll
2007-11-04 12:21 86,080 --a------ C:\WINDOWS\system32\plfhggnj.dll
2007-11-04 11:59 86,080 --a------ C:\WINDOWS\system32\govytbts.dll
2007-11-04 11:42 <DIR> d-------- C:\Temp\Dell
2007-11-04 11:42 86,016 --a------ C:\WINDOWS\system32\DellSPMsg.dll
2007-11-02 08:31 <DIR> d-------- C:\Documents and Settings\coakleya\WINDOWS
2007-11-02 08:31 <DIR> d-------- C:\Documents and Settings\campbelle\WINDOWS
2007-11-02 08:30 <DIR> d-------- C:\Documents and Settings\hughesbi\WINDOWS
2007-11-01 15:42 <DIR> d-------- C:\Documents and Settings\beckerc\WINDOWS
2007-10-29 13:27 <DIR> d-------- C:\Documents and Settings\atcwvedi\WINDOWS
2007-10-24 16:54 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-10-24 16:29 255 --------- C:\ietempdel.bat
2007-10-21 17:16 <DIR> d-------- C:\Temp\windows software removal tool
2007-10-21 11:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-21 11:53 <DIR> d-------- C:\Documents and Settings\Administrator.65GW2003\Application Data\SUPERAntiSpyware.com
2007-10-21 09:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-21 09:50 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2007-10-21 09:49 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-10-20 12:50 <DIR> d---s---- C:\Documents and Settings\65gsupport\UserData
2007-10-20 12:43 <DIR> d-------- C:\WINDOWS\system32\od2
2007-10-20 12:43 <DIR> d-------- C:\WINDOWS\system32\ib1
2007-10-20 12:43 <DIR> d-------- C:\WINDOWS\system32\cp1
2007-10-20 12:43 <DIR> d-------- C:\WINDOWS\system32\bo2
2007-10-20 12:43 <DIR> d-------- C:\WINDOWS\system32\ap1
2007-10-19 10:20 <DIR> d-------- C:\Documents and Settings\estesn\WINDOWS
2007-10-19 10:20 <DIR> d-------- C:\Documents and Settings\donaldsong\WINDOWS
2007-10-19 10:20 <DIR> d-------- C:\Documents and Settings\booneg\WINDOWS
2007-10-19 10:19 <DIR> d-------- C:\Documents and Settings\willeyr\WINDOWS
2007-10-19 10:19 <DIR> d-------- C:\Documents and Settings\davismo\WINDOWS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-19 15:49 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-11-04 16:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-04 16:58 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-09-30 22:09 --------- d-----w C:\Program Files\Solarwinds
2007-09-11 12:17 914 ------w C:\Documents and Settings\spitzj\SDM-2.3.2-1811-c181x-advipservicesk9-mz.124-6.T7.bin
2007-09-06 20:32 1,150 ------w C:\Documents and Settings\spitzj\SDM-2.3.1-1811-c181x-adventerprisek9-mz.124-6.T2.bin
2007-09-05 21:27 726 ------w C:\Documents and Settings\spitzj\SDM-2.2-1811-c181x-advipservicesk9-mz.124-2.XA.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{03AD7A3A-3E67-4D64-8EFE-4317E909A461}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05A42CB8-0D3E-45A9-ADFF-2AE544967C47}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D77A72C-0FA8-4A3C-B537-83A2A422644B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2DFB38C8-6986-4015-A66D-E34D5277A00A}]
C:\Program Files\Windows NT\mevoxud4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{320403C7-EAEA-493E-A64E-6B40D1AE1B70}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A1FDB3C-9812-4B97-9D44-7BDD8A3DF130}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{405182E5-6B8E-4518-058C-1FB7E488191F}]
C:\Program Files\WindowsUpdate\quharefow.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51A1820E-A937-4F00-974D-926A912D31EE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{55E52BAE-BB19-4476-91A0-F9545AD662BA}]
C:\Program Files\Windows NT\mevoxud83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{571E9CE8-22CB-4436-A8F1-25B05DA73D26}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CD19969-E60B-4FAC-B15B-388E94A0C84F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F3C2A8B-02A4-4B3D-87AC-F6B9A000A8EF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69D7043D-106A-4F87-948D-CA2A01996550}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{78B66DF6-32BA-4FD5-89E0-E67F996627ED}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{958EE684-C2B5-4E4C-8B03-03231F0BA4DE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95ED77C1-A655-464A-8666-81353927343C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A842DAFC-FB78-4E50-AD07-308304B61F37}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-19 10:43 145984 --a------ C:\WINDOWS\system32\pcmssnen.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A9D5AFAB-2A60-4572-A81A-618743CFC9D3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA70BA15-4AC5-405E-B405-56C294DB01D9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC62A6CC-CB14-4BD4-8F29-EFDB9631C9FE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D0F1141D-0FBA-4753-8FD5-A23CC3295A0C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA034E38-D5CF-4A6E-A216-9DB0185F6CF6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB2644D1-6428-4E1E-9915-3DAD71000512}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583} "= C:\WINDOWS\system32\pcmssnen.dll [2007-11-19 10:43 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 15:44]
"vptray "= "C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 14:18]
"Acrobat Assistant 7.0 "= "E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 01:12]
"SNM "= "E:\Program Files\SpyNoMore\SNM.exe" []
"602fd3b5 "= "C:\WINDOWS\system32\alfehlaa.dll" [2007-11-19 08:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareBot "= "C:\Program Files\SpywareBot\SpywareBot.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"tscuninstall "=%systemroot%\system32\tscupgrd.exe
"<NO NAME> "=
"O2K3ProfileSettings "= "E:\Program Files\ORKTools\ORK11\Tools\Profile Wizard\Proflwiz.exe" /r C:\Policies\o2k3ProfileSettings.ops /q

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-08-16 09:25:39]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2007-08-02 16:49:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad "=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden "=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost "=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,32,\

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
dimsntfy.dll 2007-02-17 09:02 19456 C:\WINDOWS\system32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcmssnen]
pcmssnen.dll 2007-11-19 10:43 145984 C:\WINDOWS\system32\pcmssnen.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages "= msv1_0 C:\WINDOWS\system32\awtsq.dll
"Notification Packages "= RASSFM KDCSVC WDIGEST scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-1197\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\LMALogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-2616\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-2626\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-2987\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3207\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3222\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3446\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3447\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3448\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3449\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3450\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3789\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3790\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3791\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3792\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3793\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3794\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3795\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3797\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4028\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\CGSLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4117\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\TCHLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4230\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4233\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4256\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4279\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4428\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4446\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4447\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4448\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4449\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4462\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4467\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4475\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4477\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4478\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4479\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4480\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4495\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4502\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4504\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4505\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4506\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4545\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4547\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@= "Service "

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wd.sys]
@= "Driver "

R0 crcdisk;CRC Disk Filter Driver;C:\WINDOWS\system32\DRIVERS\crcdisk.sys
R0 DfsDriver;DfsDriver;C:\WINDOWS\system32\drivers\Dfs.sys
R0 VSP;Volume Snapshot Provider;C:\WINDOWS\system32\DRIVERS\vsp.sys
R2 AeLookupSvc;Application Experience Lookup Service;C:\WINDOWS\system32\svchost.exe -k netsvcs
R2 MSSEARCH;Microsoft Search; "C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe "
R2 TIAccountManagementService80;Track-It! 8.0 Account Management Service; "e:\Program Files\Numara Software\Numara Track-It! 8\Web Add-On\Password Reset\Account Management Service\AccountManagementService.exe "
R2 TIConfiguration;Track-It! Configuration; "e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIConfiguration.exe "
R2 TIDashboardMonitor;Track-It! Dashboard Monitor; "e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIDashboardMonitor.exe "
R2 TIFileStorage;Track-It! File Storage; "e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIFileStorage.exe "
R2 TIMonitor;Track-It! Monitor; "e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIMonitor.exe "
R2 TIRmtSvc;Track-It! Workstation Manager;C:\WINDOWS\TIREMOTE\TIRemoteService.exe
R2 TISearch;Track-It! Search; "e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISearch.exe "
R2 TIServerServices80;Track-It! 8.0 Monitor Service;e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Server\TIServerServices.exe /StartService
R2 TISoftwareLicensingMonitor;Track-It! Software Licensing Monitor; "e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISoftwareLicensingMonitor.exe "
R2 TISystemNotificationMonitor;Track-It! System Notification Monitor; "e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISystemNotificationMonitor.exe "
R2 TIWorkOrderMonitor;Track-It! Work Order Monitor; "e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIWorkOrderMonitor.exe "
R2 UserSyncService80;Track-It! 8.0 User Synchronization Service;e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Server\User Synch\bin\TIUserSyncSvc.exe /StartService
R3 dcdbas;System Management Driver;C:\WINDOWS\system32\DRIVERS\dcdbas32.sys
R3 racser;racser;C:\WINDOWS\system32\DRIVERS\rac4ser.sys
S3 Dfs;Distributed File System;C:\WINDOWS\system32\Dfssvc.exe
S3 NtFrs;File Replication;C:\WINDOWS\system32\ntfrs.exe
S3 RSoPProv;Resultant Set of Policy Provider;C:\WINDOWS\system32\RSoPProv.exe
S3 sacsvr;Special Administration Console Helper;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 SmaRTIndexServer;SmaRTIndexServer;e:\Program Files\Numara Software\Numara Track-It! 8\Web Add-On\smart\services\SmartIndexer.exe
S3 WinHttpAutoProxySvc;WinHTTP Web Proxy Auto-Discovery Service;C:\WINDOWS\system32\svchost.exe -k LocalService
S3 WLBS;Network Load Balancing;C:\WINDOWS\system32\DRIVERS\wlbs.sys
S4 AmdIde;AmdIde;C:\WINDOWS\system32\drivers\AmdIde.sys
S4 arc;arc;C:\WINDOWS\system32\drivers\arc.sys
S4 ClusDisk;Cluster Disk Driver;C:\WINDOWS\system32\DRIVERS\ClusDisk.sys
S4 hpcisss;hpcisss;C:\WINDOWS\system32\drivers\hpcisss.sys
S4 IsmServ;Intersite Messaging;C:\WINDOWS\System32\ismserv.exe
S4 kdc;Kerberos Key Distribution Center;C:\WINDOWS\System32\lsass.exe
S4 TrkSvr;Distributed Link Tracking Server;C:\WINDOWS\system32\svchost.exe -k netsvcs
S4 Tssdis;Terminal Services Session Directory;C:\WINDOWS\System32\tssdis.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService Alerter WebClient LmHosts W32Time WinHttpAutoProxySvc
NetworkService 6to4 DHCP DnsCache
WinErr ERsvc
DcomLaunch DcomLaunch
tapisrv Tapisrv
regsvc RemoteRegistry
swprv swprv
iissvcs w3svc
HPZ12 Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AeLookupSvc
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
NWCWorkstation
Sacsvr
Schedule
Seclogon
Themes
TrkWks
TrkSvr
Wmi
WmdmPmSp
winmgmt
xmlprov
BITS
wuauserv
ShellHWDetection
helpsvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{36BBA8D2-CA5C-4847-81CC-4F807DD86C91}]
%SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateUser urlmon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6D69F546-C1AF-4049-AE9E-28627B91D3F5}]
%SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateAdmin urlmon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenUser
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-19 10:49:52
Windows 5.2.3790 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-19 10:50:21 - machine was rebooted
.
--- E O F ---

 

vundofix log

VundoFix V6.6.2

Checking Java version...

Sun Java not detected
Scan started at 10:28:52 AM 11/19/2007

Listing files found while scanning....

C:\WINDOWS\system32\foyqmrxc.dll
C:\windows\system32\nsfpihtg.dllbox
C:\windows\system32\xzydqxek.dllbox

Beginning removal...

Attempting to delete C:\windows\system32\nsfpihtg.dllbox
C:\windows\system32\nsfpihtg.dllbox Has been deleted!

Attempting to delete C:\windows\system32\xzydqxek.dllbox
C:\windows\system32\xzydqxek.dllbox Has been deleted!

Performing Repairs to the registry.
Done!

 

new Hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51, on 2007-11-19
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal

Running processes:
C:\Documents and Settings\Administrator.65GW2003\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\SysMgt\RAC4\racsvc.exe
C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
E:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIConfiguration.exe
C:\WINDOWS\TIREMOTE\TIRemoteService.exe
E:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIDashboardMonitor.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIFileStorage.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISearch.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISoftwareLicensingMonitor.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISystemNotificationMonitor.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIWorkOrderMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
E:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.adobe.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: (no name) - {03AD7A3A-3E67-4D64-8EFE-4317E909A461} - (no file)
O2 - BHO: (no name) - {05A42CB8-0D3E-45A9-ADFF-2AE544967C47} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2D77A72C-0FA8-4A3C-B537-83A2A422644B} - (no file)
O2 - BHO: (no name) - {2DFB38C8-6986-4015-A66D-E34D5277A00A} - C:\Program Files\Windows NT\mevoxud4444.dll (file missing)
O2 - BHO: (no name) - {320403C7-EAEA-493E-A64E-6B40D1AE1B70} - (no file)
O2 - BHO: (no name) - {3A1FDB3C-9812-4B97-9D44-7BDD8A3DF130} - (no file)
O2 - BHO: 0 - {405182E5-6B8E-4518-058C-1FB7E488191F} - C:\Program Files\WindowsUpdate\quharefow.dll (file missing)
O2 - BHO: (no name) - {51A1820E-A937-4F00-974D-926A912D31EE} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55E52BAE-BB19-4476-91A0-F9545AD662BA} - C:\Program Files\Windows NT\mevoxud83122.dll (file missing)
O2 - BHO: (no name) - {571E9CE8-22CB-4436-A8F1-25B05DA73D26} - (no file)
O2 - BHO: (no name) - {5CD19969-E60B-4FAC-B15B-388E94A0C84F} - (no file)
O2 - BHO: (no name) - {5F3C2A8B-02A4-4B3D-87AC-F6B9A000A8EF} - (no file)
O2 - BHO: (no name) - {69D7043D-106A-4F87-948D-CA2A01996550} - (no file)
O2 - BHO: (no name) - {78B66DF6-32BA-4FD5-89E0-E67F996627ED} - (no file)
O2 - BHO: (no name) - {958EE684-C2B5-4E4C-8B03-03231F0BA4DE} - (no file)
O2 - BHO: (no name) - {95ED77C1-A655-464A-8666-81353927343C} - (no file)
O2 - BHO: (no name) - {A842DAFC-FB78-4E50-AD07-308304B61F37} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\pcmssnen.dll
O2 - BHO: (no name) - {A9D5AFAB-2A60-4572-A81A-618743CFC9D3} - (no file)
O2 - BHO: (no name) - {AA70BA15-4AC5-405E-B405-56C294DB01D9} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {CC62A6CC-CB14-4BD4-8F29-EFDB9631C9FE} - (no file)
O2 - BHO: (no name) - {D0F1141D-0FBA-4753-8FD5-A23CC3295A0C} - (no file)
O2 - BHO: (no name) - {DA034E38-D5CF-4A6E-A216-9DB0185F6CF6} - (no file)
O2 - BHO: (no name) - {FB2644D1-6428-4E1E-9915-3DAD71000512} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\pcmssnen.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "
O4 - HKLM\..\Run: [SNM] E:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [602fd3b5] rundll32.exe "C:\WINDOWS\system32\alfehlaa.dll ",b
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.65gw2003\windows\system32\mswsock.dll' missing
O16 - DPF: {04B6290C-97B8-49A1-B0A3-1312254F7C54} (SharedSessionService Class) - https://portal.carealliance.com/portal/applets/SharedSession.dll
O16 - DPF: {26700CD9-6157-4B72-B46F-EC93C952F19C} (SWToolSet.Engine) - http://10.10.1.20/SWToolset.exe
O16 - DPF: {43E4476A-6C11-4274-AFA4-DF665B26EAE0} (Session Viewer) - https://10.10.1.43/plugins/vkvm/ActiveXVideoViewer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1189550347824
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1189550339113
O16 - DPF: {7D7D0CF0-BB7C-473E-8B35-7590F7D86671} (eFilmX Image Retrieval Module) - http://10.1.18.30/FusionServer/ActiveX/coefir.cab
O16 - DPF: {B1B22D8C-30F6-4BD5-8291-7C855D5CF2FC} (eFilmX Image Viewer) - http://10.1.18.30/FusionServer/ActiveX/eFilmX.cab
O16 - DPF: {EB29B81A-7351-4890-8BCE-58127C3545F9} (Mckntauth Control) - https://portal.carealliance.com/portal/applets/mckntauth.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 65GW2003.com
O17 - HKLM\Software\..\Telephony: DomainName = 65GW2003.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EFD42E0-A4D8-48AB-A4F5-6B1221F800F5}: NameServer = 10.10.1.70,10.10.1.72
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 65GW2003.com
O20 - Winlogon Notify: pcmssnen - pcmssnen.dll (file missing)
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSM SA Event Manager (dcevt32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
O23 - Service: DSM SA Data Manager (dcstor32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: mr2kserv - LSI Logic Corporation - C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
O23 - Service: DSM SA Shared Services (omsad) - Dell Inc. - C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
O23 - Service: Remote Access Controller 4 (RAC4) (racsvc) - Dell, Inc. - C:\Program Files\Dell\SysMgt\RAC4\racsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: DSM SA Connection Service (Server Administrator) - Unknown owner - C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
O23 - Service: SmaRTIndexServer - Self-Service Technologies - e:\Program Files\Numara Software\Numara Track-It! 8\Web Add-On\smart\services\SmartIndexer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Track-It! 8.0 Account Management Service (TIAccountManagementService80) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Web Add-On\Password Reset\Account Management Service\AccountManagementService.exe
O23 - Service: Track-It! Configuration (TIConfiguration) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIConfiguration.exe
O23 - Service: Track-It! Dashboard Monitor (TIDashboardMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIDashboardMonitor.exe
O23 - Service: Track-It! File Storage (TIFileStorage) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIFileStorage.exe
O23 - Service: Track-It! Monitor (TIMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIMonitor.exe
O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Numara Software, Inc. - C:\WINDOWS\TIREMOTE\TIRemoteService.exe
O23 - Service: Track-It! Search (TISearch) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISearch.exe
O23 - Service: Track-It! 8.0 Monitor Service (TIServerServices80) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Server\TIServerServices.exe
O23 - Service: Track-It! Software Licensing Monitor (TISoftwareLicensingMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISoftwareLicensingMonitor.exe
O23 - Service: Track-It! System Notification Monitor (TISystemNotificationMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISystemNotificationMonitor.exe
O23 - Service: Track-It! Work Order Monitor (TIWorkOrderMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIWorkOrderMonitor.exe
O23 - Service: Track-It! 8.0 User Synchronization Service (UserSyncService80) - Unknown owner - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Server\User Synch\bin\TIUserSyncSvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - E:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 14422 bytes

 

Scan again with HijackThis and place a check next to the following entries, close all other windows then click Fix Checked.

O2 - BHO: (no name) - {03AD7A3A-3E67-4D64-8EFE-4317E909A461} - (no file)
O2 - BHO: (no name) - {05A42CB8-0D3E-45A9-ADFF-2AE544967C47} - (no file)
O2 - BHO: (no name) - {2D77A72C-0FA8-4A3C-B537-83A2A422644B} - (no file)
O2 - BHO: (no name) - {2DFB38C8-6986-4015-A66D-E34D5277A00A} - C:\Program Files\Windows NT\mevoxud4444.dll (file missing)
O2 - BHO: (no name) - {320403C7-EAEA-493E-A64E-6B40D1AE1B70} - (no file)
O2 - BHO: (no name) - {3A1FDB3C-9812-4B97-9D44-7BDD8A3DF130} - (no file)
O2 - BHO: 0 - {405182E5-6B8E-4518-058C-1FB7E488191F} - C:\Program Files\WindowsUpdate\quharefow.dll (file missing)
O2 - BHO: (no name) - {51A1820E-A937-4F00-974D-926A912D31EE} - (no file)
O2 - BHO: (no name) - {55E52BAE-BB19-4476-91A0-F9545AD662BA} - C:\Program Files\Windows NT\mevoxud83122.dll (file missing)
O2 - BHO: (no name) - {571E9CE8-22CB-4436-A8F1-25B05DA73D26} - (no file)
O2 - BHO: (no name) - {5CD19969-E60B-4FAC-B15B-388E94A0C84F} - (no file)
O2 - BHO: (no name) - {5F3C2A8B-02A4-4B3D-87AC-F6B9A000A8EF} - (no file)
O2 - BHO: (no name) - {69D7043D-106A-4F87-948D-CA2A01996550} - (no file)
O2 - BHO: (no name) - {78B66DF6-32BA-4FD5-89E0-E67F996627ED} - (no file)
O2 - BHO: (no name) - {958EE684-C2B5-4E4C-8B03-03231F0BA4DE} - (no file)
O2 - BHO: (no name) - {95ED77C1-A655-464A-8666-81353927343C} - (no file)
O2 - BHO: (no name) - {A842DAFC-FB78-4E50-AD07-308304B61F37} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\pcmssnen.dll
O2 - BHO: (no name) - {A9D5AFAB-2A60-4572-A81A-618743CFC9D3} - (no file)
O2 - BHO: (no name) - {AA70BA15-4AC5-405E-B405-56C294DB01D9} - (no file)
O2 - BHO: (no name) - {CC62A6CC-CB14-4BD4-8F29-EFDB9631C9FE} - (no file)
O2 - BHO: (no name) - {D0F1141D-0FBA-4753-8FD5-A23CC3295A0C} - (no file)
O2 - BHO: (no name) - {DA034E38-D5CF-4A6E-A216-9DB0185F6CF6} - (no file)
O2 - BHO: (no name) - {FB2644D1-6428-4E1E-9915-3DAD71000512} - (no file)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\pcmssnen.dll
O4 - HKLM\..\Run: [602fd3b5] rundll32.exe "C:\WINDOWS\system32\alfehlaa.dll ",b
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O20 - Winlogon Notify: pcmssnen - pcmssnen.dll (file missing)

Close HijackThis.

Download Deckard's System Scanner (dss.exe) and save it to your desktop.

• Close all applications and windows.
• Double click on dss.exe to run it and follow the prompts.
• When the scan is complete, two text files will open; main.txt, which will be maximized and extra.txt, which will be minimized.

Post the contents of main.txt only for now.

 

deckerds main.txt log part 1

Deckard's System Scanner v20071014.68
Run by administrator on 2007-11-20 00:06:01
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:06, on 2007-11-20
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal

Running processes:
C:\Documents and Settings\Administrator.65GW2003\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\SysMgt\RAC4\racsvc.exe
C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
E:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIConfiguration.exe
C:\WINDOWS\TIREMOTE\TIRemoteService.exe
E:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIDashboardMonitor.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIFileStorage.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISearch.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISoftwareLicensingMonitor.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISystemNotificationMonitor.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIWorkOrderMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Administrator.65GW2003\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\administrator.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.adobe.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\pcmssnen.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\pcmssnen.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "
O4 - HKLM\..\Run: [SNM] E:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.65gw2003\windows\system32\mswsock.dll' missing
O16 - DPF: {04B6290C-97B8-49A1-B0A3-1312254F7C54} (SharedSessionService Class) - https://portal.carealliance.com/portal/applets/SharedSession.dll
O16 - DPF: {26700CD9-6157-4B72-B46F-EC93C952F19C} (SWToolSet.Engine) - http://10.10.1.20/SWToolset.exe
O16 - DPF: {43E4476A-6C11-4274-AFA4-DF665B26EAE0} (Session Viewer) - https://10.10.1.43/plugins/vkvm/ActiveXVideoViewer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1189550347824
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1189550339113
O16 - DPF: {7D7D0CF0-BB7C-473E-8B35-7590F7D86671} (eFilmX Image Retrieval Module) - http://10.1.18.30/FusionServer/ActiveX/coefir.cab
O16 - DPF: {B1B22D8C-30F6-4BD5-8291-7C855D5CF2FC} (eFilmX Image Viewer) - http://10.1.18.30/FusionServer/ActiveX/eFilmX.cab
O16 - DPF: {EB29B81A-7351-4890-8BCE-58127C3545F9} (Mckntauth Control) - https://portal.carealliance.com/portal/applets/mckntauth.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 65GW2003.com
O17 - HKLM\Software\..\Telephony: DomainName = 65GW2003.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EFD42E0-A4D8-48AB-A4F5-6B1221F800F5}: NameServer = 10.10.1.70,10.10.1.72
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 65GW2003.com
O20 - Winlogon Notify: pcmssnen - pcmssnen.dll (file missing)
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSM SA Event Manager (dcevt32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
O23 - Service: DSM SA Data Manager (dcstor32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: mr2kserv - LSI Logic Corporation - C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
O23 - Service: DSM SA Shared Services (omsad) - Dell Inc. - C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
O23 - Service: Remote Access Controller 4 (RAC4) (racsvc) - Dell, Inc. - C:\Program Files\Dell\SysMgt\RAC4\racsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: DSM SA Connection Service (Server Administrator) - Unknown owner - C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
O23 - Service: SmaRTIndexServer - Self-Service Technologies - e:\Program Files\Numara Software\Numara Track-It! 8\Web Add-On\smart\services\SmartIndexer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Track-It! 8.0 Account Management Service (TIAccountManagementService80) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Web Add-On\Password Reset\Account Management Service\AccountManagementService.exe
O23 - Service: Track-It! Configuration (TIConfiguration) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIConfiguration.exe
O23 - Service: Track-It! Dashboard Monitor (TIDashboardMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIDashboardMonitor.exe
O23 - Service: Track-It! File Storage (TIFileStorage) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIFileStorage.exe
O23 - Service: Track-It! Monitor (TIMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIMonitor.exe
O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Numara Software, Inc. - C:\WINDOWS\TIREMOTE\TIRemoteService.exe
O23 - Service: Track-It! Search (TISearch) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISearch.exe
O23 - Service: Track-It! 8.0 Monitor Service (TIServerServices80) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Server\TIServerServices.exe
O23 - Service: Track-It! Software Licensing Monitor (TISoftwareLicensingMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISoftwareLicensingMonitor.exe
O23 - Service: Track-It! System Notification Monitor (TISystemNotificationMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISystemNotificationMonitor.exe
O23 - Service: Track-It! Work Order Monitor (TIWorkOrderMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIWorkOrderMonitor.exe
O23 - Service: Track-It! 8.0 User Synchronization Service (UserSyncService80) - Unknown owner - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Server\User Synch\bin\TIUserSyncSvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - E:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 12417 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20071120-000401-108 O2 - BHO: (no name) - {CC62A6CC-CB14-4BD4-8F29-EFDB9631C9FE} - (no file)
backup-20071120-000401-110 O2 - BHO: (no name) - {571E9CE8-22CB-4436-A8F1-25B05DA73D26} - (no file)
backup-20071120-000401-117 O2 - BHO: (no name) - {55E52BAE-BB19-4476-91A0-F9545AD662BA} - C:\Program Files\Windows NT\mevoxud83122.dll (file missing)
backup-20071120-000401-125 O2 - BHO: (no name) - {69D7043D-106A-4F87-948D-CA2A01996550} - (no file)
backup-20071120-000401-144 O4 - HKLM\..\Run: [602fd3b5] rundll32.exe "C:\WINDOWS\system32\alfehlaa.dll ",b
backup-20071120-000401-158 O2 - BHO: (no name) - {AA70BA15-4AC5-405E-B405-56C294DB01D9} - (no file)
backup-20071120-000401-159 O2 - BHO: (no name) - {320403C7-EAEA-493E-A64E-6B40D1AE1B70} - (no file)
backup-20071120-000401-170 O2 - BHO: (no name) - {05A42CB8-0D3E-45A9-ADFF-2AE544967C47} - (no file)
backup-20071120-000401-249 O2 - BHO: 0 - {405182E5-6B8E-4518-058C-1FB7E488191F} - C:\Program Files\WindowsUpdate\quharefow.dll (file missing)
backup-20071120-000401-253 O2 - BHO: (no name) - {03AD7A3A-3E67-4D64-8EFE-4317E909A461} - (no file)
backup-20071120-000401-286 O2 - BHO: (no name) - {FB2644D1-6428-4E1E-9915-3DAD71000512} - (no file)
backup-20071120-000401-343 O2 - BHO: (no name) - {DA034E38-D5CF-4A6E-A216-9DB0185F6CF6} - (no file)
backup-20071120-000401-345 O2 - BHO: (no name) - {2DFB38C8-6986-4015-A66D-E34D5277A00A} - C:\Program Files\Windows NT\mevoxud4444.dll (file missing)
backup-20071120-000401-386 O2 - BHO: (no name) - {A9D5AFAB-2A60-4572-A81A-618743CFC9D3} - (no file)
backup-20071120-000401-448 O2 - BHO: (no name) - {51A1820E-A937-4F00-974D-926A912D31EE} - (no file)
backup-20071120-000401-555 O2 - BHO: (no name) - {78B66DF6-32BA-4FD5-89E0-E67F996627ED} - (no file)
backup-20071120-000401-601 O2 - BHO: (no name) - {5F3C2A8B-02A4-4B3D-87AC-F6B9A000A8EF} - (no file)
backup-20071120-000401-617 O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
backup-20071120-000401-715 O2 - BHO: (no name) - {95ED77C1-A655-464A-8666-81353927343C} - (no file)
backup-20071120-000401-724 O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\pcmssnen.dll
backup-20071120-000401-796 O2 - BHO: (no name) - {958EE684-C2B5-4E4C-8B03-03231F0BA4DE} - (no file)
backup-20071120-000401-809 O2 - BHO: (no name) - {A842DAFC-FB78-4E50-AD07-308304B61F37} - (no file)
backup-20071120-000401-864 O2 - BHO: (no name) - {5CD19969-E60B-4FAC-B15B-388E94A0C84F} - (no file)
backup-20071120-000401-888 O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\pcmssnen.dll
backup-20071120-000401-950 O2 - BHO: (no name) - {2D77A72C-0FA8-4A3C-B537-83A2A422644B} - (no file)
backup-20071120-000401-982 O2 - BHO: (no name) - {3A1FDB3C-9812-4B97-9D44-7BDD8A3DF130} - (no file)
backup-20071120-000401-991 O2 - BHO: (no name) - {D0F1141D-0FBA-4753-8FD5-A23CC3295A0C} - (no file)

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1 ",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 catchme - c:\docume~1\admini~1.65g\locals~1\temp\catchme.sys (file missing)

S3 IpInIp (IP in IP Tunnel Driver) - c:\windows\system32\drivers\ipinip.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 dcevt32 (DSM SA Event Manager) - "c:\program files\dell\sysmgt\dataeng\bin\dsm_sa_eventmgr32.exe" <Not Verified; Dell Inc.; Dell(R) Data Engine>
R2 dcstor32 (DSM SA Data Manager) - "c:\program files\dell\sysmgt\dataeng\bin\dsm_sa_datamgr32.exe" <Not Verified; Dell Inc.; Dell(R) Data Engine>
R2 mr2kserv - "c:\program files\dell\sysmgt\sm\mr2kserv.exe" <Not Verified; LSI Logic Corporation; mr2kserv>
R2 MSSEARCH (Microsoft Search) - "c:\program files\common files\system\mssearch\bin\mssearch.exe" <Not Verified; Microsoft Corporation; PKM>
R2 omsad (DSM SA Shared Services) - "c:\program files\dell\sysmgt\oma\bin\dsm_om_shrsvc32.exe" <Not Verified; Dell Inc.; Server Administrator>
R2 racsvc (Remote Access Controller 4 (RAC4)) - "c:\program files\dell\sysmgt\rac4\racsvc.exe" -startservice <Not Verified; Dell, Inc.; Remote Access Controller (RAC)>
R2 Server Administrator (DSM SA Connection Service) - "c:\program files\dell\sysmgt\iws\bin\win32\dsm_om_connsvc32.exe" <Not Verified; ; Server Administrator>
R2 TIAccountManagementService80 (Track-It! 8.0 Account Management Service) - "e:\program files\numara software\numara track-it! 8\web add-on\password reset\account management service\accountmanagementservice.exe" <Not Verified; Numara Software, Inc.; Track-It! Password Reset>
R2 TIConfiguration (Track-It! Configuration) - "e:\program files\numara software\numara track-it! 8\track-it! services\ticonfiguration.exe" <Not Verified; Numara Software, Inc.; Track-It!>
R2 TIDashboardMonitor (Track-It! Dashboard Monitor) - "e:\program files\numara software\numara track-it! 8\track-it! services\tidashboardmonitor.exe" <Not Verified; Numara Software, Inc.; Track-It!>
R2 TIFileStorage (Track-It! File Storage) - "e:\program files\numara software\numara track-it! 8\track-it! services\tifilestorage.exe" <Not Verified; Numara Software, Inc.; Track-It!>
R2 TIMonitor (Track-It! Monitor) - "e:\program files\numara software\numara track-it! 8\track-it! services\timonitor.exe" <Not Verified; Numara Software, Inc.; Track-It!>
R2 TIRmtSvc (Track-It! Workstation Manager) - c:\windows\tiremote\tiremoteservice.exe <Not Verified; Numara Software, Inc.; Track-It! 8.0>
R2 TISearch (Track-It! Search) - "e:\program files\numara software\numara track-it! 8\track-it! services\tisearch.exe" <Not Verified; Numara Software, Inc.; Track-It!>
R2 TIServerServices80 (Track-It! 8.0 Monitor Service) - e:\program files\numara software\numara track-it! 8\track-it! server\tiserverservices.exe /startservice <Not Verified; Numara Software, Inc.; Track-It! 8.0>
R2 TISoftwareLicensingMonitor (Track-It! Software Licensing Monitor) - "e:\program files\numara software\numara track-it! 8\track-it! services\tisoftwarelicensingmonitor.exe" <Not Verified; Numara Software, Inc.; Track-It!>
R2 TISystemNotificationMonitor (Track-It! System Notification Monitor) - "e:\program files\numara software\numara track-it! 8\track-it! services\tisystemnotificationmonitor.exe" <Not Verified; Numara Software, Inc.; Track-It!>
R2 TIWorkOrderMonitor (Track-It! Work Order Monitor) - "e:\program files\numara software\numara track-it! 8\track-it! services\tiworkordermonitor.exe" <Not Verified; Numara Software, Inc.; Track-It!>
R2 UserSyncService80 (Track-It! 8.0 User Synchronization Service) - e:\program files\numara software\numara track-it! 8\track-it! server\user synch\bin\tiusersyncsvc.exe /startservice

S3 SmaRTIndexServer - e:\program files\numara software\numara track-it! 8\web add-on\smart\services\smartindexer.exe <Not Verified; Self-Service Technologies; SmartIndexer Service>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) PRO/1000 MT Network Connection
Device ID: PCI\VEN_8086&DEV_1076&SUBSYS_016D1028&REV_05\5&C8E9BA0&0&400228
Manufacturer: Intel
Name: Intel(R) PRO/1000 MT Network Connection
PNP Device ID: PCI\VEN_8086&DEV_1076&SUBSYS_016D1028&REV_05\5&C8E9BA0&0&400228
Service: E1000


-- Files created between 2007-10-20 and 2007-11-20 -----------------------------

2007-11-19 10:43:16 145984 -----n--- C:\WINDOWS\system32\pcmssnen.dll
2007-11-19 10:40:08 71232 --a------ C:\WINDOWS\system32\rptphqtm.exe <Not Verified; ; DDC>
2007-11-19 10:30:00 71232 --a------ C:\WINDOWS\system32\udvndlir.exe <Not Verified; ; DDC>
2007-11-19 10:28:52 0 d-------- C:\VundoFix Backups
2007-11-19 10:27:17 118272 --a------ C:\Documents and Settings\Administrator.65GW2003\VundoFix.exe <Not Verified; Atribune.org; VundoFix>
2007-11-19 08:53:28 85056 -----n--- C:\WINDOWS\system32\alfehlaa.dll
2007-11-19 08:53:27 71232 --a------ C:\WINDOWS\system32\rulqrxij.exe <Not Verified; ; DDC>
2007-11-19 08:50:28 71232 --a------ C:\WINDOWS\system32\pipsjnel.exe <Not Verified; ; DDC>
2007-11-19 08:15:14 71232 --a------ C:\WINDOWS\system32\idyvykee.exe <Not Verified; ; DDC>
2007-11-19 07:57:10 71232 --a------ C:\WINDOWS\system32\ybphpewf.exe <Not Verified; ; DDC>
2007-11-18 19:59:33 71232 --a------ C:\WINDOWS\system32\rmdhtmnd.exe <Not Verified; ; DDC>
2007-11-18 13:17:27 0 d-------- C:\Program Files\Trend Micro
2007-11-18 13:16:46 71232 --a------ C:\WINDOWS\system32\rkksgdus.exe <Not Verified; ; DDC>
2007-11-17 19:59:33 71232 --a------ C:\WINDOWS\system32\uxgmonco.exe <Not Verified; ; DDC>
2007-11-16 19:59:32 71232 --a------ C:\WINDOWS\system32\bwbayumi.exe <Not Verified; ; DDC>
2007-11-15 19:59:31 71232 --a------ C:\WINDOWS\system32\rdlkaqnk.exe <Not Verified; ; DDC>
2007-11-15 07:56:31 71232 --a------ C:\WINDOWS\system32\iucgtedb.exe <Not Verified; ; DDC>
2007-11-14 19:56:52 71232 --a------ C:\WINDOWS\system32\fjtnxgnc.exe <Not Verified; ; DDC>
2007-11-14 16:53:36 71232 --a------ C:\WINDOWS\system32\gbilfyeh.exe <Not Verified; ; DDC>
2007-11-14 16:22:49 71232 --a------ C:\WINDOWS\system32\cnyefinv.exe <Not Verified; ; DDC>
2007-11-14 15:21:30 71232 --a------ C:\WINDOWS\system32\tttpohgh.exe <Not Verified; ; DDC>
2007-11-13 09:25:56 71232 --a------ C:\WINDOWS\system32\nerkwrfy.exe <Not Verified; ; DDC>
2007-11-13 08:22:13 0 d-------- C:\Documents and Settings\o'brienp\WINDOWS
2007-11-13 08:22:13 0 d--h----- C:\Documents and Settings\o'brienp\Templates
2007-11-13 08:22:13 0 dr------- C:\Documents and Settings\o'brienp\Start Menu
2007-11-13 08:22:13 0 dr-h----- C:\Documents and Settings\o'brienp\SendTo
2007-11-13 08:22:13 0 d--h----- C:\Documents and Settings\o'brienp\Recent
2007-11-13 08:22:13 0 d--h----- C:\Documents and Settings\o'brienp\PrintHood
2007-11-13 08:22:13 786432 -----n--- C:\Documents and Settings\o'brienp\NTUSER.DAT
2007-11-13 08:22:13 0 d--h----- C:\Documents and Settings\o'brienp\NetHood
2007-11-13 08:22:13 0 d-------- C:\Documents and Settings\o'brienp\My Documents
2007-11-13 08:22:13 0 d--h----- C:\Documents and Settings\o'brienp\Local Settings
2007-11-13 08:22:13 0 d-------- C:\Documents and Settings\o'brienp\Favorites
2007-11-13 08:22:13 0 d-------- C:\Documents and Settings\o'brienp\Desktop
2007-11-13 08:22:13 0 d---s---- C:\Documents and Settings\o'brienp\Cookies
2007-11-13 08:22:13 0 dr-h----- C:\Documents and Settings\o'brienp\Application Data
2007-11-13 08:22:13 0 d---s---- C:\Documents and Settings\o'brienp\Application Data\Microsoft
2007-11-13 08:22:13 0 d-------- C:\Documents and Settings\o'brienp\Application Data\Identities
2007-11-12 09:26:03 71232 --a------ C:\WINDOWS\system32\wrxolinr.exe <Not Verified; ; DDC>
2007-11-12 09:19:25 71232 --a------ C:\WINDOWS\system32\qmkrkypk.exe <Not Verified; ; DDC>
2007-11-12 09:10:57 71232 --a------ C:\WINDOWS\system32\oyksensg.exe <Not Verified; ; DDC>
2007-11-12 09:06:11 71232 --a------ C:\WINDOWS\system32\meiuvntb.exe <Not Verified; ; DDC>
2007-11-12 09:03:42 71232 --a------ C:\WINDOWS\system32\ilqelqim.exe <Not Verified; ; DDC>
2007-11-12 09:01:45 71232 --a------ C:\WINDOWS\system32\bttmmtrf.exe <Not Verified; ; DDC>
2007-11-09 08:04:44 71232 --a------ C:\WINDOWS\system32\kjluojcv.exe <Not Verified; ; DDC>
2007-11-08 18:20:42 71232 --a------ C:\WINDOWS\system32\aqwqlkvi.exe <Not Verified; ; DDC>
2007-11-08 14:17:07 71232 --a------ C:\WINDOWS\system32\jdpoukfa.exe <Not Verified; ; DDC>
2007-11-08 13:37:34 0 d-------- C:\Documents and Settings\65gspam\Application Data\Identities
2007-11-08 13:37:16 0 d-------- C:\Documents and Settings\65gspam\WINDOWS
2007-11-08 13:37:12 0 d--h----- C:\Documents and Settings\65gspam\Templates
2007-11-08 13:37:12 0 dr------- C:\Documents and Settings\65gspam\Start Menu
2007-11-08 13:37:12 0 dr-h----- C:\Documents and Settings\65gspam\SendTo
2007-11-08 13:37:12 0 d--h----- C:\Documents and Settings\65gspam\Recent
2007-11-08 13:37:12 0 d--h----- C:\Documents and Settings\65gspam\PrintHood
2007-11-08 13:37:12 786432 ---h----- C:\Documents and Settings\65gspam\NTUSER.DAT
2007-11-08 13:37:12 0 d--h----- C:\Documents and Settings\65gspam\NetHood
2007-11-08 13:37:12 0 d-------- C:\Documents and Settings\65gspam\My Documents
2007-11-08 13:37:12 0 d--h----- C:\Documents and Settings\65gspam\Local Settings
2007-11-08 13:37:12 0 d-------- C:\Documents and Settings\65gspam\Favorites
2007-11-08 13:37:12 0 d-------- C:\Documents and Settings\65gspam\Desktop
2007-11-08 13:37:12 0 d---s---- C:\Documents and Settings\65gspam\Cookies
2007-11-08 13:37:12 0 dr-h----- C:\Documents and Settings\65gspam\Application Data
2007-11-08 13:37:12 0 d---s---- C:\Documents and Settings\65gspam\Application Data\Microsoft
2007-11-08 13:37:12 0 d-------- C:\Documents and Settings\65gspam\Application Data\Macromedia
2007-11-08 13:31:30 71232 --a------ C:\WINDOWS\system32\psblqyul.exe <Not Verified; ; DDC>
2007-11-08 06:58:34 71232 --a------ C:\WINDOWS\system32\xpaiagtx.exe <Not Verified; ; DDC>
2007-11-07 20:57:49 71232 --a------ C:\WINDOWS\system32\exrtorir.exe <Not Verified; ; DDC>
2007-11-07 20:45:52 71232 --a------ C:\WINDOWS\system32\kpnycsdr.exe <Not Verified; ; DDC>
2007-11-07 20:45:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2007-11-07 19:55:15 71232 --a------ C:\WINDOWS\system32\ubnpubsn.exe <Not Verified; ; DDC>
2007-11-07 19:11:21 71232 --a------ C:\WINDOWS\system32\tvgxjffu.exe <Not Verified; ; DDC>
2007-11-07 18:10:32 71232 --a------ C:\WINDOWS\system32\btglcsyy.exe <Not Verified; ; DDC>
2007-11-07 17:53:09 71232 --a------ C:\WINDOWS\system32\scdeybvw.exe <Not Verified; ; DDC>
2007-11-07 14:52:10 71232 --a------ C:\WINDOWS\system32\oyeoidoj.exe <Not Verified; ; DDC>
2007-11-07 13:43:14 71232 --a------ C:\WINDOWS\system32\mwarisdc.exe <Not Verified; ; DDC>
2007-11-07 13:33:46 71232 --a------ C:\WINDOWS\system32\pctlyrck.exe <Not Verified; ; DDC>
2007-11-07 13:33:18 71232 --a------ C:\WINDOWS\system32\qssqycex.exe <Not Verified; ; DDC>
2007-11-07 12:36:53 71232 --a------ C:\WINDOWS\system32\ptrefreb.exe <Not Verified; ; DDC>
2007-11-07 11:42:10 0 d-------- C:\Documents and Settings\atlantalocaldispatch\Application Data\Identities
2007-11-07 11:41:02 0 d-------- C:\Documents and Settings\atlantalocaldispatch\WINDOWS
2007-11-07 11:40:58 0 d--h----- C:\Documents and Settings\atlantalocaldispatch\Templates
2007-11-07 11:40:58 0 dr------- C:\Documents and Settings\atlantalocaldispatch\Start Menu
2007-11-07 11:40:58 0 dr-h----- C:\Documents and Settings\atlantalocaldispatch\SendTo
2007-11-07 11:40:58 0 d--h----- C:\Documents and Settings\atlantalocaldispatch\Recent
2007-11-07 11:40:58 0 d--h----- C:\Documents and Settings\atlantalocaldispatch\PrintHood
2007-11-07 11:40:58 786432 ---h----- C:\Documents and Settings\atlantalocaldispatch\NTUSER.DAT
2007-11-07 11:40:58 0 d--h----- C:\Documents and Settings\atlantalocaldispatch\NetHood
2007-11-07 11:40:58 0 d-------- C:\Documents and Settings\atlantalocaldispatch\My Documents
2007-11-07 11:40:58 0 d--h----- C:\Documents and Settings\atlantalocaldispatch\Local Settings
2007-11-07 11:40:58 0 d-------- C:\Documents and Settings\atlantalocaldispatch\Favorites
2007-11-07 11:40:58 0 d-------- C:\Documents and Settings\atlantalocaldispatch\Desktop
2007-11-07 11:40:58 0 d---s---- C:\Documents and Settings\atlantalocaldispatch\Cookies
2007-11-07 11:40:58 0 dr-h----- C:\Documents and Settings\atlantalocaldispatch\Application Data
2007-11-07 11:40:58 0 d---s---- C:\Documents and Settings\atlantalocaldispatch\Application Data\Microsoft
2007-11-07 11:40:58 0 d-------- C:\Documents and Settings\atlantalocaldispatch\Application Data\Macromedia
2007-11-07 11:19:58 71232 --a------ C:\WINDOWS\system32\bqjieohr.exe <Not Verified; ; DDC>
2007-11-07 10:08:06 71232 --a------ C:\WINDOWS\system32\tnsygsok.exe <Not Verified; ; DDC>
2007-11-07 09:00:04 71232 --a------ C:\WINDOWS\system32\dtppnphn.exe <Not Verified; ; DDC>
2007-11-07 08:56:50 71232 --a------ C:\WINDOWS\system32\ocnlrxrd.exe <Not Verified; ; DDC>
2007-11-06 13:57:10 71232 --a------ C:\WINDOWS\system32\sawdptix.exe <Not Verified; ; DDC>
2007-11-06 08:24:02 87104 --a------ C:\WINDOWS\system32\xjpynghw.dll
2007-11-05 08:12:03 85568 --a------ C:\WINDOWS\system32\cwntlius.dll
2007-11-04 13:20:41 86080 --a------ C:\WINDOWS\system32\uwwixadt.dll
2007-11-04 12:50:56 86080 --a------ C:\WINDOWS\system32\mdbjcsdu.dll
2007-11-04 12:44:11 6656 --a------ C:\WINDOWS\system32\BiosMsg.dll
2007-11-04 12:42:02 86080 --a------ C:\WINDOWS\system32\wjwiubjs.dll
2007-11-04 12:21:20 86080 --a------ C:\WINDOWS\system32\plfhggnj.dll
2007-11-04 11:59:38 86080 --a------ C:\WINDOWS\system32\govytbts.dll

 

deckerds main.txt log part 2

2007-11-04 11:42:26 86016 --a------ C:\WINDOWS\system32\DellSPMsg.dll <Not Verified; Dell, Inc.; Change Management SDK>
2007-11-02 08:32:16 0 d-------- C:\Documents and Settings\coakleya\Application Data\Identities
2007-11-02 08:31:52 0 d-------- C:\Documents and Settings\campbelle\Application Data\Identities
2007-11-02 08:31:30 0 d-------- C:\Documents and Settings\hughesbi\Application Data\Identities
2007-11-02 08:31:11 0 d-------- C:\Documents and Settings\coakleya\WINDOWS
2007-11-02 08:31:07 0 d--h----- C:\Documents and Settings\coakleya\Templates
2007-11-02 08:31:07 0 dr------- C:\Documents and Settings\coakleya\Start Menu
2007-11-02 08:31:07 0 dr-h----- C:\Documents and Settings\coakleya\SendTo
2007-11-02 08:31:07 0 d--h----- C:\Documents and Settings\coakleya\Recent
2007-11-02 08:31:07 0 d--h----- C:\Documents and Settings\coakleya\PrintHood
2007-11-02 08:31:07 786432 ---h----- C:\Documents and Settings\coakleya\NTUSER.DAT
2007-11-02 08:31:07 0 d--h----- C:\Documents and Settings\coakleya\NetHood
2007-11-02 08:31:07 0 d-------- C:\Documents and Settings\coakleya\My Documents
2007-11-02 08:31:07 0 d--h----- C:\Documents and Settings\coakleya\Local Settings
2007-11-02 08:31:07 0 d-------- C:\Documents and Settings\coakleya\Favorites
2007-11-02 08:31:07 0 d-------- C:\Documents and Settings\coakleya\Desktop
2007-11-02 08:31:07 0 d---s---- C:\Documents and Settings\coakleya\Cookies
2007-11-02 08:31:07 0 dr-h----- C:\Documents and Settings\coakleya\Application Data
2007-11-02 08:31:07 0 d---s---- C:\Documents and Settings\coakleya\Application Data\Microsoft
2007-11-02 08:31:07 0 d-------- C:\Documents and Settings\coakleya\Application Data\Macromedia
2007-11-02 08:31:01 0 d-------- C:\Documents and Settings\campbelle\WINDOWS
2007-11-02 08:30:57 0 d--h----- C:\Documents and Settings\campbelle\Templates
2007-11-02 08:30:57 0 dr------- C:\Documents and Settings\campbelle\Start Menu
2007-11-02 08:30:57 0 dr-h----- C:\Documents and Settings\campbelle\SendTo
2007-11-02 08:30:57 0 d--h----- C:\Documents and Settings\campbelle\Recent
2007-11-02 08:30:57 0 d--h----- C:\Documents and Settings\campbelle\PrintHood
2007-11-02 08:30:57 786432 ---h----- C:\Documents and Settings\campbelle\NTUSER.DAT
2007-11-02 08:30:57 0 d--h----- C:\Documents and Settings\campbelle\NetHood
2007-11-02 08:30:57 0 d-------- C:\Documents and Settings\campbelle\My Documents
2007-11-02 08:30:57 0 d--h----- C:\Documents and Settings\campbelle\Local Settings
2007-11-02 08:30:57 0 d-------- C:\Documents and Settings\campbelle\Favorites
2007-11-02 08:30:57 0 d-------- C:\Documents and Settings\campbelle\Desktop
2007-11-02 08:30:57 0 d---s---- C:\Documents and Settings\campbelle\Cookies
2007-11-02 08:30:57 0 dr-h----- C:\Documents and Settings\campbelle\Application Data
2007-11-02 08:30:57 0 d---s---- C:\Documents and Settings\campbelle\Application Data\Microsoft
2007-11-02 08:30:57 0 d-------- C:\Documents and Settings\campbelle\Application Data\Macromedia
2007-11-02 08:30:54 0 d-------- C:\Documents and Settings\hughesbi\WINDOWS
2007-11-02 08:30:49 0 d--h----- C:\Documents and Settings\hughesbi\Templates
2007-11-02 08:30:49 0 dr------- C:\Documents and Settings\hughesbi\Start Menu
2007-11-02 08:30:49 0 dr-h----- C:\Documents and Settings\hughesbi\SendTo
2007-11-02 08:30:49 0 d--h----- C:\Documents and Settings\hughesbi\Recent
2007-11-02 08:30:49 0 d--h----- C:\Documents and Settings\hughesbi\PrintHood
2007-11-02 08:30:49 786432 ---h----- C:\Documents and Settings\hughesbi\NTUSER.DAT
2007-11-02 08:30:49 0 d--h----- C:\Documents and Settings\hughesbi\NetHood
2007-11-02 08:30:49 0 d-------- C:\Documents and Settings\hughesbi\My Documents
2007-11-02 08:30:49 0 d--h----- C:\Documents and Settings\hughesbi\Local Settings
2007-11-02 08:30:49 0 d-------- C:\Documents and Settings\hughesbi\Favorites
2007-11-02 08:30:49 0 d-------- C:\Documents and Settings\hughesbi\Desktop
2007-11-02 08:30:49 0 d---s---- C:\Documents and Settings\hughesbi\Cookies
2007-11-02 08:30:49 0 dr-h----- C:\Documents and Settings\hughesbi\Application Data
2007-11-02 08:30:49 0 d---s---- C:\Documents and Settings\hughesbi\Application Data\Microsoft
2007-11-02 08:30:49 0 d-------- C:\Documents and Settings\hughesbi\Application Data\Macromedia
2007-11-01 15:42:56 0 d-------- C:\Documents and Settings\beckerc\Application Data\Identities
2007-11-01 15:42:34 0 d-------- C:\Documents and Settings\beckerc\WINDOWS
2007-11-01 15:42:30 0 d--h----- C:\Documents and Settings\beckerc\Templates
2007-11-01 15:42:30 0 dr------- C:\Documents and Settings\beckerc\Start Menu
2007-11-01 15:42:30 0 dr-h----- C:\Documents and Settings\beckerc\SendTo
2007-11-01 15:42:30 0 d--h----- C:\Documents and Settings\beckerc\Recent
2007-11-01 15:42:30 0 d--h----- C:\Documents and Settings\beckerc\PrintHood
2007-11-01 15:42:30 786432 ---h----- C:\Documents and Settings\beckerc\NTUSER.DAT
2007-11-01 15:42:30 0 d--h----- C:\Documents and Settings\beckerc\NetHood
2007-11-01 15:42:30 0 d-------- C:\Documents and Settings\beckerc\My Documents
2007-11-01 15:42:30 0 d--h----- C:\Documents and Settings\beckerc\Local Settings
2007-11-01 15:42:30 0 d-------- C:\Documents and Settings\beckerc\Favorites
2007-11-01 15:42:30 0 d-------- C:\Documents and Settings\beckerc\Desktop
2007-11-01 15:42:30 0 d---s---- C:\Documents and Settings\beckerc\Cookies
2007-11-01 15:42:30 0 dr-h----- C:\Documents and Settings\beckerc\Application Data
2007-11-01 15:42:30 0 d---s---- C:\Documents and Settings\beckerc\Application Data\Microsoft
2007-11-01 15:42:30 0 d-------- C:\Documents and Settings\beckerc\Application Data\Macromedia
2007-10-29 13:30:06 0 d-------- C:\Documents and Settings\atcwvedi\Application Data\Identities
2007-10-29 13:27:40 0 d-------- C:\Documents and Settings\atcwvedi\WINDOWS
2007-10-29 13:27:35 0 d-------- C:\Documents and Settings\atcwvedi\Application Data\Macromedia
2007-10-29 13:27:34 0 d--h----- C:\Documents and Settings\atcwvedi\Templates
2007-10-29 13:27:34 0 dr------- C:\Documents and Settings\atcwvedi\Start Menu
2007-10-29 13:27:34 0 dr-h----- C:\Documents and Settings\atcwvedi\SendTo
2007-10-29 13:27:34 0 d--h----- C:\Documents and Settings\atcwvedi\Recent
2007-10-29 13:27:34 0 d--h----- C:\Documents and Settings\atcwvedi\PrintHood
2007-10-29 13:27:34 524288 ---h----- C:\Documents and Settings\atcwvedi\NTUSER.DAT
2007-10-29 13:27:34 0 d--h----- C:\Documents and Settings\atcwvedi\NetHood
2007-10-29 13:27:34 0 d-------- C:\Documents and Settings\atcwvedi\My Documents
2007-10-29 13:27:34 0 d--h----- C:\Documents and Settings\atcwvedi\Local Settings
2007-10-29 13:27:34 0 d-------- C:\Documents and Settings\atcwvedi\Favorites
2007-10-29 13:27:34 0 d-------- C:\Documents and Settings\atcwvedi\Desktop
2007-10-29 13:27:34 0 d---s---- C:\Documents and Settings\atcwvedi\Cookies
2007-10-29 13:27:34 0 dr-h----- C:\Documents and Settings\atcwvedi\Application Data
2007-10-29 13:27:34 0 d---s---- C:\Documents and Settings\atcwvedi\Application Data\Microsoft
2007-10-24 16:54:19 0 d-------- C:\Program Files\Enigma Software Group
2007-10-24 16:29:22 255 -----n--- C:\ietempdel.bat
2007-10-22 08:39:34 0 d-------- C:\Documents and Settings\Default User\Application Data\Macromedia
2007-10-21 11:53:06 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-21 11:53:02 0 d-------- C:\Documents and Settings\Administrator.65GW2003\Application Data\SUPERAntiSpyware.com
2007-10-21 09:57:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-21 09:50:12 1152 --a------ C:\WINDOWS\system32\windrv.sys
2007-10-21 09:49:58 0 d-------- C:\Program Files\Common Files\Download Manager
2007-10-20 12:50:01 0 d---s---- C:\Documents and Settings\65gsupport\UserData
2007-10-20 12:43:22 0 d-------- C:\WINDOWS\system32\od2
2007-10-20 12:43:22 0 d-------- C:\WINDOWS\system32\ib1
2007-10-20 12:43:22 0 d-------- C:\WINDOWS\system32\cp1
2007-10-20 12:43:22 0 d-------- C:\WINDOWS\system32\bo2
2007-10-20 12:43:22 0 d-------- C:\WINDOWS\system32\ap1


-- Find3M Report ---------------------------------------------------------------

2007-11-19 10:49:06 0 d-------- C:\Program Files\Symantec AntiVirus
2007-11-14 16:35:37 0 d--h----- C:\Program Files\WindowsUpdate
2007-11-04 11:59:37 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-04 11:58:32 0 d-------- C:\Program Files\Common Files\InstallShield
2007-10-21 17:14:10 0 d-------- C:\Program Files\Common Files
2007-10-21 02:38:23 0 d-------- C:\Program Files\Windows NT
2007-09-30 17:09:00 0 d-------- C:\Program Files\Solarwinds


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-19 10:43 145984 --------- C:\WINDOWS\system32\pcmssnen.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583} "= C:\WINDOWS\system32\pcmssnen.dll [2007-11-19 10:43 145984]

[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 15:44]
"vptray "= "C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 14:18]
"Acrobat Assistant 7.0 "= "E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 01:12]
"SNM "= "E:\Program Files\SpyNoMore\SNM.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"tscuninstall "=%systemroot%\system32\tscupgrd.exe
@=
"O2K3ProfileSettings "= "E:\Program Files\ORKTools\ORK11\Tools\Profile Wizard\Proflwiz.exe" /r C:\Policies\o2k3ProfileSettings.ops /q

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-08-16 09:25:39]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2007-08-02 16:49:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad "=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden "=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
dimsntfy.dll 2007-02-17 09:02 19456 C:\WINDOWS\system32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcmssnen]
pcmssnen.dll 2007-11-19 10:43 145984 C:\WINDOWS\system32\pcmssnen.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages "= msv1_0 C:\WINDOWS\system32\awtsq.dll
"Notification Packages "= RASSFM KDCSVC WDIGEST scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-1197\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\LMALogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-2616\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-2626\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-2987\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3207\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3222\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3446\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3447\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3448\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3449\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3450\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3789\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3790\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3791\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3792\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3793\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3794\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3795\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3797\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4028\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\CGSLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4117\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\TCHLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4230\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4233\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4256\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4279\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4428\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4446\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4447\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4448\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4449\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4462\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4467\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4475\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4477\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4478\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4479\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4480\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4495\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4502\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4504\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4505\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4506\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4545\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4547\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@= "Service "

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@= "Service "

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wd.sys]
@= "Driver "

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@= "Volume shadow copy "

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService Alerter WebClient LmHosts W32Time WinHttpAutoProxySvc
NetworkService 6to4 DHCP DnsCache
WinErr ERsvc
DcomLaunch DcomLaunch
tapisrv Tapisrv
regsvc RemoteRegistry
swprv swprv
iissvcs w3svc
HPZ12 Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AeLookupSvc
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
NWCWorkstation
Sacsvr
Schedule
Seclogon
Themes
TrkWks
TrkSvr
Wmi
WmdmPmSp
winmgmt
xmlprov
BITS
wuauserv
ShellHWDetection
helpsvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{36BBA8D2-CA5C-4847-81CC-4F807DD86C91}]
%SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateUser urlmon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6D69F546-C1AF-4049-AE9E-28627B91D3F5}]
%SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateAdmin urlmon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenUser



-- End of Deckard's System Scanner: finished at 2007-11-20 02:07:11 ------------

 

First, delete the copy of VundoFix.exe you currently have and download a fresh one. Then delete the file C:\VundoFix.txt

Delete the following folders.

C:\WINDOWS\system32\od2
C:\WINDOWS\system32\ib1
C:\WINDOWS\system32\cp1
C:\WINDOWS\system32\bo2
C:\WINDOWS\system32\ap1


Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

Filename: vundofix.vft << make sure it's .vft and NOT .txt
Save As Type: All Files (*.*)

Code:

C:\WINDOWS\system32\pcmssnen.dll
C:\WINDOWS\system32\rptphqtm.exe
C:\WINDOWS\system32\udvndlir.exe
C:\WINDOWS\system32\alfehlaa.dll
C:\WINDOWS\system32\rulqrxij.exe
C:\WINDOWS\system32\pipsjnel.exe
C:\WINDOWS\system32\idyvykee.exe
C:\WINDOWS\system32\ybphpewf.exe
C:\WINDOWS\system32\rmdhtmnd.exe
C:\WINDOWS\system32\rkksgdus.exe
C:\WINDOWS\system32\uxgmonco.exe
C:\WINDOWS\system32\bwbayumi.exe
C:\WINDOWS\system32\rdlkaqnk.exe
C:\WINDOWS\system32\iucgtedb.exe
C:\WINDOWS\system32\fjtnxgnc.exe
C:\WINDOWS\system32\gbilfyeh.exe
C:\WINDOWS\system32\cnyefinv.exe
C:\WINDOWS\system32\tttpohgh.exe
C:\WINDOWS\system32\nerkwrfy.exe
C:\WINDOWS\system32\wrxolinr.exe
C:\WINDOWS\system32\qmkrkypk.exe
C:\WINDOWS\system32\oyksensg.exe
C:\WINDOWS\system32\meiuvntb.exe
C:\WINDOWS\system32\ilqelqim.exe
C:\WINDOWS\system32\bttmmtrf.exe
C:\WINDOWS\system32\kjluojcv.exe
C:\WINDOWS\system32\aqwqlkvi.exe
C:\WINDOWS\system32\jdpoukfa.exe
C:\WINDOWS\system32\psblqyul.exe
C:\WINDOWS\system32\xpaiagtx.exe
C:\WINDOWS\system32\exrtorir.exe
C:\WINDOWS\system32\kpnycsdr.exe
C:\WINDOWS\system32\ubnpubsn.exe
C:\WINDOWS\system32\tvgxjffu.exe
C:\WINDOWS\system32\btglcsyy.exe
C:\WINDOWS\system32\scdeybvw.exe
C:\WINDOWS\system32\oyeoidoj.exe
C:\WINDOWS\system32\mwarisdc.exe
C:\WINDOWS\system32\pctlyrck.exe
C:\WINDOWS\system32\qssqycex.exe
C:\WINDOWS\system32\ptrefreb.exe
C:\WINDOWS\system32\bqjieohr.exe
C:\WINDOWS\system32\tnsygsok.exe
C:\WINDOWS\system32\dtppnphn.exe
C:\WINDOWS\system32\ocnlrxrd.exe
C:\WINDOWS\system32\sawdptix.exe
C:\WINDOWS\system32\xjpynghw.dll
C:\WINDOWS\system32\cwntlius.dll
C:\WINDOWS\system32\uwwixadt.dll
C:\WINDOWS\system32\mdbjcsdu.dll
C:\WINDOWS\system32\wjwiubjs.dll
C:\WINDOWS\system32\plfhggnj.dll
C:\WINDOWS\system32\govytbts.dll

• Close all other windows and programs.
• Double-click VundoFix.exe to run it.
• Drag vundofix.vft onto the listbox (white box) of VundoFix.
• Click the "Remove Vundo" button.
• You will receive a prompt asking if you want to remove the files, click YES
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will reboot your computer, click OK.
• Please post the contents of C:\vundofix.txt and a new dss log.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting


You comfortable editing the registry or would you rather I post formatted fixes?

Please go to jotti and upload the following two files for analysis. Copy the results and post them here.

C:\WINDOWS\system32\BiosMsg.dll
C:\WINDOWS\system32\windrv.sys

 

new logs - vundo/biosmsg/windrv results

Vundofix.txt:
Beginning removal...

Attempting to delete C:\WINDOWS\system32\alfehlaa.dll
C:\WINDOWS\system32\alfehlaa.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\aqwqlkvi.exe
C:\WINDOWS\system32\aqwqlkvi.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\bqjieohr.exe
C:\WINDOWS\system32\bqjieohr.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\btglcsyy.exe
C:\WINDOWS\system32\btglcsyy.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\bttmmtrf.exe
C:\WINDOWS\system32\bttmmtrf.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\bwbayumi.exe
C:\WINDOWS\system32\bwbayumi.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\cnyefinv.exe
C:\WINDOWS\system32\cnyefinv.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\cwntlius.dll
C:\WINDOWS\system32\cwntlius.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dtppnphn.exe
C:\WINDOWS\system32\dtppnphn.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\exrtorir.exe
C:\WINDOWS\system32\exrtorir.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\fjtnxgnc.exe
C:\WINDOWS\system32\fjtnxgnc.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\gbilfyeh.exe
C:\WINDOWS\system32\gbilfyeh.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\govytbts.dll
C:\WINDOWS\system32\govytbts.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\idyvykee.exe
C:\WINDOWS\system32\idyvykee.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ilqelqim.exe
C:\WINDOWS\system32\ilqelqim.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\iucgtedb.exe
C:\WINDOWS\system32\iucgtedb.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\jdpoukfa.exe
C:\WINDOWS\system32\jdpoukfa.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\kjluojcv.exe
C:\WINDOWS\system32\kjluojcv.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\kpnycsdr.exe
C:\WINDOWS\system32\kpnycsdr.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\mdbjcsdu.dll
C:\WINDOWS\system32\mdbjcsdu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\meiuvntb.exe
C:\WINDOWS\system32\meiuvntb.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\mwarisdc.exe
C:\WINDOWS\system32\mwarisdc.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\nerkwrfy.exe
C:\WINDOWS\system32\nerkwrfy.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ocnlrxrd.exe
C:\WINDOWS\system32\ocnlrxrd.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\oyeoidoj.exe
C:\WINDOWS\system32\oyeoidoj.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\oyksensg.exe
C:\WINDOWS\system32\oyksensg.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\pcmssnen.dll
C:\WINDOWS\system32\pcmssnen.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pctlyrck.exe
C:\WINDOWS\system32\pctlyrck.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\pipsjnel.exe
C:\WINDOWS\system32\pipsjnel.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\plfhggnj.dll
C:\WINDOWS\system32\plfhggnj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\psblqyul.exe
C:\WINDOWS\system32\psblqyul.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ptrefreb.exe
C:\WINDOWS\system32\ptrefreb.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\qmkrkypk.exe
C:\WINDOWS\system32\qmkrkypk.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\qssqycex.exe
C:\WINDOWS\system32\qssqycex.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\rdlkaqnk.exe
C:\WINDOWS\system32\rdlkaqnk.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\rkksgdus.exe
C:\WINDOWS\system32\rkksgdus.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\rmdhtmnd.exe
C:\WINDOWS\system32\rmdhtmnd.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\rptphqtm.exe
C:\WINDOWS\system32\rptphqtm.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\rulqrxij.exe
C:\WINDOWS\system32\rulqrxij.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\sawdptix.exe
C:\WINDOWS\system32\sawdptix.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\scdeybvw.exe
C:\WINDOWS\system32\scdeybvw.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\tnsygsok.exe
C:\WINDOWS\system32\tnsygsok.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\tttpohgh.exe
C:\WINDOWS\system32\tttpohgh.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\tvgxjffu.exe
C:\WINDOWS\system32\tvgxjffu.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ubnpubsn.exe
C:\WINDOWS\system32\ubnpubsn.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\udvndlir.exe
C:\WINDOWS\system32\udvndlir.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\uwwixadt.dll
C:\WINDOWS\system32\uwwixadt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\uxgmonco.exe
C:\WINDOWS\system32\uxgmonco.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\wjwiubjs.dll
C:\WINDOWS\system32\wjwiubjs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wrxolinr.exe
C:\WINDOWS\system32\wrxolinr.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\xjpynghw.dll
C:\WINDOWS\system32\xjpynghw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xpaiagtx.exe
C:\WINDOWS\system32\xpaiagtx.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ybphpewf.exe
C:\WINDOWS\system32\ybphpewf.exe Has been deleted!

Performing Repairs to the registry.
Done!

biosmsg.dll joti scan results
File: BiosMsg.dll
Status: OK
MD5: 19d20181079a39f120ef0ffefbeb976f
Packers detected: -
Bit9 reports: No threat detected (more info)

Scan taken on 21 Nov 2007 12:59:21 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Windrv.sys joti scan results:
File: windrv.sys
Status: OK
MD5: f8cbd664f1c43af9c29501b9ea4a5766
Packers detected: -
Bit9 reports: File not found

Scan taken on 21 Nov 2007 13:07:00 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

 

registry

I would be comfortable editing the registry. Just let me know what needs to be done.

 

Grab an updated copy of ComboFix. Download ComboFix by sUBs from here or here, saving the file to your desktop.

• Close all open programs and windows
• Double click combofix.exe and follow the prompts.
• When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Make sure to disconnect all client logon sessions first.

 

new combofix log 11/23/07

ComboFix 07-11-19.3 - administrator 2007-11-23 18:07:57.2 - NTFSx86
Microsoft(R) Windows(R) Server 2003, Standard Edition 5.2.3790.2.1252.1.1033.18.2859 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator.65GW2003\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\65gsupport\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\WINDOWS\system32\pcmssnen.dllbox

.
((((((((((((((((((((((((( Files Created from 2007-10-23 to 2007-11-23 )))))))))))))))))))))))))))))))
.

2007-11-20 00:05 <DIR> d-------- C:\Deckard
2007-11-19 10:42 <DIR> d-------- C:\Temp\combfix
2007-11-19 10:28 <DIR> d-------- C:\VundoFix Backups
2007-11-19 10:27 118,272 --------- C:\Documents and Settings\Administrator.65GW2003\VundoFix.exe
2007-11-19 08:53 1,374 ---hs---- C:\WINDOWS\system32\aalhefla.ini
2007-11-19 08:50 1,134 ---hs---- C:\WINDOWS\system32\bvskkekv.ini
2007-11-19 08:17 1,074 ---hs---- C:\WINDOWS\system32\eniuktwl.ini
2007-11-19 07:59 1,014 ---hs---- C:\WINDOWS\system32\xcmsjohf.ini
2007-11-18 20:05 714 ---hs---- C:\WINDOWS\system32\hnoctmce.ini
2007-11-18 13:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-18 13:16 774 ---hs---- C:\WINDOWS\system32\rcmfxohr.ini
2007-11-17 20:02 654 ---hs---- C:\WINDOWS\system32\fcsmtnwo.ini
2007-11-16 20:05 594 ---hs---- C:\WINDOWS\system32\yiyhfjjq.ini
2007-11-15 20:02 354 ---hs---- C:\WINDOWS\system32\dlrjbmdn.ini
2007-11-15 07:56 474 ---hs---- C:\WINDOWS\system32\tbmlufbo.ini
2007-11-14 19:59 294 ---hs---- C:\WINDOWS\system32\bobynphj.ini
2007-11-14 16:53 294 ---hs---- C:\WINDOWS\system32\aftbyymm.ini
2007-11-14 16:25 294 ---hs---- C:\WINDOWS\system32\fupetkcv.ini
2007-11-14 15:21 294 ---hs---- C:\WINDOWS\system32\ubdniyrg.ini
2007-11-13 09:26 474 ---hs---- C:\WINDOWS\system32\sjknwlaq.ini
2007-11-13 08:22 <DIR> d-------- C:\Documents and Settings\o'brienp\WINDOWS
2007-11-12 09:28 414 ---hs---- C:\WINDOWS\system32\gcsbqcjw.ini
2007-11-12 09:19 294 ---hs---- C:\WINDOWS\system32\anvajlny.ini
2007-11-12 09:10 1,734 ---hs---- C:\WINDOWS\system32\qesridhq.ini
2007-11-12 09:06 2,454 ---hs---- C:\WINDOWS\system32\tnjqxvmt.ini
2007-11-12 09:03 1,734 ---hs---- C:\WINDOWS\system32\fjgykpyf.ini
2007-11-12 09:01 1,614 ---hs---- C:\WINDOWS\system32\ydevqksu.ini
2007-11-09 08:04 1,554 ---hs---- C:\WINDOWS\system32\bwotgeia.ini
2007-11-08 18:20 894 ---hs---- C:\WINDOWS\system32\irsxqpgj.ini
2007-11-08 14:17 774 ---hs---- C:\WINDOWS\system32\nvdgrais.ini
2007-11-08 13:37 <DIR> d-------- C:\Documents and Settings\65gspam\WINDOWS
2007-11-08 13:31 594 ---hs---- C:\WINDOWS\system32\ltblheht.ini
2007-11-08 06:58 474 ---hs---- C:\WINDOWS\system32\enaufxde.ini
2007-11-07 20:57 354 ---hs---- C:\WINDOWS\system32\dktannad.ini
2007-11-07 20:52 354 ---hs---- C:\WINDOWS\system32\blnggryv.ini
2007-11-07 19:58 294 ---hs---- C:\WINDOWS\system32\qwfdmwkn.ini
2007-11-07 19:11 474 ---hs---- C:\WINDOWS\system32\nqdbptmd.ini
2007-11-07 19:10 8,706,680 --a------ C:\Temp\Windows-KB890830-V1.34.exe
2007-11-07 18:13 474 ---hs---- C:\WINDOWS\system32\rxywigdd.ini
2007-11-07 17:55 354 ---hs---- C:\WINDOWS\system32\nlghhebs.ini
2007-11-07 16:47 <DIR> d-------- C:\Temp\symantec
2007-11-07 14:57 294 ---hs---- C:\WINDOWS\system32\mmyhwxmr.ini
2007-11-07 13:36 654 ---hs---- C:\WINDOWS\system32\oftfwhhy.ini
2007-11-07 13:36 594 ---hs---- C:\WINDOWS\system32\xabrhvkd.ini
2007-11-07 12:39 534 ---hs---- C:\WINDOWS\system32\ucybutpn.ini
2007-11-07 11:41 <DIR> d-------- C:\Documents and Settings\atlantalocaldispatch\WINDOWS
2007-11-07 10:10 654 ---hs---- C:\WINDOWS\system32\qyoeghyf.ini
2007-11-07 09:02 894 ---hs---- C:\WINDOWS\system32\ibbfstdw.ini
2007-11-07 08:56 22,016 --a------ C:\WINDOWS\system32\hidserv.dll
2007-11-07 08:56 22,016 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-11-06 14:00 894 ---hs---- C:\WINDOWS\system32\fosvsqkq.ini
2007-11-06 08:24 894 ---hs---- C:\WINDOWS\system32\whgnypjx.ini
2007-11-05 14:03 354 ---hs---- C:\WINDOWS\system32\ssoscbjb.ini
2007-11-05 08:12 774 ---hs---- C:\WINDOWS\system32\suiltnwc.ini
2007-11-05 08:06 654 ---hs---- C:\WINDOWS\system32\qxipiotf.ini
2007-11-04 13:57 294 ---hs---- C:\WINDOWS\system32\aoxgwuoq.ini
2007-11-04 13:20 414 ---hs---- C:\WINDOWS\system32\tdaxiwwu.ini
2007-11-04 13:14 294 ---hs---- C:\WINDOWS\system32\ivnvyetb.ini
2007-11-04 13:13 <DIR> d-------- C:\Temp\dup1_tmp
2007-11-04 12:50 1,974 ---hs---- C:\WINDOWS\system32\udscjbdm.ini
2007-11-04 12:44 <DIR> d-------- C:\Temp\PE1850_BIOS_WIN_A06
2007-11-04 12:44 6,656 --------- C:\WINDOWS\system32\BiosMsg.dll
2007-11-04 12:42 414 ---hs---- C:\WINDOWS\system32\sjbuiwjw.ini
2007-11-04 12:21 294 ---hs---- C:\WINDOWS\system32\jngghflp.ini
2007-11-04 11:59 696,421 ---hs---- C:\WINDOWS\system32\stbtyvog.ini
2007-11-04 11:42 <DIR> d-------- C:\Temp\Dell
2007-11-04 11:42 86,016 --------- C:\WINDOWS\system32\DellSPMsg.dll
2007-11-02 08:31 <DIR> d-------- C:\Documents and Settings\coakleya\WINDOWS
2007-11-02 08:31 <DIR> d-------- C:\Documents and Settings\campbelle\WINDOWS
2007-11-02 08:30 <DIR> d-------- C:\Documents and Settings\hughesbi\WINDOWS
2007-11-01 15:42 <DIR> d-------- C:\Documents and Settings\beckerc\WINDOWS
2007-10-29 13:27 <DIR> d-------- C:\Documents and Settings\atcwvedi\WINDOWS
2007-10-26 09:50 696,421 ---hs---- C:\WINDOWS\system32\mkvnardk.ini
2007-10-26 04:34 694,381 ---hs---- C:\WINDOWS\system32\cexwrtup.ini
2007-10-24 16:54 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-10-24 16:29 255 --------- C:\ietempdel.bat
2007-10-24 04:32 694,201 ---hs---- C:\WINDOWS\system32\ddreuvhs.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-23 23:11 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-11-04 16:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-04 16:58 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-24 16:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-22 14:32 --------- d-----w C:\Program Files\Common Files\Download Manager
2007-10-21 22:14 --------- d-----w C:\Documents and Settings\Administrator.65GW2003\Application Data\SUPERAntiSpyware.com
2007-10-21 16:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-30 22:09 --------- d-----w C:\Program Files\Solarwinds
2007-09-11 12:17 914 ------w C:\Documents and Settings\spitzj\SDM-2.3.2-1811-c181x-advipservicesk9-mz.124-6.T7.bin
2007-09-06 20:32 1,150 ------w C:\Documents and Settings\spitzj\SDM-2.3.1-1811-c181x-adventerprisek9-mz.124-6.T2.bin
2007-09-05 21:27 726 ------w C:\Documents and Settings\spitzj\SDM-2.2-1811-c181x-advipservicesk9-mz.124-2.XA.bin
.

((((((((((((((((((((((((((((( snapshot@2007-11-19_10.50.00.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-19 15:42:38 84,068 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-21 12:50:14 84,068 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-19 15:42:38 475,080 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-21 12:50:14 475,080 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 15:44]
"vptray "= "C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 14:18]
"Acrobat Assistant 7.0 "= "E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 01:12]
"SNM "= "E:\Program Files\SpyNoMore\SNM.exe" []
"DWQueuedReporting "= "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 18:29]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall "= "C:\WINDOWS\system32\tscupgrd.exe" [2006-04-04 03:00]
"@ "=" " []
"O2K3ProfileSettings "= "E:\Program Files\ORKTools\ORK11\Tools\Profile Wizard\Proflwiz.exe" [2003-07-14 22:02]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-08-16 09:25:39]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2007-08-02 16:49:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad "= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden "= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
dimsntfy.dll 2007-02-17 09:02 19456 C:\WINDOWS\system32\dimsntfy.dll
C:\WINDOWS\system32\NavLogon.dll 2004-03-12 14:17 83176 C:\WINDOWS\system32\NavLogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages "= RASSFM KDCSVC WDIGEST scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-1197\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\LMALogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-2616\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-2626\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-2987\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3207\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3222\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3446\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3447\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3448\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3449\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3450\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3789\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3790\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3791\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3792\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3793\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3794\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3795\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3797\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4028\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\CGSLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4117\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\TCHLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4230\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4233\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4256\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4279\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4428\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4446\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4447\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4448\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4449\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4462\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4467\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4475\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4477\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4478\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4479\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4480\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4495\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4502\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4504\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4505\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4506\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4545\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4547\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@= "Service "

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wd.sys]
@= "Driver "

R0 crcdisk;CRC Disk Filter Driver;C:\WINDOWS\system32\DRIVERS\crcdisk.sys
R0 DfsDriver;DfsDriver;C:\WINDOWS\system32\drivers\Dfs.sys
R0 VSP;Volume Snapshot Provider;C:\WINDOWS\system32\DRIVERS\vsp.sys
R2 AeLookupSvc;Application Experience Lookup Service;C:\WINDOWS\system32\svchost.exe -k netsvcs
R2 MSSEARCH;Microsoft Search; "C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe "
R2 TIAccountManagementService80;Track-It! 8.0 Account Management Service; "e:\Program Files\Numara Software\Numara Track-It! 8\Web Add-On\Password Reset\Account Management Service\AccountManagementService.exe "
R2 TIConfiguration;Track-It! Configuration; "e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIConfiguration.exe "
R2 TIDashboardMonitor;Track-It! Dashboard Monitor; "e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIDashboardMonitor.exe "
R2 TIFileStorage;Track-It! File Storage; "e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIFileStorage.exe "
R2 TIMonitor;Track-It! Monitor; "e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIMonitor.exe "
R2 TIRmtSvc;Track-It! Workstation Manager;C:\WINDOWS\TIREMOTE\TIRemoteService.exe
R2 TIServerServices80;Track-It! 8.0 Monitor Service;e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Server\TIServerServices.exe /StartService
R2 TISoftwareLicensingMonitor;Track-It! Software Licensing Monitor; "e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISoftwareLicensingMonitor.exe "
R2 TISystemNotificationMonitor;Track-It! System Notification Monitor; "e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISystemNotificationMonitor.exe "
R2 TIWorkOrderMonitor;Track-It! Work Order Monitor; "e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIWorkOrderMonitor.exe "
R2 UserSyncService80;Track-It! 8.0 User Synchronization Service;e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Server\User Synch\bin\TIUserSyncSvc.exe /StartService
R3 dcdbas;System Management Driver;C:\WINDOWS\system32\DRIVERS\dcdbas32.sys
R3 racser;racser;C:\WINDOWS\system32\DRIVERS\rac4ser.sys
S2 TISearch;Track-It! Search; "e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISearch.exe "
S3 Dfs;Distributed File System;C:\WINDOWS\system32\Dfssvc.exe
S3 NtFrs;File Replication;C:\WINDOWS\system32\ntfrs.exe
S3 RSoPProv;Resultant Set of Policy Provider;C:\WINDOWS\system32\RSoPProv.exe
S3 sacsvr;Special Administration Console Helper;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 SmaRTIndexServer;SmaRTIndexServer;e:\Program Files\Numara Software\Numara Track-It! 8\Web Add-On\smart\services\SmartIndexer.exe
S3 WinHttpAutoProxySvc;WinHTTP Web Proxy Auto-Discovery Service;C:\WINDOWS\system32\svchost.exe -k LocalService
S3 WLBS;Network Load Balancing;C:\WINDOWS\system32\DRIVERS\wlbs.sys
S4 AmdIde;AmdIde;C:\WINDOWS\system32\drivers\AmdIde.sys
S4 arc;arc;C:\WINDOWS\system32\drivers\arc.sys
S4 ClusDisk;Cluster Disk Driver;C:\WINDOWS\system32\DRIVERS\ClusDisk.sys
S4 hpcisss;hpcisss;C:\WINDOWS\system32\drivers\hpcisss.sys
S4 IsmServ;Intersite Messaging;C:\WINDOWS\System32\ismserv.exe
S4 kdc;Kerberos Key Distribution Center;C:\WINDOWS\System32\lsass.exe
S4 TrkSvr;Distributed Link Tracking Server;C:\WINDOWS\system32\svchost.exe -k netsvcs
S4 Tssdis;Terminal Services Session Directory;C:\WINDOWS\System32\tssdis.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService Alerter WebClient LmHosts W32Time WinHttpAutoProxySvc
NetworkService 6to4 DHCP DnsCache
WinErr ERsvc
DcomLaunch DcomLaunch
tapisrv Tapisrv
regsvc RemoteRegistry
swprv swprv
iissvcs w3svc
HPZ12 Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AeLookupSvc
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
NWCWorkstation
Sacsvr
Schedule
Seclogon
Themes
TrkWks
TrkSvr
Wmi
WmdmPmSp
winmgmt
xmlprov
BITS
wuauserv
ShellHWDetection
helpsvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{36BBA8D2-CA5C-4847-81CC-4F807DD86C91}]
%SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateUser urlmon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6D69F546-C1AF-4049-AE9E-28627B91D3F5}]
%SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateAdmin urlmon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenUser
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-23 18:12:08
Windows 5.2.3790 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-23 18:12:39 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-19 10:50
.
--- E O F ---

 

hijack this 11/23/07

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:13, on 2007-11-23
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal

Running processes:
C:\Documents and Settings\Administrator.65GW2003\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\SysMgt\RAC4\racsvc.exe
C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
E:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIConfiguration.exe
C:\WINDOWS\TIREMOTE\TIRemoteService.exe
E:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIDashboardMonitor.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIFileStorage.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISoftwareLicensingMonitor.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISystemNotificationMonitor.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIWorkOrderMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
E:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.adobe.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "
O4 - HKLM\..\Run: [SNM] E:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.65gw2003\windows\system32\mswsock.dll' missing
O16 - DPF: {04B6290C-97B8-49A1-B0A3-1312254F7C54} (SharedSessionService Class) - https://portal.carealliance.com/portal/applets/SharedSession.dll
O16 - DPF: {26700CD9-6157-4B72-B46F-EC93C952F19C} (SWToolSet.Engine) - http://10.10.1.20/SWToolset.exe
O16 - DPF: {43E4476A-6C11-4274-AFA4-DF665B26EAE0} (Session Viewer) - https://10.10.1.43/plugins/vkvm/ActiveXVideoViewer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1189550347824
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1189550339113
O16 - DPF: {7D7D0CF0-BB7C-473E-8B35-7590F7D86671} (eFilmX Image Retrieval Module) - http://10.1.18.30/FusionServer/ActiveX/coefir.cab
O16 - DPF: {B1B22D8C-30F6-4BD5-8291-7C855D5CF2FC} (eFilmX Image Viewer) - http://10.1.18.30/FusionServer/ActiveX/eFilmX.cab
O16 - DPF: {EB29B81A-7351-4890-8BCE-58127C3545F9} (Mckntauth Control) - https://portal.carealliance.com/portal/applets/mckntauth.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 65GW2003.com
O17 - HKLM\Software\..\Telephony: DomainName = 65GW2003.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EFD42E0-A4D8-48AB-A4F5-6B1221F800F5}: NameServer = 10.10.1.70,10.10.1.72
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 65GW2003.com
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSM SA Event Manager (dcevt32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
O23 - Service: DSM SA Data Manager (dcstor32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: mr2kserv - LSI Logic Corporation - C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
O23 - Service: DSM SA Shared Services (omsad) - Dell Inc. - C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
O23 - Service: Remote Access Controller 4 (RAC4) (racsvc) - Dell, Inc. - C:\Program Files\Dell\SysMgt\RAC4\racsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: DSM SA Connection Service (Server Administrator) - Unknown owner - C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
O23 - Service: SmaRTIndexServer - Self-Service Technologies - e:\Program Files\Numara Software\Numara Track-It! 8\Web Add-On\smart\services\SmartIndexer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Track-It! 8.0 Account Management Service (TIAccountManagementService80) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Web Add-On\Password Reset\Account Management Service\AccountManagementService.exe
O23 - Service: Track-It! Configuration (TIConfiguration) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIConfiguration.exe
O23 - Service: Track-It! Dashboard Monitor (TIDashboardMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIDashboardMonitor.exe
O23 - Service: Track-It! File Storage (TIFileStorage) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIFileStorage.exe
O23 - Service: Track-It! Monitor (TIMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIMonitor.exe
O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Numara Software, Inc. - C:\WINDOWS\TIREMOTE\TIRemoteService.exe
O23 - Service: Track-It! Search (TISearch) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISearch.exe
O23 - Service: Track-It! 8.0 Monitor Service (TIServerServices80) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Server\TIServerServices.exe
O23 - Service: Track-It! Software Licensing Monitor (TISoftwareLicensingMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISoftwareLicensingMonitor.exe
O23 - Service: Track-It! System Notification Monitor (TISystemNotificationMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISystemNotificationMonitor.exe
O23 - Service: Track-It! Work Order Monitor (TIWorkOrderMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIWorkOrderMonitor.exe
O23 - Service: Track-It! 8.0 User Synchronization Service (UserSyncService80) - Unknown owner - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Server\User Synch\bin\TIUserSyncSvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - E:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 12155 bytes

 

Empty the C:\Temp folder.

Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

Filename: CFScript.txt
Save As Type: All Files (*.*)

Code:

File::
C:\WINDOWS\system32\aalhefla.ini
C:\WINDOWS\system32\bvskkekv.ini
C:\WINDOWS\system32\eniuktwl.ini
C:\WINDOWS\system32\xcmsjohf.ini
C:\WINDOWS\system32\hnoctmce.ini
C:\WINDOWS\system32\rcmfxohr.ini
C:\WINDOWS\system32\fcsmtnwo.ini
C:\WINDOWS\system32\yiyhfjjq.ini
C:\WINDOWS\system32\dlrjbmdn.ini
C:\WINDOWS\system32\tbmlufbo.ini
C:\WINDOWS\system32\bobynphj.ini
C:\WINDOWS\system32\aftbyymm.ini
C:\WINDOWS\system32\fupetkcv.ini
C:\WINDOWS\system32\ubdniyrg.ini
C:\WINDOWS\system32\sjknwlaq.ini
C:\WINDOWS\system32\gcsbqcjw.ini
C:\WINDOWS\system32\anvajlny.ini
C:\WINDOWS\system32\qesridhq.ini
C:\WINDOWS\system32\tnjqxvmt.ini
C:\WINDOWS\system32\fjgykpyf.ini
C:\WINDOWS\system32\ydevqksu.ini
C:\WINDOWS\system32\bwotgeia.ini
C:\WINDOWS\system32\irsxqpgj.ini
C:\WINDOWS\system32\nvdgrais.ini
C:\WINDOWS\system32\ltblheht.ini
C:\WINDOWS\system32\enaufxde.ini
C:\WINDOWS\system32\dktannad.ini
C:\WINDOWS\system32\blnggryv.ini
C:\WINDOWS\system32\qwfdmwkn.ini
C:\WINDOWS\system32\nqdbptmd.ini
C:\WINDOWS\system32\rxywigdd.ini
C:\WINDOWS\system32\nlghhebs.ini
C:\WINDOWS\system32\mmyhwxmr.ini
C:\WINDOWS\system32\oftfwhhy.ini
C:\WINDOWS\system32\xabrhvkd.ini
C:\WINDOWS\system32\ucybutpn.ini
C:\WINDOWS\system32\qyoeghyf.ini
C:\WINDOWS\system32\ibbfstdw.ini
C:\WINDOWS\system32\fosvsqkq.ini
C:\WINDOWS\system32\whgnypjx.ini
C:\WINDOWS\system32\ssoscbjb.ini
C:\WINDOWS\system32\suiltnwc.ini
C:\WINDOWS\system32\qxipiotf.ini
C:\WINDOWS\system32\aoxgwuoq.ini
C:\WINDOWS\system32\tdaxiwwu.ini
C:\WINDOWS\system32\ivnvyetb.ini
C:\WINDOWS\system32\udscjbdm.ini
C:\WINDOWS\system32\sjbuiwjw.ini
C:\WINDOWS\system32\jngghflp.ini
C:\WINDOWS\system32\stbtyvog.ini
C:\WINDOWS\system32\mkvnardk.ini
C:\WINDOWS\system32\cexwrtup.ini
C:\WINDOWS\system32\ddreuvhs.ini

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


I'm still a bit suspicous of the following 2 files. Please check their properties for company name, version, etc and let me know what you find.

C:\WINDOWS\system32\BiosMsg.dll
C:\WINDOWS\system32\DellSPMsg.dll

 

combofix log/file info 11/24/07

ComboFix 07-11-19.3 - administrator 2007-11-24 9:07:40.3 - NTFSx86
Microsoft(R) Windows(R) Server 2003, Standard Edition 5.2.3790.2.1252.1.1033.18.2993 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator.65GW2003\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator.65GW2003\Desktop\CFScript.txt

FILE
C:\WINDOWS\system32\aalhefla.ini
C:\WINDOWS\system32\aftbyymm.ini
C:\WINDOWS\system32\anvajlny.ini
C:\WINDOWS\system32\aoxgwuoq.ini
C:\WINDOWS\system32\blnggryv.ini
C:\WINDOWS\system32\bobynphj.ini
C:\WINDOWS\system32\bvskkekv.ini
C:\WINDOWS\system32\bwotgeia.ini
C:\WINDOWS\system32\cexwrtup.ini
C:\WINDOWS\system32\ddreuvhs.ini
C:\WINDOWS\system32\dktannad.ini
C:\WINDOWS\system32\dlrjbmdn.ini
C:\WINDOWS\system32\enaufxde.ini
C:\WINDOWS\system32\eniuktwl.ini
C:\WINDOWS\system32\fcsmtnwo.ini
C:\WINDOWS\system32\fjgykpyf.ini
C:\WINDOWS\system32\fosvsqkq.ini
C:\WINDOWS\system32\fupetkcv.ini
C:\WINDOWS\system32\gcsbqcjw.ini
C:\WINDOWS\system32\hnoctmce.ini
C:\WINDOWS\system32\ibbfstdw.ini
C:\WINDOWS\system32\irsxqpgj.ini
C:\WINDOWS\system32\ivnvyetb.ini
C:\WINDOWS\system32\jngghflp.ini
C:\WINDOWS\system32\ltblheht.ini
C:\WINDOWS\system32\mkvnardk.ini
C:\WINDOWS\system32\mmyhwxmr.ini
C:\WINDOWS\system32\nlghhebs.ini
C:\WINDOWS\system32\nqdbptmd.ini
C:\WINDOWS\system32\nvdgrais.ini
C:\WINDOWS\system32\oftfwhhy.ini
C:\WINDOWS\system32\qesridhq.ini
C:\WINDOWS\system32\qwfdmwkn.ini
C:\WINDOWS\system32\qxipiotf.ini
C:\WINDOWS\system32\qyoeghyf.ini
C:\WINDOWS\system32\rcmfxohr.ini
C:\WINDOWS\system32\rxywigdd.ini
C:\WINDOWS\system32\sjbuiwjw.ini
C:\WINDOWS\system32\sjknwlaq.ini
C:\WINDOWS\system32\ssoscbjb.ini
C:\WINDOWS\system32\stbtyvog.ini
C:\WINDOWS\system32\suiltnwc.ini
C:\WINDOWS\system32\tbmlufbo.ini
C:\WINDOWS\system32\tdaxiwwu.ini
C:\WINDOWS\system32\tnjqxvmt.ini
C:\WINDOWS\system32\ubdniyrg.ini
C:\WINDOWS\system32\ucybutpn.ini
C:\WINDOWS\system32\udscjbdm.ini
C:\WINDOWS\system32\whgnypjx.ini
C:\WINDOWS\system32\xabrhvkd.ini
C:\WINDOWS\system32\xcmsjohf.ini
C:\WINDOWS\system32\ydevqksu.ini
C:\WINDOWS\system32\yiyhfjjq.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\aalhefla.ini
C:\WINDOWS\system32\aftbyymm.ini
C:\WINDOWS\system32\anvajlny.ini
C:\WINDOWS\system32\aoxgwuoq.ini
C:\WINDOWS\system32\blnggryv.ini
C:\WINDOWS\system32\bobynphj.ini
C:\WINDOWS\system32\bvskkekv.ini
C:\WINDOWS\system32\bwotgeia.ini
C:\WINDOWS\system32\cexwrtup.ini
C:\WINDOWS\system32\ddreuvhs.ini
C:\WINDOWS\system32\dktannad.ini
C:\WINDOWS\system32\dlrjbmdn.ini
C:\WINDOWS\system32\enaufxde.ini
C:\WINDOWS\system32\eniuktwl.ini
C:\WINDOWS\system32\fcsmtnwo.ini
C:\WINDOWS\system32\fjgykpyf.ini
C:\WINDOWS\system32\fosvsqkq.ini
C:\WINDOWS\system32\fupetkcv.ini
C:\WINDOWS\system32\gcsbqcjw.ini
C:\WINDOWS\system32\hnoctmce.ini
C:\WINDOWS\system32\ibbfstdw.ini
C:\WINDOWS\system32\irsxqpgj.ini
C:\WINDOWS\system32\ivnvyetb.ini
C:\WINDOWS\system32\jngghflp.ini
C:\WINDOWS\system32\ltblheht.ini
C:\WINDOWS\system32\mkvnardk.ini
C:\WINDOWS\system32\mmyhwxmr.ini
C:\WINDOWS\system32\nlghhebs.ini
C:\WINDOWS\system32\nqdbptmd.ini
C:\WINDOWS\system32\nvdgrais.ini
C:\WINDOWS\system32\oftfwhhy.ini
C:\WINDOWS\system32\qesridhq.ini
C:\WINDOWS\system32\qwfdmwkn.ini
C:\WINDOWS\system32\qxipiotf.ini
C:\WINDOWS\system32\qyoeghyf.ini
C:\WINDOWS\system32\rcmfxohr.ini
C:\WINDOWS\system32\rxywigdd.ini
C:\WINDOWS\system32\sjbuiwjw.ini
C:\WINDOWS\system32\sjknwlaq.ini
C:\WINDOWS\system32\ssoscbjb.ini
C:\WINDOWS\system32\stbtyvog.ini
C:\WINDOWS\system32\suiltnwc.ini
C:\WINDOWS\system32\tbmlufbo.ini
C:\WINDOWS\system32\tdaxiwwu.ini
C:\WINDOWS\system32\tnjqxvmt.ini
C:\WINDOWS\system32\ubdniyrg.ini
C:\WINDOWS\system32\ucybutpn.ini
C:\WINDOWS\system32\udscjbdm.ini
C:\WINDOWS\system32\whgnypjx.ini
C:\WINDOWS\system32\xabrhvkd.ini
C:\WINDOWS\system32\xcmsjohf.ini
C:\WINDOWS\system32\ydevqksu.ini
C:\WINDOWS\system32\yiyhfjjq.ini

.
((((((((((((((((((((((((( Files Created from 2007-10-24 to 2007-11-24 )))))))))))))))))))))))))))))))
.

2007-11-20 00:05 <DIR> d-------- C:\Deckard
2007-11-19 10:28 <DIR> d-------- C:\VundoFix Backups
2007-11-19 10:27 118,272 --------- C:\Documents and Settings\Administrator.65GW2003\VundoFix.exe
2007-11-18 13:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-13 08:22 <DIR> d-------- C:\Documents and Settings\o'brienp\WINDOWS
2007-11-08 13:37 <DIR> d-------- C:\Documents and Settings\65gspam\WINDOWS
2007-11-07 11:41 <DIR> d-------- C:\Documents and Settings\atlantalocaldispatch\WINDOWS
2007-11-07 08:56 22,016 --a------ C:\WINDOWS\system32\hidserv.dll
2007-11-07 08:56 22,016 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-11-04 12:44 6,656 --------- C:\WINDOWS\system32\BiosMsg.dll
2007-11-04 11:42 86,016 --------- C:\WINDOWS\system32\DellSPMsg.dll
2007-11-02 08:31 <DIR> d-------- C:\Documents and Settings\coakleya\WINDOWS
2007-11-02 08:31 <DIR> d-------- C:\Documents and Settings\campbelle\WINDOWS
2007-11-02 08:30 <DIR> d-------- C:\Documents and Settings\hughesbi\WINDOWS
2007-11-01 15:42 <DIR> d-------- C:\Documents and Settings\beckerc\WINDOWS
2007-10-29 13:27 <DIR> d-------- C:\Documents and Settings\atcwvedi\WINDOWS
2007-10-24 16:54 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-10-24 16:29 255 --------- C:\ietempdel.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-23 23:11 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-11-04 16:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-04 16:58 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-24 16:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-22 14:32 --------- d-----w C:\Program Files\Common Files\Download Manager
2007-10-21 22:14 --------- d-----w C:\Documents and Settings\Administrator.65GW2003\Application Data\SUPERAntiSpyware.com
2007-10-21 16:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-30 22:09 --------- d-----w C:\Program Files\Solarwinds
2007-09-11 12:17 914 ------w C:\Documents and Settings\spitzj\SDM-2.3.2-1811-c181x-advipservicesk9-mz.124-6.T7.bin
2007-09-06 20:32 1,150 ------w C:\Documents and Settings\spitzj\SDM-2.3.1-1811-c181x-adventerprisek9-mz.124-6.T2.bin
2007-09-05 21:27 726 ------w C:\Documents and Settings\spitzj\SDM-2.2-1811-c181x-advipservicesk9-mz.124-2.XA.bin
.

((((((((((((((((((((((((((((( snapshot@2007-11-19_10.50.00.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-19 15:42:38 84,068 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-23 23:15:19 84,068 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-19 15:42:38 475,080 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-23 23:15:19 475,080 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 15:44]
"vptray "= "C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 14:18]
"Acrobat Assistant 7.0 "= "E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 01:12]
"SNM "= "E:\Program Files\SpyNoMore\SNM.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall "= "C:\WINDOWS\system32\tscupgrd.exe" [2006-04-04 03:00]
"@ "=" " []
"O2K3ProfileSettings "= "E:\Program Files\ORKTools\ORK11\Tools\Profile Wizard\Proflwiz.exe" [2003-07-14 22:02]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-08-16 09:25:39]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2007-08-02 16:49:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad "= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden "= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
dimsntfy.dll 2007-02-17 09:02 19456 C:\WINDOWS\system32\dimsntfy.dll
C:\WINDOWS\system32\NavLogon.dll 2004-03-12 14:17 83176 C:\WINDOWS\system32\NavLogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages "= RASSFM KDCSVC WDIGEST scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-1197\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\LMALogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-2616\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-2626\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-2987\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3207\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3222\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3446\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3447\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3448\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3449\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3450\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3789\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3790\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3791\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3792\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3793\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3794\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3795\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3797\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4028\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\CGSLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4117\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\TCHLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4230\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4233\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4256\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4279\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4428\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4446\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4447\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4448\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4449\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4462\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4467\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4475\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4477\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4478\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4479\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4480\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4495\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4502\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4504\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4505\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4506\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4545\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4547\Scripts\Logon\0\0]
"Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@= "Service "

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wd.sys]
@= "Driver "

R0 crcdisk;CRC Disk Filter Driver;C:\WINDOWS\system32\DRIVERS\crcdisk.sys
R0 DfsDriver;DfsDriver;C:\WINDOWS\system32\drivers\Dfs.sys
R0 VSP;Volume Snapshot Provider;C:\WINDOWS\system32\DRIVERS\vsp.sys
R2 AeLookupSvc;Application Experience Lookup Service;C:\WINDOWS\system32\svchost.exe -k netsvcs
R2 MSSEARCH;Microsoft Search; "C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe "
R2 TIAccountManagementService80;Track-It! 8.0 Account Management Service; "e:\Program Files\Numara Software\Numara Track-It! 8\Web Add-On\Password Reset\Account Management Service\AccountManagementService.exe "
R2 TIConfiguration;Track-It! Configuration; "e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIConfiguration.exe "
R2 TIDashboardMonitor;Track-It! Dashboard Monitor; "e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIDashboardMonitor.exe "
R2 TIFileStorage;Track-It! File Storage; "e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIFileStorage.exe "
R2 TIMonitor;Track-It! Monitor; "e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIMonitor.exe "
R2 TIRmtSvc;Track-It! Workstation Manager;C:\WINDOWS\TIREMOTE\TIRemoteService.exe
R2 TIServerServices80;Track-It! 8.0 Monitor Service;e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Server\TIServerServices.exe /StartService
R2 TISoftwareLicensingMonitor;Track-It! Software Licensing Monitor; "e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISoftwareLicensingMonitor.exe "
R2 TISystemNotificationMonitor;Track-It! System Notification Monitor; "e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISystemNotificationMonitor.exe "
R2 TIWorkOrderMonitor;Track-It! Work Order Monitor; "e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIWorkOrderMonitor.exe "
R2 UserSyncService80;Track-It! 8.0 User Synchronization Service;e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Server\User Synch\bin\TIUserSyncSvc.exe /StartService
R3 dcdbas;System Management Driver;C:\WINDOWS\system32\DRIVERS\dcdbas32.sys
R3 racser;racser;C:\WINDOWS\system32\DRIVERS\rac4ser.sys
S2 TISearch;Track-It! Search; "e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISearch.exe "
S3 Dfs;Distributed File System;C:\WINDOWS\system32\Dfssvc.exe
S3 NtFrs;File Replication;C:\WINDOWS\system32\ntfrs.exe
S3 RSoPProv;Resultant Set of Policy Provider;C:\WINDOWS\system32\RSoPProv.exe
S3 sacsvr;Special Administration Console Helper;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 SmaRTIndexServer;SmaRTIndexServer;e:\Program Files\Numara Software\Numara Track-It! 8\Web Add-On\smart\services\SmartIndexer.exe
S3 WinHttpAutoProxySvc;WinHTTP Web Proxy Auto-Discovery Service;C:\WINDOWS\system32\svchost.exe -k LocalService
S3 WLBS;Network Load Balancing;C:\WINDOWS\system32\DRIVERS\wlbs.sys
S4 AmdIde;AmdIde;C:\WINDOWS\system32\drivers\AmdIde.sys
S4 arc;arc;C:\WINDOWS\system32\drivers\arc.sys
S4 ClusDisk;Cluster Disk Driver;C:\WINDOWS\system32\DRIVERS\ClusDisk.sys
S4 hpcisss;hpcisss;C:\WINDOWS\system32\drivers\hpcisss.sys
S4 IsmServ;Intersite Messaging;C:\WINDOWS\System32\ismserv.exe
S4 kdc;Kerberos Key Distribution Center;C:\WINDOWS\System32\lsass.exe
S4 TrkSvr;Distributed Link Tracking Server;C:\WINDOWS\system32\svchost.exe -k netsvcs
S4 Tssdis;Terminal Services Session Directory;C:\WINDOWS\System32\tssdis.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService Alerter WebClient LmHosts W32Time WinHttpAutoProxySvc
NetworkService 6to4 DHCP DnsCache
WinErr ERsvc
DcomLaunch DcomLaunch
tapisrv Tapisrv
regsvc RemoteRegistry
swprv swprv
iissvcs w3svc
HPZ12 Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AeLookupSvc
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
NWCWorkstation
Sacsvr
Schedule
Seclogon
Themes
TrkWks
TrkSvr
Wmi
WmdmPmSp
winmgmt
xmlprov
BITS
wuauserv
ShellHWDetection
helpsvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{36BBA8D2-CA5C-4847-81CC-4F807DD86C91}]
%SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateUser urlmon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6D69F546-C1AF-4049-AE9E-28627B91D3F5}]
%SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateAdmin urlmon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenUser
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-24 09:08:51
Windows 5.2.3790 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-24 9:09:13
C:\ComboFix2.txt ... 2007-11-23 18:12
C:\ComboFix3.txt ... 2007-11-19 10:50
.
--- E O F ---

File info:
biosmsg.dll
version - no info
size - 6.5KB
date
created 11/4/07
mod 12/5/06
access 11/24/07

dellspmsg.dll
version: 5.2.0.35
size - 84KB
date
created 11/4/07
mod 1/3/07
access 11/24/07
Description: svm messages module
Company: Dell Inc

 

Looking good. The Dellspmsg.dll appears legit. Would you please upload the biosmsg.dll to my submission channel. Leave a link back to this topic.
Thanks!

Let's tidy up and get an online scan.

Click Start>Run and type ComboFix /u then hit enter.
Delete VundoFix.exe
Open HijackThis to the Misc Tools section>Backups and delete all backups.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
  
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  • Extended (if available otherwise Standard)
  • Scan Options:
  • Scan Archives
    Scan Mail Bases
• Click OK
• Now under select a target to scan:
  • Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
• Save the file to your desktop.

Post the Kaspersky log and one more dss log.

 

kaspersky 112507 part 1

I submitted the biosmsg file as requested. Here are the results of the kaspersky scan:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2007-11-25 10:19
Operating System: Microsoft Windows Server 2003, Standard Edition, Service Pack 2 (Build 3790)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/11/2007
Kaspersky Anti-Virus database records: 465392
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 65687
Number of viruses found: 26
Number of infected objects: 214
Number of suspicious objects: 0
Duration of the scan process: 01:26:50

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\65gsupport\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\65gsupport\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\65gsupport\Local Settings\Temporary Internet Files\Content.IE5\9J38Y3DT\pochki20071106[1] Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Documents and Settings\65gsupport\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\65gsupport\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator.65GW2003\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.65GW2003\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Documents and Settings\Administrator.65GW2003\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator.65GW2003\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator.65GW2003\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.65GW2003\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.65GW2003\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator.65GW2003\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01780000.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\041C0000.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\041C0001.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\041C0002.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\041C0003.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\041C0006.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\041C0007.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\041C0008.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\041C0009.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\041C000A.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\041C000B.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\041C000C.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\041C000D.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08880000.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08880001.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08880004.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08880005.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08880006.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08880007.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08880008.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\089C0000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\089C0001.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\089C0002.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\089C0003.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09FC0000.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09FC0002.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09FC0006.VBN Infected: not-a-virusownloader.Win32.WinFixer.ao skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09FC0008.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09FC0009.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09FC000B.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A1C0000.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A1C0001.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A1C0002.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80001.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E9C0000.VBN Infected: not-a-virusownloader.Win32.WinFixer.ao skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E9C0001.VBN Infected: not-a-virusownloader.Win32.WinFixer.ao skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E9C0002.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E9C0003.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E9C0004.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E9C0005.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E9C0006.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E9C0007.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E9C0008.VBN/asappsrv.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E9C0008.VBN CAB: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E9C0008.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E9C0009.VBN/asappsrv.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E9C0009.VBN CAB: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E9C0009.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E9C000E.VBN/command.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E9C000E.VBN CAB: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E9C000E.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E9C000F.VBN/command.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E9C000F.VBN CAB: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E9C000F.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E9C0010.VBN/mwinklds.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.aa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E9C0010.VBN CAB: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E9C0010.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E9C0011.VBN/nsfpihtg.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E9C0011.VBN CAB: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E9C0011.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E9C0012.VBN/quharefow.dll Infected: Trojan.Win32.BHO.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E9C0012.VBN CAB: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E9C0012.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\10D00000.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11440000.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11440001.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11980000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ady skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11980001.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ady skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12140000.VBN Infected: Trojan-Downloader.Win32.Small.gci skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12140001.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12140002.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13D00000.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13D00001.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13D00002.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13D00003.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13D00004.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\14800000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\14800001.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\14800004.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\14800005.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\14800006.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\14800007.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\192C0000.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\192C0001.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\192C0002.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1A680000.VBN Infected: not-a-virusownloader.Win32.WinFixer.ao skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1A680002.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1AD80000.VBN Infected: Trojan-Downloader.Win32.Agent.enr skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1AD80001.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1AD80002.VBN Infected: not-virus:Hoax.Win32.Renos.kd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1AD80003.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1AD80004.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1AD80005.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1AD80006.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1AD80007.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1AD80008.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1AD80009.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1AD8000A.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1AD8000B.VBN Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1AD8000C.VBN Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1AD8000D.VBN/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1AD8000D.VBN NSIS: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1AD8000D.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1AD8000E.VBN Infected: Trojan-Downloader.Win32.VB.bnq skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1AD8000F.VBN Infected: Trojan.Win32.BHO.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1AD80010.VBN/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1AD80010.VBN NSIS: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1AD80010.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1AE00000.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1AE00001.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1AE00002.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1AE00003.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1AE00004.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1AE00006.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1AE00007.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1B440000.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1B440001.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1B440002.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1B440003.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1B440004.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1B440005.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1B440007.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1B440008.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1B440009.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1B44000A.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1DD80000.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1DD80001.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1DD80002.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ais skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1DD80003.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1DD80006.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1EB80000.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1EB80001.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1EB80002.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1EB80003.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1FD80000.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1FF40000.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\1FF40001.VBN Infected: Trojan.Win32.Agent.bck

 

kaspersky 112507 part 2

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20280003.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20280004.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20280005.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20280006.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20280007.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20280008.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20280009.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\2028000A.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\2028000B.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20280010.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20280011.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20280012.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20280017.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20280018.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20940002.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20940003.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20940004.VBN/xzydqxek.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20940004.VBN CAB: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20940004.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20A80000.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20A80001.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20A80002.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\21F00000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\21F00001.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\21F00002.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\21F00003.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\21F00004.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\21F00006.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\21F00007.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\21F00008.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\21F00009.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\21F0000A.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\25100001.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\25440000.VBN/asappsrv.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\25440000.VBN CAB: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\25440000.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\25440003.VBN/command.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\25440003.VBN CAB: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\25440003.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\25440004.VBN/ivdwnll2.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\25440004.VBN CAB: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\25440004.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\26940000.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\26940001.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\26940002.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\gardnera\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\gardnera\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\lisbyw\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\lisbyw\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\WindowsUpdate\rteqegaxav.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\MsDtc\MSDTC.LOG Object is locked skipped
C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\Tasks\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Temp\Buf2.tmp Object is locked skipped
C:\WINDOWS\Temp\hsperfdata_SYSTEM\1920 Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\Accounts\65G\CorpShare\65GSupport----Archived E-mails\65GSupportInbox.pst/Archive Folders/Inbox/28 Apr 2005 15:00 from Howard, Carla:FW: failure notice.eml/[From carla.howard@allergyasthmaconsultants.com][Date Thu, 28 Apr 2005 10:56:53 -0400]/UNNAMED/document.zip/document.scr Infected: Net-Worm.Win32.Mytob.ah skipped
E:\Accounts\65G\CorpShare\65GSupport----Archived E-mails\65GSupportInbox.pst/Archive Folders/Inbox/28 Apr 2005 15:00 from Howard, Carla:FW: failure notice.eml/[From carla.howard@allergyasthmaconsultants.com][Date Thu, 28 Apr 2005 10:56:53 -0400]/UNNAMED/document.zip Infected: Net-Worm.Win32.Mytob.ah skipped
E:\Accounts\65G\CorpShare\65GSupport----Archived E-mails\65GSupportInbox.pst/Archive Folders/Inbox/28 Apr 2005 15:00 from Howard, Carla:FW: failure notice.eml/[From carla.howard@allergyasthmaconsultants.com][Date Thu, 28 Apr 2005 10:56:53 -0400]/UNNAMED Infected: Net-Worm.Win32.Mytob.ah skipped
E:\Accounts\65G\CorpShare\65GSupport----Archived E-mails\65GSupportInbox.pst/Archive Folders/Inbox/28 Apr 2005 15:00 from Howard, Carla:FW: failure notice.eml Infected: Net-Worm.Win32.Mytob.ah skipped
E:\Accounts\65G\CorpShare\65GSupport----Archived E-mails\65GSupportInbox.pst Mail MS Mail: infected - 4 skipped
E:\Accounts\65G\CorpShare\65GSupport----Archived E-mails\65GSupportSentItems.pst/Archive Folders/Sent Items 2005/28 Nov 2005 16:39 to Sommer, Julia:FW: Your IP was logged///jtpdb01/TrackIt65/Track-It! Server - Professional Edition/woat/File-packed_dataInfo.exe Infected: Email-Worm.Win32.Sober.y skipped
E:\Accounts\65G\CorpShare\65GSupport----Archived E-mails\65GSupportSentItems.pst/Archive Folders/Sent Items 2005/28 Nov 2005 16:39 to Sommer, Julia:FW: Your IP was logged///jtpdb01/TrackIt65/Track-It! Server - Professional Edition/woat Infected: Email-Worm.Win32.Sober.y skipped
E:\Accounts\65G\CorpShare\65GSupport----Archived E-mails\65GSupportSentItems.pst/Archive Folders/Inbox 2005/28 Nov 2005 16:32 from Sommer, Julia:FW: Your IP was logged/list.zip/File-packed_dataInfo.exe Infected: Email-Worm.Win32.Sober.y skipped
E:\Accounts\65G\CorpShare\65GSupport----Archived E-mails\65GSupportSentItems.pst/Archive Folders/Inbox 2005/28 Nov 2005 16:32 from Sommer, Julia:FW: Your IP was logged/list.zip Infected: Email-Worm.Win32.Sober.y skipped
E:\Accounts\65G\CorpShare\65GSupport----Archived E-mails\65GSupportSentItems.pst/Archive Folders/Inbox 2005/28 Nov 2005 13:51 from Cosgrove, Catherine:FW: You visit illegal/list.zip/File-packed_dataInfo.exe Infected: Email-Worm.Win32.Sober.y skipped
E:\Accounts\65G\CorpShare\65GSupport----Archived E-mails\65GSupportSentItems.pst/Archive Folders/Inbox 2005/28 Nov 2005 13:51 from Cosgrove, Catherine:FW: You visit illegal/list.zip Infected: Email-Worm.Win32.Sober.y skipped
E:\Accounts\65G\CorpShare\65GSupport----Archived E-mails\65GSupportSentItems.pst/Archive Folders/Inbox 2006/23 Jan 2006 02:17 from System Administrator:Undeliverable:You ha/23 Jan 2006 02:15 from 65G, Support:You have successfully update/accepted-password.zip/accepted-password.doc .scr Infected: Email-Worm.Win32.Doombot.g skipped
E:\Accounts\65G\CorpShare\65GSupport----Archived E-mails\65GSupportSentItems.pst/Archive Folders/Inbox 2006/23 Jan 2006 02:17 from System Administrator:Undeliverable:You ha/23 Jan 2006 02:15 from 65G, Support:You have successfully update/accepted-password.zip Infected: Email-Worm.Win32.Doombot.g skipped
E:\Accounts\65G\CorpShare\65GSupport----Archived E-mails\65GSupportSentItems.pst/Archive Folders/Inbox 2006/21 Jan 2006 08:47 from System Administrator:Undeliverable:Your A/21 Jan 2006 08:46 from 65G, Support:Your Account is Suspended/document.zip/document.txt .scr Infected: Email-Worm.Win32.Doombot.g skipped
E:\Accounts\65G\CorpShare\65GSupport----Archived E-mails\65GSupportSentItems.pst/Archive Folders/Inbox 2006/21 Jan 2006 08:47 from System Administrator:Undeliverable:Your A/21 Jan 2006 08:46 from 65G, Support:Your Account is Suspended/document.zip Infected: Email-Worm.Win32.Doombot.g skipped
E:\Accounts\65G\CorpShare\65GSupport----Archived E-mails\65GSupportSentItems.pst/Archive Folders/Inbox 2006/31 Mar 2006 13:52 from Snyder, Sandy:FW: TEST/message.zip/message.htm .scr Infected: Email-Worm.Win32.Mydoom.l skipped
E:\Accounts\65G\CorpShare\65GSupport----Archived E-mails\65GSupportSentItems.pst/Archive Folders/Inbox 2006/31 Mar 2006 13:52 from Snyder, Sandy:FW: TEST/message.zip Infected: Email-Worm.Win32.Mydoom.l skipped
E:\Accounts\65G\CorpShare\65GSupport----Archived E-mails\65GSupportSentItems.pst/Archive Folders/Sent Items 2006B/31 Mar 2006 14:26 to Snyder, Sandy:FW: TEST///jtpdb01/TrackIt65/Track-It! Server - Professional Edition/woat/message.htm .scr Infected: Email-Worm.Win32.Mydoom.l skipped
E:\Accounts\65G\CorpShare\65GSupport----Archived E-mails\65GSupportSentItems.pst/Archive Folders/Sent Items 2006B/31 Mar 2006 14:26 to Snyder, Sandy:FW: TEST///jtpdb01/TrackIt65/Track-It! Server - Professional Edition/woat Infected: Email-Worm.Win32.Mydoom.l skipped
E:\Accounts\65G\CorpShare\65GSupport----Archived E-mails\65GSupportSentItems.pst/Archive Folders/Inbox 2007/28 Feb 2007 19:25 from Sommer, Julia:FW: Request/details05.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
E:\Accounts\65G\CorpShare\65GSupport----Archived E-mails\65GSupportSentItems.pst/Archive Folders/Inbox 2007/28 Feb 2007 19:25 from Sommer, Julia:FW: Request/details05.zip Infected: Email-Worm.Win32.NetSky.q skipped
E:\Accounts\65G\CorpShare\65GSupport----Archived E-mails\65GSupportSentItems.pst Mail MS Mail: infected - 16 skipped
E:\Accounts\65G\MyDoc\65gphonetree\desktop.ini Object is locked skipped
E:\Accounts\65G\MyDoc\65gphonetree\My Pictures\Desktop.ini Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\1367_001.tif Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\1459_001.tif Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\20069131035573.doc Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\Amanda Latham.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\ATCCustomer Service 08-30-07.doc Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\ATCCustomer Service 08-31-07.doc Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\ATT31519.dat Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\Collections Tracking Report Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\Collections Tracking Report.qpw Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\Dal-WB ns5gt 06-16-06.cfg Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\Dal-WB ns5gt new IP 06-16-06.cfg Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\Dal-WB ns5gt new IP 06-16-06.cfg.1 Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\Default.rdp Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\EasyPrintUserGuide1.pdf Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\Fax164.TIF Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\February 2006.xls Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\FTP SITE INFORMATION-Jones.pdf Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\GSK HibMenCY.wpd Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\HOC OCCURRENCE REPORTING FORM.rtf Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\Hospice Phone Directory 11-03-06.xls Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\Hospice Phone Directory.xls Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\Income Growth Analysis $17 Projected Patients 33.html Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\IPSecPolicy.spd Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\Joining_Cerner.com_Homecare_BeyondNowCommunity Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\JTPTS06 Apps.xls Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\K070525A Carolina Chillers 1215 comp.doc Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\My Videos\Desktop.ini Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\NGODBCError 010207.log Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\NGODBCError 010207.zip Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\part 1_2.dat Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\part 1_2.pdf Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\part 2_2.pdf Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\part2.pdf Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\part2.txt Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\Preston 1 (Post and Courier Chiller)(Proposal).xls Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\Preston 1 (Post and Courier Chiller)(Proposal).xlsx Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\RS32x_RS4xx Field Service Manual v3_0.pdf Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\STP Equipment.xls Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\Test.XLS Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\User_Audit_Detail_westerveltl.html Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\winmail.dat Object is locked skipped
E:\Accounts\65G\MyDoc\65gsupport\zip file misys Object is locked skipped
E:\Accounts\65G\MyDoc\65gtest\desktop.ini Object is locked skipped
E:\Accounts\65G\MyDoc\65gtest\My Pictures\Desktop.ini Object is locked skipped
E:\Accounts\65G\MyDoc\65gtrackit\desktop.ini Object is locked skipped
E:\Accounts\65G\MyDoc\billing\desktop.ini Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\alhcontacts.pst Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Appliances_datasheet.pdf Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\BellSouth Internet Bill.htm Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\BellSouth Internet Bill_files\bellsouthlogo2.gif Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\BellSouth Internet Bill_files\btn_closewindow.gif Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\BellSouth Internet Bill_files\ebpp_service_promos.js Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\BellSouth Internet Bill_files\eei.js Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\BellSouth Internet Bill_files\gel_formations.js Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\BellSouth Internet Bill_files\gray.gif Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\BellSouth Internet Bill_files\header_footer.js Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\BellSouth Internet Bill_files\print.js Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\BellSouth Internet Bill_files\printHid.js Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\BellSouth Internet Bill_files\sniffAPI.js Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\BellSouth Internet Bill_files\spacer.gif Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\bews_9_core_datasheet.pdf Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\be_options_datasheet_final.pdf Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\BofA.doc Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\BTA FileCabinet Error Message.doc Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\CFSFedLoanApplication.pdf Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\CGS Equipment List.xls Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\CGS New Office Exceptions.xls Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\CGS Terminal Numbers.xls Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Customer User List Template.xls Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\DGSWE-Ch1.lit Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\DGSWE-Ch1.pdf Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\DGSWE-Ch1.zip Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\DGSWE-Ch2.zip Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\DGSWE-Ch2a.pdf Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\DGSWE-Ch3.pdf Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\DGSWE-Ch3.zip Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Dr. Haynes-CDW Items.doc Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\evaluating.pdf Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\GoExchange\GE-2-9-0_Setup.exe Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\GoExchange\GOexchangeHelp.chm Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\GOLD\Gold100.txt Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\GPMC_Administering.doc Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\HIPAA.pdf Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\HIPAAReadinessChkLst.pdf Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\HIPAARegs.pdf Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\hipaa_info.pdf Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\History\DataSource0.xml Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\hoc hc int 5-24-06.doc Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\How to Backup in Quickbooks.doc Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\HP LaserJet 1300N Datasheet.pdf Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\JTPDIAL1 TCOM Port Evaluation 06-02-04.xls Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\License Plates.xls Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\lma\342407.tif Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\lma\Cigna Email Dowload SS1.doc Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\LMA Bulk Quote 9-15-05.xls Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\LMA Computer and User Count for Network 6-8-05.xls Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\LMA Licenses for Network 6-7-05.xls Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\LMA NextGen PROD 5-2-16 License Keys.txt Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Lowcountry Medical Associates Migration to the 65G Network.doc Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\MBNA.doc Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\MCPSalary2003.pdf Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\mikenash5182004.ppt Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\mtn house.zip Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\041022_SlessBonaparte1.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\041022_SlessRKeveza1.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\528 Parkwood Estates.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\65G Logo.bmp Object is locked skipped

 

kaspersky 112507 part 3

E:\Accounts\65G\MyDoc\hairfielda\My Pictures\65G Logo.gif Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\65G Logo.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\absalliesbunks.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Absinthe Green Yellow Vintage Poster.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Alfred Gockel Fantasy Flowers.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Alfred Gockel Striped Fish.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Amaryliss Flower Red.bmp Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Anis Del Momo Green and Red.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Art Deco Border Stencil1.gif Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Art Deco Palm Tree Stencil.gif Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\a_new_livingRoom.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Beauty is in the Eye of the Beholder Stencil.gif Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Bernese1.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\bernese_breedin5.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\bernese_summit5.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Bitter Campari Red and orange.bmp Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Blossom Stencil.gif Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\calla_cake.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\calla_cake2_sm.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Cheri Blum Wall Art.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\ChocGroomsCake.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Cinzano Asti Red.bmp Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Cinzano Read and Blue.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Cognac Jacquet Red and Yellow.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Cognac Sorin Blue Vintage Poster.bmp Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\ColletteCake-caprice_de_jacques2size.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\ColletteCake-torte_of_babylon2size.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\ColletteCake-weddingcake_w_yellow.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\ColletteCakenyMagChocSwirl.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Convolvulous Flower Stencil.gif Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\DargonFly 2 Stencil.gif Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\db_CE0151.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\db_CE0201.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\db_CE1201.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\db_CE2221.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\db_HE0071.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\db_LE0011.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Desktop.ini Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\DragonFly Stencil.gif Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\DragonFly.gif Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Elvis Stencil.gif Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Fairey Stencil.gif Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Fish Tile Stencil.gif Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\frame.url Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Frank the Tank.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Franz Marc Ecuries Print.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Gockel Eruption 1 Left Panel.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Gockel Eruption 1 Right Panel.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Gockel Green-purple Genny.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Gockel Moved by music.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Gockel Mysteries of the deep.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Gockel Red Poppies.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Goldberger Minimalist green flowers.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Goldberger Minimalist pink flowers.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\GoldenCallaLilyCake.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Grass Kickers Team Pic 1.JPG Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Grass Kickers Team Pic 2.JPG Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\grasskickers.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Green and Brown Flower.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Green MM.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Guinness Vintage Poster.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\H Monogram Stencil.gif Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\hospitalgown.bmp Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\HPLJ1300n.bmp Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Huynh Pink Purple Gerber.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Ice Skaters Gliding Start Red.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\IMG_0118.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\IMG_0432.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\IMG_0435.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\IMG_0438.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\IMG_0443.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\IMG_0450.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\IMG_0451.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\IMG_0453.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\IMG_0455.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\IMG_0456.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\IMG_0460.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\IMG_0461.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\IMG_0462.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\IMG_0463.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\IMG_0464.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\IMG_0469.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\IMG_0471.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\IMG_0474.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\IMG_0475.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\IMG_0476.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Inside a tulip Red.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\James Dean Stencil.gif Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\jayandabbie.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\jayslastnite.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Lilac Rose.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\lips.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Logo02.gif Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Marilyn Monroe Stencil.gif Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Marsh Harbor Inn Logo.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Marsh Harbor Inn Logo2.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Martini Rossi Black Red White.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Mirza Print Naturals.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Moet Champagne Vintage Poster.bmp Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Morning Glory Stencil.gif Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\m_1f996e62d7e94b86e2c76530e5c9a113.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\New Years Group.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\New Years.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Old Baldy.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Old Baldy2.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\old_baldy.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Orchid Georgia O'Keefe.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Oskar Koller Lysianthus.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Oskar Koller Poppies.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Over the Sofa Art.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Pablo Picasso Femme a la Fleur.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Palm Stencil.gif Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Pink and Red Orchid.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Pink Blossom Print.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Pink Daisies.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Polka Dots Stencil.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\puppies.bmp Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Red and White Flowers.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Red martini rosi.bmp Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Red Rose.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Red Tie.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Rocket Stencil.gif Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Sam Short Pink Gerbers.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\SQLErrorMessage.bmp Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Squiggles Stencil.gif Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Swirls Stencil.gif Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Taittinger Champagne Vintage Poster.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Take the Time to Smell the Roses Stencil.gif Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Thumbs.db Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\t_=54444961.htm Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Valencia Wine Vintage Poater green.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Vintage Bev Poster.bmp Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Vogue Red.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\WeddingCake1.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\WeddingCake2.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\WeddingCakeCalaLily.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\White Daisy with Blue Background.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\Wither Pink and Lovely Lime.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\wl_map1.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\My Pictures\yellowteam.jpg Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\netscreen_firewall_wp.pdf Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\NetScreen_IDP_White_Paper_Version_2_9_20_022.pdf Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Newbies Basics.doc Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\nextel downloads\wall_1113134338.zip Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\nextel downloads\wall_1116085569.zip Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\nextel downloads\wall_1124656914.zip Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\nextel downloads\wall_1138365583.zip Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\nextel downloads\wall_1151491321.zip Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\nextel downloads\wall_1156054166.zip Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\nextel downloads\wall_1213383705.zip Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\nextel downloads\wall_1254265858.zip Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\nextel downloads\wall_1262109700.zip Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\nextel downloads\wall_1266756880.zip Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\nextel downloads\wall_1289385726.zip Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\nextel downloads\wall_1292504925.zip Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Nextel.csv Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\next_generation.pdf Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\NGLicense.dll Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\NSRP_Feature_Benefits.pdf Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Onstar Transactions May-July.doc Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\ParkingPermitJanJune2003.pub Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\ParkingPermitJuneDec2003.pub Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Principles_of_Secure_Network_design.pdf Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\PWV PC Quote.doc Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Quote for CGS.doc Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Quote for ECFP.doc Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Quote for LEN.doc Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Quote for LMA-LFM.doc Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Quote for LMA-LFM2.doc Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Quote for LMA.doc Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Quote for LMA1.doc Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Quote for LMA2.doc Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Quote_184079792.txt Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\RECYCLER\S-1-5-21-1060284298-1606980848-1417001333-1208\D@1.rtf Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\RECYCLER\S-1-5-21-1060284298-1606980848-1417001333-1208\desktop.ini Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\RECYCLER\S-1-5-21-1060284298-1606980848-1417001333-1208\INFO2 Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Remote Scan BofA Charge.doc Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Restricted Users Installation.doc Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Roper Portal Certificate Screen Shot.doc Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\SC Sleep Medicine Support Emails.xls Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Scan10005.JPG Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Scanned Images.doc Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\sc_mcse2003_setup.EXE Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Security\Database\sct13.tmp Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Security\Database\sct14.tmp Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Security\Database\sct16.tmp Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Security\Database\sct1E.tmp Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Security\Database\sct25.tmp Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Security\Database\sct29.tmp Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Security\Database\sct33.tmp Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Security\Database\sct36.tmp Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Security\Database\sct3E.tmp Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Security\Database\sct4B.tmp Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Security\Database\sctA.tmp Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\stmt.txt Object is locked skipped
E:\Accounts\65G\MyDoc\hairfielda\Thin Client Tracking.doc Object is locked skipped